Bug 1848640 (CVE-2020-14301)

Summary: CVE-2020-14301 libvirt: leak of sensitive cookie information via dumpxml
Product: [Other] Security Response Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: agedosier, berrange, clalancette, eblake, erik-fedora, itamar, jdenemar, jforbes, jsuchane, knoel, laine, libvirt-maint, marcandre.lureau, pkrempa, rjones, veillard, virt-maint, virt-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libvirt 6.3.0 Doc Type: If docs needed, set a value
Doc Text:
An information disclosure vulnerability was found in libvirt. HTTP cookies used to access network-based disks were saved in the XML dump of the guest domain. This flaw could allow a malicious user with a read-only connection to access potentially sensitive information in the domain configuration via the `dumpxml` command.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-11-04 02:26:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1824368, 1849672, 1849694    
Bug Blocks: 1848037    

Description Mauro Matteo Cascella 2020-06-18 16:30:25 UTC 
Starting with version 6.2.0, libvirt makes it possible to pass one or more cookies to access disk images via http/https network protocols:

<disk type="network" device="cdrom">
  <source protocol="https" name="/path/to/image.iso">
  <cookies>
    <cookie name="cookie_name">"cookie_value"</cookie>
  </cookies>
</disk>

The 'cookie' element is included in the XML dump of the guest domain, resulting in a possible information disclosure. An attacker could abuse this flaw to leak the cookie's value via the virsh dumpxml command. Since cookies typically contain sensitive information, they should only be included in the XML dump when using the --security-info attribute.

Upstream fix:
https://github.com/libvirt/libvirt/commit/a5b064bf4b17a9884d7d361733737fb614ad8979
https://github.com/libvirt/libvirt/commit/524de6cc35d3b222f0e940bb0fd027f5482572c5
Comment 1 Mauro Matteo Cascella 2020-06-18 16:30:34 UTC 
Acknowledgments:

Name: Han Han (Red Hat)
Comment 2 Mauro Matteo Cascella 2020-06-19 10:34:23 UTC 
Statement:

Support for cookies for HTTP based disks was introduced in `libvirt` upstream version 6.2.0. Red Hat Enterprise Linux 5, 6, 7 and 8 are not affected by this issue, as they ship older versions of the `libvirt` package. Red Hat Enterprise Linux Advanced Virtualization 8 is the only affected product.
Comment 7 Product Security DevOps Team 2020-11-04 02:26:07 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-14301
Comment 8 errata-xmlrpc 2020-11-04 02:52:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4676 https://access.redhat.com/errata/RHSA-2020:4676