The upstream qemu guest agent creates files with insecure permissions when started in daemon mode, which could potentially lead local privilege escalation. The Red Hat Enterprise Linux 6 qemu-ga, when started in daemon mode, creates logfiles in /var/log/ world writable allowing any one on the system to wipe the contents of the log file or to store data within the log file. An unprivileged guest user could use this flaw to consume all free space on the partition with qemu-ga log file, or modify the contents of the log. When a UNIX domain socket transport were explicitly configured to be used (non-default), an unprivileged guest user could potentially use this flaw to escalate their privileges in the guest. Acknowledgements: This issue was discovered by Laszlo Ersek of Red Hat.
Statement: This issue does not affect the kvm package as shipped with Red Hat Enterprise Linux 5. This issue does not affect the xen package as shipped with Red Hat Enterprise Linux 5. This issue does affect the qemu-kvm package as shipped with Red Hat Enterprise Linux 6. Future qemu-kvm updates in Red Hat Enterprise Linux 6 may address this flaw. Please note that due to differences in upstream and Red Hat Enterprise Linux 6 versions of qemu guest agent this issue has lower security impact on systems running Red Hat Enterprise Linux 6.
Created attachment 739402 [details] [PATCH] qga: set umask 0077 when daemonizing The qemu guest agent creates a bunch of files with insecure permissions when started in daemon mode. For example: -rw-rw-rw- 1 root root /var/log/qemu-ga.log -rw-rw-rw- 1 root root /var/run/qga.state -rw-rw-rw- 1 root root /var/log/qga-fsfreeze-hook.log In addition, at least all files created with the "guest-file-open" QMP command, and all files created with shell output redirection (or otherwise) by utilities invoked by the fsfreeze hook script. For now clear all file mode premissions for "group" and "others". Signed-off-by: Laszlo Ersek <lersek> --- qga/main.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
Upstream commit: http://git.qemu.org/?p=qemu.git;a=commit;h=c689b4f1bac352dcfd6ecb9a1d45337de0f1de67
Created qemu tracking bugs for this issue Affects: fedora-all [bug 969455]
Created xen tracking bugs for this issue Affects: fedora-all [bug 969456]
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2013:0896 https://rhn.redhat.com/errata/RHSA-2013-0896.html
This issue has been addressed in following products: RHEV-H and Agents for RHEL-6 Via RHSA-2013:0791 https://rhn.redhat.com/errata/RHSA-2013-0791.html