Bug 1541444 (CVE-2018-6764) - CVE-2018-6764 libvirt: guest could inject executable code via libnss_dns.so loaded by libvirt_lxc before init
Summary: CVE-2018-6764 libvirt: guest could inject executable code via libnss_dns.so l...
Alias: CVE-2018-6764
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1542814 1542815 1542816 1589061
Blocks: 1541446
TreeView+ depends on / blocked
Reported: 2018-02-02 15:13 UTC by Pedro Sampaio
Modified: 2019-09-29 14:31 UTC (History)
23 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-06-08 03:39:05 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:3113 0 None None None 2018-10-30 07:42:42 UTC

Description Pedro Sampaio 2018-02-02 15:13:11 UTC
libvirt_lxc resolves a host name after the guest filesystem is mounted but before the init from it is executed. That in turn causes glibc to load libnss_dns.so and it ends up being loaded from the guest tree, making it possible for the guest to inject executable code before the host filesystem is umounted and file handles closed. That has potential security implications.

Comment 1 Prasad J Pandit 2018-02-07 04:32:17 UTC
Created libvirt tracking bugs for this issue:

Affects: fedora-all [bug 1542815]

Created mingw-libvirt tracking bugs for this issue:

Affects: fedora-all [bug 1542814]

Comment 3 Daniel Berrangé 2018-02-08 16:05:18 UTC
Upsptream fix is in git as:

commit 759b4d1b0fe5f4d84d98b99153dfa7ac289dd167
Author: Lubomir Rintel <lkundrak>
Date:   Sat Jan 27 23:43:58 2018 +0100

    virlog: determine the hostname on startup CVE-2018-6764
    At later point it might not be possible or even safe to use getaddrinfo(). It
    can in turn result in a load of NSS module.
    Notably, on a LXC container startup we may find ourselves with the guest
    filesystem already having replaced the host one. Loading a NSS module
    from the guest tree would allow a malicous guest to escape the
    confinement of its container environment because libvirt will not yet
    have locked it down.

Comment 4 Fedora Update System 2018-03-01 16:23:41 UTC
libvirt-3.7.0-4.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 errata-xmlrpc 2018-10-30 07:42:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3113 https://access.redhat.com/errata/RHSA-2018:3113

Note You need to log in before you can comment on or make changes to this bug.