Bug 1174458 (CVE-2020-14339) - VUL-0: CVE-2020-14339: libvirt: leak of /dev/mapper/control into QEMU guests
Status: RESOLVED FIXED
Alias: CVE-2020-14339
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/264154/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-14339:8.2:(AV:...
Reported: 2020-07-24 06:32 UTC by Wolfgang Frisch
Modified: 2024-05-10 08:00 UTC
Found By: Security Response Team
Description Wolfgang Frisch 2020-07-24 06:32:34 UTC
CVE-2020-14339

It was discovered that libvirt is accidentally leaking a file descriptor for /dev/mapper/control into the QEMU process. This file descriptor allows for privileged operations to be made against device mapper on the host. Thus a malicious QEMU has the potential to do serious damage to the host OS.

Upstream fix:
https://www.redhat.com/archives/libvir-list/2020-July/msg01500.html

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1860069
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14339
Comment 1 Wolfgang Frisch 2020-07-24 06:33:59 UTC
virDevMapperGetTargets was introduced in libvirt-4.3:
https://github.com/libvirt/libvirt/commit/fd9d1e686db64fa9481b9eab4dabafa46713e2cf

SUSE:SLE-12-SP5:Update   Affected
SUSE:SLE-15-SP1:Update   Affected
SUSE:SLE-15-SP2:Update   Affected
Comment 2 James Fehlig 2020-07-27 19:20:45 UTC
(In reply to Wolfgang Frisch from comment #0)
> Upstream fix:
> https://www.redhat.com/archives/libvir-list/2020-July/msg01500.html

In the end it was decided to drop the use of libdevmapper and perform the necessary ioctls from libvirt. libdevmapper is not thread safe and uses global variables - yuk. So thankfully that huge patch series was dropped in favor of this:

https://www.redhat.com/archives/libvir-list/2020-July/msg01743.html

I've backported patches 2-4 to SLE15 SP2 and will look at the other next.
Comment 3 James Fehlig 2020-07-27 22:35:23 UTC
(In reply to James Fehlig from comment #2)
> I've backported patches 2-4 to SLE15 SP2 and will look at the other next.

Although skipping patch 2 made backporting 3 a bit harder, I decided to drop patches 2 and 4 since they are unrelated to the CVE. Backporting to libvirt 5.1.0 (the version in 15 SP1 and 12 SP5) was a real PITA due to the move to glib that occurred after 5.1.0.

I'm going to post the backported patch for 15 SP1 in the bug that triggered this issue - bug#1161883. Since the backport was non-trivial, I'll have Lin review it and the customer test it in that bug.
Comment 4 James Fehlig 2020-07-30 15:12:04 UTC
(In reply to Wolfgang Frisch from comment #1)
> SUSE:SLE-12-SP5:Update   Affected
> SUSE:SLE-15-SP1:Update   Affected
> SUSE:SLE-15-SP2:Update   Affected

I've backported commit 22494556 to all of these code bases and have submitted maintenance requests. FYI a customer reported positive test results on SLE15 SP1 in bug#1161883. Passing the bug to security now...
Comment 6 Swamp Workflow Management 2020-08-13 13:22:17 UTC
SUSE-SU-2020:2233-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (important)
Bug References: 1161883,1171946,1172052,1174458
CVE References: CVE-2020-14339
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    libvirt-5.1.0-13.9.1
SUSE Linux Enterprise Server 12-SP5 (src):    libvirt-5.1.0-13.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2020-08-14 13:15:08 UTC
SUSE-SU-2020:2237-1: An update that solves one vulnerability and has four fixes is now available.

Category: security (important)
Bug References: 1161883,1167007,1171946,1172052,1174458
CVE References: CVE-2020-14339
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    libvirt-5.1.0-8.19.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    libvirt-5.1.0-8.19.1

Comment 8 Swamp Workflow Management 2020-08-18 19:14:06 UTC
SUSE-SU-2020:2269-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1161883,1174458
CVE References: CVE-2020-14339
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    libvirt-6.0.0-13.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    libvirt-6.0.0-13.3.1

Comment 9 Alexandros Toptsoglou 2020-08-27 13:46:55 UTC
Done
Comment 10 Swamp Workflow Management 2020-09-19 16:18:54 UTC
openSUSE-SU-2020:1455-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1161883,1174458
CVE References: CVE-2020-14339
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    libvirt-6.0.0-lp152.9.3.1