Libvirt Security Notice: LSN-2015-0003

denial of service through root-squash NFS storage pools

Lifecycle

Reported on: 20150814
Published on: 20150903
Fixed on: 20150903

Credits

Reported by: Han Han
Patched by: John Ferlan

See also

Description

The virStorageVolCreateXML API had a bug where it could create a volume on a root-squash NFS mount, but then fail to remove that volume if later steps of the API call encountered problems. This was further compounded by code which used a wrong conditional on whether the new volume needed to have its permissions changed, making it more likely to trigger the failed unlink attempt. Poor error handling after a failed unlink left libvirt with an inconsistent view of the storage volume that could then result in a libvirtd crash. While the libvirtd crash might be delayed until subsequent actions are taken from a read-only connection, the conditions that set up the crash can only be triggered by a client with a read-write connection.
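As an added illustration (a constructed model, not libvirt's own code), the following C program contrasts the failure-handling pattern described above with a hardened one: a volume is registered in the pool's in-memory view, a later step fails, and the cleanup unlink fails as it would on a root-squash export. The pool, volume and backend names are assumptions made for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_VOLS 8
/* Constructed model (not libvirt code): a pool holds a list of volume objects. */
typedef struct { char name[32]; } vol_t;
typedef struct { vol_t *vols[MAX_VOLS]; int nvols; int root_squash; } pool_t;
/* Simulated backend unlink: on a root-squash export the daemon's root uid is
 * squashed, so removing the file it has just created can fail with EACCES. */
static int backend_unlink(const pool_t *p) {
    if (p->root_squash) { errno = EACCES; return -1; }
    return 0;
}
/* Create a volume; later_step_fails stands for a post-create step (such as the
 * permission change) failing. Returns 0 on success, -1 on failure. */
int pool_create_vol(pool_t *p, const char *name, int later_step_fails, int hardened) {
    vol_t *v = calloc(1, sizeof(*v));
    if (!v || p->nvols == MAX_VOLS) { free(v); return -1; }
    snprintf(v->name, sizeof v->name, "%s", name);
    p->vols[p->nvols++] = v;   /* file created and registered in the pool's view */
    if (!later_step_fails)
        return 0;
    if (backend_unlink(p) < 0) {            /* failure path: remove the file */
        if (!hardened) {
            /* Buggy pattern: abandon cleanup and free the object but leave the
             * count unchanged, so the list keeps a stale entry that a later
             * (even read-only) enumeration would dereference. */
            p->vols[p->nvols - 1] = NULL;
            free(v);
            return -1;
        }
        /* Hardened: report the leftover file, but still fix the pool's view. */
        fprintf(stderr, "could not remove %s: %s\n", name, strerror(errno));
    }
    p->vols[--p->nvols] = NULL;
    free(v);
    return -1;
}
/* Run one create attempt on a fresh pool; returns the number of entries left
 * in the pool, or -1 if its view is inconsistent (a stale NULL entry). */
int run_scenario(int root_squash, int later_step_fails, int hardened) {
    pool_t p = { .root_squash = root_squash };
    pool_create_vol(&p, "vol1", later_step_fails, hardened);
    for (int i = 0; i < p.nvols; i++)
        if (p.vols[i] == NULL) return -1;
    for (int i = 0; i < p.nvols; i++) free(p.vols[i]);
    return p.nvols;
}
```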

Impact

When using fine-grained Access Control Lists (ACL), the virStorageVolCreateXML API only requires the storage_vol:create permission. A client with this privilege but lacking the more powerful domain:write permission could exploit these API bugs to cause a denial of service by crashing libvirtd. It can also be argued that the ability to make libvirt create files which it cannot delete can be used as a denial-of-service attack on storage resources.

Workaround

The problem of libvirt creating a file which it does not then clean up on error is specific to root-squash NFS, so one mitigation is to avoid the root-squash option when exporting NFS volumes for use by libvirt storage pools. Note that in general, the use of root-squash NFS does not add any real security (it makes certain tasks harder for a root user, but the root user can trivially change ids to another user to still perform those tasks). Furthermore, it is possible to prevent the denial-of-service attacks by stopping the use of the fine-grained access control mechanism (while this does not prevent a crash, such a crash is no longer a security problem as there is no longer a privilege boundary between a user creating a volume and a user with full system access).

Affected product: libvirt

Branch master
Broken in: v1.2.14
Broken in: v1.2.15
Broken in: v1.2.16
Broken in: v1.2.17
Broken in: v1.2.18
Broken in: v1.2.19
Broken by: 155ca616eb231181f6978efc9e3a1eb0eb60af8a
Broken by: 7c2d65dde2595c07d56aad1e043f7b1836592d89
Fixed by: db9277a39bc364806e8d3e08a08fc128d59b7094
Fixed by: 691dd388aee99f8b06177540303b690586d5f5b3
Fixed by: 35847860f65f92e444db9730e00cdaef45198e0c
Branch v1.2.14-maint
Broken by: 155ca616eb231181f6978efc9e3a1eb0eb60af8a
Fixed by: 605b12068392d29beb44a8ab7d6ec176d6b05237
Fixed by: 454cb7c40dbcff84192094963d71369ac7d94546
Branch v1.2.15-maint
Broken by: 155ca616eb231181f6978efc9e3a1eb0eb60af8a
Fixed by: 3c41b3ea5e68f391b8ff901082608bda5f7f3fbc
Fixed by: fe2cf73800e3be87d1d4d811facb3f2be48126e5
Branch v1.2.16-maint
Broken by: 155ca616eb231181f6978efc9e3a1eb0eb60af8a
Broken by: 7c2d65dde2595c07d56aad1e043f7b1836592d89
Fixed by: 9e48400f4606bac16b7e4db195f610928c3d5a04
Fixed by: 2f4b41861c1729ff4b754986782d7428ccdca455
Fixed by: 7f0505705c70f7eb1e435a2e7732d1a74abfadfd
Branch v1.2.17-maint
Broken by: 155ca616eb231181f6978efc9e3a1eb0eb60af8a
Broken by: 7c2d65dde2595c07d56aad1e043f7b1836592d89
Fixed by: d055989083df4bf68eb1388d327ebffb3501bb83
Fixed by: 98242f94cd181f0257535479369054f07f951b21
Fixed by: a3ee6885d95a2ce6fb7e58bb0737cfb1612e0fb7
Branch v1.2.18-maint
Broken by: 155ca616eb231181f6978efc9e3a1eb0eb60af8a
Broken by: 7c2d65dde2595c07d56aad1e043f7b1836592d89
Fixed by: e63b32e22dafd99547f82f5383fdbf58b5f651a1
Fixed by: 075eb526c9817d9d8e3a759e3fbe180d8d326dcf
Fixed by: 966cc922221be2b8cc6a9842ed0dc4cf1568a7b3
Branch v1.2.19-maint
Broken by: 155ca616eb231181f6978efc9e3a1eb0eb60af8a
Broken by: 7c2d65dde2595c07d56aad1e043f7b1836592d89
Fixed by: e0025d2967bbe3f283937216c9e2c12b6e9d1010
Fixed by: 8b1d84e640f1a6e6ebb47caf23a664e2f651b32d
Fixed by: 3468542f06f6f5dc94defa1603c6a6adea3e2da8