Bug 1977726 (CVE-2021-3631)

Summary: CVE-2021-3631 libvirt: Insecure sVirt label generation
Product: [Other] Security Response
Component: vulnerability
Reporter: Mauro Matteo Cascella <mcascell>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: agedosier, berrange, clalancette, crobinso, eblake, jdenemar, jforbes, jsuchane, knoel, laine, libvirt-maint, pkrempa, tuxmealux+redhatbz, veillard, virt-maint, virt-maint
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: libvirt 7.5.0
Doc Text: A flaw was found in libvirt while it generates SELinux MCS category pairs for VMs' dynamic labels. This flaw allows one exploited guest to access files labeled for another guest, resulting in the breaking out of sVirt confinement. The highest threat from this vulnerability is to confidentiality and integrity.
Last Closed: 2021-09-30 18:21:06 UTC
Bug Depends On: 1977760, 1977774, 1977775, 1977776, 1977777, 1977778, 1993309
Bug Blocks: 1977727, 1977735

Description Mauro Matteo Cascella 2021-06-30 11:12:41 UTC
A flaw was found in libvirt while it generates SELinux MCS category pairs for VMs' dynamic labels. This flaw may allow one exploited guest to access files labelled for another guest, thus breaking out of sVirt confinement.

Upstream issue:
https://gitlab.com/libvirt/libvirt/-/issues/153

Comment 2 Mauro Matteo Cascella 2021-06-30 12:42:36 UTC
Created libvirt tracking bugs for this issue:

Affects: fedora-all [bug 1977760]

Comment 3 Mauro Matteo Cascella 2021-06-30 13:14:01 UTC
As noted by Daniel P. Berrangé, the impact of this flaw is minor because:

1) the probability of generating a label with the same MCS category is rather small (0.2%).
2) there needs to be another guest on the same host with a category pair, one of whose categories matches the vulnerable guest configuration.
3) the attacker needs to escape from the guest with some exploit in QEMU first.

Under these circumstances this flaw will make it possible for the exploited guest to break out of sVirt confinement and impact another guest. Note that this flaw does *not* allow the exploited guest to impact the host system.
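
A host-side check for the condition described in comment 3, as an added example (not code from this bug report or from libvirt): it parses guests' sVirt labels and reports any guest whose dynamic label carries a single MCS category, together with the guests whose category pair contains that category. It relies on the MCS rule that a process can access a file whose categories are a subset of its own; the guest names and labels below are constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed sample: guest name -> SELinux process label of its QEMU process.
# Names and category numbers are made up for illustration.
SAMPLE_LABELS = {
    "web01": "system_u:system_r:svirt_t:s0:c117",         # degenerate: one category
    "db01": "system_u:system_r:svirt_t:s0:c117,c720",     # pair containing c117
    "build01": "system_u:system_r:svirt_t:s0:c392,c662",  # unrelated pair
    "mail01": "system_u:system_r:svirt_t:s0:c5,c720",     # shares c720 with db01 only
}


def mcs_categories(label):
    """Return the set of MCS category numbers in a user:role:type:level label."""
    level = label.split(":", 3)[3]       # e.g. "s0:c117,c720"
    cats = level.partition(":")[2]       # e.g. "c117,c720" ("" if none)
    found = set()
    for part in filter(None, cats.split(",")):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)  # "c5" or range "c0.c3"
        if m is None:
            raise ValueError(f"unexpected MCS category syntax: {part!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        found.update(range(low, high + 1))
    return found


def audit(labels):
    """Map each single-category guest to the guests whose categories dominate it.

    A guest listed in the value can, once its QEMU process is compromised,
    reach files labelled for the guest in the key.
    """
    cats = {name: mcs_categories(label) for name, label in labels.items()}
    findings = {}
    for name, own in cats.items():
        if len(own) == 1:  # a dynamic label should carry two distinct categories
            findings[name] = sorted(
                other for other, theirs in cats.items()
                if other != name and own < theirs   # strict subset => dominated
            )
    return findings


if __name__ == "__main__":
    for guest, dominated_by in audit(SAMPLE_LABELS).items():
        print(f"{guest}: single-category label, dominated by {dominated_by or 'none'}")
```

A guest reported with an empty list still has a malformed label: it becomes exposed as soon as another guest is started with a pair containing its category.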

Comment 5 Mauro Matteo Cascella 2021-07-01 08:42:08 UTC
Upstream fix:
https://gitlab.com/libvirt/libvirt/-/commit/15073504dbb624d3f6c911e85557019d3620fdb2

Comment 8 errata-xmlrpc 2021-09-30 16:54:04 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.4.0.Z

Via RHSA-2021:3703 https://access.redhat.com/errata/RHSA-2021:3703

Comment 9 Product Security DevOps Team 2021-09-30 18:21:06 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3631

Comment 10 errata-xmlrpc 2021-09-30 19:01:48 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.2.1

Via RHSA-2021:3704 https://access.redhat.com/errata/RHSA-2021:3704

Comment 11 errata-xmlrpc 2021-11-09 17:40:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4191 https://access.redhat.com/errata/RHSA-2021:4191