[libvirt] LSN-2015-0004: CVE-2015-5313: ACL bypass using ../ to access beyond storage pool

Eric Blake eblake at redhat.com
Wed Dec 16 20:53:51 UTC 2015


        Libvirt Security Notice: LSN-2015-0004
        ======================================

       Summary: ACL bypass using ../ to access beyond storage pool
   Reported on: 20151030
  Published on: 20151211
      Fixed on: 20151211
   Reported by: Ossi Herrala <vulncoord at ficora.fi>
                Joonas Kuorilehto <vulncoord at ficora.fi>
    Patched by: Eric Blake <eblake at redhat.com>
      See also: CVE-2015-5313, FICORA bug #876194

Description
-----------

Various virStorageVol* APIs operate on user-supplied volume names by
concatenating the volume name to the pool location. Note that the
virStoragePoolListVolumes API, when used on a storage pool backed by
a directory in a file system, will only list volumes immediately in
that directory (there is no traversal into subdirectories). However,
other APIs such as virStorageVolCreateXML were not checking whether a
requested volume name represented one of the volumes that could be
returned by virStoragePoolListVolumes, because they did not reject
the use of '/' in a volume name.

Impact
------

Because no checking was done on volume names, a user could supply a
potential volume name of something like '../../../etc/passwd' to
attempt to access a file not belonging to the storage pool. When
fine-grained Access Control Lists (ACL) are in effect, a user with
storage_vol:create ACL permission but lacking domain:write permission
could thus abuse virStorageVolCreateXML and similar APIs to gain
access to files not normally permitted to that user. Fortunately, it
appears that the only APIs that could leak information or corrupt
files require a read-write connection to libvirtd; and when ACLs are
not in use (the default without any further configuration), a user
with read-write access can already be considered to have full access
to the machine, so without an escalation of privilege there is no
security problem.
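As an added illustration of the Description and Impact sections above (this is
not libvirt's own code and not the fix commit), the following C sketch places
the vulnerable pattern, pool location concatenated with an unchecked volume
name, next to a check that only admits names virStoragePoolListVolumes could
have returned for a directory-backed pool. The pool directory, the static
buffer and the function names are assumptions made for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical pool directory used for the demonstration (an assumption,
 * not a path taken from the advisory). */
#define POOL_PATH "/var/lib/libvirt/images"

/* Outcome of validating a user-supplied volume name. */
enum vol_name_status {
    VOL_NAME_OK = 0,
    VOL_NAME_EMPTY,
    VOL_NAME_HAS_SLASH,   /* would introduce extra path components */
    VOL_NAME_DOT_ENTRY    /* "." or ".." never names a real volume  */
};

/* Single static buffer; demo only, not thread-safe. */
static char path_buf[4096];

/* Vulnerable pattern: pool location + '/' + volume name, with no check on
 * the name. "../../../etc/passwd" therefore escapes the pool directory.
 * Returns NULL only if the result would not fit the buffer. */
const char *vol_path_naive(const char *pool_path, const char *vol_name)
{
    int n = snprintf(path_buf, sizeof path_buf, "%s/%s", pool_path, vol_name);
    if (n < 0 || (size_t)n >= sizeof path_buf)
        return NULL;
    return path_buf;
}

/* Accept only names that a directory-backed pool's virStoragePoolListVolumes
 * could have returned: a single, non-empty path component. Rejecting '/' is
 * what closes the traversal; "." and ".." are rejected too since neither
 * is a volume. */
enum vol_name_status check_vol_name(const char *vol_name)
{
    if (vol_name == NULL || vol_name[0] == '\0')
        return VOL_NAME_EMPTY;
    if (strchr(vol_name, '/') != NULL)
        return VOL_NAME_HAS_SLASH;
    if (strcmp(vol_name, ".") == 0 || strcmp(vol_name, "..") == 0)
        return VOL_NAME_DOT_ENTRY;
    return VOL_NAME_OK;
}

/* Hardened pattern: validate before building the path. NULL means the
 * request must be refused before anything touches the file system. */
const char *vol_path_checked(const char *pool_path, const char *vol_name)
{
    if (check_vol_name(vol_name) != VOL_NAME_OK)
        return NULL;
    return vol_path_naive(pool_path, vol_name);
}

int main(void)
{
    /* Constructed sample names: one legitimate, the rest hostile or bogus. */
    const char *names[] = { "guest.qcow2", "../../../etc/passwd",
                            "sub/vol.img", "..", "" };
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        const char *naive = vol_path_naive(POOL_PATH, names[i]);
        printf("%-22s naive:   %s\n", names[i], naive ? naive : "(too long)");
        /* Separate call: both helpers share path_buf, so print one at a time. */
        const char *checked = vol_path_checked(POOL_PATH, names[i]);
        printf("%-22s checked: %s\n", names[i], checked ? checked : "(rejected)");
    }
    return 0;
}
```

The check is purely lexical, which is exactly what the ACL needs: the
storage_vol:* permissions were granted for volumes inside the pool, so any
name that could not appear in a listing of that pool is refused before the
daemon opens or creates anything.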

Workaround
----------

If fine-grained ACLs must be used, administrators must consider all
of the storage_vol:* permissions as equivalent to domain:write when
running an impacted version of libvirt. The easiest way to prevent
untrusted users from gaining unauthorized access to volumes outside
of permitted pools is by disabling the use of fine-grained ACLs, and
ensuring that such users do not have read-write access to libvirtd.

Affected product
----------------

        Name: libvirt
  Repository: git://libvirt.org/git/libvirt.git
              http://libvirt.org/git/?p=libvirt.git

      Branch: master
   Broken in: v1.1.0
   Broken in: v1.1.1
   Broken in: v1.1.2
   Broken in: v1.1.3
   Broken in: v1.1.4
   Broken in: v1.2.0
   Broken in: v1.2.1
   Broken in: v1.2.2
   Broken in: v1.2.3
   Broken in: v1.2.4
   Broken in: v1.2.5
   Broken in: v1.2.6
   Broken in: v1.2.7
   Broken in: v1.2.8
   Broken in: v1.2.9
   Broken in: v1.2.10
   Broken in: v1.2.11
   Broken in: v1.2.12
   Broken in: v1.2.13
   Broken in: v1.2.14
   Broken in: v1.2.15
   Broken in: v1.2.16
   Broken in: v1.2.17
   Broken in: v1.2.18
   Broken in: v1.2.19
   Broken in: v1.2.20
   Broken in: v1.3.0
   Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
    Fixed by: 034e47c338b13a95cf02106a3af912c1c5f818d7

      Branch: v1.1.0-maint
   Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
    Fixed by: 14828a59eadc7221326198a8d7af817a6b8b8c13

      Branch: v1.1.1-maint
   Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
    Fixed by: 692ce509efa0a07f2811d0fe3b7202b020c874e0

      Branch: v1.1.2-maint
   Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
    Fixed by: e8643ef68c99e9f5068f6ff64ea0acab94cac7f6

      Branch: v1.1.3-maint
   Broken in: v1.1.3.1
   Broken in: v1.1.3.2
   Broken in: v1.1.3.3
   Broken in: v1.1.3.4
   Broken in: v1.1.3.5
   Broken in: v1.1.3.6
   Broken in: v1.1.3.7
   Broken in: v1.1.3.8
   Broken in: v1.1.3.9
   Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
    Fixed by: dcce665904b8ebc9ac3e5109db179a567b33e1a2

      Branch: v1.1.4-maint
   Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
    Fixed by: dc2db111a9ba074589c54b90c89f33c01b1e4941

      Branch: v1.2.0-maint
   Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
    Fixed by: d414ecb8e1714704e6515ab01ef9386d89b8051e

      Branch: v1.2.1-maint
   Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
    Fixed by: 02d365dae595a3453fe0e438bc274ccf3c18e20d

      Branch: v1.2.2-maint
   Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
    Fixed by: 6542e643024ca4272f14e9052b3786378f6eec62

      Branch: v1.2.3-maint
   Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
    Fixed by: 91898c606496b14e0891af31dfca7eb77ba9fee3

      Branch: v1.2.4-maint
   Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
    Fixed by: c9450f4f855736ef3024dfbab403a849110d8bb5

      Branch: v1.2.5-maint
   Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
    Fixed by: 890fc0f1ffcc479b08b9fd01de31b62e3d9e7427

      Branch: v1.2.6-maint
   Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
    Fixed by: 6ae433938377e1b7e657c34cca39e52426347cb4

      Branch: v1.2.7-maint
   Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
    Fixed by: 4ed8074672f9b847a10464d9c6be77d428c1eb1c

      Branch: v1.2.8-maint
   Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
    Fixed by: 54be99a717873524798d39f8baf49e45054192c8

      Branch: v1.2.9-maint
   Broken in: v1.2.9.1
   Broken in: v1.2.9.2
   Broken in: v1.2.9.3
   Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
    Fixed by: b0f88836e5eb5b7156bda99c005cf4aa0456ed0d

      Branch: v1.2.10-maint
   Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
    Fixed by: 53ae31bf4df364a2110f636d5482b21af4e4a0cc

      Branch: v1.2.11-maint
   Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
    Fixed by: 0060c4ee9e70a9f6f297373cb4fd2ace6c187be0

      Branch: v1.2.12-maint
   Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
    Fixed by: b5ddfbc0fe13a7910c2303056ddd5df749bcf8b0

      Branch: v1.2.13-maint
   Broken in: v1.2.13.1
   Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
    Fixed by: b553ec764f7ecdf8962efbf849a0e8524bae610c

      Branch: v1.2.14-maint
   Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
    Fixed by: 6410a22743fadc3b554b2f0866c9ab8008ff4908

      Branch: v1.2.15-maint
   Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
    Fixed by: 01cbfeb7d81498db3c644404980c9c1aa9cac048

      Branch: v1.2.16-maint
   Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
    Fixed by: 3e6b40e5aa3edf47443f017a42ec7b87855ed847

      Branch: v1.2.17-maint
   Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
    Fixed by: 08acad56ce2e5bcfcca8600a4e4074d3aaeb44dd

      Branch: v1.2.18-maint
   Broken in: v1.2.18.1
   Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
    Fixed by: d035796675ca42795953828d11f902f691fa6b29

      Branch: v1.2.19-maint
   Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
    Fixed by: 69548d200409d2b0dd6356fccfd59570fb58e23a

      Branch: v1.2.20-maint
   Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
    Fixed by: edeef640db625d23700011dc94adff6e29b85cd3

      Branch: v1.2.21-maint
   Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
    Fixed by: 29b4ce46798519b93a6a17a5e3734ea4f68ea69d

      Branch: v1.3.0-maint
   Broken by: c930410bebae0a45889b992a7932c663b06cbbcd
    Fixed by: 1d8bcbb7c68d3f35689daf727bc74fcf80a3a6b1


-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
