Bug 2044863 (CVE-2022-0358) - CVE-2022-0358 QEMU: virtiofsd: potential privilege escalation via CVE-2018-13405
Summary: CVE-2022-0358 QEMU: virtiofsd: potential privilege escalation via CVE-2018-13405
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-0358
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2046198 2046199 2046200 2046201 2046202 2048618 2048619 2048625 2048627
Blocks: 2044869 2044890
 
Reported: 2022-01-25 10:31 UTC by Mauro Matteo Cascella
Modified: 2022-08-09 10:55 UTC (History)

Fixed In Version: qemu 6.2.0-7
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the QEMU virtio-fs shared file system daemon (virtiofsd) implementation. This flaw is strictly related to CVE-2018-13405. A local guest user can create files in the directories shared by virtio-fs with unintended group ownership in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of the group. This could allow a malicious unprivileged user inside the guest to gain access to resources accessible to the root group, potentially escalating their privileges within the guest. A malicious local user in the host might also leverage this unexpected executable file created by the guest to escalate their privileges on the host system.
Clone Of:
Environment:
Last Closed: 2022-03-21 11:01:41 UTC
Embargoed:




Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2022:0759  0        None      None    None     2022-03-07 15:04:27 UTC
Red Hat Product Errata  RHSA-2022:0886  0        None      None    None     2022-03-15 10:04:31 UTC
Red Hat Product Errata  RHSA-2022:0949  0        None      None    None     2022-03-16 14:08:00 UTC
Red Hat Product Errata  RHSA-2022:0971  0        None      None    None     2022-03-21 07:52:10 UTC
Red Hat Product Errata  RHSA-2022:0973  0        None      None    None     2022-03-21 08:04:12 UTC

Description Mauro Matteo Cascella 2022-01-25 10:31:30 UTC
Virtiofs is still vulnerable to CVE-2018-13405 even with upstream host and guest kernels that have fixed this CVE. A local user in the guest can still create files in the directories shared by virtiofs with unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of the group. Here, the non-member can trigger the creation of a plain file whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID.
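
To show why the fix (dropping all supplementary groups at daemon start-up) closes this hole, here is an added example that is not code from QEMU or virtiofsd: a simplified model of the kernel's SGID-stripping rule from the CVE-2018-13405 fix, evaluated with the credentials virtiofsd acts under before and after the fix, plus a parser for the Groups: line of a /proc/<pid>/status dump so an operator can confirm a running daemon no longer carries supplementary groups. Cred, create_in_dir, chmod_file, virtiofsd_cred and proc_status_groups are this example's own names, and the assumption that virtiofsd acts without CAP_FSETID once it has switched credentials is the example's simplification.

```python
"""Added example (not QEMU/virtiofsd code): a simplified model of the kernel
rule from the CVE-2018-13405 fix. A requested SGID bit on a regular file is
kept only if the acting credentials are a member of the file's group (or hold
CAP_FSETID); Cred and the helper names below are this example's own."""
from dataclasses import dataclass
import re
import stat

S_ISGID, S_IXGRP = stat.S_ISGID, stat.S_IXGRP

@dataclass(frozen=True)
class Cred:
    fsuid: int
    fsgid: int
    supplementary: frozenset = frozenset()
    cap_fsetid: bool = False  # assumption: dropped once creds are switched

    def in_group(self, gid: int) -> bool:
        return gid == self.fsgid or gid in self.supplementary

def create_in_dir(cred: Cred, dir_mode: int, dir_gid: int, req_mode: int):
    """(mode, gid) the kernel gives a new regular file (inode_init_owner-like)."""
    mode, gid = req_mode, cred.fsgid
    if dir_mode & S_ISGID:
        gid = dir_gid  # SGID directory: the file inherits the directory's group
        if (mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) \
                and not cred.in_group(gid) and not cred.cap_fsetid:
            mode &= ~S_ISGID  # CVE-2018-13405 fix: a non-member gets no SGID
    return mode, gid

def chmod_file(cred: Cred, file_gid: int, req_mode: int) -> int:
    """Mode a chmod() ends up with (setattr_copy-like SGID stripping)."""
    if not cred.in_group(file_gid) and not cred.cap_fsetid:
        req_mode &= ~S_ISGID
    return req_mode

def virtiofsd_cred(guest_uid: int, guest_gid: int, fixed: bool) -> Cred:
    """Credentials virtiofsd acts with for a guest request: fsuid/fsgid are
    switched to the guest's, but before the fix the daemon's own supplementary
    groups (root's, gid 0) were kept; the fix drops them all at start-up."""
    return Cred(guest_uid, guest_gid, frozenset() if fixed else frozenset({0}))

def proc_status_groups(status_text: str) -> list:
    """Supplementary gids from a /proc/<pid>/status dump (constructed in the
    test); an empty list means the daemon has dropped them, as fixed builds do."""
    m = re.search(r"^Groups:[ \t]*(.*)$", status_text, re.MULTILINE)
    return [int(g) for g in m.group(1).split()] if m else []
```

The same guest request (a non-member writing into an SGID root-group directory) keeps the SGID bit only with the pre-fix credentials, which is exactly the membership check the supplementary group was satisfying.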

Comment 2 Mauro Matteo Cascella 2022-01-25 17:03:37 UTC
Acknowledgments:

Red Hat would like to thank Jietao Xiao (shawtao1125), Jinku Li (jkli.cn), Wenbo Shen (shenwenbo.cn), Nanzi Yang (nzyang.edu.cn) for reporting this issue.

Comment 3 Mauro Matteo Cascella 2022-01-26 09:29:34 UTC
Upstream patch:
https://lists.nongnu.org/archive/html/qemu-devel/2022-01/msg05364.html

Comment 4 Dr. David Alan Gilbert 2022-01-26 11:14:53 UTC
Qemu pull sent:
https://lists.gnu.org/archive/html/qemu-devel/2022-01/msg05447.html

Comment 8 Mauro Matteo Cascella 2022-01-26 11:57:19 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 2046202]

Comment 9 Dr. David Alan Gilbert 2022-01-26 15:57:43 UTC
Merged in upstream qemu / virtiofsd C code:
449e8171f96a6a944d1f - virtiofsd: Drop membership of all supplementary groups (CVE-2022-0358)

Comment 11 Dr. David Alan Gilbert 2022-02-02 12:44:20 UTC
I think I've POSTed all the RHEL and c9s bugs now; not done the fedora one - I'll leave that to someone who knows Fedora process.

Comment 13 Mauro Matteo Cascella 2022-02-07 15:13:22 UTC
Upstream commit:
https://gitlab.com/qemu-project/qemu/-/commit/449e8171f96a6a944d1f3b7d3627ae059eae21ca

Comment 15 errata-xmlrpc 2022-03-07 15:04:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0759 https://access.redhat.com/errata/RHSA-2022:0759

Comment 16 errata-xmlrpc 2022-03-15 10:04:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0886 https://access.redhat.com/errata/RHSA-2022:0886

Comment 17 errata-xmlrpc 2022-03-16 14:07:56 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.5.0.Z

Via RHSA-2022:0949 https://access.redhat.com/errata/RHSA-2022:0949

Comment 18 errata-xmlrpc 2022-03-21 07:52:07 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.4.0.EUS

Via RHSA-2022:0971 https://access.redhat.com/errata/RHSA-2022:0971

Comment 19 errata-xmlrpc 2022-03-21 08:04:09 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.2.1

Via RHSA-2022:0973 https://access.redhat.com/errata/RHSA-2022:0973

Comment 20 Product Security DevOps Team 2022-03-21 11:01:37 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-0358

