Bug 859051 (CVE-2014-0028) - VUL-0: CVE-2014-0028: libvirt: event registration bypasses domain:getattr ACL
Status: RESOLVED FIXED
Alias: CVE-2014-0028
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Deadline: 2014-02-11
Assignee: Security Team bot
QA Contact: Security Team bot
Whiteboard: maint:running:56039:moderate
Reported: 2014-01-16 16:03 UTC by Alexander Bergmann
Modified: 2014-09-01 10:04 UTC
Found By: Security Response Team
Description Alexander Bergmann 2014-01-16 16:03:51 UTC
CVE-2014-0028

Eric Blake from Red Hat reports that ever since libvirt 1.1.1 added ACL domain:getattr filtering for commands like virConnectListAllDomains, we have had a latent problem that the use of virConnectDomainEventRegister() and virConnectDomainEventRegisterAny() can be used to learn about virDomainPtr objects that should have been inaccessible to the user. It is not a problem if you are not using ACLs; also, it is partially mitigated by the fact that any domain that does not trigger an event in the timeframe where the attacker maintains their event callback will not be leaked.

Once an attacker has learned about a domain by bypassing domain:getattr, they could perform other actions on the domain if there were not ACLs to filter those actions too, such as starting and stopping the domain.

Upstream fix:
https://www.redhat.com/archives/libvir-list/2014-January/msg00684.html

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0028
https://bugzilla.redhat.com/show_bug.cgi?id=1048637
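
Added illustration, not part of the original report and not libvirt code: a simplified C model of the flaw class described above, where the listing path applies the domain:getattr check but the event path does not, alongside the general remedy of repeating the check for each subscriber at delivery time. All names (`acl_getattr`, `list_domains`, `deliver_events`) and the sample domains are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified model; every name here is hypothetical, not libvirt's API. */
struct domain { const char *name, *owner; };

/* Stand-in for the domain:getattr decision: a user sees only own domains. */
static bool acl_getattr(const char *user, const struct domain *d)
{
    return strcmp(user, d->owner) == 0;
}

/* Listing path: each domain is checked against the caller before return. */
size_t list_domains(const char *user, const struct domain *all, size_t n,
                    const struct domain **out)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (acl_getattr(user, &all[i]))
            out[k++] = &all[i];
    return k;
}

/* Event path: ev[] holds the domains that fired an event while the user's
 * callback was registered. filter=false models the flaw (every subscriber
 * gets every event); filter=true repeats the getattr check per subscriber. */
size_t deliver_events(const char *user, const struct domain *const *ev,
                      size_t n, bool filter, const struct domain **seen)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (!filter || acl_getattr(user, ev[i]))
            seen[k++] = ev[i];
    return k;
}

/* Constructed sample data: idle01 never fires an event. */
static const struct domain DOMS[] = {
    { "web01", "alice" }, { "db01", "bob" }, { "idle01", "bob" },
};
static const struct domain *const EVENTS[] = { &DOMS[0], &DOMS[1] };

int main(void)
{
    const struct domain *out[3];
    printf("list: %zu\n", list_domains("alice", DOMS, 3, out));
    printf("events, unfiltered: %zu\n", deliver_events("alice", EVENTS, 2, false, out));
    printf("events, filtered: %zu\n", deliver_events("alice", EVENTS, 2, true, out));
    return 0;
}
```

In the unfiltered case the subscriber learns of `db01` but not `idle01`, which matches the partial mitigation noted in the description: a domain that fires no event while the callback is registered is not exposed.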
Comment 1 Swamp Workflow Management 2014-01-16 23:00:21 UTC
bugbot adjusting priority
Comment 2 James Fehlig 2014-01-22 23:32:27 UTC
This issue only affects libvirt versions 1.1.0 through 1.2.0 inclusive, meaning openSUSE13.1, Factory, and SLE12.  For Factory and SLE12, the issue is fixed by updating to libvirt 1.2.1.  For openSUSE13.1, I've backported the fixes and have them queued for a future maintenance update in

https://build.opensuse.org/package/show/Virtualization:openSUSE13.1/libvirt

Reassigning to the security-team...
Comment 3 Swamp Workflow Management 2014-01-28 08:26:46 UTC
The SWAMPID for this issue is 56039.
This issue was rated as moderate.
Please submit fixed packages until 2014-02-11.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 4 Swamp Workflow Management 2014-02-21 17:05:58 UTC
openSUSE-SU-2014:0268-1: An update that solves four vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 817407,857271,857492,858817,858824,859041,859051
CVE References: CVE-2013-6457,CVE-2013-6458,CVE-2014-0028,CVE-2014-1447
Sources used:
openSUSE 13.1 (src):    libvirt-1.1.2-2.18.3
Comment 5 Marcus Meissner 2014-09-01 10:04:19 UTC
released