[Libvirt-announce] LSN-2019-0004 virDomainSaveImageGetXMLDesc does not check for read-only connection

24 Jun 2019

      Libvirt Security Notice: LSN-2019-0004
        ======================================

       Summary: virDomainSaveImageGetXMLDesc does not check for
                read-only connection
   Reported on: 20190604
  Published on: 20190620
      Fixed on: 20190620
   Reported by: Matthias Gerstner <mgerstner@suse.de>
    Patched by: Ján Tomko <Ján Tomko>
      See also: CVE-2019-10161

Description
-----------

The virDomainSaveImageGetXMLDesc accesses and parses arbitrary files
without checking for the read-only connection. This allows
unprivileged users to check for existence of arbitrary files or
executing arbitrary binaries with elevated privileges.

Impact
------

The default libvirt configuration allows all local user accounts
read-only access to the libvirtd daemon. Any local user can check
for the existence of an arbitrary file by watching for a different
error message. Additionally, since v1.2.19, by providing a crafted
save file pointing to an arbitrary emulator, executing arbitrary
binaries as the configured QEMU user is possible. Since v5.1.0, the
emulator binary is run with CAP_DAC_OVERRIDE, essentially having
root privileges.

Workaround
----------

Edit the /etc/libvirt/libvirtd.conf configuration file, to set the
'unix_sock_ro_perms = "0700"' to prevent local users from connecting
to libvirt. Alternatively setup a policy kit rule to prevent them
access without first authenticating as root.

Affected product
----------------

        Name: libvirt
  Repository: git://libvirt.org/git/libvirt.git
              http://libvirt.org/git/?p=libvirt.git

      Branch: master
   Broken in: v0.9.4
   Broken in: v0.9.5
   Broken in: v0.9.6
   Broken in: v0.9.7
   Broken in: v0.9.8
   Broken in: v0.9.9
   Broken in: v0.9.10
   Broken in: v0.9.11
   Broken in: v0.9.12
   Broken in: v0.9.13
   Broken in: v0.10.0
   Broken in: v0.10.1
   Broken in: v0.10.2
   Broken in: v1.0.0
   Broken in: v1.0.1
   Broken in: v1.0.2
   Broken in: v1.0.3
   Broken in: v1.0.4
   Broken in: v1.0.5
   Broken in: v1.0.6
   Broken in: v1.1.0
   Broken in: v1.1.1
   Broken in: v1.1.2
   Broken in: v1.1.3
   Broken in: v1.1.4
   Broken in: v1.2.0
   Broken in: v1.2.1
   Broken in: v1.2.2
   Broken in: v1.2.3
   Broken in: v1.2.4
   Broken in: v1.2.5
   Broken in: v1.2.6
   Broken in: v1.2.7
   Broken in: v1.2.8
   Broken in: v1.2.9
   Broken in: v1.2.10
   Broken in: v1.2.11
   Broken in: v1.2.12
   Broken in: v1.2.13
   Broken in: v1.2.14
   Broken in: v1.2.15
   Broken in: v1.2.16
   Broken in: v1.2.17
   Broken in: v1.2.18
   Broken in: v1.2.19
   Broken in: v1.2.20
   Broken in: v1.2.21
   Broken in: v1.3.0
   Broken in: v1.3.1
   Broken in: v1.3.2
   Broken in: v1.3.3
   Broken in: v1.3.4
   Broken in: v1.3.5
   Broken in: v2.0.0
   Broken in: v2.1.0
   Broken in: v2.2.0
   Broken in: v2.3.0
   Broken in: v2.4.0
   Broken in: v2.5.0
   Broken in: v3.0.0
   Broken in: v3.1.0
   Broken in: v3.2.0
   Broken in: v3.3.0
   Broken in: v3.4.0
   Broken in: v3.5.0
   Broken in: v3.6.0
   Broken in: v3.7.0
   Broken in: v3.8.0
   Broken in: v3.9.0
   Broken in: v3.10.0
   Broken in: v4.0.0
   Broken in: v4.1.0
   Broken in: v4.2.0
   Broken in: v4.3.0
   Broken in: v4.4.0
   Broken in: v4.5.0
   Broken in: v4.6.0
   Broken in: v4.7.0
   Broken in: v4.8.0
   Broken in: v4.9.0
   Broken in: v4.10.0
   Broken in: v5.0.0
   Broken in: v5.1.0
   Broken in: v5.2.0
   Broken in: v5.3.0
   Broken in: v5.4.0
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
    Fixed by: aed6a032cead4386472afb24b16196579e239580

      Branch: v0.9.6-maint
   Broken in: v0.9.6.1
   Broken in: v0.9.6.2
   Broken in: v0.9.6.3
   Broken in: v0.9.6.4
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9

      Branch: v0.9.11-maint
   Broken in: v0.9.11.1
   Broken in: v0.9.11.2
   Broken in: v0.9.11.3
   Broken in: v0.9.11.4
   Broken in: v0.9.11.5
   Broken in: v0.9.11.6
   Broken in: v0.9.11.7
   Broken in: v0.9.11.8
   Broken in: v0.9.11.9
   Broken in: v0.9.11.10
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9

      Branch: v0.9.12-maint
   Broken in: v0.9.12.1
   Broken in: v0.9.12.2
   Broken in: v0.9.12.3
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9

      Branch: v0.10.2-maint
   Broken in: v0.10.2.1
   Broken in: v0.10.2.2
   Broken in: v0.10.2.3
   Broken in: v0.10.2.4
   Broken in: v0.10.2.5
   Broken in: v0.10.2.6
   Broken in: v0.10.2.7
   Broken in: v0.10.2.8
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9

      Branch: v1.0.0-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9

      Branch: v1.0.1-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9

      Branch: v1.0.2-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9

      Branch: v1.0.3-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9

      Branch: v1.0.4-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9

      Branch: v1.0.5-maint
   Broken in: v1.0.5.1
   Broken in: v1.0.5.2
   Broken in: v1.0.5.3
   Broken in: v1.0.5.4
   Broken in: v1.0.5.5
   Broken in: v1.0.5.6
   Broken in: v1.0.5.7
   Broken in: v1.0.5.8
   Broken in: v1.0.5.9
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9

      Branch: v1.0.6-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9

      Branch: v1.1.0-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9

      Branch: v1.1.1-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9

      Branch: v1.1.2-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9

      Branch: v1.1.3-maint
   Broken in: v1.1.3.1
   Broken in: v1.1.3.2
   Broken in: v1.1.3.3
   Broken in: v1.1.3.4
   Broken in: v1.1.3.5
   Broken in: v1.1.3.6
   Broken in: v1.1.3.7
   Broken in: v1.1.3.8
   Broken in: v1.1.3.9
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9

      Branch: v1.1.4-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9

      Branch: v1.2.0-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9

      Branch: v1.2.1-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9

      Branch: v1.2.2-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9

      Branch: v1.2.3-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9

      Branch: v1.2.4-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9

      Branch: v1.2.5-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9

      Branch: v1.2.6-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9

      Branch: v1.2.7-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9

      Branch: v1.2.8-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9

      Branch: v1.2.9-maint
   Broken in: v1.2.9.1
   Broken in: v1.2.9.2
   Broken in: v1.2.9.3
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9

      Branch: v1.2.10-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9

      Branch: v1.2.11-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9

      Branch: v1.2.12-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9

      Branch: v1.2.13-maint
   Broken in: v1.2.13.1
   Broken in: v1.2.13.2
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9

      Branch: v1.2.14-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9

      Branch: v1.2.15-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9

      Branch: v1.2.16-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9

      Branch: v1.2.17-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9

      Branch: v1.2.18-maint
   Broken in: v1.2.18.1
   Broken in: v1.2.18.2
   Broken in: v1.2.18.3
   Broken in: v1.2.18.4
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9

      Branch: v1.2.19-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
    Fixed by: 4e16e7a3fc44a14f27eda23e75bae75992339b3a

      Branch: v1.2.20-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
    Fixed by: 99ac102b8310adf50d16b62c533405eee6544cf2

      Branch: v1.2.21-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
    Fixed by: fa2016e751452163aa2e93baa6c9bfc239e31885

      Branch: v1.3.0-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
    Fixed by: 470d6f5546fd027f9945845f6aad72f33c829be9

      Branch: v1.3.1-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
    Fixed by: 980109c41c8bb55fd105809f2e063667721feaea

      Branch: v1.3.2-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
    Fixed by: 221397df7a5164bcc4d28f3157867db4894000d3

      Branch: v1.3.3-maint
   Broken in: v1.3.3.1
   Broken in: v1.3.3.2
   Broken in: v1.3.3.3
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
    Fixed by: b22baef31258621b3bdb5036a84772bc6b6ec0a4

      Branch: v1.3.4-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
    Fixed by: a8ae178438be285b91c4871251ad1482c4e396df

      Branch: v1.3.5-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
    Fixed by: 70e83151456d386580708ade404ada41afac41dd

      Branch: v2.0-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
    Fixed by: a9e40f23207f464c322f4250b1373ff50ca71a85

      Branch: v2.1-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
    Fixed by: dea40b42188e883c4118b02527f5c02a6fbbac59

      Branch: v2.2-maint
   Broken in: v2.2.1
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
    Fixed by: 97829dcb3889fd0a64ff32a72710303f59d7d5bf

      Branch: v3.0-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
    Fixed by: fb8c9f1305d108e5a43e83b72a86e41abfdeda86

      Branch: v3.2-maint
   Broken in: v3.2.1
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
    Fixed by: ff5c64b94133b7b54e7359c63e1c2972531a4f5f

      Branch: v3.7-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
    Fixed by: 8cf159fed436634a7607964eeecefee59be63b33

      Branch: v4.1-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
    Fixed by: 1f8129c5db3952a57900b8cd1d94e629068e6aa5

      Branch: v4.2-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
    Fixed by: 7312304ec0a50db539c6e1714f2c9b3a9e38daa7

      Branch: v4.3-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
    Fixed by: 8832b8a44f960229c5aa0a803d26c0ab4aa827af

      Branch: v4.4-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
    Fixed by: bafe00de3c62f3638e449ba62d4d88b56188bafe

      Branch: v4.5-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
    Fixed by: 6a028b6e8228dd19283042e5edef3a45133630e8

      Branch: v4.6-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
    Fixed by: a27659643b8ae9b26b52fc857cdc5b301184e26e

      Branch: v4.7-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
    Fixed by: 3352c8af264a7b9b741208790ecca0bbc6733f42

      Branch: v4.8-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
    Fixed by: 56fadbbb25190d8ce0dcc54c550cc736a2fc5412

      Branch: v4.9-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
    Fixed by: 568c735d7b0ccb55f9476c86f8603eb3a5c9fc5c

      Branch: v4.10-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
    Fixed by: 3572564893d1710beb1862797fe32cc2e9cb1e38

      Branch: v5.0-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
    Fixed by: 6aa0c85be9f840a32fcec282185b5ed2513a3aa5

      Branch: v5.1-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
    Fixed by: 111bb6555c5082ebba3de8e73a4e21a1573a5409

      Branch: v5.1.0-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9

      Branch: v5.2-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
    Fixed by: 3d9c8914663549e0cc0e822fa29b0a3a5bbc0fbd

      Branch: v5.3-maint
   Broken by: d2a929d4b371a382d5508ae6bef80e392a34f8b9
    Fixed by: dae676751cee86eaad880ee9c654823ce0e021ad

Ján Tomko

tags

participants (1)