Bug 1134348 (CVE-2019-10132) - VUL-0: CVE-2019-10132: libvirt: too lax systemd socket permissions
Summary: VUL-0: CVE-2019-10132: libvirt: too lax systemd socket permissions
Status: RESOLVED FIXED
Alias: CVE-2019-10132
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/232334/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-05-07 15:58 UTC by Marcus Meissner
Modified: 2020-05-06 14:45 UTC
CC List: 2 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
0001-admin-reject-clients-unless-their-UID-matches-the-cu.patch (1.90 KB, patch)
2019-05-07 15:58 UTC, Marcus Meissner
0002-locking-restrict-sockets-to-mode-0600.patch (1.57 KB, patch)
2019-05-07 15:58 UTC, Marcus Meissner
0003-logging-restrict-sockets-to-mode-0600.patch (1.56 KB, patch)
2019-05-07 15:58 UTC, Marcus Meissner
0001-admin-reject-clients-unless-their-UID-matches-the-cu.patch (1.91 KB, patch)
2019-05-10 14:14 UTC, Marcus Meissner
0002-locking-restrict-sockets-to-mode-0600.patch (1.62 KB, patch)
2019-05-10 14:15 UTC, Marcus Meissner
0003-logging-restrict-sockets-to-mode-0600.patch (1.60 KB, patch)
2019-05-10 14:15 UTC, Marcus Meissner

Description Marcus Meissner 2019-05-07 15:58:01 UTC
via libvirt-security@redhat.com from Daniel Berrangé

CRD: 2019-05-21 12:00UTC


Hi Folks,

We have a significant security flaw in systemd socket config

Libvirt >= 4.1.0 ships two systemd units

   virtlockd-admin.socket
   virtlogd-admin.socket

Unfortunately the SocketMode parameter is not set in these .socket
units, and thus they are mode 0666. Double unfortunately is that
the code doesn't do any checking on the clients either.

The missing SocketMode parameter also applies to the main sockets

   virtlockd.socket
   virtlogd.socket

however in this case the code does validate the client UID and
drops unexpected users.

IOW, any user on the host can connect to

  /var/run/libvirt/virtlockd-admin-sock
  /var/run/libvirt/virtlogd-admin-sock

These are for performing administrative actions against the virtlockd
and virtlogd daemons. These sockets allow changing logging settings,
force disconnecting clients, changing client limits amongst other
things.

The logging setting is a big problem - you can tell the daemon to
open an arbitrary file and write to it:

$ id -u
501
$ virt-admin -c virtlogd:///system
Welcome to virt-admin, the administrating virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

virt-admin # daemon-log-outputs 1:file:/root/wibble.txt

virt-admin # daemon-log-filters 1:event

$ su -
Password:
# ls -al wibble.txt
-rw-------. 1 root root 10784 Apr 30 17:39 wibble.txt

The only plus side is that our SELinux policy appears to block the
exploitation of this in virtlogd.

e.g. if I put it in enforcing mode, I'm unable to successfully connect

  $ virt-admin -c virtlogd:///system
  error: Failed to connect to the admin server
  error: Failed to open file '/proc/23763/stat': Permission denied

SELinux would also restrict what could be opened as a log file
for the virtlogd service. The policy for virtlockd is not so
strict iiuc though, so doesn't block it.

Note that virtlogd-admin.socket is not active by default, but
gets started automatically when virtlogd.service is triggered
which will happen when any guest VM is started.

virtlockd-admin.socket is similarly activated by virtlockd.service;
fortunately, usage of virtlockd is not enabled in libvirt by default,
so nothing will activate it unless the admin explicitly turned on
use of virtlockd.

In keeping with our policy I'm suggesting no more than 2 weeks
embargo time.

So a "go public" date of May 21st, 1200 UTC

I'm attaching my three proposed patches for review. The first patch fixes
the root cause security hole in the admin service. The second and third
patches provide a second line of defence.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
Comment 1 Marcus Meissner 2019-05-07 15:58:17 UTC
Created attachment 804397
0001-admin-reject-clients-unless-their-UID-matches-the-cu.patch
Comment 2 Marcus Meissner 2019-05-07 15:58:30 UTC
Created attachment 804398
0002-locking-restrict-sockets-to-mode-0600.patch
Comment 3 Marcus Meissner 2019-05-07 15:58:44 UTC
Created attachment 804399
0003-logging-restrict-sockets-to-mode-0600.patch
Comment 4 James Fehlig 2019-05-09 16:29:26 UTC
The damage isn't too bad since only SLE15 SP1, SLE12 SP5, and Factory are affected.

I'll prepare the patches (which in the meantime have been ACKed on the libvirt-security list) now since the CRD is shortly after I return from vacation.
Comment 6 Marcus Meissner 2019-05-10 14:13:17 UTC
        Libvirt Security Notice: LSN-2019-0003
        ======================================

       Summary: Insecure permissions for systemd socket for
                virtlockd/virtlogd
   Reported on: 20190430
  Published on: 20190421
      Fixed on: 20190421
   Reported by: Daniel P. Berrangé <berrange@redhat.com>
    Patched by: Daniel P. Berrangé <berrange@redhat.com>
      See also: CVE-2019-10132

Description
-----------

The virtlockd-admin.socket and virtlogd-admin.socket unit files do
not set the SocketMode parameter and thus create a world accessible
UNIX domain socket. Furthermore the code fails to validate the
identity of clients connecting to these sockets.

Impact
------

An unprivileged user is able to connect to the virtlockd or virtlogd
daemons and use the administrative RPC commands to elevate their
privileges.

Workaround
----------

Disable the virtlockd-admin.socket and virtlogd-admin.socket units
in systemd. Alternatively, customize them to add SocketMode=0600
locally.

Affected product
----------------

        Name: libvirt
  Repository: git://libvirt.org/git/libvirt.git
              http://libvirt.org/git/?p=libvirt.git

      Branch: master
   Broken in: v4.1.0
   Broken in: v4.2.0
   Broken in: v4.3.0
   Broken in: v4.4.0
   Broken in: v4.5.0
   Broken in: v4.6.0
   Broken in: v4.7.0
   Broken in: v4.8.0
   Broken in: v4.9.0
   Broken in: v4.10.0
   Broken in: v5.0.0
   Broken in: v5.1.0
   Broken in: v5.2.0
   Broken in: v5.3.0
   Broken by: 85d45ff05db4a41ac3678ee0d4457b6b3323597e
   Broken by: ce7ae55ea1113bc574c5b5a61828e67fbd0e506f

      Branch: v4.1-maint
   Broken by: 85d45ff05db4a41ac3678ee0d4457b6b3323597e
   Broken by: ce7ae55ea1113bc574c5b5a61828e67fbd0e506f

      Branch: v4.5-maint
   Broken by: 85d45ff05db4a41ac3678ee0d4457b6b3323597e
   Broken by: ce7ae55ea1113bc574c5b5a61828e67fbd0e506f

      Branch: v5.1.0-maint
   Broken by: 85d45ff05db4a41ac3678ee0d4457b6b3323597e
   Broken by: ce7ae55ea1113bc574c5b5a61828e67fbd0e506f
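As an added illustration of the workaround in the notice above (example code, not libvirt's or SUSE's own), the following POSIX shell script audits .socket units for a missing or world-accessible SocketMode and applies the SocketMode=0600 drop-in. The unit texts are constructed samples, and keeping the unit file and its <unit>.d/ drop-in directory side by side in one temporary directory is an assumption made for the demo.

```shell
#!/bin/sh
# Added example, not libvirt's or SUSE's code: audit systemd .socket units for
# filesystem (AF_UNIX) sockets whose effective SocketMode leaves them world
# accessible (the root cause of CVE-2019-10132), and apply the SocketMode=0600
# drop-in that the LSN-2019-0003 workaround suggests.
#
# Assumption: the unit file and its drop-in directory <unit>.d/ sit side by
# side under one directory (on a real host the vendor unit lives in
# /usr/lib/systemd/system and the override in /etc/systemd/system/<unit>.d/).

# socket_unit_mode UNITFILE: print the effective SocketMode, honouring drop-ins
# (later assignments win); systemd's default when it is unset is 0666.
socket_unit_mode() {
    mode=$(cat "$1" "$1".d/*.conf 2>/dev/null |
        sed -n 's/^[[:space:]]*SocketMode[[:space:]]*=[[:space:]]*//p' | tail -n 1)
    printf '%s\n' "${mode:-0666}"
}

# socket_unit_is_lax UNITFILE: succeed when the unit binds a path-based socket
# and the "other" class of its effective mode has any permission bit set.
socket_unit_is_lax() {
    grep -Eq '^[[:space:]]*Listen(Stream|Datagram|SequentialPacket)[[:space:]]*=[[:space:]]*/' "$1" ||
        return 1   # TCP and abstract sockets are out of scope for this check
    mode=$(socket_unit_mode "$1")
    other=${mode#"${mode%?}"}   # last octal digit = permissions for "other"
    [ "$other" != 0 ]
}

# write_dropin UNITFILE: create <unit>.d/override.conf with SocketMode=0600
# and print the override's path.
write_dropin() {
    mkdir -p "$1.d"
    printf '[Socket]\nSocketMode=0600\n' > "$1.d/override.conf"
    printf '%s\n' "$1.d/override.conf"
}

DEMO_DIR=$(mktemp -d)
# Constructed sample units mirroring the report (not libvirt's real unit text):
# both admin sockets listen on a path and neither sets SocketMode.
for name in virtlogd virtlockd; do
    cat > "$DEMO_DIR/$name-admin.socket" <<EOF
[Unit]
Description=$name admin socket (constructed sample)

[Socket]
ListenStream=/var/run/libvirt/$name-admin-sock
Service=$name.service
EOF
done

for u in "$DEMO_DIR"/*.socket; do
    if socket_unit_is_lax "$u"; then
        echo "LAX  $u (effective SocketMode $(socket_unit_mode "$u"))"
        write_dropin "$u" >/dev/null
        echo "     fixed via drop-in: now $(socket_unit_mode "$u")"
    else
        echo "ok   $u (effective SocketMode $(socket_unit_mode "$u"))"
    fi
done
```

On a real host the override belongs under /etc/systemd/system/<unit>.d/ and takes effect only after systemctl daemon-reload and a restart of the socket unit.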
Comment 7 Marcus Meissner 2019-05-10 14:14:55 UTC
Created attachment 804745
0001-admin-reject-clients-unless-their-UID-matches-the-cu.patch

last version
Comment 8 Marcus Meissner 2019-05-10 14:15:18 UTC
Created attachment 804746
0002-locking-restrict-sockets-to-mode-0600.patch

current version
Comment 9 Marcus Meissner 2019-05-10 14:15:33 UTC
Created attachment 804747
0003-logging-restrict-sockets-to-mode-0600.patch
Comment 11 James Fehlig 2019-05-21 17:20:09 UTC
No longer embargoed.
Comment 12 James Fehlig 2019-05-21 17:52:14 UTC
Patches have been submitted for SLE12 SP5, SLE15 SP1, and Factory. Bug is done from my perspective.
Comment 16 Swamp Workflow Management 2019-06-13 16:11:54 UTC
SUSE-SU-2019:1490-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1111331,1133229,1134348,1135273,1136109
CVE References: CVE-2018-12126,CVE-2018-12127,CVE-2018-12130,CVE-2019-10132,CVE-2019-11091
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    libvirt-5.1.0-8.3.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    libvirt-5.1.0-8.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    libvirt-5.1.0-8.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Alexandros Toptsoglou 2020-05-06 14:45:36 UTC
Done