Libvirt Security Notice: LSN-2015-0004

ACL bypass using ../ to access beyond storage pool

Lifecycle

Reported on: 20151030
Published on: 20151211
Fixed on: 20151211

Credits

Reported by: Ossi Herrala
Joonas Kuorilehto
Patched by: Eric Blake

See also

Description

Various virStorageVol* API operate on user-supplied volume names by concatenating the volume name to the pool location. Note that the virStoragePoolListVolumes API, when used on a storage pool backed by a directory in a file system, will only list volumes immediately in that directory (there is no traversal into subdirectories). However, other APIs such as virStorageVolCreateXML were not checking if a potential volume name represented one of the volumes that could be returned by virStoragePoolListVolumes; because they were not rejecting the use of '/' in a volume name.

Impact

Because no checking was done on volume names, a user could supply a potential volume name of something like '../../../etc/passwd' to attempt to access a file not belonging to the storage pool. When fine-grained Access Control Lists (ACL) are in effect, a user with storage_vol:create ACL permission but lacking domain:write permssion could thus abuse virStorageVolCreateXML and similar APIs to gain access to files not normally permitted to that user. Fortunately, it appears that the only APIs that could leak information or corrupt files require read-write connection to libvirtd; and when ACLs are not in use (the default without any further configuration), a user with read-write access can already be considered to have full access to the machine, and without an escalation of privilege there is no security problem.

Workaround

If fine-grained ACLs must be used, administrators must consider all of the storage_vol:* permissions as equivalent to domain:write when running an impacted version of libvirt. The easiest way to prevent untrusted users from gaining unauthorized access to volumes outside of permitted pools is by disabling the use of fine-graned ACLs, and ensuring that such users do not have read-write access to libvirtd.

Affected product: libvirt

Branch master
Broken in: v1.1.0
Broken in: v1.1.1
Broken in: v1.1.2
Broken in: v1.1.3
Broken in: v1.1.4
Broken in: v1.2.0
Broken in: v1.2.1
Broken in: v1.2.2
Broken in: v1.2.3
Broken in: v1.2.4
Broken in: v1.2.5
Broken in: v1.2.6
Broken in: v1.2.7
Broken in: v1.2.8
Broken in: v1.2.9
Broken in: v1.2.10
Broken in: v1.2.11
Broken in: v1.2.12
Broken in: v1.2.13
Broken in: v1.2.14
Broken in: v1.2.15
Broken in: v1.2.16
Broken in: v1.2.17
Broken in: v1.2.18
Broken in: v1.2.19
Broken in: v1.2.20
Broken in: v1.2.20
Broken in: v1.3.0
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: 034e47c338b13a95cf02106a3af912c1c5f818d7
Branch v1.1.0-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: 14828a59eadc7221326198a8d7af817a6b8b8c13
Branch v1.1.1-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: 692ce509efa0a07f2811d0fe3b7202b020c874e0
Branch v1.1.2-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: e8643ef68c99e9f5068f6ff64ea0acab94cac7f6
Branch v1.1.3-maint
Broken in: v1.1.3.1
Broken in: v1.1.3.2
Broken in: v1.1.3.3
Broken in: v1.1.3.4
Broken in: v1.1.3.5
Broken in: v1.1.3.6
Broken in: v1.1.3.7
Broken in: v1.1.3.8
Broken in: v1.1.3.9
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: dcce665904b8ebc9ac3e5109db179a567b33e1a2
Branch v1.1.4-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: dc2db111a9ba074589c54b90c89f33c01b1e4941
Branch v1.2.0-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: d414ecb8e1714704e6515ab01ef9386d89b8051e
Branch v1.2.1-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: 02d365dae595a3453fe0e438bc274ccf3c18e20d
Branch v1.2.2-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: 6542e643024ca4272f14e9052b3786378f6eec62
Branch v1.2.3-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: 91898c606496b14e0891af31dfca7eb77ba9fee3
Branch v1.2.4-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: c9450f4f855736ef3024dfbab403a849110d8bb5
Branch v1.2.5-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: 890fc0f1ffcc479b08b9fd01de31b62e3d9e7427
Branch v1.2.6-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: 6ae433938377e1b7e657c34cca39e52426347cb4
Branch v1.2.7-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: 4ed8074672f9b847a10464d9c6be77d428c1eb1c
Branch v1.2.8-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: 54be99a717873524798d39f8baf49e45054192c8
Branch v1.2.9-maint
Broken in: v1.2.9.1
Broken in: v1.2.9.2
Broken in: v1.2.9.3
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: b0f88836e5eb5b7156bda99c005cf4aa0456ed0d
Branch v1.2.10-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: 53ae31bf4df364a2110f636d5482b21af4e4a0cc
Branch v1.2.11-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: 0060c4ee9e70a9f6f297373cb4fd2ace6c187be0
Branch v1.2.12-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: b5ddfbc0fe13a7910c2303056ddd5df749bcf8b0
Branch v1.2.13-maint
Broken in: v1.2.13.1
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: b553ec764f7ecdf8962efbf849a0e8524bae610c
Branch v1.2.14-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: 6410a22743fadc3b554b2f0866c9ab8008ff4908
Branch v1.2.15-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: 01cbfeb7d81498db3c644404980c9c1aa9cac048
Branch v1.2.16-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: 3e6b40e5aa3edf47443f017a42ec7b87855ed847
Branch v1.2.17-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: 08acad56ce2e5bcfcca8600a4e4074d3aaeb44dd
Branch v1.2.18-maint
Broken in: v1.2.18.1
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: d035796675ca42795953828d11f902f691fa6b29
Branch v1.2.19-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: 69548d200409d2b0dd6356fccfd59570fb58e23a
Branch v1.2.20-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: edeef640db625d23700011dc94adff6e29b85cd3
Branch v1.2.21-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: 29b4ce46798519b93a6a17a5e3734ea4f68ea69d
Branch v1.3.0-maint
Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
Fixed by: 1d8bcbb7c68d3f35689daf727bc74fcf80a3a6b1

Alternative formats: [xml] [text]