It was discovered that the Access Control List (ACL) implemented by the qemu-bridge-helper program could be bypassed in particular cases when a bridge interface name is IFNAMSIZ-1 characters long, i.e. 15 characters. If the ACL specified in the /etc/qemu-kvm/bridge.conf file denies access to a bridge interface whose name is IFNAMSIZ-1 characters long but allows all other interfaces, a local attacker can use qemu-bridge-helper to create a tap device and attach it to the denied bridge interface, thus bypassing the ACL. This could be used by the attacker to gain access to confidential data transmitted on the bridge.

Upstream patch:
---------------
-> https://lists.gnu.org/archive/html/qemu-devel/2019-07/msg00245.html

Reference:
----------
-> https://www.openwall.com/lists/oss-security/2019/07/02/2
Acknowledgments: Name: Riccardo Schirone (Red Hat)
Statement: Red Hat Virtualization Hypervisor is not affected by this vulnerability, as its bridge configuration can not take the required form.
Mitigation: This flaw can only be exploited if `/etc/qemu*/bridge.conf` contains a line containing `allow all` or at least one line with a bridge name of at least 15 characters.
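The following is an added audit script, not code from the QEMU project or from this bug entry. It reads a bridge.conf in the helper's `allow`/`deny` line syntax, flags the two conditions the mitigation note names, and models the ACL walk with and without an interface-name length check so the effect of the 15-character boundary is visible. Assumptions: IFNAMSIZ is 16 as on Linux, the kernel acts on the first IFNAMSIZ-1 characters of a requested name, and the fixed helper rejects names of IFNAMSIZ characters or more before consulting the ACL; the sample configuration is constructed.

```python
"""Audit qemu-bridge-helper bridge.conf files for the conditions named in the
mitigation note (an 'allow all' line, or a bridge name of >= 15 characters).

Added example, not QEMU project code. Assumptions: Linux IFNAMSIZ == 16, the
kernel truncates ifr_name to IFNAMSIZ-1 characters, and the fixed helper
refuses names of IFNAMSIZ or more characters before the ACL walk.
"""
import glob

IFNAMSIZ = 16            # Linux: struct ifreq.ifr_name is char[16] (assumption)
MAX_NAME = IFNAMSIZ - 1  # 15 usable characters

# Constructed sample matching the scenario in the bug: one 15-character
# bridge is denied, everything else is allowed.
SAMPLE_CONF = """\
# deny the sensitive bridge (name is exactly 15 characters), allow the rest
deny internal-dmz-br
allow all
"""


def parse_rules(text):
    """Return [(cmd, arg), ...]; comments and blank lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or parts[0] not in ("allow", "deny", "include"):
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        rules.append((parts[0], parts[1]))
    return rules


def audit(rules):
    """Flag the conditions under which the mitigation note says the flaw is exploitable."""
    findings = []
    for cmd, arg in rules:
        if cmd == "include":
            findings.append(f"'include {arg}': audit that file as well")
        elif cmd == "allow" and arg == "all":
            findings.append("'allow all' present: any bridge not explicitly denied is reachable")
        elif arg != "all" and len(arg) >= MAX_NAME:
            findings.append(f"'{cmd} {arg}': name has {len(arg)} characters (>= {MAX_NAME})")
    return findings


def audit_files(pattern="/etc/qemu*/bridge.conf"):
    """Audit every bridge.conf matching the glob; returns {path: findings}."""
    report = {}
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8") as fh:
            report[path] = audit(parse_rules(fh.read()))
    return report


def effective_name(requested):
    """The interface name the kernel actually acts on after ifr_name truncation."""
    return requested[:MAX_NAME]


def acl_allows(rules, requested, check_length):
    """Model the helper's ACL walk: the last-wins booleans mirror the helper's
    'access allowed' / 'access denied' flags, and a deny always wins.
    check_length=False compares the untruncated name (pre-fix behaviour);
    check_length=True rejects over-long names first, as the upstream fix does
    (assumption about the fix's exact bound)."""
    if check_length and len(requested) >= IFNAMSIZ:
        return False
    allowed = denied = False
    for cmd, arg in rules:
        if arg == "all" or arg == requested:
            if cmd == "allow":
                allowed = True
            elif cmd == "deny":
                denied = True
    return allowed and not denied


def name_collides_with_denied(rules, requested):
    """True when a name longer than MAX_NAME would, after truncation, be a
    bridge the ACL explicitly denies; this is the condition an auditor
    wants a fixed helper to refuse."""
    denied = {arg for cmd, arg in rules if cmd == "deny" and arg != "all"}
    return len(requested) > MAX_NAME and effective_name(requested) in denied


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CONF)
    for finding in audit(rules):
        print("finding:", finding)
    over_long = "internal-dmz-brX"          # 16 characters, truncates to the denied name
    print("unfixed ACL admits over-long name:", acl_allows(rules, over_long, False))
    print("fixed ACL admits over-long name:  ", acl_allows(rules, over_long, True))
    print("truncated name is a denied bridge:", name_collides_with_denied(rules, over_long))
```

Run with no arguments to see the constructed scenario; call `audit_files()` on a host to check the real `/etc/qemu*/bridge.conf` files. A clean report (no `allow all`, no names of 15 or more characters, every `include` followed) means the mitigation note's precondition is not met.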
Created qemu tracking bugs for this issue: Affects: fedora-all [bug 1726407]
*** Bug 1729958 has been marked as a duplicate of this bug. ***