Bug 1977726 (CVE-2021-3631) - CVE-2021-3631 libvirt: Insecure sVirt label generation
Summary: CVE-2021-3631 libvirt: Insecure sVirt label generation
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3631
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1977760 1977774 1977775 1977776 1977777 1977778 1993309
Blocks: 1977735 1977727
TreeView+ depends on / blocked
 
Reported: 2021-06-30 11:12 UTC by Mauro Matteo Cascella
Modified: 2022-04-17 21:28 UTC (History)
16 users (show)

Fixed In Version: libvirt 7.5.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in libvirt while it generates SELinux MCS category pairs for VMs' dynamic labels. This flaw allows one exploited guest to access files labeled for another guest, resulting in the breaking out of sVirt confinement. The highest threat from this vulnerability is to confidentiality and integrity.
Clone Of:
Environment:
Last Closed: 2021-09-30 18:21:06 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:3703 0 None None None 2021-09-30 16:54:06 UTC
Red Hat Product Errata RHSA-2021:3704 0 None None None 2021-09-30 19:01:50 UTC
Red Hat Product Errata RHSA-2021:4191 0 None None None 2021-11-09 17:40:11 UTC

Description Mauro Matteo Cascella 2021-06-30 11:12:41 UTC
A flaw was found in libvirt while it generates SELinux MCS category pairs for VMs' dynamic labels. This flaw may allow one exploited guest to access files labelled for another guest, thus breaking out of sVirt confinement.

Upstream issue:
https://gitlab.com/libvirt/libvirt/-/issues/153

Comment 2 Mauro Matteo Cascella 2021-06-30 12:42:36 UTC
Created libvirt tracking bugs for this issue:

Affects: fedora-all [bug 1977760]

Comment 3 Mauro Matteo Cascella 2021-06-30 13:14:01 UTC
As noted by Daniel P. Berrangé, the impact of this flaw is minor because:

1) the probability of generating a label with the same MCS category is rather small (0.2%).
2) there needs to be another guest on the same host with a category pair, one of whose categories matches the vulnerable guest configuration.
3) the attacker needs to escape from the guest with some exploit in QEMU first.

Under these circumstances this flaw will make it possible for the exploited guest to break out of sVirt confinement and impact another guest. Note that this flaw does *not* allow the exploited guest to impact the host system.

Comment 5 Mauro Matteo Cascella 2021-07-01 08:42:08 UTC
Upstream fix:
https://gitlab.com/libvirt/libvirt/-/commit/15073504dbb624d3f6c911e85557019d3620fdb2

Comment 8 errata-xmlrpc 2021-09-30 16:54:04 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.4.0.Z

Via RHSA-2021:3703 https://access.redhat.com/errata/RHSA-2021:3703

Comment 9 Product Security DevOps Team 2021-09-30 18:21:06 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3631

Comment 10 errata-xmlrpc 2021-09-30 19:01:48 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.2.1

Via RHSA-2021:3704 https://access.redhat.com/errata/RHSA-2021:3704

Comment 11 errata-xmlrpc 2021-11-09 17:40:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4191 https://access.redhat.com/errata/RHSA-2021:4191


Note You need to log in before you can comment on or make changes to this bug.