1848640 – (CVE-2020-14301) CVE-2020-14301 libvirt: leak of sensitive cookie information via dumpxml

Bug 1848640 (CVE-2020-14301) - CVE-2020-14301 libvirt: leak of sensitive cookie information via dumpxml

Summary: CVE-2020-14301 libvirt: leak of sensitive cookie information via dumpxml

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-14301
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	Red Hat1824368 Engineering1849672 Engineering1849694
Blocks:	Embargoed1848037
TreeView+	depends on / blocked

Reported:	2020-06-18 16:30 UTC by Mauro Matteo Cascella
Modified:	2021-06-17 10:45 UTC (History)
CC List:	18 users (show)
Fixed In Version:	libvirt 6.3.0
Doc Type:	If docs needed, set a value
Doc Text:	An information disclosure vulnerability was found in libvirt. HTTP cookies used to access network-based disks were saved in the XML dump of the guest domain. This flaw could allow a malicious user with a read-only connection to access potentially sensitive information in the domain configuration via the `dumpxml` command.
Clone Of:
Environment:
Last Closed:	2020-11-04 02:26:07 UTC

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2020:4676	0	None	None	None	2020-11-04 02:52:56 UTC

Description Mauro Matteo Cascella 2020-06-18 16:30:25 UTC

Starting with version 6.2.0, libvirt makes it possible to pass one or more cookies to access disk images via http/https network protocols:

<disk type="network" device="cdrom">
  <source protocol="https" name="/path/to/image.iso">
  <cookies>
    <cookie name="cookie_name">"cookie_value"</cookie>
  </cookies>
</disk>

The 'cookie' element is included in the XML dump of the guest domain, resulting in a possible information disclosure. An attacker could abuse this flaw to leak the cookie's value via the virsh dumpxml command. Since cookies typically contain sensitive information, they should only be included in the XML dump when using the --security-info attribute.

Upstream fix:
https://github.com/libvirt/libvirt/commit/a5b064bf4b17a9884d7d361733737fb614ad8979
https://github.com/libvirt/libvirt/commit/524de6cc35d3b222f0e940bb0fd027f5482572c5

Comment 1 Mauro Matteo Cascella 2020-06-18 16:30:34 UTC

Acknowledgments:

Name: Han Han (Red Hat)

Comment 2 Mauro Matteo Cascella 2020-06-19 10:34:23 UTC

Statement:

Support for cookies for HTTP based disks was introduced in `libvirt` upstream version 6.2.0. Red Hat Enterprise Linux 5, 6, 7 and 8 are not affected by this issue, as they ship older versions of the `libvirt` package. Red Hat Enterprise Linux Advanced Virtualization 8 is the only affected product.

Comment 7 Product Security DevOps Team 2020-11-04 02:26:07 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-14301

Comment 8 errata-xmlrpc 2020-11-04 02:52:52 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4676 https://access.redhat.com/errata/RHSA-2020:4676

Note You need to log in before you can comment on or make changes to this bug.