Libvirt Security Notice: LSN-2019-0005
======================================
Summary: virDomainManagedSaveDefineXML does not check for
read-only connection
Reported on: 20190604
Published on: 20190620
Fixed on: 20190620
Reported by: Matthias Gerstner <mgerstner(a)suse.de>
Patched by: Ján Tomko <jtomko(a)redhat.com>
See also: CVE-2019-10166

Description
-----------
The virDomainManagedSaveDefineXML API redefines the managed save
domain XML without checking for a read-only connection. This allows
unprivileged users to check for the existence of arbitrary files or
to execute arbitrary binaries with elevated privileges.

Impact
------
The default libvirt configuration allows all local user accounts
read-only access to the libvirtd daemon. Any local user can provide
an arbitrary emulator and so execute arbitrary binaries as the
configured QEMU user. Since v5.1.0, the emulator binary is run with
CAP_DAC_OVERRIDE, which essentially gives it root privileges.

Workaround
----------
Edit the /etc/libvirt/libvirtd.conf configuration file and set
'unix_sock_ro_perms = "0700"' to prevent local users from connecting
to libvirt. Alternatively, set up a policy kit rule that denies them
access unless they first authenticate as root.
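
The following audit helpers are an added example, not code from the
libvirt project. They check whether the workaround above is in place
and whether a version falls in the range listed as broken below. The
function names and the 0777 fallback for an unset key are assumptions.

```sh
#!/bin/sh
# Added example (not from the libvirt project): audit helpers for LSN-2019-0005.

# Effective unix_sock_ro_perms in a libvirtd.conf-style file. Commented-out
# lines are ignored and the last assignment wins. 0777 is used when the key
# is unset (assumption: the upstream default for the read-only socket).
ro_perms() {
    val=$(sed -n 's/^[[:space:]]*unix_sock_ro_perms[[:space:]]*=[[:space:]]*"\{0,1\}\([0-7]\{3,4\}\)"\{0,1\}.*$/\1/p' "$1" 2>/dev/null | tail -n 1)
    printf '%s\n' "${val:-0777}"
}

# Succeeds when the mode grants nothing to group or other, as with "0700".
ro_socket_restricted() {
    case $(ro_perms "$1") in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Succeeds when a version such as "5.1.0" or "v5.1.0" lies between v3.7.0 and
# v5.4.0, compared on major.minor only. Maintenance branches and distribution
# packages may carry the fix, so a match means "check the package changelog".
version_affected() {
    v=${1#v}
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    n=$((major * 1000 + minor))
    [ "$n" -ge 3007 ] && [ "$n" -le 5004 ]
}

# Constructed sample config: a commented default line plus the workaround.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#unix_sock_ro_perms = "0777"
unix_sock_ro_perms = "0700"
EOF
ro_socket_restricted "$sample" && echo "workaround applied: $(ro_perms "$sample")"
version_affected v5.1.0 && echo "v5.1.0 is in the range listed as broken"
rm -f "$sample"
```

On a real host, pass /etc/libvirt/libvirtd.conf to ro_socket_restricted
and restart libvirtd after changing the setting.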

Affected product
----------------
Name: libvirt
Repository:
git://libvirt.org/git/libvirt.git
http://libvirt.org/git/?p=libvirt.git
Branch: master
Broken in: v3.7.0
Broken in: v3.8.0
Broken in: v3.9.0
Broken in: v3.10.0
Broken in: v4.0.0
Broken in: v4.1.0
Broken in: v4.2.0
Broken in: v4.3.0
Broken in: v4.4.0
Broken in: v4.5.0
Broken in: v4.6.0
Broken in: v4.7.0
Broken in: v4.8.0
Broken in: v4.9.0
Broken in: v4.10.0
Broken in: v5.0.0
Broken in: v5.1.0
Broken in: v5.2.0
Broken in: v5.3.0
Broken in: v5.4.0
Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
Fixed by: db0b78457f183e4c7ac45bc94de86044a1e2056a
Branch: v3.7-maint
Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
Fixed by: e7d9c8899fc7751201b46b6cf6bff4eadb38af2f
Branch: v4.1-maint
Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
Fixed by: d9a1f3debad411756f53ab8ab81e44ab0bb50e0a
Branch: v4.2-maint
Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
Fixed by: 1813138f6b00058285e325191d50c41ace39e5b3
Branch: v4.3-maint
Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
Fixed by: 9816854ac4e5ccd87cf82320b4550671e75f6509
Branch: v4.4-maint
Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
Fixed by: e777cce08e069e29deedec540d463ed70c29e92c
Branch: v4.5-maint
Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
Fixed by: d025c10d54975fe98927be85f33146e780c28d52
Branch: v4.6-maint
Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
Fixed by: 00e673c93fc3d0cfed274cc7a1ec2c52260c8262
Branch: v4.7-maint
Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
Fixed by: 6da721ea37bf3624ff9922637cfa657d2dcb20f9
Branch: v4.8-maint
Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
Fixed by: 6dc29a174ae204b1ae13fed0f533818ad6d24b9f
Branch: v4.9-maint
Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
Fixed by: 0a744e15517d727c7f473fabe32ca6b0dbb7b7d1
Branch: v4.10-maint
Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
Fixed by: 3f744efec31959f7643849f6a3708198bcdfc6ae
Branch: v5.0-maint
Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
Fixed by: a064d492272bcb0029b140ec4e18fce1ac0ec5b2
Branch: v5.1-maint
Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
Fixed by: 58c7c3fc4a0f15544c2054ed4682ff5d740681ab
Branch: v5.1.0-maint
Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
Branch: v5.2-maint
Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
Fixed by: 96bca3af450cc62183b91a361f7024f93126bc49
Branch: v5.3-maint
Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6
Fixed by: f4dabe99f7f46520f2967f3e068fcbeb54e617df