Bug 1048627 - (CVE-2013-6456) CVE-2013-6456 libvirt: unsafe usage of paths under /proc/$PID/root
CVE-2013-6456 libvirt: unsafe usage of paths under /proc/$PID/root
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20131217,repor...
: Security
Depends On: 1045643 1048628
Blocks: 1048642
  Show dependency treegraph
 
Reported: 2014-01-05 18:25 EST by Murray McAllister
Modified: 2016-04-26 11:50 EDT (History)
17 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-01-21 10:35:46 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Murray McAllister 2014-01-05 18:25:06 EST
Eric Blake from Red Hat notes:

The LXC driver will open paths under /proc/$PID/root for some operations it performs on running guests. For the virDomainShutdown and virDomainReboot APIs it will use this to access the /dev/initctl path in the container. For the virDomainDeviceAttach / virDomainDeviceDettach APIs it will use this to create device nodes in the container's /dev filesystem. If any of the path components under control of the container are symlinks the container can cause the libvirtd daemon to access the incorrect files.

Impact
------

A container can cause the administrator to shutdown or reboot the host OS if /dev/initctl in the container is made to be an absolute symlink back to itself or /run/initctl. A container can cause the host administrator to mknod in an arbitrary host directory when invoking the virDomainDeviceAttach API by replacing '/dev' with an
absolute symlink. A container can cause the host administrator to delete host device when invoking the virDomainDeviceDettach API by replacing '/dev' with an absolute symlink.

Workaround
----------

Do not use the virDomainShutdown or virDomainReboot APIs without also passing the VIR_DOMAIN_SHUTDOWN_SIGNAL or VIR_DOMAIN_REBOOT_SIGNAL flags respectively. These will cause the LXC driver to send a SIGTERM or SIGHUP signal respectively, to the init process instead of using /dev/initct. Do not use the virDomainDeviceAttach or virDomainDeviceDetach APIs at all unless the guest OS is trusted.

This issue affects the versions of libvirt in Fedora 19 and later. Red Hat Enterprise Linux 5 and 6 are not affected.
Comment 1 Murray McAllister 2014-01-05 18:30:12 EST
Created libvirt tracking bugs for this issue:

Affects: fedora-all [bug 1048628]
Comment 2 Fedora Update System 2014-02-28 13:32:23 EST
libvirt-1.1.3.4-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.