Bug 1722559 (CVE-2019-13164)

Summary: CVE-2019-13164 Qemu: qemu-bridge-helper ACL can be bypassed when names are too long
Product: [Other] Security Response
Reporter: Riccardo Schirone <rschiron>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: amit, areis, berrange, cfergeau, dfediuck, dwmw2, eedri, itamar, jen, jferlan, jjoyce, jschluet, knoel, lhh, lpeer, mburns, mgoldboi, michal.skrivanek, mkenneth, mrehak, mrezanin, mst, pbonzini, ppandit, rbalakri, ribarry, rjones, sbonazzo, sclewis, security-response-team, sherold, slinaber, virt-maint, virt-maint
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-27 10:55:17 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1726404, 1726405, 1726406, 1726407, 1726408, 1726472, 1726473, 1726474, 1726475, 1726502, 1793217
Bug Blocks: 1722723

Description Riccardo Schirone 2019-06-20 15:56:12 UTC
It was discovered that the Access Control List (ACL) implemented by the
qemu-bridge-helper program could be bypassed in particular cases when the bridge
interface names are as long as IFNAMSIZ-1, i.e. 15 characters. If the ACL specified
in the /etc/qemu-kvm/bridge.conf file denies access to a bridge interface with
a name IFNAMSIZ-1 characters long, but allows all other interfaces, it is possible for
a local attacker to use qemu-bridge-helper to create a tap device and attach it
to a denied bridge interface, thus bypassing the ACL. This could be used by the
attacker to get access to confidential data transmitted on the bridge.

Upstream patch:
---------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2019-07/msg00245.html

Reference:
----------
  -> https://www.openwall.com/lists/oss-security/2019/07/02/2
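
Illustration of the length mismatch described in this report, added here as an example (toy code written for this page, not qemu-bridge-helper's source and not the upstream patch): a small C model in which the ACL compares the requested bridge name exactly as given, while the kernel-facing step copies it into an IFNAMSIZ-byte buffer and therefore only ever sees the first IFNAMSIZ-1 characters. The rule set, the bridge names br-confidential, br-confidentialX and br-public, and all function names are constructed for the example; IFNAMSIZ is taken from <net/if.h> (16 on Linux). The hardened flow refuses any name of IFNAMSIZ or more characters before the ACL is consulted, so the string the policy evaluates is always the string the kernel acts on.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <net/if.h>      /* IFNAMSIZ: 16 on Linux, so a name holds at most 15 chars */

#ifndef IFNAMSIZ
#define IFNAMSIZ 16      /* fallback for toolchains without <net/if.h> */
#endif

/* Toy ACL rule, constructed for this example (not qemu-bridge-helper's structures). */
enum rule_type { RULE_ALLOW, RULE_DENY };

struct acl_rule {
    enum rule_type type;
    char iface[IFNAMSIZ];   /* "all" or one bridge name, at most IFNAMSIZ-1 characters */
};

/* Any matching deny rule wins; otherwise a matching allow (or "allow all") grants access. */
static bool acl_permits(const struct acl_rule *rules, size_t n, const char *bridge)
{
    bool allowed = false;
    for (size_t i = 0; i < n; i++) {
        bool match = strcmp(rules[i].iface, "all") == 0 ||
                     strcmp(rules[i].iface, bridge) == 0;
        if (!match)
            continue;
        if (rules[i].type == RULE_DENY)
            return false;
        allowed = true;
    }
    return allowed;
}

/* Model of the kernel-facing step: struct ifreq.ifr_name is IFNAMSIZ bytes, so the
 * name is cut at IFNAMSIZ-1 characters before the bridge is looked up. */
static void kernel_visible_name(const char *bridge, char out[IFNAMSIZ])
{
    strncpy(out, bridge, IFNAMSIZ - 1);
    out[IFNAMSIZ - 1] = '\0';
}

/* Defective flow: the ACL sees the full request string, the kernel sees the truncated one. */
static bool attach_unchecked(const struct acl_rule *rules, size_t n,
                             const char *bridge, char attached[IFNAMSIZ])
{
    if (!acl_permits(rules, n, bridge))
        return false;
    kernel_visible_name(bridge, attached);
    return true;
}

/* Hardened flow: refuse any request that would not survive the IFNAMSIZ limit unchanged. */
static bool attach_checked(const struct acl_rule *rules, size_t n,
                           const char *bridge, char attached[IFNAMSIZ])
{
    if (strlen(bridge) >= IFNAMSIZ)
        return false;
    return attach_unchecked(rules, n, bridge, attached);
}

/* Constructed policy: deny one bridge whose name is exactly IFNAMSIZ-1 characters,
 * allow everything else (the configuration shape the report says is affected). */
static const struct acl_rule sample_rules[] = {
    { RULE_DENY,  "br-confidential" },   /* 15 characters */
    { RULE_ALLOW, "all" },
};
#define SAMPLE_RULES_N (sizeof sample_rules / sizeof sample_rules[0])

static const char *denied_bridge   = "br-confidential";
static const char *overlong_name   = "br-confidentialX";  /* 16 characters, same first 15 */
static const char *ordinary_bridge = "br-public";

/* 1 if a direct request for the denied bridge is refused by both flows. */
int direct_request_is_denied(void)
{
    char attached[IFNAMSIZ];
    return !attach_unchecked(sample_rules, SAMPLE_RULES_N, denied_bridge, attached) &&
           !attach_checked(sample_rules, SAMPLE_RULES_N, denied_bridge, attached);
}

/* 1 if the unchecked flow passes the ACL on the overlong name yet lands on the denied bridge. */
int unchecked_lands_on_denied_bridge(void)
{
    char attached[IFNAMSIZ];
    return attach_unchecked(sample_rules, SAMPLE_RULES_N, overlong_name, attached) &&
           strcmp(attached, denied_bridge) == 0;
}

/* 1 if the hardened flow refuses the overlong name outright. */
int checked_refuses_overlong_name(void)
{
    char attached[IFNAMSIZ];
    return !attach_checked(sample_rules, SAMPLE_RULES_N, overlong_name, attached);
}

/* 1 if the hardened flow still permits a normal, allowed bridge. */
int checked_allows_ordinary_bridge(void)
{
    char attached[IFNAMSIZ];
    return attach_checked(sample_rules, SAMPLE_RULES_N, ordinary_bridge, attached) &&
           strcmp(attached, ordinary_bridge) == 0;
}

int main(void)
{
    printf("direct request denied:             %d\n", direct_request_is_denied());
    printf("unchecked flow reaches denied br:  %d\n", unchecked_lands_on_denied_bridge());
    printf("checked flow refuses long name:    %d\n", checked_refuses_overlong_name());
    printf("checked flow allows br-public:     %d\n", checked_allows_ordinary_bridge());
    return 0;
}
```

In this constructed scenario all four functions return 1: the unchecked flow evaluates the policy against one string and attaches using another, and the only robust fix is to make the two strings identical by rejecting anything the kernel would truncate. Note that the check belongs before the ACL lookup, not after it; truncating first and then consulting the ACL would also close this gap, but rejecting overlong names avoids silently attaching to a bridge the caller never named.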

Comment 1 Riccardo Schirone 2019-06-20 15:56:15 UTC
Acknowledgments:

Name: Riccardo Schirone (Red Hat)

Comment 3 Doran Moppert 2019-07-02 05:19:24 UTC
Statement:

Red Hat Virtualization Hypervisor is not affected by this vulnerability, as its bridge configuration can not take the required form.

Comment 4 Doran Moppert 2019-07-02 05:19:26 UTC
Mitigation:

This flaw can only be exploited if `/etc/qemu*/bridge.conf` contains a line containing `allow all` or at least one line with a bridge name of at least 15 characters.

Comment 5 Prasad Pandit 2019-07-02 19:25:26 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1726407]

Comment 9 Riccardo Schirone 2019-07-17 15:45:22 UTC
*** Bug 1729958 has been marked as a duplicate of this bug. ***