Bug 1677108 (CVE-2019-3831) - CVE-2019-3831 vdsm: privilege escalation to root via systemd_run
Summary: CVE-2019-3831 vdsm: privilege escalation to root via systemd_run
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-3831
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1677109 1678090 1677458 1678629
Blocks: 1677100
TreeView+ depends on / blocked
 
Reported: 2019-02-14 04:05 UTC by Doran Moppert
Modified: 2019-09-29 15:07 UTC (History)
26 users (show)

Fixed In Version: vdsm 4.30.9
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was discovered in vdsm, version 4.19 through 4.30.3 and 4.30.5 through 4.30.8. The systemd_run function exposed to the vdsm system user could be abused to execute arbitrary commands as root.
Clone Of:
Environment:
Last Closed: 2019-06-10 10:47:56 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:0457 None None None 2019-03-05 11:09:24 UTC
Red Hat Product Errata RHSA-2019:0458 None None None 2019-03-05 11:09:31 UTC

Description Doran Moppert 2019-02-14 04:05:51 UTC
vdsm v4.19 through v4.30.3 and v4.30.5 through v4.30.8 exposed a systemd_run() function to the vdsm system user, which could be abused to run arbitrary commands as root. This breaks the defense-in-depth of having a non-root vdsm system account. While not exploitable by attackers under normal circumstances, this flaw could lead to a compromise of services running under the vdsm account being escalated to a full root compromise.

Upstream fix:

https://gerrit.ovirt.org/#/c/97659/

Originally introduced by:

commit e56541ccb372e106eeb4fc3f7afc575f8dd32de2
Author: Francesco Romani <fromani@redhat.com>
Date:   Fri Apr 22 10:15:54 2016 +0200

    supervdsm: expose systemd utilities                             

Removed by:

commit f85f0527f1421618714e89eee03ee2f0400a65ae
Author: Francesco Romani <fromani@redhat.com>
Date:   Thu Nov 22 13:44:25 2018 +0100

    supervdsm: systemd: remove support

Re-introduced by:

commit daf5b3c3aaa3796b8f9be22fe2059f6f6152a3ce
Author: Nir Soffer <nsoffer@redhat.com>
Date:   Sun Dec 9 16:53:28 2018 +0200

    supervdsm: Add back systemd support

Comment 1 Doran Moppert 2019-02-14 04:06:05 UTC
Created vdsm tracking bugs for this issue:

Affects: fedora-all [bug 1677109]

Comment 5 Nir Soffer 2019-02-16 21:54:00 UTC
(In reply to Doran Moppert from comment #0)

Removed again by:

commit f6de9ce61380bbad5c98e7f2e8b26b9de74cf9b5
Author: Nir Soffer <nsoffer@redhat.com>
Date:   Fri Feb 8 17:53:00 2019 +0200

    systemd: Remove systemd_run() supervdsm service

Comment 6 Nir Soffer 2019-02-16 21:57:08 UTC
For 4.2, we have this fix:
https://gerrit.ovirt.org/c/97737/

Comment 8 errata-xmlrpc 2019-03-05 11:09:22 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2019:0457 https://access.redhat.com/errata/RHSA-2019:0457

Comment 9 errata-xmlrpc 2019-03-05 11:09:30 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2019:0458 https://access.redhat.com/errata/RHSA-2019:0458


Note You need to log in before you can comment on or make changes to this bug.