Bug 1187871 (CVE-2021-3631)

Summary: VUL-1: CVE-2021-3631: libvirt: insecure sVirt label generation
Product: [Novell Products] SUSE Security Incidents
Reporter: Gianluca Gabrielli <gianluca.gabrielli>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P4 - Low
CC: gianluca.gabrielli, jfehlig, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/303252/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-3631:4.3:(AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Gianluca Gabrielli 2021-06-30 13:53:46 UTC
A flaw was found in libvirt while it generates SELinux MCS category pairs for VMs' dynamic labels. This flaw may allow one exploited guest to access files labelled for another guest, thus breaking out of sVirt confinement.

Upstream issue:
https://gitlab.com/libvirt/libvirt/-/issues/153

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1977726
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3631
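
An added audit sketch for the condition described above (not part of the original report and not libvirt code): under SELinux MCS a process can access a file whose category set is a subset of its own, so the check flags any guest label that lacks two distinct categories and any guest whose categories cover another guest's. The subset rule is general SELinux MCS behaviour rather than something this report states; the guest names and labels are constructed samples, and `mcs_categories` and `audit_labels` are hypothetical helper names.

```python
import re
from itertools import permutations

_CAT = re.compile(r"^c(\d+)(?:\.c(\d+))?$")

def mcs_categories(label):
    """Return the set of MCS category numbers in a single-level SELinux label."""
    parts = label.strip().split(":", 4)  # user:role:type:sensitivity[:categories]
    # Sensitivity ranges (e.g. s0-s0:c0.c1023) are not dynamic sVirt labels; reject them.
    if len(parts) < 4 or "-" in parts[3] or (len(parts) == 5 and "-" in parts[4]):
        raise ValueError(f"unsupported label: {label!r}")
    cats = set()
    if len(parts) == 5:
        for item in parts[4].split(","):
            m = _CAT.match(item)
            if not m:
                raise ValueError(f"bad category {item!r} in {label!r}")
            lo = int(m.group(1))
            hi = int(m.group(2)) if m.group(2) else lo  # cA.cB is an inclusive range
            cats.update(range(lo, hi + 1))
    return cats

def audit_labels(labels):
    """labels: dict of guest name -> process label. Returns a list of findings."""
    cats = {name: mcs_categories(lbl) for name, lbl in labels.items()}
    findings = []
    for name in sorted(cats):
        if len(cats[name]) < 2:
            # Fewer than two distinct categories: other guests' pairs can cover it.
            findings.append(("not-a-pair", name))
    for a, b in permutations(sorted(cats), 2):
        # Guest a's process categories cover the categories on guest b's files.
        if cats[b] <= cats[a]:
            findings.append(("can-access", a, b))
    return findings

# Constructed sample labels (assumed to be collected from the running guests).
SAMPLE = {
    "guest-a": "system_u:system_r:svirt_t:s0:c117",
    "guest-b": "system_u:system_r:svirt_t:s0:c117,c720",
    "guest-c": "system_u:system_r:svirt_t:s0:c5,c300",
}

if __name__ == "__main__":
    for finding in audit_labels(SAMPLE):
        print(finding)
```
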
Comment 1 Gianluca Gabrielli 2021-06-30 13:54:42 UTC
This vulnerability has not yet been addressed by upstream. As soon as a patch is ready I will update this issue.
Comment 2 James Fehlig 2021-06-30 14:07:03 UTC
In theory this vulnerability does not affect SUSE since we don't use selinux. In practice we provide enough selinux that someone could piece together an environment protected by selinux, but I'm not aware of any such environments and have never seen a libvirt+selinux bug against SUSE distros.
Comment 3 James Fehlig 2021-06-30 14:21:35 UTC
The fix for this issue should be pushed to libvirt.git master shortly

https://listman.redhat.com/archives/libvir-list/2021-June/msg00831.html
Comment 4 Gianluca Gabrielli 2021-06-30 15:15:29 UTC
Affected packages:
 - SUSE:SLE-15-SP2:Update/libvirt  6.0.0
 - SUSE:SLE-15-SP3:Update/libvirt  7.1.0
 - openSUSE:Factory/libvirt        7.4.0

Upstream patch [0].

[0] https://gitlab.com/libvirt/libvirt/-/commit/15073504dbb624d3f6c911e85557019d3620fdb2.patch
Comment 5 James Fehlig 2021-06-30 16:11:27 UTC
Do we even care about this fix? As per my comment in #2, it seems more like a WONTFIX or INVALID.
Comment 6 Gianluca Gabrielli 2021-07-01 09:29:35 UTC
(In reply to James Fehlig from comment #5)
> Do we even care about this fix? As per my comment in #2, it seems more like
> a WONTFIX or INVALID.

Hi James,

Since we can't be sure about our customers' environments and because we do ship both SELinux and libvirt, we need to ensure its safety in any possible configuration. Please submit the patch for the affected packages I mentioned in comment 4.
Comment 7 Gianluca Gabrielli 2021-07-01 09:30:14 UTC
This bug has been fixed in version 7.5.0.
Comment 8 James Fehlig 2021-07-07 17:37:24 UTC
7.5.0 has already hit Factory. I've submitted MR for SLE15 SP2 (#244295) and SLE15 SP3 (#244296). Passing the bug to security-team now...
Comment 10 Swamp Workflow Management 2021-07-27 13:25:49 UTC
SUSE-SU-2021:2471-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1184253,1187871
CVE References: CVE-2021-3631
JIRA References: 
Sources used:
SUSE MicroOS 5.0 (src):    libvirt-6.0.0-13.16.2
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    libvirt-6.0.0-13.16.2
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    libvirt-6.0.0-13.16.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2021-08-10 07:29:32 UTC
openSUSE-SU-2021:1119-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1184253,1187871
CVE References: CVE-2021-3631
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    libvirt-6.0.0-lp152.9.12.1
Comment 14 Swamp Workflow Management 2021-08-23 13:21:48 UTC
# maintenance_jira_update_notice
openSUSE-SU-2021:2812-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1184253,1187871,1188232,1188843
CVE References: CVE-2021-3631,CVE-2021-3667
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    libvirt-7.1.0-6.5.1
Comment 15 Swamp Workflow Management 2021-08-23 13:27:05 UTC
# maintenance_jira_update_notice
SUSE-SU-2021:2812-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1184253,1187871,1188232,1188843
CVE References: CVE-2021-3631,CVE-2021-3667
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    libvirt-7.1.0-6.5.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    libvirt-7.1.0-6.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Gianluca Gabrielli 2021-11-12 10:21:01 UTC
released