Libvirt Security Notice: LSN-2014-0003
======================================

       Summary: Unsafe parsing of XML documents allows arbitrary file read

   Reported on: 20140411
  Published on: 20140506
      Fixed on: 20140506

   Reported by: Daniel P. Berrange
                Richard Jones
    Patched by: Daniel P. Berrange

      See also: CVE-2014-0179


Description
-----------

When parsing XML documents, libvirt passes the XML_PARSE_NOENT flag to libxml2, which instructs it to expand all entities in the XML document during parsing. This can be used to insert the contents of host OS files into the resulting parsed content.

Although the flaw was introduced in 0.0.5, it was dormant, having no ill effects, since the APIs involved all required the user to authenticate with privileges equivalent to root. In version 0.7.5 or later the virConnectCompareCPU / virConnectBaselineCPU methods activate the dormant bug, allowing for denial of service. In version 1.0.0 or later, if the admin opts in to using the new fine grained access control feature, there is potential for unprivileged information disclosure.


Impact
------

A malicious user can pass libvirt an XML document which contains an entity that points to an arbitrary file on the host. When libvirt parses this document, it will insert the contents of that host file, which could allow the user to read the contents of files that they otherwise do not have permission to view. It also has the potential to cause a denial of service / indefinite hang of libvirt, if the entity points to a named pipe with no writer connected or to certain proc files.

If the libvirt installation is not using fine grained access control, then the virConnectCompareCPU and virConnectBaselineCPU APIs can be used by a read-only user to inflict a denial of service attack.

If the libvirt installation is using fine grained access control, then as well as the denial of service attack, one or more of the following APIs can be used for information disclosure of files:

  virDomainDefineXML, virNetworkCreateXML, virNetworkDefineXML,
  virStoragePoolCreateXML, virStoragePoolDefineXML, virStorageVolCreateXML,
  virDomainCreateXML, virNodeDeviceCreateXML, virInterfaceDefineXML,
  virStorageVolCreateXMLFrom, virConnectDomainXMLFromNative,
  virConnectDomainXMLToNative, virSecretDefineXML, virNWFilterDefineXML,
  virDomainSnapshotCreateXML, virDomainSaveImageDefineXML,
  virDomainCreateXMLWithFiles, virConnectCompareCPU, virConnectBaselineCPU.


Workaround
----------

Stop use of the fine grained access control mechanism, and restrict access to all the libvirt TCP/UNIX sockets to only trusted authenticated users. Simply denying access to the affected APIs in the access control policy is insufficient to mitigate the bug, since the XML document typically needs to be parsed before the access control check is applied, in order to extract the UUID/name of the object to check.
Access to the readonly libvirt socket must also be revoked.


Affected product
----------------

          Name: libvirt
    Repository: https://gitlab.com/libvirt/libvirt

        Branch: master
     Broken in: v0.0.5, v0.1.0, v0.1.1, v0.1.3, v0.1.4, v0.1.6, v0.1.7, v0.1.8,
                v0.1.9, v0.1.10, v0.1.11, v0.2.0, v0.2.1, v0.2.2, v0.2.3,
                v0.3.0, v0.3.1, v0.3.2, v0.3.3, v0.4.1, v0.4.2, v0.4.4, v0.4.6,
                v0.5.0, v0.5.1, v0.6.0, v0.6.1, v0.6.2, v0.6.3, v0.6.4, v0.6.5,
                v0.7.0, v0.7.1, v0.7.2, v0.7.3, v0.7.4, v0.7.5, v0.7.6, v0.7.7,
                v0.8.0, v0.8.1, v0.8.2, v0.8.3, v0.8.4, v0.8.5, v0.8.6, v0.8.7,
                v0.8.8, v0.9.0, v0.9.1, v0.9.2, v0.9.3, v0.9.4, v0.9.5, v0.9.6,
                v0.9.7, v0.9.8, v0.9.9, v0.9.10, v0.9.11, v0.9.12, v0.9.13,
                v0.10.0, v0.10.1, v0.10.2, v1.0.0, v1.0.1, v1.0.2, v1.0.3,
                v1.0.4, v1.0.5, v1.0.6, v1.1.0, v1.1.1, v1.1.2, v1.1.3, v1.1.4,
                v1.2.0, v1.2.1, v1.2.2, v1.2.3, v1.2.4
      Fixed in: v1.2.5
     Broken by: 77e8b6c62c48b6346bbdb2df3e0d925852c6bf3e
     Broken by: 387941fb626d9362835aa216b4a871e18268f649
     Broken by: 0b7d2ae653f583825f6d83bfb0744673648a9833
     Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
      Fixed by: d6b27d3e4c40946efa79e91d134616b41b1666c4

        Branch: v0.8.3-maint
     Broken by: 77e8b6c62c48b6346bbdb2df3e0d925852c6bf3e
     Broken by: 387941fb626d9362835aa216b4a871e18268f649
     Broken by: 0b7d2ae653f583825f6d83bfb0744673648a9833
     Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3

        Branch: v0.9.6-maint
     Broken in: v0.9.6.1, v0.9.6.2, v0.9.6.3, v0.9.6.4
     Broken by: 77e8b6c62c48b6346bbdb2df3e0d925852c6bf3e
     Broken by: 387941fb626d9362835aa216b4a871e18268f649
     Broken by: 0b7d2ae653f583825f6d83bfb0744673648a9833
     Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
      Fixed by: be7a5de9d0c406f36efae3230e1743c613ad6945

        Branch: v0.9.11-maint
     Broken in: v0.9.11.1, v0.9.11.2, v0.9.11.3, v0.9.11.4, v0.9.11.5,
                v0.9.11.6, v0.9.11.7, v0.9.11.8, v0.9.11.9, v0.9.11.10
     Broken by: 77e8b6c62c48b6346bbdb2df3e0d925852c6bf3e
     Broken by: 387941fb626d9362835aa216b4a871e18268f649
     Broken by: 0b7d2ae653f583825f6d83bfb0744673648a9833
     Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3

        Branch: v0.9.12-maint
     Broken in: v0.9.12.1, v0.9.12.2, v0.9.12.3
     Broken by: 77e8b6c62c48b6346bbdb2df3e0d925852c6bf3e
     Broken by: 387941fb626d9362835aa216b4a871e18268f649
     Broken by: 0b7d2ae653f583825f6d83bfb0744673648a9833
     Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
      Fixed by: 022b34cee73f86b01724b5279cf626df9cca245f

        Branch: v0.10.2-maint
     Broken in: v0.10.2.1, v0.10.2.2, v0.10.2.3, v0.10.2.4, v0.10.2.5,
                v0.10.2.6, v0.10.2.7, v0.10.2.8
     Broken by: 77e8b6c62c48b6346bbdb2df3e0d925852c6bf3e
     Broken by: 387941fb626d9362835aa216b4a871e18268f649
     Broken by: 0b7d2ae653f583825f6d83bfb0744673648a9833
     Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
      Fixed by: 16d55b311ad5c3c2e61494b848b1c6ee36897476

        Branch: v1.0.0-maint
     Broken by: 77e8b6c62c48b6346bbdb2df3e0d925852c6bf3e
     Broken by: 387941fb626d9362835aa216b4a871e18268f649
     Broken by: 0b7d2ae653f583825f6d83bfb0744673648a9833
     Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3

        Branch: v1.0.1-maint
     Broken by: 77e8b6c62c48b6346bbdb2df3e0d925852c6bf3e
     Broken by: 387941fb626d9362835aa216b4a871e18268f649
     Broken by: 0b7d2ae653f583825f6d83bfb0744673648a9833
     Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3

        Branch: v1.0.2-maint
     Broken by: 77e8b6c62c48b6346bbdb2df3e0d925852c6bf3e
     Broken by: 387941fb626d9362835aa216b4a871e18268f649
     Broken by: 0b7d2ae653f583825f6d83bfb0744673648a9833
     Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
      Fixed by: 66de726e2175333bc9e0153f9ffc5f2025b199de

        Branch: v1.0.3-maint
     Broken by: 77e8b6c62c48b6346bbdb2df3e0d925852c6bf3e
     Broken by: 387941fb626d9362835aa216b4a871e18268f649
     Broken by: 0b7d2ae653f583825f6d83bfb0744673648a9833
     Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
      Fixed by: 16fc426a27d88bbdc96c307c7ef0cce25e8ae717

        Branch: v1.0.4-maint
     Broken by: 77e8b6c62c48b6346bbdb2df3e0d925852c6bf3e
     Broken by: 387941fb626d9362835aa216b4a871e18268f649
     Broken by: 0b7d2ae653f583825f6d83bfb0744673648a9833
     Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
      Fixed by: 040df62ae7fcbbead96c2f2191651daf35686986

        Branch: v1.0.5-maint
     Broken in: v1.0.5.1, v1.0.5.2, v1.0.5.3, v1.0.5.4, v1.0.5.5, v1.0.5.6,
                v1.0.5.7, v1.0.5.8, v1.0.5.9
     Broken by: 77e8b6c62c48b6346bbdb2df3e0d925852c6bf3e
     Broken by: 387941fb626d9362835aa216b4a871e18268f649
     Broken by: 0b7d2ae653f583825f6d83bfb0744673648a9833
     Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
      Fixed by: 4410a83e18c1b41f1f5d3f10a0b648fc9304bc35

        Branch: v1.0.6-maint
     Broken by: 77e8b6c62c48b6346bbdb2df3e0d925852c6bf3e
     Broken by: 387941fb626d9362835aa216b4a871e18268f649
     Broken by: 0b7d2ae653f583825f6d83bfb0744673648a9833
     Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
      Fixed by: 89538f57f4c2401d7c555299f15de17c539981c2

        Branch: v1.1.0-maint
     Broken by: 77e8b6c62c48b6346bbdb2df3e0d925852c6bf3e
     Broken by: 387941fb626d9362835aa216b4a871e18268f649
     Broken by: 0b7d2ae653f583825f6d83bfb0744673648a9833
     Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
      Fixed by: 6f4eae73a0bf3e1c5e9597e4f9a8078cad69b1e3

        Branch: v1.1.1-maint
     Broken by: 77e8b6c62c48b6346bbdb2df3e0d925852c6bf3e
     Broken by: 387941fb626d9362835aa216b4a871e18268f649
     Broken by: 0b7d2ae653f583825f6d83bfb0744673648a9833
     Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
      Fixed by: cfc94140e5989c9f3cce0fdbb758730818cb2572

        Branch: v1.1.2-maint
     Broken by: 77e8b6c62c48b6346bbdb2df3e0d925852c6bf3e
     Broken by: 387941fb626d9362835aa216b4a871e18268f649
     Broken by: 0b7d2ae653f583825f6d83bfb0744673648a9833
     Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
      Fixed by: 8fd2005cc0594742dc6cfab07a62f9774798a56d

        Branch: v1.1.3-maint
     Broken in: v1.1.3.1, v1.1.3.2, v1.1.3.3, v1.1.3.4, v1.1.3.5
      Fixed in: v1.1.3.6
     Broken by: 77e8b6c62c48b6346bbdb2df3e0d925852c6bf3e
     Broken by: 387941fb626d9362835aa216b4a871e18268f649
     Broken by: 0b7d2ae653f583825f6d83bfb0744673648a9833
     Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
      Fixed by: 46de45d079ae2622660fe147cf237ee617cc461c

        Branch: v1.1.4-maint
     Broken by: 77e8b6c62c48b6346bbdb2df3e0d925852c6bf3e
     Broken by: 387941fb626d9362835aa216b4a871e18268f649
     Broken by: 0b7d2ae653f583825f6d83bfb0744673648a9833
     Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
      Fixed by: e2b96d539f8a06e08cdf001627efe3f399db9c07

        Branch: v1.2.0-maint
     Broken by: 77e8b6c62c48b6346bbdb2df3e0d925852c6bf3e
     Broken by: 387941fb626d9362835aa216b4a871e18268f649
     Broken by: 0b7d2ae653f583825f6d83bfb0744673648a9833
     Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
      Fixed by: 9b1d09377492a4ce92498abb7cf830d693bc661c

        Branch: v1.2.1-maint
     Broken by: 77e8b6c62c48b6346bbdb2df3e0d925852c6bf3e
     Broken by: 387941fb626d9362835aa216b4a871e18268f649
     Broken by: 0b7d2ae653f583825f6d83bfb0744673648a9833
     Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
      Fixed by: 877388678a77bacf802f97de429b2b350b02eb41

        Branch: v1.2.2-maint
     Broken by: 77e8b6c62c48b6346bbdb2df3e0d925852c6bf3e
     Broken by: 387941fb626d9362835aa216b4a871e18268f649
     Broken by: 0b7d2ae653f583825f6d83bfb0744673648a9833
     Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
      Fixed by: ab07ebeb22b1d724999dc6eabc33cd6266de496f

        Branch: v1.2.3-maint
     Broken by: 77e8b6c62c48b6346bbdb2df3e0d925852c6bf3e
     Broken by: 387941fb626d9362835aa216b4a871e18268f649
     Broken by: 0b7d2ae653f583825f6d83bfb0744673648a9833
     Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
      Fixed by: a45368839fb898feb6b634df2bf337697155ea74

        Branch: v1.2.4-maint
     Broken by: 77e8b6c62c48b6346bbdb2df3e0d925852c6bf3e
     Broken by: 387941fb626d9362835aa216b4a871e18268f649
     Broken by: 0b7d2ae653f583825f6d83bfb0744673648a9833
     Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
      Fixed by: a8480e2bc0d0b1c5cd98ff7424cace3e82db5ace
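The entity substitution described above can be audited before a document reaches any parser that expands entities. The following is an added example, not code from libvirt or from this notice: it uses Python's standard-library expat bindings to list the external entities a document declares and references without resolving any of them; the libvirt-style sample document and its placeholder file path are constructed for the example.

```python
import xml.parsers.expat


def scan_external_entities(xml_text):
    """Parse xml_text with expat and report external entities without resolving them.

    Returns (declared, referenced): `declared` lists (name, system_id) for every
    <!ENTITY ... SYSTEM/PUBLIC "..."> declaration in the DTD, and `referenced`
    lists the system ids of external entities actually referenced from content.
    A parser run with libxml2's XML_PARSE_NOENT would replace each such reference
    with the content of that resource, which is the flaw this notice describes.
    """
    declared, referenced = [], []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry a literal value; external ones carry a system id.
        if system_id is not None:
            declared.append((name, system_id))

    def on_external_ref(context, base, system_id, public_id):
        referenced.append(system_id)
        return 1  # report success to expat without opening anything

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_text, True)
    return declared, referenced


def is_safe_to_expand(xml_text):
    """True when the document declares and references no external entities."""
    declared, referenced = scan_external_entities(xml_text)
    return not declared and not referenced


# Constructed sample: a libvirt-style domain document whose DTD declares one
# internal and one external entity. The path is a placeholder; nothing is read.
DOMAIN_WITH_XXE = """<?xml version="1.0"?>
<!DOCTYPE domain [
  <!ENTITY vendor "Example Corp">
  <!ENTITY leak SYSTEM "file:///PLACEHOLDER/path/on/host">
]>
<domain type="kvm">
  <name>&leak;</name>
  <description>&vendor;</description>
</domain>
"""

DOMAIN_CLEAN = '<domain type="kvm"><name>demo</name></domain>'

if __name__ == "__main__":
    for label, doc in (("xxe", DOMAIN_WITH_XXE), ("clean", DOMAIN_CLEAN)):
        print(label, scan_external_entities(doc), is_safe_to_expand(doc))
```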