Bug 1706067 (CVE-2019-10132) - CVE-2019-10132 libvirt: wrong permissions in systemd admin-sock due to missing SocketMode parameter
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-10132
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1706666 1706667 1706668 1706669 1706670 1706671 1706672 1706673 1707185 1712497 1712498
Blocks: 1704967
Reported: 2019-05-03 13:16 UTC by Laura Pardo
Modified: 2021-02-16 21:58 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2019-06-10 10:55:02 UTC
Embargoed:


Attachments
admin: reject clients unless their UID matches the current UID (1.90 KB, patch)
2019-05-07 07:07 UTC, Doran Moppert
locking: restrict sockets to mode 0600 (1.18 KB, patch)
2019-05-07 07:07 UTC, Doran Moppert
logging: restrict sockets to mode 0600 (1.17 KB, patch)
2019-05-07 07:08 UTC, Doran Moppert


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2019:1264 | 0 | None | None | None | 2019-05-23 15:57:31 UTC
Red Hat Product Errata | RHSA-2019:1268 | 0 | None | None | None | 2019-05-23 16:09:18 UTC
Red Hat Product Errata | RHSA-2019:1455 | 0 | None | None | None | 2019-06-11 13:35:55 UTC

Description Laura Pardo 2019-05-03 13:16:28 UTC
A vulnerability was found in libvirt >= 4.1.0 in the virtlockd-admin.socket and virtlogd-admin.socket systemd units. A missing SocketMode configuration parameter allows any user on the host to connect using virtlockd-admin-sock or virtlogd-admin-sock and perform administrative tasks against the virtlockd and virtlogd daemons.

Comment 5 Doran Moppert 2019-05-07 07:07:36 UTC
Created attachment 1564991 [details]
admin: reject clients unless their UID matches the current UID

Comment 6 Doran Moppert 2019-05-07 07:07:59 UTC
Created attachment 1564992 [details]
locking: restrict sockets to mode 0600

Comment 7 Doran Moppert 2019-05-07 07:08:23 UTC
Created attachment 1564993 [details]
logging: restrict sockets to mode 0600

Comment 9 Doran Moppert 2019-05-07 07:11:51 UTC
The three patches above, provided by Daniel Berrange, address the issue in multiple layers:  the first adds client verification (as is already performed for libvirt-* sockets), preventing other users from accessing the socket.  The others restrict the mode of these sockets to 0600, reinforcing the protection with filesystem security.
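
Added example (not part of the bug report and not libvirt's own code): a Python check that exercises the two defense layers described above. It parses a constructed virtlockd-admin.socket unit text (the ListenStream path /run/libvirt/virtlockd-admin-sock and the Description line are assumptions, not copied from libvirt's shipped unit) and reports whether SocketMode restricts the socket, treating a missing key as open because systemd defaults it to 0666; it then shows the daemon-side peer-UID check over a local socket pair using Linux SO_PEERCRED. The unit check generalises beyond the two units named in the report to any .socket unit text.

```python
"""Added example (not libvirt's code): checks for the two defenses the fix applies
to the virtlockd/virtlogd admin sockets, i.e. a restrictive SocketMode in the
systemd .socket unit and a peer-UID check on every accepted connection."""
import os
import socket
import struct

# Constructed unit text modelled on a virtlockd-admin.socket unit; the path and
# description are assumptions, not copied from libvirt's shipped file.
WEAK_UNIT = """\
[Unit]
Description=Virtual machine lock manager admin socket

[Socket]
ListenStream=/run/libvirt/virtlockd-admin-sock
Service=virtlockd.service

[Install]
WantedBy=sockets.target
"""

# The same unit with the missing parameter added, as the fix does.
FIXED_UNIT = WEAK_UNIT.replace(
    "Service=virtlockd.service\n",
    "Service=virtlockd.service\nSocketMode=0600\n",
)


def socket_mode_of(unit_text):
    """Return the SocketMode value from the [Socket] section, or None if absent.

    A small hand-written parser is used because systemd units allow repeated
    keys, which configparser rejects by default."""
    section = None
    mode = None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Socket" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "SocketMode":
                mode = value  # last assignment wins, as in systemd
    return mode


def admin_socket_is_restricted(unit_text):
    """True only when the unit grants no group or other permission bits.

    systemd applies SocketMode=0666 when the key is missing, so an absent key
    is reported as unrestricted: this is exactly the CVE-2019-10132 condition."""
    mode = socket_mode_of(unit_text)
    if mode is None:
        return False
    return int(mode, 8) & 0o077 == 0


def peer_uid(conn):
    """UID of the process on the other end of a Unix-domain connection.

    Uses Linux SO_PEERCRED; struct ucred is three 32-bit ints: pid, uid, gid."""
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                            struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", creds)
    return uid


def client_allowed(conn):
    """The daemon-side rule from the first patch: reject clients whose UID differs."""
    return peer_uid(conn) == os.getuid()


def demo_peer_check():
    """Exercise client_allowed over a local socket pair; both ends share our UID."""
    server_side, client_side = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        return client_allowed(server_side)
    finally:
        server_side.close()
        client_side.close()


if __name__ == "__main__":
    for name, text in (("weak", WEAK_UNIT), ("fixed", FIXED_UNIT)):
        print(name, "SocketMode =", socket_mode_of(text),
              "restricted =", admin_socket_is_restricted(text))
    print("same-UID client accepted:", demo_peer_check())
```

The unit parser can be pointed at the real files under /usr/lib/systemd/system or /etc/systemd/system to audit an installed host; the SO_PEERCRED call is Linux-specific and will raise AttributeError elsewhere.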

Comment 10 Doran Moppert 2019-05-07 07:19:12 UTC
These sockets are enabled if any guest VMs have been started on the host.  The impact of this vulnerability is that any local user can send administrative commands, which could result in denial of service against the libvirt service, any guests managed against it, and directing logs to any location on the host filesystem.  This last vector could lead to denial of service against other processes, or potentially even privilege escalation.

Comment 11 Doran Moppert 2019-05-08 01:21:34 UTC
Acknowledgments:

Name: Daniel P. Berrange (Red Hat)

Comment 15 Laura Pardo 2019-05-21 15:50:39 UTC
External References:

https://security.libvirt.org/2019/0003.html

Comment 16 Laura Pardo 2019-05-21 15:51:44 UTC
Created libvirt tracking bugs for this issue:

Affects: fedora-all [bug 1712498]


Created mingw-libvirt tracking bugs for this issue:

Affects: fedora-all [bug 1712497]

Comment 17 errata-xmlrpc 2019-05-23 15:57:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1264 https://access.redhat.com/errata/RHSA-2019:1264

Comment 18 errata-xmlrpc 2019-05-23 16:09:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1268 https://access.redhat.com/errata/RHSA-2019:1268

Comment 20 errata-xmlrpc 2019-06-11 13:35:54 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.0.0.Z

Via RHSA-2019:1455 https://access.redhat.com/errata/RHSA-2019:1455

