Libvirt Security Notice: LSN-2019-0007

virConnect*HypervisorCPU do not check for read-only connection

Lifecycle

Reported on: 20190604
Published on: 20190620
Fixed on: 20190620

Credits

Reported by: Ján Tomko
Patched by: Ján Tomko

See also

Description

The virConnect*HypervisorCPU APIs allow reporting CPU capabilities from arbitrary emulator binaries without checking for a read-only connection. This allows unprivileged users to execute arbitrary binaries with elevated privileges.

Impact

The default libvirt configuration allows all local user accounts read-only access to the libvirtd daemon. Any local user can provide an arbitrary emulator, executing arbitrary binaries as the configured QEMU user. Since v5.1.0, the emulator binary is run with CAP_DAC_OVERRIDE, essentially having root privileges.

Workaround

Edit the /etc/libvirt/libvirtd.conf configuration file and set 'unix_sock_ro_perms = "0700"' to prevent local users from connecting to libvirt. Alternatively, set up a policy kit rule that denies them access unless they first authenticate as root.
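The following shell script is an added example, not part of the libvirt notice or of libvirt itself. It shows how an administrator can verify that the first workaround above is actually in effect on a host: it reads a libvirtd.conf, ignores commented-out lines (the shipped file carries the default as a commented '#unix_sock_ro_perms = "0777"'), falls back to the libvirt default of "0777" when the key is absent, and reports whether the read-only socket has been restricted to mode 0700. The two configuration files it checks are constructed inline so the script runs offline; the function names ro_socket_perms and workaround_applied are this example's own.

```shell
#!/bin/sh
# Added example (not part of the libvirt notice): check whether a libvirtd.conf
# applies the LSN-2019-0007 workaround of restricting the read-only socket.

# Print the effective unix_sock_ro_perms value from a libvirtd.conf file.
# Commented-out lines are ignored; if the key is absent the libvirt default
# "0777" applies (read-only socket connectable by every local user).
# When the key appears several times, the last occurrence wins.
ro_socket_perms() {
    conf="$1"
    val=$(sed -n 's/^[[:space:]]*unix_sock_ro_perms[[:space:]]*=[[:space:]]*"\([0-7]*\)".*/\1/p' "$conf" | tail -n 1)
    if [ -z "$val" ]; then
        echo "0777"
    else
        echo "$val"
    fi
}

# Exit status 0 when the workaround (mode 0700) is in place, 1 otherwise.
workaround_applied() {
    case "$(ro_socket_perms "$1")" in
        0700) return 0 ;;
        *)    return 1 ;;
    esac
}

# Constructed sample configs, written to temporary files so the script runs offline.
VULN_CONF=$(mktemp)
cat > "$VULN_CONF" <<'EOF'
# shipped default, commented out, so "0777" still applies
#unix_sock_ro_perms = "0777"
unix_sock_rw_perms = "0770"
EOF

FIXED_CONF=$(mktemp)
cat > "$FIXED_CONF" <<'EOF'
unix_sock_group = "libvirt"
unix_sock_ro_perms = "0700"
unix_sock_rw_perms = "0770"
EOF

for f in "$VULN_CONF" "$FIXED_CONF"; do
    if workaround_applied "$f"; then
        echo "$f: unix_sock_ro_perms=$(ro_socket_perms "$f") -> read-only socket restricted"
    else
        echo "$f: unix_sock_ro_perms=$(ro_socket_perms "$f") -> unprivileged local users can still connect read-only"
    fi
done
```

To check a live host, call workaround_applied /etc/libvirt/libvirtd.conf (and restart libvirtd after any change, since the socket mode is applied when the daemon starts). The script only inspects the one key the notice names; a host that relies on the second workaround, a policy kit rule, will still be reported as unrestricted here, and the real fix remains upgrading to a release that contains the "Fixed by" commit for your branch.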

Affected product: libvirt

Branch master
Broken in: v4.4.0
Broken in: v4.5.0
Broken in: v4.6.0
Broken in: v4.7.0
Broken in: v4.8.0
Broken in: v4.9.0
Broken in: v4.10.0
Broken in: v5.0.0
Broken in: v5.1.0
Broken in: v5.2.0
Broken in: v5.3.0
Broken in: v5.4.0
Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
Fixed by: bf6c2830b6c338b1f5699b095df36f374777b291
Branch v4.4-maint
Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
Fixed by: a6116fc8618300f6e2a082396812363310d1420f
Branch v4.5-maint
Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
Fixed by: 415cc5c0644304fd1e1bb721a092cf65e07be79f
Branch v4.6-maint
Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
Fixed by: 890965e8943a8837b41c3c6f366135ccfef48fb3
Branch v4.7-maint
Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
Fixed by: f5ace9c05d59b70d4899199a187cb32ec6f600d8
Branch v4.8-maint
Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
Fixed by: fc30929ffdf339d920b2e2183faf4373920bff6f
Branch v4.9-maint
Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
Fixed by: dd88b69a207c1ed6e89d7e9fa6b5f4a9ec4db97c
Branch v4.10-maint
Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
Fixed by: 09c2635d0deec198de0f250abc2958f2d1c09eaa
Branch v5.0-maint
Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
Fixed by: 1ef98539a655109480628c91feac48c3c69675ef
Branch v5.1-maint
Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
Fixed by: 2a3f95a40725f743b5189868bcc1a78d922517f6
Branch v5.1.0-maint
Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
Branch v5.2-maint
Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
Fixed by: 45ae5e529d4e886f47dacca9dfe5a08d95a3425a
Branch v5.3-maint
Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
Fixed by: d8e4d13446a0b04b757bd28c242a4cfecaaa8f1e
