Bug 1986094 (CVE-2021-3667) - CVE-2021-3667 libvirt: Improper locking on ACL failure in virStoragePoolLookupByTargetPath API
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3667
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1984318 1986113 1986456 1986457 1986458 1986459 1993310
Blocks: 1986808 1986096
Reported: 2021-07-26 16:31 UTC by Mauro Matteo Cascella
Modified: 2022-04-17 21:31 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An improper locking issue was found in the virStoragePoolLookupByTargetPath API of libvirt. It occurs in the storagePoolLookupByTargetPath function where a locked virStoragePoolObj object is not properly released on ACL permission failure. Clients connecting to the read-write socket with limited ACL permissions could use this flaw to acquire the lock and prevent other users from accessing storage pool/volume APIs, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2021-09-30 18:21:11 UTC




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:3703 0 None None None 2021-09-30 16:54:06 UTC
Red Hat Product Errata RHSA-2021:3704 0 None None None 2021-09-30 19:01:52 UTC
Red Hat Product Errata RHSA-2021:4191 0 None None None 2021-11-09 17:40:12 UTC

Description Mauro Matteo Cascella 2021-07-26 16:31:37 UTC
A flaw was found in the libvirt virStoragePoolLookupByTargetPath API. The storagePoolLookupByTargetPath() function does not properly release a locked object (virStoragePoolObj) on ACL permission failure. Clients connecting to the read-write socket with limited ACL permissions could use this flaw to acquire the lock and prevent other users from accessing storage pool/volume APIs, resulting in a denial of service condition.

Upstream fix:
https://libvirt.org/git/?p=libvirt.git;a=commit;h=447f69dec47e1b0bd15ecd7cd49a9fd3b050fb87
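
Added example, not part of the bug report and not libvirt code: a simplified C model of the locking pattern described above, showing the early return that leaves the object locked beside a version that releases it on every path. All names (pool_obj, find_locked, lookup_leaky, lookup_fixed, after_denial) and the sample path are hypothetical, and the lock is modelled with a C11 atomic_flag so that a lock which would block forever is reported as WOULD_BLOCK.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Simplified model with hypothetical names; not libvirt's structures or code. */
typedef struct { atomic_flag lock; const char *target_path; } pool_obj;
enum { OK = 0, DENIED = -1, NOT_FOUND = -2, WOULD_BLOCK = -3 };

/* Returns the pool LOCKED. A real mutex would block where this model returns WOULD_BLOCK. */
static int find_locked(pool_obj *pools, size_t n, const char *path, pool_obj **out) {
    for (size_t i = 0; i < n; i++) {
        if (strcmp(pools[i].target_path, path) != 0) continue;
        if (atomic_flag_test_and_set(&pools[i].lock)) return WOULD_BLOCK;
        *out = &pools[i];
        return OK;
    }
    return NOT_FOUND;
}

/* Flawed pattern: the ACL-denied early return skips the unlock. */
static int lookup_leaky(pool_obj *pools, size_t n, const char *path, bool acl_ok) {
    pool_obj *obj = NULL;
    int rc = find_locked(pools, n, path, &obj);
    if (rc != OK) return rc;
    if (!acl_ok) return DENIED;          /* lock on obj is never released */
    atomic_flag_clear(&obj->lock);
    return OK;
}

/* Corrected pattern: every path after a successful find releases the lock. */
static int lookup_fixed(pool_obj *pools, size_t n, const char *path, bool acl_ok) {
    pool_obj *obj = NULL;
    int rc = find_locked(pools, n, path, &obj);
    if (rc != OK) return rc;
    rc = acl_ok ? OK : DENIED;
    atomic_flag_clear(&obj->lock);       /* released whether or not the ACL check passed */
    return rc;
}

/* One denied call, then a permitted caller looks up the same pool. */
static int after_denial(int (*lookup)(pool_obj *, size_t, const char *, bool)) {
    pool_obj pool = { ATOMIC_FLAG_INIT, "/example/pool" };  /* constructed sample */
    (void)lookup(&pool, 1, pool.target_path, false);
    return lookup(&pool, 1, pool.target_path, true);
}
int main(void) {
    printf("leaky=%d fixed=%d\n", after_denial(lookup_leaky), after_denial(lookup_fixed));
    return 0;
}
```

In the leaky variant the second, fully permitted caller gets WOULD_BLOCK (-3), which with a blocking mutex is the hang described in the report; the corrected variant returns OK (0).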

Comment 3 Mauro Matteo Cascella 2021-07-26 17:25:08 UTC
Created libvirt tracking bugs for this issue:

Affects: fedora-all [bug 1986113]

Comment 6 Mauro Matteo Cascella 2021-07-27 17:00:29 UTC
This bug was introduced in libvirt-4.1.0 when virStoragePoolLookupByTargetPath was exported as a public API with commit:
https://libvirt.org/git/?p=libvirt.git;a=commit;h=7aa0e8c0cb8a6293d0c6f7e3d29c13b96dec2129

Comment 8 Mauro Matteo Cascella 2021-08-02 09:47:07 UTC
By default no access control checks are done once a client has authenticated with libvirtd. An authenticated user is allowed access to all libvirt API calls. Libvirt provides support for fine grained per-API access control via polkit, by enabling the 'polkit' access control driver.

This issue allows a denial of service on a libvirt socket that has been configured with polkit fine grained access controls. The attack vector is "Network" since libvirt can be optionally enabled for remote access over TCP (together with polkit access control).

Comment 16 errata-xmlrpc 2021-09-30 16:54:03 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.4.0.Z

Via RHSA-2021:3703 https://access.redhat.com/errata/RHSA-2021:3703

Comment 17 Product Security DevOps Team 2021-09-30 18:21:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3667

Comment 18 errata-xmlrpc 2021-09-30 19:01:49 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.2.1

Via RHSA-2021:3704 https://access.redhat.com/errata/RHSA-2021:3704

Comment 19 errata-xmlrpc 2021-11-09 17:40:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4191 https://access.redhat.com/errata/RHSA-2021:4191

