Bugzilla – Bug 1134348
VUL-0: CVE-2019-10132: libvirt: too lax systemd socket permissions
Last modified: 2020-05-06 14:45:36 UTC
via libvirt-security@redhat.com
from Daniel Berrangé
CRD: 2019-05-21 12:00UTC

Hi Folks,

We have a significant security flaw in systemd socket config

Libvirt >= 4.1.0 ships two systemd units

  virtlockd-admin.socket
  virtlogd-admin.socket

Unfortunately the SocketMode parameter is not set in these .socket units, and thus they are mode 0666. Double unfortunately is that the code doesn't do any checking on the clients either.

The missing SocketMode parameter also applies to the main sockets

  virtlockd.socket
  virtlogd.socket

however in this case the code does validate the client UID and drops unexpected users.

IOW, any user on the host can connect to

  /var/run/libvirt/virtlockd-admin-sock
  /var/run/libvirt/virtlogd-admin-sock

These are for performing administrative actions against the virtlockd and virtlogd daemons. These sockets allow changing logging settings, force disconnecting clients, changing client limits amongst other things.

The logging setting is a big problem - you can tell the daemon to open an arbitrary file and write to it:

  $ id -u
  501
  $ virt-admin -c virtlogd:///system
  Welcome to virt-admin, the administrating virtualization interactive terminal.

  Type: 'help' for help with commands
        'quit' to quit

  virt-admin # daemon-log-outputs 1:file:/root/wibble.txt
  virt-admin # daemon-log-filters 1:event
  $ su -
  Password:
  # ls -al wibble.txt
  -rw-------. 1 root root 10784 Apr 30 17:39 wibble.txt

The only plus side is that our SELinux policy appears to block the exploitation of this in virtlogd. eg if I put in enforcing mode, I'm unable to successfully connect

  $ virt-admin -c virtlogd:///system
  error: Failed to connect to the admin server
  error: Failed to open file '/proc/23763/stat': Permission denied

SELinux would also restrict what could be opened as a log file for the virtlogd service. The policy for virtlockd is not so strict iiuc though, so doesn't block it.

Note that virtlogd-admin.socket is not active by default, but gets started automatically when virtlogd.service is triggered which will happen when any guest VM is started.

virtlockd-admin.socket is similarly activated by virtlockd.service, fortunately usage of virtlockd is not enabled in libvirt by default so nothing will activate it unless the admin explicitly turned on use of virtlockd.

In keeping with our policy I'm suggesting no more than 2 weeks embargo time. So a "go public" date of May 21st, 1200 UTC

I'm attaching my three proposed patches for review. The first patch fixes the root cause security hole in the admin service. The second and third patches provide a second line of defence.

Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
Created attachment 804397: 0001-admin-reject-clients-unless-their-UID-matches-the-cu.patch
Created attachment 804398: 0002-locking-restrict-sockets-to-mode-0600.patch
Created attachment 804399: 0003-logging-restrict-sockets-to-mode-0600.patch
The damage isn't too bad since only SLE15 SP1, SLE12 SP5, and Factory are affected. I'll prepare the patches (which in the meantime have been ACKed on the libvirt-security list) now since the CRD is shortly after I return from vacation.
Libvirt Security Notice: LSN-2019-0003
======================================

      Summary: Insecure permissions for systemd socket for virtlockd/virtlogd
  Reported on: 20190430
 Published on: 20190421
     Fixed on: 20190421
  Reported by: Daniel P. Berrangé <berrange@redhat.com>
   Patched by: Daniel P. Berrangé <berrange@redhat.com>
     See also: CVE-2019-10132

Description
-----------

The virtlockd-admin.socket and virtlogd-admin.socket unit files do not set the SocketMode parameter and thus create a world accessible UNIX domain socket. Furthermore the code fails to validate the identity of clients connecting to these sockets.

Impact
------

An unprivileged user is able to connect to the virtlockd or virtlogd daemons and use the administrative RPC commands to elevate their privileges.

Workaround
----------

Disable the virtlockd-admin.socket and virtlogd-admin.socket units in systemd. Alternatively, customize them to add SocketMode=0600 locally.

Affected product
----------------

Name: libvirt
Repository: git://libvirt.org/git/libvirt.git
            http://libvirt.org/git/?p=libvirt.git

Branch: master
  Broken in: v4.1.0
  Broken in: v4.2.0
  Broken in: v4.3.0
  Broken in: v4.4.0
  Broken in: v4.5.0
  Broken in: v4.6.0
  Broken in: v4.7.0
  Broken in: v4.8.0
  Broken in: v4.9.0
  Broken in: v4.10.0
  Broken in: v5.0.0
  Broken in: v5.1.0
  Broken in: v5.2.0
  Broken in: v5.3.0
  Broken by: 85d45ff05db4a41ac3678ee0d4457b6b3323597e
  Broken by: ce7ae55ea1113bc574c5b5a61828e67fbd0e506f

Branch: v4.1-maint
  Broken by: 85d45ff05db4a41ac3678ee0d4457b6b3323597e
  Broken by: ce7ae55ea1113bc574c5b5a61828e67fbd0e506f

Branch: v4.5-maint
  Broken by: 85d45ff05db4a41ac3678ee0d4457b6b3323597e
  Broken by: ce7ae55ea1113bc574c5b5a61828e67fbd0e506f

Branch: v5.1.0-maint
  Broken by: 85d45ff05db4a41ac3678ee0d4457b6b3323597e
  Broken by: ce7ae55ea1113bc574c5b5a61828e67fbd0e506f
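The workaround in the notice above depends on knowing which .socket units end up accessible beyond their owner. As an added example (not part of the notice or of libvirt), this POSIX shell script reports the mode systemd will apply to a unit file and lists units whose socket is open to group or other; the function names and the two sample unit files are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag systemd .socket units whose socket is reachable by
# group/other, the condition described for CVE-2019-10132.

# Print the SocketMode a unit file yields. systemd applies 0666 when the
# [Socket] section has no SocketMode= line.
effective_socket_mode() {
    awk '
        /^\[/ { in_socket = ($0 == "[Socket]"); next }
        in_socket && /^[ \t]*SocketMode[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); mode = $0
        }
        END { print (mode == "" ? "0666" : mode) }
    ' "$1"
}

# Exit 0 if group or other have any access, 1 if owner-only, 2 if unparsable.
socket_unit_is_exposed() {
    mode=$(effective_socket_mode "$1")
    case $mode in ''|*[!0-7]*) return 2 ;; esac
    [ $(( 0$mode & 077 )) -ne 0 ]
}

# List exposed units in a directory, one "name mode" pair per line.
audit_socket_units() {
    for unit in "$1"/*.socket; do
        [ -f "$unit" ] || continue
        if socket_unit_is_exposed "$unit"; then
            echo "$(basename "$unit") $(effective_socket_mode "$unit")"
        fi
    done
}

# Constructed sample units (not libvirt's shipped files): one without
# SocketMode as described in the report, one with the workaround applied.
make_sample_units() {
    printf '[Socket]\nListenStream=/var/run/libvirt/virtlogd-admin-sock\n' \
        > "$1/virtlogd-admin.socket"
    printf '[Socket]\nListenStream=/var/run/libvirt/virtlockd-admin-sock\nSocketMode=0600\n' \
        > "$1/virtlockd-admin.socket"
}

demo_dir=$(mktemp -d)
make_sample_units "$demo_dir"
audit_socket_units "$demo_dir"
rm -rf "$demo_dir"
```

This check reads one unit file at a time and does not merge drop-ins; on a live host, `systemctl show -p SocketMode virtlogd-admin.socket` reports the value systemd actually uses.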
Created attachment 804745: 0001-admin-reject-clients-unless-their-UID-matches-the-cu.patch (last version)
Created attachment 804746: 0002-locking-restrict-sockets-to-mode-0600.patch (current version)
Created attachment 804747: 0003-logging-restrict-sockets-to-mode-0600.patch
No longer embargoed.
Patches have been submitted for SLE12 SP5, SLE15 SP1, and Factory. Bug is done from my perspective.
SUSE-SU-2019:1490-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1111331,1133229,1134348,1135273,1136109
CVE References: CVE-2018-12126,CVE-2018-12127,CVE-2018-12130,CVE-2019-10132,CVE-2019-11091
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): libvirt-5.1.0-8.3.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): libvirt-5.1.0-8.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): libvirt-5.1.0-8.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done