| Reported on: | 20190604 |
|---|---|
| Published on: | 20190620 |
| Fixed on: | 20190620 |
| Reported by: | Matthias Gerstner |
| Patched by: | Ján Tomko |

The virDomainSaveImageGetXMLDesc API accesses and parses arbitrary files without checking whether the connection is read-only. This allows unprivileged users to check for the existence of arbitrary files or to execute arbitrary binaries with elevated privileges.

The default libvirt configuration allows all local user accounts read-only access to the libvirtd daemon. Any local user can check for the existence of an arbitrary file by watching for a different error message. Additionally, since v1.2.19, providing a crafted save file that points to an arbitrary emulator makes it possible to execute arbitrary binaries as the configured QEMU user. Since v5.1.0, the emulator binary is run with CAP_DAC_OVERRIDE, which essentially gives it root privileges.

Edit the /etc/libvirt/libvirtd.conf configuration file and set 'unix_sock_ro_perms = "0700"' to prevent local users from connecting to libvirt. Alternatively, set up a PolicyKit rule that denies them access unless they first authenticate as root.
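
A quick way to confirm the workaround is in place is to audit the configuration file. The script below is an added example, not part of the original advisory or of libvirt; the function names are hypothetical, and it assumes that an unset option falls back to libvirt's documented default of "0777" and that the last active assignment in the file wins.

```shell
#!/bin/sh
# Added example: audit a libvirtd.conf for the unix_sock_ro_perms workaround.

# Print the effective unix_sock_ro_perms value from the given config file.
# Commented-out lines are ignored. Assumptions: the last active assignment
# wins, and an unset option means the built-in default of 0777.
ro_perms() {
    val=$(sed -n 's/^[[:space:]]*unix_sock_ro_perms[[:space:]]*=[[:space:]]*"\{0,1\}\([0-7]\{3,4\}\)"\{0,1\}.*$/\1/p' "$1" | tail -n 1)
    # A value that cannot be parsed is treated like the open default.
    printf '%s\n' "${val:-0777}"
}

# Print "restricted MODE" when the mode grants nothing to "other" users,
# or "exposed MODE" when any local account may still reach the socket.
audit_conf() {
    mode=$(ro_perms "$1")
    # Prefix a zero so the shell evaluates the mode as octal.
    if [ $(( 0$mode & 07 )) -eq 0 ]; then
        echo "restricted $mode"
    else
        echo "exposed $mode"
    fi
}

# Constructed sample files (not real system configuration).
demo_dir=$(mktemp -d)
printf '%s\n' '#unix_sock_ro_perms = "0777"' > "$demo_dir/default.conf"
printf '%s\n' 'unix_sock_ro_perms = "0700"' > "$demo_dir/hardened.conf"

for f in "$demo_dir/default.conf" "$demo_dir/hardened.conf"; do
    echo "$(basename "$f"): $(audit_conf "$f")"
done
rm -rf "$demo_dir"
```

On a real host, call `audit_conf /etc/libvirt/libvirtd.conf`; a result of "exposed" means the read-only socket is still open to local accounts.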