Bug 1848640 (CVE-2020-14301) - CVE-2020-14301 libvirt: leak of sensitive cookie information via dumpxml
Summary: CVE-2020-14301 libvirt: leak of sensitive cookie information via dumpxml
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-14301
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1824368 1849672 1849694
Blocks: 1848037
TreeView+ depends on / blocked
 
Reported: 2020-06-18 16:30 UTC by Mauro Matteo Cascella
Modified: 2020-11-04 02:52 UTC (History)
18 users (show)

Fixed In Version: libvirt 6.3.0
Doc Type: If docs needed, set a value
Doc Text:
An information disclosure vulnerability was found in libvirt. HTTP cookies used to access network-based disks were saved in the XML dump of the guest domain. This flaw allows an attacker to access potentially sensitive information in the domain configuration via the `dumpxml` command.
Clone Of:
Environment:
Last Closed: 2020-11-04 02:26:07 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4676 None None None 2020-11-04 02:52:56 UTC

Description Mauro Matteo Cascella 2020-06-18 16:30:25 UTC
Starting with version 6.2.0, libvirt makes it possible to pass one or more cookies to access disk images via http/https network protocols:

<disk type="network" device="cdrom">
  <source protocol="https" name="/path/to/image.iso">
  <cookies>
    <cookie name="cookie_name">"cookie_value"</cookie>
  </cookies>
</disk>

The 'cookie' element is included in the XML dump of the guest domain, resulting in a possible information disclosure. An attacker could abuse this flaw to leak the cookie's value via the virsh dumpxml command. Since cookies typically contain sensitive information, they should only be included in the XML dump when using the --security-info attribute.

Upstream fix:
https://github.com/libvirt/libvirt/commit/a5b064bf4b17a9884d7d361733737fb614ad8979
https://github.com/libvirt/libvirt/commit/524de6cc35d3b222f0e940bb0fd027f5482572c5

Comment 1 Mauro Matteo Cascella 2020-06-18 16:30:34 UTC
Acknowledgments:

Name: Han Han (Red Hat)

Comment 2 Mauro Matteo Cascella 2020-06-19 10:34:23 UTC
Statement:

Support for cookies for HTTP based disks was introduced in `libvirt` upstream version 6.2.0. Red Hat Enterprise Linux 5, 6, 7 and 8 are not affected by this issue, as they ship older versions of the `libvirt` package. Red Hat Enterprise Linux Advanced Virtualization 8 is the only affected product.

Comment 7 Product Security DevOps Team 2020-11-04 02:26:07 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-14301

Comment 8 errata-xmlrpc 2020-11-04 02:52:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4676 https://access.redhat.com/errata/RHSA-2020:4676


Note You need to log in before you can comment on or make changes to this bug.