Bug 1174955 (CVE-2020-15708)

Summary: VUL-0: CVE-2020-15708: libvirt: Arbitrary File Write Privilege Escalation Vulnerability in service file
Product: [Novell Products] SUSE Security Incidents
Reporter: Robert Frohl <rfrohl>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P3 - Medium
CC: jfehlig, meissner, rfrohl, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/264730/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-15708:7.8:(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: doc patch for libvirtd.conf

Description Robert Frohl 2020-08-06 10:08:15 UTC
CVE-2020-15708

Libvirt Service Arbitrary File Write Privilege Escalation Vulnerability

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15708
http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-15708.html
Comment 2 Robert Frohl 2020-08-06 10:17:20 UTC
only affects SLE15-SP2, Leap 15.2 and Tumbleweed.
Comment 3 James Fehlig 2020-08-07 15:29:07 UTC
(In reply to Robert Frohl from comment #2)
> only affects SLE15-SP2, Leap 15.2 and Tumbleweed.

SUSE distros are not affected since we use polkit auth out-of-the-box. Even RO operations like 'list' require root password when invoked by normal users

skifaster@virt82:~> virsh -c qemu:///system list --all
==== AUTHENTICATING FOR org.libvirt.unix.manage ====
System policy prevents management of local virtualized systems
Authenticating as: root
Password: 
==== AUTHENTICATION COMPLETE ====
 Id   Name        State
---------------------------
 2    rancherOS   running

The admin must disable polkit auth in /etc/libvirt/libvirtd.conf by setting auth_unix_{ro,rw} to 'none' to trigger the issue, at which point they should also set appropriate permissions on the sockets. IMO we can close this as INVALID.
Comment 4 James Fehlig 2020-08-08 03:31:09 UTC
FYI, a patch was posted upstream that for us (SUSE) provides a slight improvement in the comments regarding authorization and socket permissions in libvirtd.conf

https://www.redhat.com/archives/libvir-list/2020-August/msg00360.html

I can add the patch, which again would be a doc change only, to SLE15 SP2 and Factory if you would like.
Comment 5 James Fehlig 2020-08-25 16:47:41 UTC
I asked rather indirect questions in #3 and #4 but didn't set needinfo. I'll do so now and ask more directly: Should we add the patch mentioned in #4 (which is a doc-only patch for us) or just close the bug as invalid?
Comment 6 Robert Frohl 2020-09-09 13:14:35 UTC
(In reply to James Fehlig from comment #5)
> I asked rather indirect questions in #3 and #4 but didn't set needinfo. I'll
> do so now and ask more directly: Should we add the patch mentioned in #4
> (which is a doc-only patch for us) or just close the bug as invalid?

I think it would be a good idea to take that patch, so that users are aware of the risks involved with turning off polkit. 

I will go ahead and change our tracking, because we are not affected by default.
Comment 7 James Fehlig 2020-09-11 21:53:03 UTC
(In reply to Robert Frohl from comment #6)
> I think it would be a good idea to take that patch, so that users are aware
> of the risks involved with turning off polkit.

In the end what was committed upstream is a bit more involved

https://gitlab.com/libvirt/libvirt/-/commit/b196f8fcdddd08194f267b7a02d8541a653d894a

To backport all of the patch requires changing the meson bits to autotools. Upstream libvirt recently ditched autotools in favor of meson but all supported SLE products have older libvirt that still uses autotools. Even the improved comments in libvirtd.conf assume the build-time bits of the patch are present. Here are some options, please let me know what you prefer:

1. Backport full patch functionality by porting the meson parts to autotools
2. Write a downstream patch for the older libvirts in our supported products that simply warns of the perils of disabling polkit auth.
3. Do nothing for existing products and get the improvement in SLE15 SP3 as we update libvirt.

If 1 or 2 is preferred, follow up question: How far back do you want the fix? I mean, do we care about a doc patch for old LTSS stuff? :-)
Comment 8 Robert Frohl 2020-09-28 08:42:17 UTC
@Marcus: What do you think? Is it worth the effort for something that is not an issue by default? Maybe just fixing it in newer versions of SLE/openSUSE would be sufficient?
Comment 9 Marcus Meissner 2020-09-28 14:04:44 UTC
What the patch does is basically what we currently have, and it only makes it adjustable.

It does not mitigate the problem in another way, it just brings either polkit enabled with mode 666 or "no polkit" with user based access settings.

I think we can document that our current setup is safe, perhaps add some strong words to our libvirt.conf, similar to the referenced patch.

But no need to backport this meson thing.
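The two acceptable setups described in comments #3 and #9 (polkit guarding the sockets, or polkit off with access limited by socket mode and group) can be checked mechanically. The checker below is an added example, not code from this bug or from libvirt: it parses the auth_unix_{ro,rw}, unix_sock_rw_perms and unix_sock_group keys of a libvirtd.conf and flags the combination the CVE depends on. The sample config is constructed, the defaults assumed for absent keys are labelled in the code, and on hosts where libvirtd is socket-activated by systemd the effective socket mode comes from the .socket unit rather than this file, so the result covers only the config-file side.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of a weakened /etc/libvirt/libvirtd.conf (sample input
# for this example, not a file shipped by any distribution).
SAMPLE_CONF = '''
# admin turned polkit off and opened the RW socket to everyone
auth_unix_ro = "none"
auth_unix_rw = "none"
unix_sock_rw_perms = "0777"
unix_sock_group = "libvirt"
'''

# Assumed defaults for absent keys: the bug states SUSE ships polkit auth out
# of the box; "root" for the socket group is the upstream default.
ASSUMED_DEFAULTS = {"auth_unix_ro": "polkit", "auth_unix_rw": "polkit",
                    "unix_sock_group": "root"}


def parse_libvirtd_conf(text: str) -> Dict[str, str]:
    """Return key -> value for `key = "value"` lines; comments and blanks are skipped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r'^(\w+)\s*=\s*"?([^"]*)"?\s*$', line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def audit_socket_auth(settings: Dict[str, str]) -> List[Tuple[str, str]]:
    """Flag 'polkit off + permissive RW socket'; returns (severity, message) pairs."""
    findings: List[Tuple[str, str]] = []
    rw_auth = settings.get("auth_unix_rw", ASSUMED_DEFAULTS["auth_unix_rw"])
    ro_auth = settings.get("auth_unix_ro", ASSUMED_DEFAULTS["auth_unix_ro"])
    if rw_auth != "none":
        findings.append(("ok", f"auth_unix_rw={rw_auth}: RW socket is gated by {rw_auth}"))
    elif "unix_sock_rw_perms" not in settings:
        # polkit is off, but the only remaining control (file mode) is not stated here
        findings.append(("warn", "auth_unix_rw=none and unix_sock_rw_perms unset: verify the effective mode"))
    else:
        perms = settings["unix_sock_rw_perms"]
        mode = int(perms, 8)
        group = settings.get("unix_sock_group", ASSUMED_DEFAULTS["unix_sock_group"])
        if mode & 0o002:   # other-writable: every local user can drive libvirtd as root
            findings.append(("critical", f"auth_unix_rw=none with unix_sock_rw_perms={perms}: any local user gains full libvirtd control"))
        elif mode & 0o020: # group-writable: membership in the group is root-equivalent
            findings.append(("info", f"auth_unix_rw=none, RW socket writable by group '{group}': treat that group as root-equivalent"))
        else:
            findings.append(("ok", f"auth_unix_rw=none with unix_sock_rw_perms={perms}: only the socket owner can connect"))
    if ro_auth == "none":
        findings.append(("info", "auth_unix_ro=none: read-only socket is unauthenticated (listing only)"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_socket_auth(parse_libvirtd_conf(SAMPLE_CONF)):
        print(f"[{severity}] {message}")
```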
Comment 11 James Fehlig 2020-10-08 22:47:13 UTC
Created attachment 842434 [details]
doc patch for libvirtd.conf
Comment 12 James Fehlig 2020-10-08 22:52:36 UTC
I've added the patch in #11 to the SLE12 SP5 and SLE15 SP{1,2} libvirt packages and submitted for maintenance. The Factory and SLE15 SP3 libvirt packages got the upstream variant referenced in #7. IMO it is sufficient to "fix" the bug in these distros, but feel free to reassign back to me if you disagree :-).
Comment 15 James Fehlig 2020-10-13 20:28:25 UTC
While working on CVE-2020-25637, I continued backporting the doc fix in this bug to SLE15 GA and SLE12 SP{2,3,4}. All submitted now. Enjoy! :-)
Comment 19 Swamp Workflow Management 2020-10-20 19:18:05 UTC
SUSE-SU-2020:2969-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1171701,1174955,1177155
CVE References: CVE-2020-15708,CVE-2020-25637
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    libvirt-4.0.0-9.35.1
SUSE Linux Enterprise Server 15-LTSS (src):    libvirt-4.0.0-9.35.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    libvirt-4.0.0-9.35.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    libvirt-4.0.0-9.35.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Swamp Workflow Management 2020-10-20 19:19:20 UTC
SUSE-SU-2020:2970-1: An update that solves two vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1173157,1174139,1174955,1175465,1176430,1177155
CVE References: CVE-2020-15708,CVE-2020-25637
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    libvirt-6.0.0-13.8.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    libvirt-6.0.0-13.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Swamp Workflow Management 2020-10-26 20:13:37 UTC
SUSE-SU-2020:3037-1: An update that solves two vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1174955,1175465,1175574,1176430,1177155,1177480
CVE References: CVE-2020-15708,CVE-2020-25637
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    libvirt-5.1.0-8.24.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    libvirt-5.1.0-8.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 22 Swamp Workflow Management 2020-10-27 11:15:53 UTC
SUSE-SU-2020:3038-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1171701,1174955,1177155
CVE References: CVE-2020-15708,CVE-2020-25637
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    libvirt-4.0.0-8.23.1
SUSE OpenStack Cloud 9 (src):    libvirt-4.0.0-8.23.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    libvirt-4.0.0-8.23.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    libvirt-4.0.0-8.23.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 23 Swamp Workflow Management 2020-10-27 11:16:54 UTC
SUSE-SU-2020:3039-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1174955,1175574,1176430,1177155,1177480
CVE References: CVE-2020-15708,CVE-2020-25637
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    libvirt-5.1.0-13.19.1
SUSE Linux Enterprise Server 12-SP5 (src):    libvirt-5.1.0-13.19.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 24 Swamp Workflow Management 2020-10-29 20:16:26 UTC
SUSE-SU-2020:3095-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174955,1177155
CVE References: CVE-2020-15708,CVE-2020-25637
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    libvirt-3.3.0-5.46.1
SUSE OpenStack Cloud 8 (src):    libvirt-3.3.0-5.46.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    libvirt-3.3.0-5.46.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    libvirt-3.3.0-5.46.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    libvirt-3.3.0-5.46.1
SUSE Enterprise Storage 5 (src):    libvirt-3.3.0-5.46.1
HPE Helion Openstack 8 (src):    libvirt-3.3.0-5.46.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 25 Swamp Workflow Management 2020-10-30 23:14:50 UTC
openSUSE-SU-2020:1778-1: An update that solves two vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1174955,1175465,1175574,1176430,1177155,1177480
CVE References: CVE-2020-15708,CVE-2020-25637
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    libvirt-5.1.0-lp151.7.10.1
Comment 26 Swamp Workflow Management 2020-10-30 23:16:33 UTC
openSUSE-SU-2020:1777-1: An update that solves two vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1173157,1174139,1174955,1175465,1176430,1177155
CVE References: CVE-2020-15708,CVE-2020-25637
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    libvirt-6.0.0-lp152.9.6.2
Comment 27 Swamp Workflow Management 2020-11-03 20:14:54 UTC
SUSE-SU-2020:3143-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174955,1177155
CVE References: CVE-2020-15708,CVE-2020-25637
JIRA References: 
Sources used:
SUSE OpenStack Cloud 7 (src):    libvirt-2.0.0-27.64.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    libvirt-2.0.0-27.64.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    libvirt-2.0.0-27.64.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    libvirt-2.0.0-27.64.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 28 Alexandros Toptsoglou 2021-01-27 17:05:41 UTC
DONE