Libvirt Security Notice: LSN-2019-0006

virConnectGetDomainCapabilities does not check for read-only connection

Lifecycle

Reported on: 20190604
Published on: 20190620
Fixed on: 20190620

Credits

Reported by: Ján Tomko
Patched by: Ján Tomko

See also

Description

The virConnectGetDomainCapabilities API reports the domain capabilities XML without checking for a read-only connection. This allows unprivileged users to execute arbitrary binaries with elevated privileges.

Impact

The default libvirt configuration allows all local user accounts read-only access to the libvirtd daemon. Any local user can provide an arbitrary emulator, executing arbitrary binaries as the configured QEMU user. Since v5.1.0, the emulator binary is run with CAP_DAC_OVERRIDE, essentially having root privileges.

Workaround

Edit the /etc/libvirt/libvirtd.conf configuration file, to set the 'unix_sock_ro_perms = "0700"' to prevent local users from connecting to libvirt. Alternatively setup a policy kit rule to prevent them access without first authenticating as root.

Affected product: libvirt

Branch master
Broken in: v1.2.19
Broken in: v1.2.20
Broken in: v1.2.21
Broken in: v1.3.0
Broken in: v1.3.1
Broken in: v1.3.2
Broken in: v1.3.3
Broken in: v1.3.4
Broken in: v1.3.5
Broken in: v2.0.0
Broken in: v2.1.0
Broken in: v2.2.0
Broken in: v2.3.0
Broken in: v2.4.0
Broken in: v2.5.0
Broken in: v3.0.0
Broken in: v3.1.0
Broken in: v3.2.0
Broken in: v3.3.0
Broken in: v3.4.0
Broken in: v3.5.0
Broken in: v3.6.0
Broken in: v3.7.0
Broken in: v3.8.0
Broken in: v3.9.0
Broken in: v3.10.0
Broken in: v4.0.0
Broken in: v4.1.0
Broken in: v4.2.0
Broken in: v4.3.0
Broken in: v4.4.0
Broken in: v4.5.0
Broken in: v4.6.0
Broken in: v4.7.0
Broken in: v4.8.0
Broken in: v4.9.0
Broken in: v4.10.0
Broken in: v5.0.0
Broken in: v5.1.0
Broken in: v5.2.0
Broken in: v5.3.0
Broken in: v5.4.0
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: 8afa68bac0cf99d1f8aaa6566685c43c22622f26
Branch v1.2.19-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: 7d3b95b03880c8ade5f908dcb3d3c8b2d8e82a8f
Branch v1.2.20-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: c5cc88c32320d46f27521aac69027baa3d426ff2
Branch v1.2.21-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: badcb3662a5b28d3ed01c8ceff496e6197d12e3c
Branch v1.3.0-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: 6ba6bb236a7e293007eb21013d69f42dd1fb21c8
Branch v1.3.1-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: be5d96d547ec54bc35e5eab6472ec900184ae837
Branch v1.3.2-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: e433008df4867b43085961a0f8181ac9401e707b
Branch v1.3.3-maint
Broken in: v1.3.3.1
Broken in: v1.3.3.2
Broken in: v1.3.3.3
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: a663e28410aa853675b8b090a1ffafa7c8711ead
Branch v1.3.4-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: ab728b5658b307bcde90cf9e9d2e9c2cfb3e9de0
Branch v1.3.5-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: 5632ca00ef8b75ce600ebb7255d392339c07b967
Branch v2.0-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: 1e51b78a92fa2b381a5741599f4909c2516c0481
Branch v2.1-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: e322b6f73dc2fb5eaab14406cc786361d17ffdc3
Branch v2.2-maint
Broken in: v2.2.1
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: c97b296cf8b336ed1a3260af8c8bd79746cb2971
Branch v3.0-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: bfea7de821a224782253061309e5005486b1b2f6
Branch v3.2-maint
Broken in: v3.2.1
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: 452fa3ae558bc842a88753fcdf0d1141a2fd212c
Branch v3.7-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: d47a396e995180fd54a0f84cf137f024159b7967
Branch v4.1-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: 585be8edbef5ce4ef30e6c20386358ca1ba8e344
Branch v4.2-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: 4ce590b007d80b41abd00aba95f73c04e71ff53b
Branch v4.3-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: f9b65fa812f6f121b7c5f5daa642f05310b4123c
Branch v4.4-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: 15502d85dd21d7badeb230285898fa28f67cba9d
Branch v4.5-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: fd16bd525afeac6870ab3b747d9ee16002e2f1b2
Branch v4.6-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: 93edb0ea630556569320de83d45b100718f1391f
Branch v4.7-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: 5441f05a42a90779b0df86518286bf527e94aafb
Branch v4.8-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: 38a16f786794887cb2fd8e82d4b52e07a77d9f50
Branch v4.9-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: 6452b9fdff7988024a6157ca0a973ac3abf54468
Branch v4.10-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: d238f132e6e0432a42d3cdff4571730dae3a85eb
Branch v5.0-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: 58f237d696310f3ac62e98b3b5e9cb98e13064e9
Branch v5.1-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: c5085b7a9031f899c7bef0d2630aa77c461b92a6
Branch v5.1.0-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Branch v5.2-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: 4f50f36c0004af0faf0f535b46e2a1841c2443d8
Branch v5.3-maint
Broken by: e8d55172544c1fafe31a9e09346bdebca4f0d6f9
Fixed by: 97a737c58ff6080bd0e149830b860ef32b3d2acb

Alternative formats: [xml] [text]