Libvirt Security Notice: LSN-2015-0003
======================================
Summary: denial of service through root-squash NFS storage pools
Reported on: 20150814
Published on: 20150903
Fixed on: 20150903
Reported by: Han Han <hhan(a)redhat.com>
Patched by: John Ferlan <jferlan(a)redhat.com>
See also: CVE-2015-5247
Description
-----------
The virStorageVolCreateXML API had a bug where it could create a
volume on a root-squash NFS mount, but then fail to remove that
volume if later steps in the API call encountered problems. This was
further compounded by code which used a wrong conditional on whether
the new volume needed to have its permissions changed, making it more
likely to trigger the failed unlink attempt. Poor error handling
after a failed unlink left libvirt with an inconsistent view of the
storage volume that could then result in a libvirtd crash. While the
libvirtd crash might be delayed until subsequent actions from a
read-only connection trigger it, the conditions that set up the crash
can only be created by a client with a read-write connection.
Impact
------
When using fine-grained Access Control Lists (ACL), the
virStorageVolCreateXML API only requires the storage_vol:create
permission. A client with this privilege but lacking the
more-powerful domain:write permission could exploit the API bugs to
cause a denial-of-service attack by taking down libvirtd through a
crash. It can also be argued that the ability to cause libvirt to
create files which it cannot delete can be used as a
denial-of-service attack on storage resources.
Workaround
----------
The problems with libvirt creating a file which it does not then
clean up on error are specific to root-squash NFS, so one mitigation
is avoiding the use of the root-squash option when exporting NFS
volumes for use by libvirt storage pools. Note that in general, the
use of root-squash NFS does not add any real security (it makes
certain tasks harder for a root user, but the root user can
trivially change ids to another user to still perform those tasks).
Furthermore, it is possible to prevent the denial of service attacks
by stopping the use of the fine-grained access control mechanism
(while this does not prevent a crash, such a crash is no longer a
security problem as there is no longer a privilege boundary between
a user creating a volume and a user with full system access).
Affected product
----------------
Name: libvirt
Repository:
git://libvirt.org/git/libvirt.git
http://libvirt.org/git/?p=libvirt.git
Branch: master
Broken in: v1.2.14
Broken in: v1.2.15
Broken in: v1.2.16
Broken in: v1.2.17
Broken in: v1.2.18
Broken in: v1.2.19
Broken by: 155ca616eb231181f6978efc9e3a1eb0eb60af8a
Broken by: 7c2d65dde2595c07d56aad1e043f7b1836592d89
Fixed by: db9277a39bc364806e8d3e08a08fc128d59b7094
Fixed by: 691dd388aee99f8b06177540303b690586d5f5b3
Fixed by: 35847860f65f92e444db9730e00cdaef45198e0c
Branch: v1.2.14-maint
Broken by: 155ca616eb231181f6978efc9e3a1eb0eb60af8a
Fixed by: 605b12068392d29beb44a8ab7d6ec176d6b05237
Fixed by: 454cb7c40dbcff84192094963d71369ac7d94546
Branch: v1.2.15-maint
Broken by: 155ca616eb231181f6978efc9e3a1eb0eb60af8a
Fixed by: 3c41b3ea5e68f391b8ff901082608bda5f7f3fbc
Fixed by: fe2cf73800e3be87d1d4d811facb3f2be48126e5
Branch: v1.2.16-maint
Broken by: 155ca616eb231181f6978efc9e3a1eb0eb60af8a
Broken by: 7c2d65dde2595c07d56aad1e043f7b1836592d89
Fixed by: 9e48400f4606bac16b7e4db195f610928c3d5a04
Fixed by: 2f4b41861c1729ff4b754986782d7428ccdca455
Fixed by: 7f0505705c70f7eb1e435a2e7732d1a74abfadfd
Branch: v1.2.17-maint
Broken by: 155ca616eb231181f6978efc9e3a1eb0eb60af8a
Broken by: 7c2d65dde2595c07d56aad1e043f7b1836592d89
Fixed by: d055989083df4bf68eb1388d327ebffb3501bb83
Fixed by: 98242f94cd181f0257535479369054f07f951b21
Fixed by: a3ee6885d95a2ce6fb7e58bb0737cfb1612e0fb7
Branch: v1.2.18-maint
Broken by: 155ca616eb231181f6978efc9e3a1eb0eb60af8a
Broken by: 7c2d65dde2595c07d56aad1e043f7b1836592d89
Fixed by: e63b32e22dafd99547f82f5383fdbf58b5f651a1
Fixed by: 075eb526c9817d9d8e3a759e3fbe180d8d326dcf
Fixed by: 966cc922221be2b8cc6a9842ed0dc4cf1568a7b3
Branch: v1.2.19-maint
Broken by: 155ca616eb231181f6978efc9e3a1eb0eb60af8a
Broken by: 7c2d65dde2595c07d56aad1e043f7b1836592d89
Fixed by: e0025d2967bbe3f283937216c9e2c12b6e9d1010
Fixed by: 8b1d84e640f1a6e6ebb47caf23a664e2f651b32d
Fixed by: 3468542f06f6f5dc94defa1603c6a6adea3e2da8
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library
http://libvirt.org