Bugzilla – Bug 1174955
VUL-0: CVE-2020-15708: libvirt: Arbitrary File Write Privilege Escalation Vulnerability in service file
Last modified: 2021-01-27 17:05:41 UTC
CVE-2020-15708 Libvirt Service Arbitrary File Write Privilege Escalation Vulnerability
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15708
http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-15708.html
Ubuntu patch: https://git.launchpad.net/ubuntu/+source/libvirt/commit/?id=d6e88be2ac27a510efdd21c3917621730c9d8c78
only affects SLE15-SP2, Leap 15.2 and Tumbleweed.
(In reply to Robert Frohl from comment #2)
> only affects SLE15-SP2, Leap 15.2 and Tumbleweed.

SUSE distros are not affected since we use polkit auth out-of-the-box. Even RO operations like 'list' require the root password when invoked by normal users:

    skifaster@virt82:~> virsh -c qemu:///system list --all
    ==== AUTHENTICATING FOR org.libvirt.unix.manage ====
    System policy prevents management of local virtualized systems
    Authenticating as: root
    Password:
    ==== AUTHENTICATION COMPLETE ====
     Id   Name        State
    ---------------------------
     2    rancherOS   running

The admin must disable polkit auth in /etc/libvirt/libvirtd.conf by setting auth_unix_{ro,rw} to 'none' to trigger the issue, at which point they should also set appropriate permissions on the sockets. IMO we can close this as INVALID.
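An added audit check for the configuration described in the comment above; it is not part of this bug thread or of libvirt's own tooling. It assumes libvirtd.conf's key = "value" syntax and the template defaults auth_unix_rw = "polkit" and unix_sock_rw_perms = "0700", and runs against two constructed sample configs rather than a real host.

```shell
#!/bin/sh
# conf_value FILE KEY: print the last uncommented value of KEY = "value".
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# check_libvirtd_conf FILE: print a verdict and return 0 (acceptable) or
# 1 (polkit off on the rw socket AND its mode lets "other" write to it).
# Absent keys take the libvirtd.conf template defaults (assumption):
# auth_unix_rw = "polkit", unix_sock_rw_perms = "0700".
check_libvirtd_conf() {
    auth_rw=$(conf_value "$1" auth_unix_rw)
    perms_rw=$(conf_value "$1" unix_sock_rw_perms)
    : "${auth_rw:=polkit}"
    : "${perms_rw:=0700}"
    other=$(printf '%s' "$perms_rw" | tail -c 1)    # octal digit for "other"
    if [ "$auth_rw" != none ]; then
        echo "OK: auth_unix_rw=$auth_rw still guards the rw socket"
        return 0
    fi
    case "$other" in
        [2367])  # write bit set for everyone: any local user can drive libvirtd
            echo "RISKY: auth_unix_rw=none with world-writable rw socket (mode $perms_rw)"
            return 1 ;;
    esac
    echo "WARN: auth_unix_rw=none; only unix_sock_group/perms ($perms_rw) limit access"
    return 0
}

# Constructed sample configs (not taken from any real host).
RISKY_CONF=$(mktemp); SAFE_CONF=$(mktemp)
trap 'rm -f "$RISKY_CONF" "$SAFE_CONF"' EXIT
cat > "$RISKY_CONF" <<'EOF'
#auth_unix_rw = "polkit"
auth_unix_rw = "none"
unix_sock_rw_perms = "0777"
EOF
cat > "$SAFE_CONF" <<'EOF'
auth_unix_rw = "polkit"
unix_sock_rw_perms = "0770"
EOF

for conf in "$RISKY_CONF" "$SAFE_CONF"; do
    check_libvirtd_conf "$conf" || echo "  -> re-enable polkit or tighten unix_sock_rw_perms"
done
```

Point it at /etc/libvirt/libvirtd.conf on a real host to see which of the three verdicts applies there.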
FYI, a patch was posted upstream that for us (SUSE) provides a slight improvement in the comments regarding authorization and socket permissions in libvirtd.conf:
https://www.redhat.com/archives/libvir-list/2020-August/msg00360.html
I can add the patch, which again would be a doc change only, to SLE15 SP2 and Factory if you would like.
I asked rather indirect questions in #3 and #4 but didn't set needinfo. I'll do so now and ask more directly: Should we add the patch mentioned in #4 (which is a doc-only patch for us) or just close the bug as invalid?
(In reply to James Fehlig from comment #5)
> I asked rather indirect questions in #3 and #4 but didn't set needinfo. I'll
> do so now and ask more directly: Should we add the patch mentioned in #4
> (which is a doc-only patch for us) or just close the bug as invalid?

I think it would be a good idea to take that patch, so that users are aware of the risks involved with turning off polkit. I will go ahead and change our tracking, because we are not affected by default.
(In reply to Robert Frohl from comment #6)
> I think it would be a good idea to take that patch, so that users are aware
> of the risks involved with turning off polkit.

In the end what was committed upstream is a bit more involved:
https://gitlab.com/libvirt/libvirt/-/commit/b196f8fcdddd08194f267b7a02d8541a653d894a
To backport all of the patch requires changing the meson bits to autotools. Upstream libvirt recently ditched autotools in favor of meson but all supported SLE products have older libvirt that still uses autotools. Even the improved comments in libvirtd.conf assume the build-time bits of the patch are present. Here are some options, please let me know what you prefer:
1. Backport full patch functionality by porting the meson parts to autotools
2. Write a downstream patch for the older libvirts in our supported products that simply warns of the perils of disabling polkit auth.
3. Do nothing for existing products and get the improvement in SLE15 SP3 as we update libvirt.
If 1 or 2 is preferred, follow up question: How far back do you want the fix? I mean, do we care about a doc patch for old LTSS stuff? :-)
@Marcus: What do you think? Is it worth the effort for something that is not an issue by default? Maybe just fixing it in newer versions of SLE/openSUSE would be sufficient?
What the patch does is basically what we currently have, and it only makes it adjustable. It does not mitigate the problem in another way, it just brings either polkit enabled with mode 666 or "no polkit" with user based access settings. I think we can document that our current setup is safe, perhaps add some strong words to our libvirt.conf, similar to the referenced patch. But no need to backport this meson thing.
Created attachment 842434: doc patch for libvirtd.conf
I've added the patch in #11 to the SLE12 SP5 and SLE15 SP{1,2} libvirt packages and submitted for maintenance. The Factory and SLE15 SP3 libvirt packages got the upstream variant referenced in #7. IMO it is sufficient to "fix" the bug in these distros, but feel free to reassign back to me if you disagree :-).
While working on CVE-2020-25637, I continued backporting the doc fix in this bug to SLE15 GA and SLE12 SP{2,3,4}. All submitted now. Enjoy! :-)
SUSE-SU-2020:2969-1: An update that solves two vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1171701,1174955,1177155
CVE References: CVE-2020-15708,CVE-2020-25637
JIRA References:
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src): libvirt-4.0.0-9.35.1
SUSE Linux Enterprise Server 15-LTSS (src): libvirt-4.0.0-9.35.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): libvirt-4.0.0-9.35.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): libvirt-4.0.0-9.35.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:2970-1: An update that solves two vulnerabilities and has four fixes is now available.
Category: security (important)
Bug References: 1173157,1174139,1174955,1175465,1176430,1177155
CVE References: CVE-2020-15708,CVE-2020-25637
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src): libvirt-6.0.0-13.8.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): libvirt-6.0.0-13.8.1
SUSE-SU-2020:3037-1: An update that solves two vulnerabilities and has four fixes is now available.
Category: security (important)
Bug References: 1174955,1175465,1175574,1176430,1177155,1177480
CVE References: CVE-2020-15708,CVE-2020-25637
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): libvirt-5.1.0-8.24.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): libvirt-5.1.0-8.24.1
SUSE-SU-2020:3038-1: An update that solves two vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1171701,1174955,1177155
CVE References: CVE-2020-15708,CVE-2020-25637
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): libvirt-4.0.0-8.23.1
SUSE OpenStack Cloud 9 (src): libvirt-4.0.0-8.23.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src): libvirt-4.0.0-8.23.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src): libvirt-4.0.0-8.23.1
SUSE-SU-2020:3039-1: An update that solves two vulnerabilities and has three fixes is now available.
Category: security (important)
Bug References: 1174955,1175574,1176430,1177155,1177480
CVE References: CVE-2020-15708,CVE-2020-25637
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): libvirt-5.1.0-13.19.1
SUSE Linux Enterprise Server 12-SP5 (src): libvirt-5.1.0-13.19.1
SUSE-SU-2020:3095-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 1174955,1177155
CVE References: CVE-2020-15708,CVE-2020-25637
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): libvirt-3.3.0-5.46.1
SUSE OpenStack Cloud 8 (src): libvirt-3.3.0-5.46.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src): libvirt-3.3.0-5.46.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src): libvirt-3.3.0-5.46.1
SUSE Linux Enterprise Server 12-SP3-BCL (src): libvirt-3.3.0-5.46.1
SUSE Enterprise Storage 5 (src): libvirt-3.3.0-5.46.1
HPE Helion Openstack 8 (src): libvirt-3.3.0-5.46.1
openSUSE-SU-2020:1778-1: An update that solves two vulnerabilities and has four fixes is now available.
Category: security (important)
Bug References: 1174955,1175465,1175574,1176430,1177155,1177480
CVE References: CVE-2020-15708,CVE-2020-25637
JIRA References:
Sources used:
openSUSE Leap 15.1 (src): libvirt-5.1.0-lp151.7.10.1
openSUSE-SU-2020:1777-1: An update that solves two vulnerabilities and has four fixes is now available.
Category: security (important)
Bug References: 1173157,1174139,1174955,1175465,1176430,1177155
CVE References: CVE-2020-15708,CVE-2020-25637
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): libvirt-6.0.0-lp152.9.6.2
SUSE-SU-2020:3143-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 1174955,1177155
CVE References: CVE-2020-15708,CVE-2020-25637
JIRA References:
Sources used:
SUSE OpenStack Cloud 7 (src): libvirt-2.0.0-27.64.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src): libvirt-2.0.0-27.64.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src): libvirt-2.0.0-27.64.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): libvirt-2.0.0-27.64.1
DONE