Bugzilla – Bug 1140402
VUL-1: CVE-2019-13164: kvm,qemu: qemu-bridge-helper ACL can be bypassed when names are too long
Last modified: 2021-05-27 12:47:57 UTC
CVE-2019-13164

It was discovered that the Access Control List (ACL) implemented by the qemu-bridge-helper program could be bypassed in particular cases when the bridge interface names are as long as IFNAMSIZ-1, i.e. 15 characters. If the ACL specified in the /etc/qemu-kvm/bridge.conf file denies access to a bridge interface with a name of length IFNAMSIZ-1, but allows all other interfaces, it is possible for a local attacker to use qemu-bridge-helper to create a tap device and attach it to a denied bridge interface, thus bypassing the ACL. This could be used by the attacker to get access to confidential data transmitted on the bridge.

Upstream patch:
---------------
-> https://lists.gnu.org/archive/html/qemu-devel/2019-07/msg00245.html

Reference:
----------
-> https://www.openwall.com/lists/oss-security/2019/07/02/2

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1722559
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13164
http://seclists.org/oss-sec/2019/q3/4
http://www.openwall.com/lists/oss-security/2019/07/02/2
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13164.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13164
https://lists.gnu.org/archive/html/qemu-devel/2019-07/msg00245.html
https://lists.gnu.org/archive/html/qemu-devel/2019-07/msg00145.html
The fix for this issue can be found in comment 0. It consists of 3 patches. It seems that the issue was introduced with the commit at [1]. Based on this, all versions of qemu from version 1.1 are affected.

Tracked the following codestreams as affected:
KVM:  SLE11-SP3 and SLE11-SP4
QEMU: SLE12-GA,SP1,SP2,SP3,SP4
      SLE15-GA,SP1

[1] https://github.com/qemu/qemu/commit/bdef79a2994d6f0383e07e9597675711662b3031
Steps to reproduce on openSUSE Tumbleweed:

1. Add network bridges:
   brctl addbr testbridge
   brctl addbr verylongbridgename

2. /etc/qemu/bridge.conf:
   allow all
   deny testbridge
   deny verylongbridgename

3. As a user in the group "kvm", launch qemu:

3.1. qemu-kvm -net bridge,br=testbridge [...]
     OKAY. This fails, as it should.

3.2. qemu-kvm -net bridge,br=verylongbridgename [...]
     BAD. This succeeds, but it shouldn't. The user now has a VM attached to the bridge "verylongbridgename" and can listen in on traffic.
The fix is not merged upstream yet, but I will start a downstream backport since the fix code is minimal and quite independent of other parts.
Backports have been merged into our SLE11 SP3-SP4, SLE12 GA-SP4 and SLE15 GA-SP1 Virt branches. Still waiting for the upstream version though.
SUSE-SU-2019:2192-1: An update that solves four vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1128106,1133031,1134883,1135210,1135902,1136540,1136778,1138534,1140402,1143794,1144087
CVE References: CVE-2019-12155,CVE-2019-13164,CVE-2019-14378,CVE-2019-5008
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): qemu-3.1.1-9.3.3
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): qemu-3.1.1-9.3.3, qemu-linux-user-3.1.1-9.3.2, qemu-testsuite-3.1.1-9.3.4
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): qemu-3.1.1-9.3.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:14151-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1135902,1140402,1143794
CVE References: CVE-2019-12155,CVE-2019-13164,CVE-2019-14378
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src): kvm-1.4.2-60.27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Fix is merged into upstream now, same as the fix I used in our branch, so move it to security team.

commit 6f5d8671225dc77190647f18a27a0d156d4ca97a
Author: Prasad J Pandit <pjp@fedoraproject.org>
Date:   Tue Jul 23 16:17:52 2019 +0530

    qemu-bridge-helper: restrict interface name to IFNAMSIZ

    The network interface name in Linux is defined to be of size
    IFNAMSIZ(=16), including the terminating null('\0') byte.
    The same is applied to interface names read from 'bridge.conf'
    file to form ACL rules. If user supplied '--br=bridge' name is
    not restricted to the same length, it could lead to ACL bypass
    issue. Restrict interface name to IFNAMSIZ, including null byte.
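To make the mechanism described in comment 0, the reproduction steps and the commit message above concrete, here is an added, constructed model of the helper's ACL decision (not QEMU's own code). It assumes the three-rule bridge.conf from the reproduction steps and models two things: rule names from bridge.conf are stored in an IFNAMSIZ buffer and so lose everything past 15 characters, while the --br= name was compared unrestricted; and the kernel truncates ifr_name to IFNAMSIZ-1 when the tap is attached, so the interface actually used is the denied one. The fixed variant applies the length check the upstream commit adds.

```c
#include <stdio.h>
#include <string.h>
#define IFNAMSIZ 16   /* Linux value, counting the terminating NUL byte */

/* Constructed model of qemu-bridge-helper's ACL logic; not QEMU's own code. */
enum acl_type { ACL_ALLOW_ALL, ACL_ALLOW, ACL_DENY_ALL, ACL_DENY };
struct acl_rule { enum acl_type type; char iface[IFNAMSIZ]; };

/* bridge.conf names land in a fixed IFNAMSIZ buffer, so a longer name is
 * silently cut to IFNAMSIZ-1 (15) characters when the rule is parsed. */
static void make_rule(struct acl_rule *r, enum acl_type t, const char *name)
{ r->type = t; snprintf(r->iface, IFNAMSIZ, "%s", name); }

/* Vulnerable decision: an allow rule must match and no deny rule may.
 * 'bridge' is the --br= argument, which was never length-checked. */
static int acl_allows(const struct acl_rule *r, int n, const char *bridge)
{
    int allowed = 0, denied = 0;
    for (int i = 0; i < n; i++) {
        switch (r[i].type) {
        case ACL_ALLOW_ALL: allowed = 1; break;
        case ACL_DENY_ALL:  denied = 1;  break;
        case ACL_ALLOW: if (!strcmp(bridge, r[i].iface)) allowed = 1; break;
        case ACL_DENY:  if (!strcmp(bridge, r[i].iface)) denied = 1;  break;
        }
    }
    return allowed && !denied;
}

/* Fixed decision (upstream commit): refuse names that do not fit in IFNAMSIZ
 * with the NUL, so the name checked is the name the kernel will see. */
static int acl_allows_fixed(const struct acl_rule *r, int n, const char *bridge)
{
    return strlen(bridge) < IFNAMSIZ && acl_allows(r, n, bridge);
}

/* Runs the bridge.conf from the reproduction steps against one --br= value.
 * 'attached' receives the name the kernel would act on: the ioctl ifr_name
 * is cut to IFNAMSIZ-1 characters regardless of what the caller passed. */
static int demo(const char *br, int fixed, char attached[IFNAMSIZ])
{
    struct acl_rule rules[3];
    make_rule(&rules[0], ACL_ALLOW_ALL, "all");
    make_rule(&rules[1], ACL_DENY, "testbridge");
    make_rule(&rules[2], ACL_DENY, "verylongbridgename");
    strncpy(attached, br, IFNAMSIZ - 1);
    attached[IFNAMSIZ - 1] = '\0';
    return fixed ? acl_allows_fixed(rules, 3, br) : acl_allows(rules, 3, br);
}
```

With the vulnerable decision, "verylongbridgename" passes the ACL because the stored deny rule reads "verylongbridgen", yet the kernel attaches the tap to exactly that 15-character bridge; the fixed decision rejects the over-long name before the ACL is consulted.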
SUSE-SU-2019:2221-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1135902,1140402,1143794
CVE References: CVE-2019-12155,CVE-2019-13164,CVE-2019-14378
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src): qemu-2.3.1-33.26.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src): qemu-2.3.1-33.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:2246-1: An update that solves three vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1079730,1098403,1111025,1119115,1134883,1135902,1136540,1136778,1140402,1143794
CVE References: CVE-2019-12155,CVE-2019-13164,CVE-2019-14378
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src): qemu-2.11.2-9.28.3
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): qemu-2.11.2-9.28.3, qemu-linux-user-2.11.2-9.28.2
SUSE Linux Enterprise Module for Basesystem 15 (src): qemu-2.11.2-9.28.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:2041-1: An update that solves four vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1128106,1133031,1134883,1135210,1135902,1136540,1136778,1138534,1140402,1143794,1144087
CVE References: CVE-2019-12155,CVE-2019-13164,CVE-2019-14378,CVE-2019-5008
Sources used:
openSUSE Leap 15.1 (src): qemu-3.1.1-lp151.7.3.3, qemu-linux-user-3.1.1-lp151.7.3.2, qemu-testsuite-3.1.1-lp151.7.3.3
openSUSE-SU-2019:2059-1: An update that solves three vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1079730,1098403,1111025,1119115,1134883,1135902,1136540,1136778,1140402,1143794
CVE References: CVE-2019-12155,CVE-2019-13164,CVE-2019-14378
Sources used:
openSUSE Leap 15.0 (src): qemu-2.11.2-lp150.7.25.1
SUSE-SU-2019:2278-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1127077,1135902,1139926,1140402,1143794
CVE References: CVE-2019-12155,CVE-2019-13164,CVE-2019-14378
Sources used:
SUSE CaaS Platform 3.0 (src): qemu-2.9.1-6.41.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:2157-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1135902,1140402,1143794
CVE References: CVE-2019-12155,CVE-2019-13164,CVE-2019-14378
Sources used:
SUSE OpenStack Cloud 7 (src): qemu-2.6.2-41.55.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src): qemu-2.6.2-41.55.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src): qemu-2.6.2-41.55.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): qemu-2.6.2-41.55.1
SUSE Enterprise Storage 4 (src): qemu-2.6.2-41.55.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:2353-1: An update that solves three vulnerabilities and has 9 fixes is now available.

Category: security (important)
Bug References: 1079730,1098403,1111025,1127077,1134880,1135902,1136528,1136777,1139926,1140402,1141043,1143794
CVE References: CVE-2019-12155,CVE-2019-13164,CVE-2019-14378
Sources used:
SUSE Linux Enterprise Server 12-SP4 (src): qemu-2.11.2-5.18.1
SUSE Linux Enterprise Desktop 12-SP4 (src): qemu-2.11.2-5.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.