Libvirt Security Notice: LSN-2015-0003 ====================================== Summary: denial of service through root-squash NFS storage pools Reported on: 20150814 Published on: 20150903 Fixed on: 20150903 Reported by: Han Han <hhan@redhat.com> Patched by: John Ferlan <jferlan@redhat.com> See also: CVE-2015-5247 Description ----------- The virStorageVolCreateXML API had a bug where it could create a volume on a root-squash NFS mount, but then fail to remove that volume if later steps during the API encountered problems. This was further compounded by code which used a wrong conditional on whether the new volume needed to have permissions changed, making it more likely to trigger the failed unlink attempt. Poor error handling after a failed unlink left libvirt with an inconsistent view of the storage volume that could then result in a libvirtd crash. While the libvirtd crash might be delayed until by subsequent actions from a read-only connection, the conditions that set up the crash can only be triggered by a client with a read-write connection. Impact ------ When using fine-grained Access Control Lists (ACL), the virStorageVolCreateXML API only requires the storage_vol:create permission. A client with this privilege but lacking the more-powerful domain:write permission could exploit the API bugs to cause a denial-of-service attack by taking down libvirtd through a crash. It can also be argued that the ability to cause libvirt to create files which it cannot delete can be used as a denial-of-service attack on storage resources. Workaround ---------- The problems with libvirt creating a file which it does not then clean up on error is specific to root-squash NFS, so one mitigation is avoiding the use of the root-squash option when exporting NFS volumes for use by libvirt storage pools. Note that in general, the use of root-squash NFS does not add any real security (it makes certain tasks harder for a root user, but the root user can trivially change ids to another user to still perform those tasks). Furthermore, it is possible to prevent the denial of service attacks by stopping the use of the fine grained access control mechanism (while this does not prevent a crash, such a crash is no longer a security problem as there is no longer a privilege boundary between a user creating a volume and a user with full system access). Affected product ---------------- Name: libvirt Repository: git://libvirt.org/git/libvirt.git http://libvirt.org/git/?p=libvirt.git Branch: master Broken in: v1.2.14 Broken in: v1.2.15 Broken in: v1.2.16 Broken in: v1.2.17 Broken in: v1.2.18 Broken in: v1.2.19 Broken by: 155ca616eb231181f6978efc9e3a1eb0eb60af8a Broken by: 7c2d65dde2595c07d56aad1e043f7b1836592d89 Fixed by: db9277a39bc364806e8d3e08a08fc128d59b7094 Fixed by: 691dd388aee99f8b06177540303b690586d5f5b3 Fixed by: 35847860f65f92e444db9730e00cdaef45198e0c Branch: v1.2.14-maint Broken by: 155ca616eb231181f6978efc9e3a1eb0eb60af8a Fixed by: 605b12068392d29beb44a8ab7d6ec176d6b05237 Fixed by: 454cb7c40dbcff84192094963d71369ac7d94546 Branch: v1.2.15-maint Broken by: 155ca616eb231181f6978efc9e3a1eb0eb60af8a Fixed by: 3c41b3ea5e68f391b8ff901082608bda5f7f3fbc Fixed by: fe2cf73800e3be87d1d4d811facb3f2be48126e5 Branch: v1.2.16-maint Broken by: 155ca616eb231181f6978efc9e3a1eb0eb60af8a Broken by: 7c2d65dde2595c07d56aad1e043f7b1836592d89 Fixed by: 9e48400f4606bac16b7e4db195f610928c3d5a04 Fixed by: 2f4b41861c1729ff4b754986782d7428ccdca455 Fixed by: 7f0505705c70f7eb1e435a2e7732d1a74abfadfd Branch: v1.2.17-maint Broken by: 155ca616eb231181f6978efc9e3a1eb0eb60af8a Broken by: 7c2d65dde2595c07d56aad1e043f7b1836592d89 Fixed by: d055989083df4bf68eb1388d327ebffb3501bb83 Fixed by: 98242f94cd181f0257535479369054f07f951b21 Fixed by: a3ee6885d95a2ce6fb7e58bb0737cfb1612e0fb7 Branch: v1.2.18-maint Broken by: 155ca616eb231181f6978efc9e3a1eb0eb60af8a Broken by: 7c2d65dde2595c07d56aad1e043f7b1836592d89 Fixed by: e63b32e22dafd99547f82f5383fdbf58b5f651a1 Fixed by: 075eb526c9817d9d8e3a759e3fbe180d8d326dcf Fixed by: 966cc922221be2b8cc6a9842ed0dc4cf1568a7b3 Branch: v1.2.19-maint Broken by: 155ca616eb231181f6978efc9e3a1eb0eb60af8a Broken by: 7c2d65dde2595c07d56aad1e043f7b1836592d89 Fixed by: e0025d2967bbe3f283937216c9e2c12b6e9d1010 Fixed by: 8b1d84e640f1a6e6ebb47caf23a664e2f651b32d Fixed by: 3468542f06f6f5dc94defa1603c6a6adea3e2da8 -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org