Libvirt Security Notice: LSN-2011-0001
Missing checks for read only connections on many APIs
Lifecycle
Reported on: 20110303
Published on: 20110303
Fixed on: 20110314
Credits
See also
- CVE-2011-1146
- redhat bug #681730
Description
The APIs virConnectDomainXMLToNative,
virNodeDeviceDettach, virNodeDeviceReAttach, virNodeDeviceReset,
virDomainRevertToSnapshot, virDomainSnapshotDelete did not check
the read-only flag of the connection. This allowed unprivileged
users to invoke APIs that they should not have access to.
Impact
The default libvirt configuration allows all local user
accounts read-only access to the libvirtd daemon. Any local
user is able to detach arbitrary PCI host devices from their kernel
drivers via the virNodeDeviceReAttach API. They can cause a kernel
crash by resetting PCI devices via the virNodeDeviceReset APIs.
They can manipulate, corrupt or destroy the state of guest machine
snapshots via virDomainRevertToSnapshot or virDomainSnapshotDelete.
They can run arbitrary commands as root by specifying a custom
emulator in the XML passed to virConnectDomainXMLToNative.
Workaround
Edit the /etc/libvirt/libvirtd.conf configuration file
to set 'unix_sock_ro_perms = "0700"', which prevents local users
from connecting to libvirt. Alternatively, set up a PolicyKit
rule that denies them access unless they first authenticate as root.
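One way to audit a host for the first workaround, as an added example that is not part of the original notice or of libvirt itself. The function names are hypothetical, and the script assumes that an absent or commented-out key means the daemon default of "0777" and that the last uncommented assignment wins.

```shell
#!/bin/sh
# Added example: audit the unix_sock_ro_perms workaround in a libvirtd.conf.
# Assumption: when the key is absent or commented out, libvirtd uses "0777".
DEFAULT_RO_PERMS="0777"

# Print the effective unix_sock_ro_perms value from the config file $1.
# Assumption: if the key is set more than once, the last uncommented line wins.
ro_sock_perms() {
    val=$(sed -n 's/^[[:space:]]*unix_sock_ro_perms[[:space:]]*=[[:space:]]*"\([0-7]\{3,4\}\)".*$/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${val:-$DEFAULT_RO_PERMS}"
}

# Return 0 (true) only when the mode is owner-only, as in the workaround:
# no group or other permission bit may be set on the read-only socket.
ro_sock_matches_workaround() {
    perms=$(ro_sock_perms "$1")
    [ $(( 0$perms & 077 )) -eq 0 ]
}

# Constructed sample config (not taken from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
#unix_sock_ro_perms = "0777"
unix_sock_group = "libvirt"
unix_sock_ro_perms = "0700"
EOF

if ro_sock_matches_workaround "$sample"; then
    echo "OK: read-only socket is owner-only ($(ro_sock_perms "$sample"))"
else
    echo "WARN: read-only socket is open beyond its owner ($(ro_sock_perms "$sample"))"
fi
rm -f "$sample"
```

On a real host, pass /etc/libvirt/libvirtd.conf to ro_sock_matches_workaround instead of the sample file.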
Affected product: libvirt