Bug 1706067 (CVE-2019-10132) - CVE-2019-10132 libvirt: wrong permissions in systemd admin-sock due to missing SocketMode parameter
Summary: CVE-2019-10132 libvirt: wrong permissions in systemd admin-sock due to missin...
Status: CLOSED ERRATA
Alias: CVE-2019-10132
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20190521:1200...
Keywords: Security
Depends On: 1706667 1706669 1706673 1706666 1706668 1706670 1706671 1706672 1707185 1712497 1712498
Blocks: 1704967
TreeView+ depends on / blocked
 
Reported: 2019-05-03 13:16 UTC by Laura Pardo
Modified: 2019-06-11 13:35 UTC (History)
24 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2019-06-10 10:55:02 UTC


Attachments (Terms of Use)
admin: reject clients unless their UID matches the current UID (1.90 KB, patch)
2019-05-07 07:07 UTC, Doran Moppert
no flags Details | Diff
locking: restrict sockets to mode 0600 (1.18 KB, patch)
2019-05-07 07:07 UTC, Doran Moppert
no flags Details | Diff
logging: restrict sockets to mode 0600 (1.17 KB, patch)
2019-05-07 07:08 UTC, Doran Moppert
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:1264 None None None 2019-05-23 15:57 UTC
Red Hat Product Errata RHSA-2019:1268 None None None 2019-05-23 16:09 UTC
Red Hat Product Errata RHSA-2019:1455 None None None 2019-06-11 13:35 UTC

Description Laura Pardo 2019-05-03 13:16:28 UTC
A vulnerability was found in libvirt >= 4.1.0 in the virtlockd-admin.socket and virtlogd-admin.socket systemd units. A missing SocketMode configuration parameter allows any user on the host to connect using virtlockd-admin-sock or virtlogd-admin-sock and perform administrative tasks against the virtlockd and virtlogd daemons.

Comment 5 Doran Moppert 2019-05-07 07:07 UTC
Created attachment 1564991 [details]
admin: reject clients unless their UID matches the current UID

Comment 6 Doran Moppert 2019-05-07 07:07 UTC
Created attachment 1564992 [details]
locking: restrict sockets to mode 0600

Comment 7 Doran Moppert 2019-05-07 07:08 UTC
Created attachment 1564993 [details]
logging: restrict sockets to mode 0600

Comment 9 Doran Moppert 2019-05-07 07:11:51 UTC
The three patches above, provided by Daniel Berrange, address the issue in multiple layers:  the first adds client verification (as is already performed for libvirt-* sockets), preventing other users from accessing the socket.  The others restrict the mode of these sockets to 0600, reinforcing the protection with filesystem security.

Comment 10 Doran Moppert 2019-05-07 07:19:12 UTC
These sockets enabled if any guest VMs have been started on the host.  The impact of this vulnerability is that any local user can send administrative commands, which could result in denial of service against the libvirt service, any guests managed against it, and directing logs to any location on the host filesystem.  This last vector could lead to denial of service against other processes, or potentially even privilege escalation.

Comment 11 Doran Moppert 2019-05-08 01:21:34 UTC
Acknowledgments:

Name: Daniel P. Berrange (Red Hat)

Comment 15 Laura Pardo 2019-05-21 15:50:39 UTC
External References:

https://security.libvirt.org/2019/0003.html

Comment 16 Laura Pardo 2019-05-21 15:51:44 UTC
Created libvirt tracking bugs for this issue:

Affects: fedora-all [bug 1712498]


Created mingw-libvirt tracking bugs for this issue:

Affects: fedora-all [bug 1712497]

Comment 17 errata-xmlrpc 2019-05-23 15:57:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1264 https://access.redhat.com/errata/RHSA-2019:1264

Comment 18 errata-xmlrpc 2019-05-23 16:09:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1268 https://access.redhat.com/errata/RHSA-2019:1268

Comment 20 errata-xmlrpc 2019-06-11 13:35:54 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.0.0.Z

Via RHSA-2019:1455 https://access.redhat.com/errata/RHSA-2019:1455


Note You need to log in before you can comment on or make changes to this bug.