From ${URL} : Public debian bug #732394 points out a vulnerability where a malicious guest can use symlinks to cause the LXC driver to manipulate unintended files in the host during the virDomainShutdown, virDomainReboot, virDomainDeviceAttach, and virDomainDeviceDettach APIs. The libvirt-security list has been notified (private archives: https://www.redhat.com/mailman/private/libvirt-security/2013-December/msg00018.html), and we are now awaiting assignment of a CVE to cover this issue. Public patches are underway for the virDomainShutdown/virDomainReboot issues (v4 is incomplete, v5 not posted yet: https://www.redhat.com/archives/libvir-list/2013-December/msg01182.html), at the time of this BZ, the virDomainDevice{Attach,Dettach} issue still needs work. Version-Release number of selected component (if applicable): libvirt-1.1.1-16.el7 How reproducible: 100% Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info: Description ----------- The LXC driver will open paths under /proc/$PID/root for some operations it performs on running guests. For the virDomainShutdown and virDomainReboot APIs it will use this to access the /dev/initctl path in the container. For the virDomainDeviceAttach / virDomainDeviceDettach APIs it will use this to create device nodes in the container's /dev filesystem. If any of the path components under control of the container are symlinks the container can cause the libvirtd daemon to access the incorrect files. Impact ------ A container can cause the administrator to shutdown or reboot the host OS if /dev/initctl in the container is made to be an absolute symlink back to itself or /run/initctl. A container can cause the host administrator to mknod in an arbitrary host directory when invoking the virDomainDeviceAttach API by replacing '/dev' with an absolute symlink. A container can cause the host administrator to delete host device when invoking the virDomainDeviceDettach API by replacing '/dev' with an absolute symlink. Workaround ---------- Do not use the virDomainShutdown or virDomainReboot APIs without also passing the VIR_DOMAIN_SHUTDOWN_SIGNAL or VIR_DOMAIN_REBOOT_SIGNAL flags respectively. These will cause the LXC driver to send a SIGTERM or SIGHUP signal respectively, to the init process instead of using /dev/initct.. Do not use the virDomainDeviceAttach or virDomainDeviceDetach APIs at all unless the guest OS is trusted. @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
This was fixed for the 1.2.2 release and the 1.1.3.4 release. The following need to go stable to fix this: - 1.1.3.4 - 1.2.3
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
Arches, Thank you for your work Maintainer(s), please drop the vulnerable version.
Maintainer(s), Thank you for cleanup!
CVE-2013-6456 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6456): The LXC driver (lxc/lxc_driver.c) in libvirt 1.0.1 through 1.2.1 allows local users to (1) delete arbitrary host devices via the virDomainDeviceDettach API and a symlink attack on /dev in the container; (2) create arbitrary nodes (mknod) via the virDomainDeviceAttach API and a symlink attack on /dev in the container; and cause a denial of service (shutdown or reboot host OS) via the (3) virDomainShutdown or (4) virDomainReboot API and a symlink attack on /dev/initctl in the container, related to "paths under /proc/$PID/root" and the virInitctlSetRunLevel function.
This issue was resolved and addressed in GLSA 201412-04 at http://security.gentoo.org/glsa/glsa-201412-04.xml by GLSA coordinator Kristian Fiskerstrand (K_F).
