Bug 1005332 (CVE-2013-4311) - CVE-2013-4311 libvirt: insecure calling of polkit
Summary: CVE-2013-4311 libvirt: insecure calling of polkit
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-4311
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1006265 1006266 1006272 1009539
Blocks: 1002376 1006244
Reported: 2013-09-06 16:38 UTC by Kurt Seifried
Modified: 2021-10-20 10:41 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-20 10:41:10 UTC
Embargoed:


Attachments
Fix for git master 1/3 (5.23 KB, patch)
2013-09-10 10:07 UTC, Daniel Berrangé
Fix for git master 2/3 (2.02 KB, patch)
2013-09-10 10:07 UTC, Daniel Berrangé
Fix for git master 3/3 (5.99 KB, patch)
2013-09-10 10:08 UTC, Daniel Berrangé
Fix for rhel-6 0.10.2 branch 1/2 (20.66 KB, patch)
2013-09-10 10:08 UTC, Daniel Berrangé
Fix for rhel-6 0.10.2 branch 2/2 (3.78 KB, patch)
2013-09-10 10:09 UTC, Daniel Berrangé


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:1272 0 normal SHIPPED_LIVE Important: libvirt security and bug fix update 2013-09-19 22:02:43 UTC

Description Kurt Seifried 2013-09-06 16:38:12 UTC
Sebastian Krahmer reported a security issue was found in polkit (CVE-2013-4288, bz 1002375).

As part of the investigation of this issue it was found that an issue also occurs in libvirt, specifically in how it invokes polkit. There are two ways for polkit to be invoked: one is via the API, which supports passing a UID to the secure function polkit_unix_process_new_for_owner(); the second is via the command line (pkcheck), which does not support passing a UID to the function polkit_unix_process_new_full(). libvirt used the insecure way to invoke polkit, resulting in a privilege escalation vulnerability.

Comment 1 Daniel Berrangé 2013-09-10 10:07:26 UTC
Created attachment 795917 [details]
Fix for git master 1/3

Comment 2 Daniel Berrangé 2013-09-10 10:07:52 UTC
Created attachment 795918 [details]
Fix for git master 2/3

Comment 3 Daniel Berrangé 2013-09-10 10:08:24 UTC
Created attachment 795919 [details]
Fix for git master 3/3

Comment 4 Daniel Berrangé 2013-09-10 10:08:57 UTC
Created attachment 795920 [details]
Fix for rhel-6 0.10.2 branch 1/2

Comment 5 Daniel Berrangé 2013-09-10 10:09:22 UTC
Created attachment 795921 [details]
Fix for rhel-6 0.10.2 branch 2/2

Comment 8 Vincent Danen 2013-09-18 15:11:26 UTC
This is now public:

http://www.openwall.com/lists/oss-security/2013/09/18/4

Comment 9 Daniel Berrangé 2013-09-18 15:19:38 UTC
The relevant upstream GIT master commits are

commit 922b7fda77b094dbf022d625238262ea05335666
Author: Daniel P. Berrange <berrange>
Date:   Wed Aug 28 15:25:40 2013 +0100

    Add support for using 3-arg pkcheck syntax for process (CVE-2013-4311)
    
    With the existing pkcheck (pid, start time) tuple for identifying
    the process, there is a race condition, where a process can make
    a libvirt RPC call and in another thread exec a setuid application,
    causing it to change to effective UID 0. This in turn causes polkit
    to do its permission check based on the wrong UID.
    
    To address this, libvirt must get the UID the caller had at time
    of connect() (from SO_PEERCRED) and pass a (pid, start time, uid)
    triple to the pkcheck program.
    
    This fix requires that libvirt is re-built against a version of
    polkit that has the fix for its CVE-2013-4288, so that libvirt
    can see 'pkg-config --variable pkcheck_supports_uid polkit-gobject-1'
    
    Signed-off-by: Colin Walters <walters>
    Signed-off-by: Daniel P. Berrange <berrange>

commit e65667c0c6e016d42abea077e31628ae43f57b74
Author: Daniel P. Berrange <berrange>
Date:   Wed Aug 28 15:22:05 2013 +0100

    Ensure system identity includes process start time
    
    The polkit access driver will want to use the process start
    time field. This was already set for network identities, but
    not for the system identity.
    
    Signed-off-by: Daniel P. Berrange <berrange>

commit db7a5688c05f3fd60d9d2b74c72427eb9ee9c176
Author: Daniel P. Berrange <berrange>
Date:   Thu Aug 22 16:00:01 2013 +0100

    Also store user & group ID values in virIdentity
    
    Future improvements to the polkit code will require access to
    the numeric user ID, not merely user name.
    
    Signed-off-by: Daniel P. Berrange <berrange>
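Added example, not libvirt's own code: it shows the defensive pattern the first commit above describes, taking the caller's UID from the kernel's SO_PEERCRED record (fixed at connect() time, so a later setuid exec in another thread cannot change it) and pairing it with the pid and /proc start time into the 3-arg "pid,start-time,uid" descriptor that the patched pkcheck accepts. The socket fd, output buffer and function names are assumptions for illustration; it assumes Linux with /proc mounted.

```c
#define _GNU_SOURCE           /* struct ucred */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Start time of a process in clock ticks since boot: field 22 of
 * /proc/<pid>/stat. Combined with the pid it defends against pid reuse.
 * Returns 0 on failure. */
unsigned long long proc_start_time(pid_t pid) {
    char path[64], buf[4096];
    snprintf(path, sizeof path, "/proc/%d/stat", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    /* The comm field may contain spaces, so skip past the last ')' first. */
    char *p = strrchr(buf, ')');
    if (!p || p[1] != ' ') return 0;
    p += 2;                       /* now at field 3 (state) */
    for (int field = 3; field < 22 && p; field++) {
        p = strchr(p, ' ');
        if (p) p++;
    }
    return p ? strtoull(p, NULL, 10) : 0;
}

/* Credentials the kernel recorded for the peer when it connected. */
int peer_credentials(int fd, struct ucred *out) {
    socklen_t len = sizeof *out;
    return getsockopt(fd, SOL_SOCKET, SO_PEERCRED, out, &len);
}

/* Build the 3-arg pkcheck --process descriptor "pid,start-time,uid".
 * The uid comes from SO_PEERCRED, not from a racy later lookup. */
int format_pkcheck_process(int fd, char *out, size_t outlen) {
    struct ucred cred;
    if (peer_credentials(fd, &cred) < 0) return -1;
    unsigned long long start = proc_start_time(cred.pid);
    if (start == 0) return -1;
    int n = snprintf(out, outlen, "%d,%llu,%u",
                     (int)cred.pid, start, (unsigned)cred.uid);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}
```

The resulting string is what a caller would pass as `pkcheck --process <descriptor> --action-id <id>`; with a pre-fix pkcheck that only accepts the 2-arg form, the UID would be looked up later and the check should be considered unsafe.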

Comment 10 Vincent Danen 2013-09-18 15:25:21 UTC
Created libvirt tracking bugs for this issue:

Affects: fedora-all [bug 1009539]

Comment 11 errata-xmlrpc 2013-09-19 18:08:47 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1272 https://rhn.redhat.com/errata/RHSA-2013-1272.html

Comment 12 Fedora Update System 2013-10-01 02:14:20 UTC
libvirt-0.10.2.8-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2013-10-02 06:40:25 UTC
libvirt-1.0.5.6-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2013-10-12 04:33:33 UTC
libvirt-1.1.3-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

