Libvirt Security Notice: LSN-2015-0004
======================================
Summary: ACL bypass using ../ to access beyond storage pool
Reported on: 20151030
Published on: 20151211
Fixed on: 20151211
Reported by: Ossi Herrala <vulncoord(a)ficora.fi>
Joonas Kuorilehto <vulncoord(a)ficora.fi>
Patched by: Eric Blake <eblake(a)redhat.com>
See also: CVE-2015-5313, FICORA bug #876194
Description
-----------
Various virStorageVol* APIs operate on user-supplied volume names by
concatenating the volume name to the pool location. Note that the
virStoragePoolListVolumes API, when used on a storage pool backed by
a directory in a file system, will only list volumes immediately in
that directory (there is no traversal into subdirectories). However,
other APIs such as virStorageVolCreateXML were not checking whether a
potential volume name represented one of the volumes that could be
returned by virStoragePoolListVolumes, because they were not
rejecting the use of '/' in a volume name.
Impact
------
Because no checking was done on volume names, a user could supply a
potential volume name of something like '../../../etc/passwd' to
attempt to access a file not belonging to the storage pool. When
fine-grained Access Control Lists (ACL) are in effect, a user with
storage_vol:create ACL permission but lacking domain:write permission
could thus abuse virStorageVolCreateXML and similar APIs to gain
access to files not normally permitted to that user. Fortunately, it
appears that the only APIs that could leak information or corrupt
files require a read-write connection to libvirtd; and when ACLs are
not in use (the default without any further configuration), a user
with read-write access can already be considered to have full access
to the machine, and without an escalation of privilege there is no
security problem.
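
The name check described above, as an added example that is not part of the original notice and is not libvirt's own code: it shows the unchecked concatenation next to a checked form that accepts only a single path component. The function names and the sample pool location are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample pool location (assumption, not from the notice). */
#define SAMPLE_POOL "/var/lib/libvirt/images"

/* Unchecked form: concatenate the volume name to the pool location,
 * as the Description says the affected APIs did. Returns 0 on success. */
static int vol_path_unchecked(const char *pool, const char *name,
                              char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s", pool, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* A directory pool only lists entries immediately inside it, so a valid
 * name is a single path component. Rejecting '/' is what the notice
 * describes; rejecting "", "." and ".." is extra strictness added here. */
static int vol_name_ok(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (strchr(name, '/') != NULL)
        return 0;
    return strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}

/* Checked form: validate first, then build the path. */
static int vol_path_checked(const char *pool, const char *name,
                            char *out, size_t outlen)
{
    if (!vol_name_ok(name))
        return -1;
    return vol_path_unchecked(pool, name, out, outlen);
}

int main(void)
{
    const char *names[] = { "guest1.img", "../../../etc/passwd", "sub/vol", ".." };
    char path[256];

    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        if (vol_path_checked(SAMPLE_POOL, names[i], path, sizeof(path)) == 0)
            printf("accept %-22s -> %s\n", names[i], path);
        else
            printf("reject %s\n", names[i]);
    }
    return 0;
}
```
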
Workaround
----------
If fine-grained ACLs must be used, administrators must consider all
of the storage_vol:* permissions as equivalent to domain:write when
running an impacted version of libvirt. The easiest way to prevent
untrusted users from gaining unauthorized access to volumes outside
of permitted pools is by disabling the use of fine-grained ACLs, and
ensuring that such users do not have read-write access to libvirtd.
Affected product
----------------
Name: libvirt
Repository:
git://libvirt.org/git/libvirt.git
http://libvirt.org/git/?p=libvirt.git
Branch: master
Broken in: v1.1.0
Broken in: v1.1.1
Broken in: v1.1.2
Broken in: v1.1.3
Broken in: v1.1.4
Broken in: v1.2.0
Broken in: v1.2.1
Broken in: v1.2.2
Broken in: v1.2.3
Broken in: v1.2.4
Broken in: v1.2.5
Broken in: v1.2.6
Broken in: v1.2.7
Broken in: v1.2.8
Broken in: v1.2.9
Broken in: v1.2.10
Broken in: v1.2.11
Broken in: v1.2.12
Broken in: v1.2.13
Broken in: v1.2.14
Broken in: v1.2.15
Broken in: v1.2.16
Broken in: v1.2.17
Broken in: v1.2.18
Broken in: v1.2.19
Broken in: v1.2.20
Broken in: v1.2.20
Broken in: v1.3.0
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: 034e47c338b13a95cf02106a3af912c1c5f818d7
Branch: v1.1.0-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: 14828a59eadc7221326198a8d7af817a6b8b8c13
Branch: v1.1.1-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: 692ce509efa0a07f2811d0fe3b7202b020c874e0
Branch: v1.1.2-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: e8643ef68c99e9f5068f6ff64ea0acab94cac7f6
Branch: v1.1.3-maint
Broken in: v1.1.3.1
Broken in: v1.1.3.2
Broken in: v1.1.3.3
Broken in: v1.1.3.4
Broken in: v1.1.3.5
Broken in: v1.1.3.6
Broken in: v1.1.3.7
Broken in: v1.1.3.8
Broken in: v1.1.3.9
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: dcce665904b8ebc9ac3e5109db179a567b33e1a2
Branch: v1.1.4-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: dc2db111a9ba074589c54b90c89f33c01b1e4941
Branch: v1.2.0-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: d414ecb8e1714704e6515ab01ef9386d89b8051e
Branch: v1.2.1-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: 02d365dae595a3453fe0e438bc274ccf3c18e20d
Branch: v1.2.2-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: 6542e643024ca4272f14e9052b3786378f6eec62
Branch: v1.2.3-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: 91898c606496b14e0891af31dfca7eb77ba9fee3
Branch: v1.2.4-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: c9450f4f855736ef3024dfbab403a849110d8bb5
Branch: v1.2.5-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: 890fc0f1ffcc479b08b9fd01de31b62e3d9e7427
Branch: v1.2.6-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: 6ae433938377e1b7e657c34cca39e52426347cb4
Branch: v1.2.7-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: 4ed8074672f9b847a10464d9c6be77d428c1eb1c
Branch: v1.2.8-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: 54be99a717873524798d39f8baf49e45054192c8
Branch: v1.2.9-maint
Broken in: v1.2.9.1
Broken in: v1.2.9.2
Broken in: v1.2.9.3
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: b0f88836e5eb5b7156bda99c005cf4aa0456ed0d
Branch: v1.2.10-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: 53ae31bf4df364a2110f636d5482b21af4e4a0cc
Branch: v1.2.11-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: 0060c4ee9e70a9f6f297373cb4fd2ace6c187be0
Branch: v1.2.12-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: b5ddfbc0fe13a7910c2303056ddd5df749bcf8b0
Branch: v1.2.13-maint
Broken in: v1.2.13.1
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: b553ec764f7ecdf8962efbf849a0e8524bae610c
Branch: v1.2.14-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: 6410a22743fadc3b554b2f0866c9ab8008ff4908
Branch: v1.2.15-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: 01cbfeb7d81498db3c644404980c9c1aa9cac048
Branch: v1.2.16-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: 3e6b40e5aa3edf47443f017a42ec7b87855ed847
Branch: v1.2.17-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: 08acad56ce2e5bcfcca8600a4e4074d3aaeb44dd
Branch: v1.2.18-maint
Broken in: v1.2.18.1
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: d035796675ca42795953828d11f902f691fa6b29
Branch: v1.2.19-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: 69548d200409d2b0dd6356fccfd59570fb58e23a
Branch: v1.2.20-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: edeef640db625d23700011dc94adff6e29b85cd3
Branch: v1.2.21-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: 29b4ce46798519b93a6a17a5e3734ea4f68ea69d
Branch: v1.3.0-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: 1d8bcbb7c68d3f35689daf727bc74fcf80a3a6b1
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library
http://libvirt.org