Bug 1172176 (CVE-2014-8119) - CVE-2014-8119 netcf: augeas path expression injection via interface name
Summary: CVE-2014-8119 netcf: augeas path expression injection via interface name
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-8119
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1165965 1165966 1186316 1186318 1207396 1207397
Blocks: 1172181 1210268
Reported: 2014-12-09 14:22 UTC by Martin Prpič
Modified: 2019-09-29 13:25 UTC (History)

Fixed In Version: netcf 0.2.7
Doc Type: Bug Fix
Doc Text:
A denial of service flaw was found in netcf. A specially crafted interface name could cause an application using netcf (such as the libvirt daemon) to crash.
Clone Of:
Environment:
Last Closed: 2015-11-20 05:25:45 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:2248 normal SHIPPED_LIVE Moderate: netcf security, bug fix, and enhancement update 2015-11-19 09:11:05 UTC

Description Martin Prpič 2014-12-09 14:22:21 UTC
A flaw was found in the way netcf's find_ifcfg_path() function processed certain XPath expressions. An attacker able to supply a specially crafted XML file to an application using netcf could cause that application to crash.

Acknowledgements:

This issue was discovered by Hao Liu of Red Hat.

Comment 2 Tomas Hoger 2014-12-10 14:36:35 UTC
augeas-devel mailing list thread, discussing lack of ways to safely include untrusted user-supplied input in path strings used in augeas queries:

https://www.redhat.com/archives/augeas-devel/2014-December/msg00000.html

Comment 3 Tomas Hoger 2015-03-30 19:49:11 UTC
Augeas upstream issue that tracks changes required to completely fix this netcf issue:

https://github.com/hercules-team/augeas/pull/198

The changes are:

- Addition of a new API, aug_escape_name(), which can be used to escape untrusted inputs before using them as part of path expressions passed to APIs such as aug_match() or aug_get().

- aug_match() is changed to return properly escaped output that can be safely passed back to aug_get().

Comment 4 Tomas Hoger 2015-03-30 20:20:31 UTC
netcf uses the Augeas library to read network configuration files.  It constructs paths to configuration files based on the supplied interface name, and uses those paths as arguments for Augeas' aug_match()/aug_get() calls.

However, these Augeas APIs do not treat the supplied paths as static; they evaluate them as "path expressions", an XPath-like syntax documented here:

https://github.com/hercules-team/augeas/wiki/Path-expressions

Augeas does not provide any way to force handling them as static paths rather than evaluating them as path expressions.  Before the changes mentioned above, it also did not provide any mechanisms to escape user-supplied inputs before adding them to path expressions.

An interface name containing an Augeas path expression makes the Augeas API call return a value netcf does not expect, leading to a NULL pointer dereference and application crash.  As netcf is used by libvirt, this flaw can allow an attacker able to establish a read-only connection to the libvirt daemon (in the default configuration, any local user) to cause it to crash.

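Added example (not code from the bug report, netcf or Augeas): the defensive pattern the comment above points at, an allow-list check on the interface name before it is interpolated into an Augeas path expression, so that a name carrying path-expression syntax is rejected instead of reaching aug_match()/aug_get(). The function names, the IFNAMSIZ-based length limit and the ifcfg path string are assumptions for illustration.

```c
/* Added example, not netcf's own code: validate an interface name before
 * building an Augeas path expression from it. Names and paths are assumed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define IFNAME_MAX 15   /* Linux IFNAMSIZ (16) minus the NUL terminator */

/* Return 1 if NAME looks like a Linux interface name: non-empty, at most
 * IFNAME_MAX bytes, and built only from alphanumerics and "-_.:".  Every
 * character that is special in Augeas path expressions ('/', '[', ']',
 * '*', '=', '|', quotes, ...) is therefore rejected. */
int ifname_is_safe(const char *name) {
    size_t len = strlen(name);
    if (len == 0 || len > IFNAME_MAX)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char) name[i];
        if (!(isalnum(c) || c == '-' || c == '_' || c == '.' || c == ':'))
            return 0;
    }
    return 1;
}

/* Build the path expression used to look up the ifcfg file for NAME.
 * Returns the number of bytes written, or -1 if NAME fails validation or
 * OUT is too small; the caller must not query Augeas on -1. */
int build_ifcfg_pathx(const char *name, char *out, size_t outlen) {
    if (!ifname_is_safe(name))
        return -1;
    /* Assumed ifcfg location; netcf's real expression may differ. */
    int n = snprintf(out, outlen,
                     "/files/etc/sysconfig/network-scripts/*[DEVICE = '%s']",
                     name);
    if (n < 0 || (size_t) n >= outlen)
        return -1;
    return n;
}

int main(void) {
    char buf[256];
    /* Constructed inputs: a normal name, one carrying path-expression
     * syntax that would change the query, and an empty name. */
    const char *inputs[] = { "eth0", "eth0'] | *[DEVICE = 'lo", "" };
    for (size_t i = 0; i < 3; i++) {
        int n = build_ifcfg_pathx(inputs[i], buf, sizeof buf);
        printf("%-28s -> %s\n", inputs[i], n < 0 ? "rejected" : buf);
    }
    return 0;
}
```

Where Augeas 1.4 or later is available, aug_escape_name() can be applied to the validated name as a second layer; the allow-list remains useful because it also keeps the lookup from returning multiple or unexpected nodes that the caller would then dereference.
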
Comment 5 Tomas Hoger 2015-03-30 20:22:43 UTC
Lifting embargo.

Comment 6 Tomas Hoger 2015-03-30 20:23:30 UTC
Created netcf tracking bugs for this issue:

Affects: fedora-all [bug 1207396]
Affects: epel-5 [bug 1207397]

Comment 9 Fedora Update System 2015-04-29 13:04:07 UTC
netcf-0.2.8-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2015-05-10 23:38:51 UTC
netcf-0.2.8-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2015-05-11 00:08:33 UTC
netcf-0.2.8-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Huzaifa S. Sidhpurwala 2015-07-27 04:57:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHBA-2015:1307 https://rhn.redhat.com/errata/RHBA-2015-1307.html

Comment 13 Huzaifa S. Sidhpurwala 2015-07-27 04:58:26 UTC
Statement:

(none)

Comment 14 errata-xmlrpc 2015-11-19 08:58:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2248 https://rhn.redhat.com/errata/RHSA-2015-2248.html
