Bug 1005332 - (CVE-2013-4311) CVE-2013-4311 libvirt: insecure calling of polkit
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20130918,repo...
Keywords: Security
Depends On: 1006265 1006266 1006272 1009539
Blocks: 1002376 1006244
Reported: 2013-09-06 12:38 EDT by Kurt Seifried
Modified: 2016-04-18 21:15 EDT

Doc Type: Bug Fix


Attachments
Fix for git master 1/3 (5.23 KB, patch) - 2013-09-10 06:07 EDT, Daniel Berrange
Fix for git master 2/3 (2.02 KB, patch) - 2013-09-10 06:07 EDT, Daniel Berrange
Fix for git master 3/3 (5.99 KB, patch) - 2013-09-10 06:08 EDT, Daniel Berrange
Fix for rhel-6 0.10.2 branch 1/2 (20.66 KB, patch) - 2013-09-10 06:08 EDT, Daniel Berrange
Fix for rhel-6 0.10.2 branch 2/2 (3.78 KB, patch) - 2013-09-10 06:09 EDT, Daniel Berrange

Description Kurt Seifried 2013-09-06 12:38:12 EDT
Sebastian Krahmer reported a security issue was found in polkit (CVE-2013-4288, bz 1002375).

As part of the investigation of this issue it was found that an issue also occurs in libvirt, specifically in how it invokes polkit. There are two ways for polkit to be invoked: one is via the API, which supports passing a UID to the secure function polkit_unix_process_new_for_owner(); the second is via the command line (pkcheck), which does not support passing a UID to the function polkit_unix_process_new_full(). libvirt used the insecure way to invoke polkit, resulting in a privilege escalation vulnerability.
Comment 1 Daniel Berrange 2013-09-10 06:07:26 EDT
Created attachment 795917 [details]
Fix for git master 1/3
Comment 2 Daniel Berrange 2013-09-10 06:07:52 EDT
Created attachment 795918 [details]
Fix for git master 2/3
Comment 3 Daniel Berrange 2013-09-10 06:08:24 EDT
Created attachment 795919 [details]
Fix for git master 3/3
Comment 4 Daniel Berrange 2013-09-10 06:08:57 EDT
Created attachment 795920 [details]
Fix for rhel-6 0.10.2 branch 1/2
Comment 5 Daniel Berrange 2013-09-10 06:09:22 EDT
Created attachment 795921 [details]
Fix for rhel-6 0.10.2 branch 2/2
Comment 8 Vincent Danen 2013-09-18 11:11:26 EDT
This is now public:

http://www.openwall.com/lists/oss-security/2013/09/18/4
Comment 9 Daniel Berrange 2013-09-18 11:19:38 EDT
The relevant upstream GIT master commits are

commit 922b7fda77b094dbf022d625238262ea05335666
Author: Daniel P. Berrange <berrange@redhat.com>
Date:   Wed Aug 28 15:25:40 2013 +0100

    Add support for using 3-arg pkcheck syntax for process (CVE-2013-4311)
    
    With the existing pkcheck (pid, start time) tuple for identifying
    the process, there is a race condition, where a process can make
    a libvirt RPC call and in another thread exec a setuid application,
    causing it to change to effective UID 0. This in turn causes polkit
    to do its permission check based on the wrong UID.
    
    To address this, libvirt must get the UID the caller had at time
    of connect() (from SO_PEERCRED) and pass a (pid, start time, uid)
    triple to the pkcheck program.
    
    This fix requires that libvirt is re-built against a version of
    polkit that has the fix for its CVE-2013-4288, so that libvirt
    can see 'pkg-config --variable pkcheck_supports_uid polkit-gobject-1'
    
    Signed-off-by: Colin Walters <walters@redhat.com>
    Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

commit e65667c0c6e016d42abea077e31628ae43f57b74
Author: Daniel P. Berrange <berrange@redhat.com>
Date:   Wed Aug 28 15:22:05 2013 +0100

    Ensure system identity includes process start time
    
    The polkit access driver will want to use the process start
    time field. This was already set for network identities, but
    not for the system identity.
    
    Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

commit db7a5688c05f3fd60d9d2b74c72427eb9ee9c176
Author: Daniel P. Berrange <berrange@redhat.com>
Date:   Thu Aug 22 16:00:01 2013 +0100

    Also store user & group ID values in virIdentity
    
    Future improvements to the polkit code will require access to
    the numeric user ID, not merely user name.
    
    Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
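Worked illustration of the two pkcheck forms discussed in the description and in the first commit message above. This is an added example, not libvirt's code and not any of the attached patches: it captures the peer's pid and uid once, at connect() time, via SO_PEERCRED, reads the process start time from field 22 of /proc/<pid>/stat, and then formats both the racy (pid, start time) tuple and the fixed (pid, start time, uid) triple for pkcheck's --process option. The helper names (identify_peer, read_start_time, format_process_arg_2, format_process_arg_3), the peer_cred struct and the use of a socketpair as a stand-in for libvirtd's Unix socket are this example's own assumptions; org.libvirt.unix.manage is libvirt's real polkit action id. Linux only.

```c
/* Added example (not libvirt code): capture the caller's identity at
 * connect() time and build pkcheck's --process argument both the old,
 * racy way and the fixed way from the CVE-2013-4311 commit.  Linux only. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>

#ifndef SO_PEERCRED
#define SO_PEERCRED 17   /* Linux value; sys/socket.h normally provides it */
#endif

/* Same layout as Linux's struct ucred (pid_t, uid_t, gid_t).  Declared here
 * so the example compiles even if _GNU_SOURCE is not visible to the headers. */
struct peer_cred {
    int pid;
    unsigned int uid;
    unsigned int gid;
};

/* The three values the fixed libvirt keeps in its identity: pid, start time, uid. */
struct caller_identity {
    long pid;
    unsigned long long start_time; /* /proc/<pid>/stat field 22, clock ticks since boot */
    long uid;
};

/* Read the start time from /proc/<pid>/stat.  The comm field (field 2) may
 * contain spaces and parentheses, so scan from the last ')' and count
 * fields from there: the token right after ')' is field 3 (state).
 * Returns 0 on success, -1 on failure. */
int read_start_time(long pid, unsigned long long *start_time)
{
    char path[64], buf[1024];
    FILE *f;
    size_t n;
    char *p, *tok;
    int field;

    snprintf(path, sizeof path, "/proc/%ld/stat", pid);
    f = fopen(path, "r");
    if (!f)
        return -1;
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    p = strrchr(buf, ')');
    if (!p)
        return -1;
    tok = strtok(p + 1, " ");
    for (field = 3; tok && field < 22; field++)
        tok = strtok(NULL, " ");
    if (!tok)
        return -1;
    *start_time = strtoull(tok, NULL, 10);
    return 0;
}

/* Capture pid, uid and start time of the peer on a connected AF_UNIX socket.
 * Called once when the connection is accepted; the uid is never re-read from
 * /proc afterwards, which is the whole point of the fix. */
int identify_peer(int sock, struct caller_identity *id)
{
    struct peer_cred cred;
    socklen_t len = sizeof cred;

    if (getsockopt(sock, SOL_SOCKET, SO_PEERCRED, &cred, &len) < 0)
        return -1;
    id->pid = cred.pid;
    id->uid = cred.uid;
    return read_start_time(id->pid, &id->start_time);
}

/* Old form: "pid,starttime".  polkit then looks the uid up from /proc at
 * check time, so a setuid exec in another thread of the caller between
 * connect() and the check makes polkit authorise as uid 0. */
int format_process_arg_2(const struct caller_identity *id, char *out, size_t n)
{
    return snprintf(out, n, "%ld,%llu", id->pid, id->start_time);
}

/* Fixed form: "pid,starttime,uid" with the uid taken from SO_PEERCRED.
 * Needs a pkcheck that carries the CVE-2013-4288 fix, which the commit above
 * detects with: pkg-config --variable pkcheck_supports_uid polkit-gobject-1 */
int format_process_arg_3(const struct caller_identity *id, char *out, size_t n)
{
    return snprintf(out, n, "%ld,%llu,%ld", id->pid, id->start_time, id->uid);
}

int main(void)
{
    int sv[2];
    struct caller_identity id;
    char arg[96];

    /* A socketpair stands in for libvirtd's listening Unix socket; the
     * "peer" of sv[0] is this same process. */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return 1;
    if (identify_peer(sv[0], &id) < 0)
        return 1;
    format_process_arg_2(&id, arg, sizeof arg);
    printf("racy:  pkcheck --action-id org.libvirt.unix.manage --process %s\n", arg);
    format_process_arg_3(&id, arg, sizeof arg);
    printf("fixed: pkcheck --action-id org.libvirt.unix.manage --process %s\n", arg);
    return 0;
}
```

The part that matters is where the uid comes from: SO_PEERCRED reports the credentials the peer had when it connected, so the value passed in the third element cannot be changed by anything the caller execs afterwards, whereas the two-element form leaves polkit to derive the uid from /proc at check time, inside the race window. The pkg-config check in the commit message exists because only a polkit that contains the CVE-2013-4288 fix understands the third element.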
Comment 10 Vincent Danen 2013-09-18 11:25:21 EDT
Created libvirt tracking bugs for this issue:

Affects: fedora-all [bug 1009539]
Comment 11 errata-xmlrpc 2013-09-19 14:08:47 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1272 https://rhn.redhat.com/errata/RHSA-2013-1272.html
Comment 12 Fedora Update System 2013-09-30 22:14:20 EDT
libvirt-0.10.2.8-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2013-10-02 02:40:25 EDT
libvirt-1.0.5.6-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2013-10-12 00:33:33 EDT
libvirt-1.1.3-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
