It was discovered that libvirt is accidentally leaking a file descriptor for /dev/mapper/control into the QEMU process. This file descriptor allows for privileged operations to be made against device mapper on the host. Thus a malicious QEMU has the potential to do serious damage to the host OS. Upstream fix: https://libvirt.org/git/?p=libvirt.git;a=commit;h=22494556542c676d1b9e7f1c1f2ea13ac17e1e3e
Acknowledgments: Name: Daniel Berrange (Red Hat)
Statement: This flaw was introduced in `libvirt` version 6.2.0. Red Hat Enterprise Linux 5, 6, 7, and 8 are not affected by this issue as they shipped an older version of the `libvirt` package which did not include the vulnerable code. This issue affects versions of the `libvirt` package as shipped with Red Hat Enterprise Linux Advanced Virtualization 8. Future `libvirt` package updates for Red Hat Enterprise Linux Advanced Virtualization 8 may address this issue.
Mitigation: This issue is mitigated on Red Hat Enterprise Linux if SELinux is in enforcing mode, which prevents the `/dev/mapper/control` file descriptor from being accessible by a guest user/process.
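A host-side check for the leak described above, as an added example that is not part of the original report or of libvirt: it walks a Linux `/proc` tree and reports QEMU processes holding a descriptor open on `/dev/mapper/control`. Identifying QEMU by a `comm` value starting with `qemu` is an assumption, and the sample tree (PIDs, fd numbers, process names) is constructed.

```python
import os
import tempfile

DM_CONTROL = "/dev/mapper/control"

def leaked_dm_control_fds(proc_root="/proc", comm_prefix="qemu"):
    """Return sorted (pid, comm, fd) for each matching process holding DM_CONTROL open."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(pid_dir, "comm")) as f:
                comm = f.read().strip()
            if not comm.startswith(comm_prefix):  # assumption: QEMU binaries are named qemu*
                continue
            fd_dir = os.path.join(pid_dir, "fd")
            for fd in os.listdir(fd_dir):
                # Each fd entry is a symlink to the path the descriptor refers to.
                if os.readlink(os.path.join(fd_dir, fd)) == DM_CONTROL:
                    hits.append((int(entry), comm, int(fd)))
        except OSError:
            continue  # process exited mid-scan, or not readable without root
    return sorted(hits)

def build_sample_proc(root):
    """Constructed sample data: a fake /proc tree with one leaking and one clean guest."""
    sample = {
        "4242": ("qemu-kvm", {"0": "/dev/null", "27": DM_CONTROL}),
        "4300": ("qemu-kvm", {"0": "/dev/null", "9": "/dev/kvm"}),
        "811": ("multipathd", {"5": DM_CONTROL}),  # host-side device-mapper user, not a guest
    }
    for pid, (comm, fds) in sample.items():
        os.makedirs(os.path.join(root, pid, "fd"))
        with open(os.path.join(root, pid, "comm"), "w") as f:
            f.write(comm + "\n")
        for fd, target in fds.items():
            os.symlink(target, os.path.join(root, pid, "fd", fd))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_proc(tmp)
        print("sample tree:", leaked_dm_control_fds(tmp))
    if os.path.isdir("/proc"):
        print("live host:", leaked_dm_control_fds())
```

Run it as root on the virtualization host so that the `fd` directories of QEMU processes owned by other users are readable; an empty list for the live host means no running guest currently holds the descriptor.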
This issue has been addressed in the following products: Advanced Virtualization for RHEL 8.2.1 Via RHSA-2020:3586 https://access.redhat.com/errata/RHSA-2020:3586
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-14339
Created mingw-libvirt tracking bugs for this issue: Affects: fedora-all [bug 1881035]
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4676 https://access.redhat.com/errata/RHSA-2020:4676