Libvirt Security Notice: LSN-2011-0001
======================================

Summary: Missing checks for read only connections on many APIs
Reported on: 20110303
Published on: 20110303
Fixed on: 20110314
Reported by: Jason Chen
Patched by: Guido Günther
See also: CVE-2011-1146, Red Hat bug #681730

Description
-----------

The APIs virConnectDomainXMLToNative, virNodeDeviceDettach, virNodeDeviceReAttach, virNodeDeviceReset, virDomainRevertToSnapshot and virDomainSnapshotDelete did not check the read-only flag of the connection. This allowed unprivileged users to invoke APIs that they should not have access to.

Impact
------

The default libvirt configuration allows all local user accounts read-only access to the libvirtd daemon. Any local user is able to detach arbitrary PCI host devices from their kernel drivers via the virNodeDeviceReAttach API. They can cause a kernel crash by resetting PCI devices via the virNodeDeviceReset API. They can manipulate, corrupt or destroy the state of guest machine snapshots via virDomainRevertToSnapshot or virDomainSnapshotDelete. They can run arbitrary commands as root by specifying a custom emulator in the XML passed to virConnectDomainXMLToNative.

Workaround
----------

Edit the /etc/libvirt/libvirtd.conf configuration file to set 'unix_sock_ro_perms = "0700"', which prevents local users from connecting to libvirt. Alternatively, set up a PolicyKit rule that denies them access unless they first authenticate as root.

Affected product
----------------

Name: libvirt
Repository: https://gitlab.com/libvirt/libvirt

Branch: master
Broken in: v0.6.1
Broken in: v0.6.2
Broken in: v0.6.3
Broken in: v0.6.4
Broken in: v0.6.5
Broken in: v0.7.0
Broken in: v0.7.1
Broken in: v0.7.2
Broken in: v0.7.3
Broken in: v0.7.4
Broken in: v0.7.5
Broken in: v0.7.6
Broken in: v0.7.7
Broken in: v0.8.0
Broken in: v0.8.1
Broken in: v0.8.2
Broken in: v0.8.3
Broken in: v0.8.4
Broken in: v0.8.5
Broken in: v0.8.6
Broken in: v0.8.7
Broken in: v0.8.8
Fixed in: v0.9.0
Broken by: 737af2ea04aa1eb954635bd90d0dbcffdd7ff734
Broken by: 4d5383fd36c64a83520c9a6e09c946c4ba86cc29
Broken by: 2f992d4be4c6157feec4f88ac586f2c50a8fd466
Fixed by: 71753cb7f7a16ff800381c0b5ee4e99eea92fed3

Branch: v0.8.3-maint
Broken by: 737af2ea04aa1eb954635bd90d0dbcffdd7ff734
Broken by: 4d5383fd36c64a83520c9a6e09c946c4ba86cc29
Broken by: 2f992d4be4c6157feec4f88ac586f2c50a8fd466
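
A host check that combines the affected release range with the unix_sock_ro_perms workaround from this notice; it is an added example, not part of the notice or of libvirt. The function names and sample configuration are hypothetical, a built-in default of 0777 for an unset key is assumed, the last assignment in the file is taken as the effective one, and PolicyKit rules are not inspected.

```python
import re

# Range from the notice: broken in v0.6.1 .. v0.8.8, fixed in v0.9.0.
FIRST_BROKEN, FIRST_FIXED = (0, 6, 1), (0, 9, 0)
DEFAULT_RO_PERMS = 0o777  # assumption: libvirtd default when the key is unset

# Constructed sample of a libvirtd.conf with the workaround applied.
SAMPLE_CONF = '''
#unix_sock_ro_perms = "0777"
unix_sock_group = "libvirt"
unix_sock_ro_perms = "0700"   # LSN-2011-0001 workaround
'''

def parse_version(text):
    """Turn 'v0.8.3' or '0.8.3' into a comparable tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in m.groups())

def is_affected(version):
    return FIRST_BROKEN <= parse_version(version) < FIRST_FIXED

def ro_socket_perms(conf_text):
    """Effective unix_sock_ro_perms; this example lets the last assignment win."""
    perms = DEFAULT_RO_PERMS
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        m = re.fullmatch(r'unix_sock_ro_perms\s*=\s*"([0-7]{3,4})"', line)
        if m:
            perms = int(m.group(1), 8)
    return perms

def audit(version, conf_text):
    """Return 'not affected', 'mitigated' or 'exposed' for one host."""
    if not is_affected(version):
        return "not affected"
    # Any group/other bit lets accounts other than the socket owner connect.
    if ro_socket_perms(conf_text) & 0o077:
        return "exposed"
    return "mitigated"

if __name__ == "__main__":
    for ver, conf in [("0.8.8", ""), ("0.8.8", SAMPLE_CONF), ("0.9.0", "")]:
        print(ver, audit(ver, conf))
```

The version test reflects upstream releases only; a distribution package may carry the fix under an older version number, so confirm against the vendor's changelog.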