Bug 2044863 (CVE-2022-0358) - CVE-2022-0358 QEMU: virtiofsd: potential privilege escalation via CVE-2018-13405
Summary: CVE-2022-0358 QEMU: virtiofsd: potential privilege escalation via CVE-2018-13405
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-0358
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2046198 2046199 2046200 2046201 2046202 2048618 2048619 2048625 2048627
Blocks: 2044890
Reported: 2022-01-25 10:31 UTC by Mauro Matteo Cascella
Modified: 2022-08-09 10:55 UTC

Fixed In Version: qemu 6.2.0-7
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the QEMU virtio-fs shared file system daemon (virtiofsd) implementation. This flaw is strictly related to CVE-2018-13405. A local guest user can create files in the directories shared by virtio-fs with unintended group ownership in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of the group. This could allow a malicious unprivileged user inside the guest to gain access to resources accessible to the root group, potentially escalating their privileges within the guest. A malicious local user in the host might also leverage this unexpected executable file created by the guest to escalate their privileges on the host system.
Clone Of:
Environment:
Last Closed: 2022-03-21 11:01:41 UTC
Embargoed:

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2022:0759 | 0 | None | None | None | 2022-03-07 15:04:27 UTC
Red Hat Product Errata | RHSA-2022:0886 | 0 | None | None | None | 2022-03-15 10:04:31 UTC
Red Hat Product Errata | RHSA-2022:0949 | 0 | None | None | None | 2022-03-16 14:08:00 UTC
Red Hat Product Errata | RHSA-2022:0971 | 0 | None | None | None | 2022-03-21 07:52:10 UTC
Red Hat Product Errata | RHSA-2022:0973 | 0 | None | None | None | 2022-03-21 08:04:12 UTC

Description Mauro Matteo Cascella 2022-01-25 10:31:30 UTC
Virtiofs is still vulnerable to CVE-2018-13405 even with an upstream host and guest kernel which has fixed this CVE. A local user in the guest can still create files in the directories shared by virtiofs with unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of the group. Here, the non-member can trigger the creation of a plain file whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID.
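
Added example, not part of the original report and not QEMU code: a host-side audit of a virtiofs shared directory that flags the precondition described above (an SGID directory writable by users outside its group) and its outcome (SGID executable plain files). The function names are hypothetical, and it assumes only the "other" write bit matters; POSIX ACLs are not inspected.

```python
# Added example (not QEMU code): audit a virtiofs shared directory on the host
# for the precondition and the outcome described in this bug.
import os
import stat
import sys


def risky_sgid_dir(mode):
    """Directory that is SGID and writable by users outside its group.

    Assumption: only the "other" write bit is checked; POSIX ACLs are not.
    """
    return (stat.S_ISDIR(mode)
            and bool(mode & stat.S_ISGID)
            and bool(mode & stat.S_IWOTH))


def sgid_executable(mode):
    """Regular file that is both SGID and group-executable."""
    return (stat.S_ISREG(mode)
            and bool(mode & stat.S_ISGID)
            and bool(mode & stat.S_IXGRP))


def audit(root):
    """Walk root without following symlinks; return (kind, path, gid) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            try:
                st = os.lstat(path)
            except OSError:
                continue  # entry vanished or is unreadable
            if risky_sgid_dir(st.st_mode):
                findings.append(("sgid-dir-writable-by-non-members", path, st.st_gid))
            elif sgid_executable(st.st_mode):
                findings.append(("sgid-executable-file", path, st.st_gid))
    return findings


if __name__ == "__main__":
    # Usage: pass the host directory that is exported to the guest.
    for kind, path, gid in audit(sys.argv[1]):
        print(f"{kind}\tgid={gid}\t{path}")
```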

Comment 2 Mauro Matteo Cascella 2022-01-25 17:03:37 UTC
Acknowledgments:

Red Hat would like to thank Jietao Xiao (shawtao1125), Jinku Li (jkli.cn), Wenbo Shen (shenwenbo.cn), Nanzi Yang (nzyang.edu.cn) for reporting this issue.

Comment 3 Mauro Matteo Cascella 2022-01-26 09:29:34 UTC
Upstream patch:
https://lists.nongnu.org/archive/html/qemu-devel/2022-01/msg05364.html

Comment 4 Dr. David Alan Gilbert 2022-01-26 11:14:53 UTC
Qemu pull sent:
https://lists.gnu.org/archive/html/qemu-devel/2022-01/msg05447.html

Comment 8 Mauro Matteo Cascella 2022-01-26 11:57:19 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 2046202]

Comment 9 Dr. David Alan Gilbert 2022-01-26 15:57:43 UTC
Merged in upstream qemu / virtiofsd C code:
449e8171f96a6a944d1f - virtiofsd: Drop membership of all supplementary groups (CVE-2022-0358)

Comment 11 Dr. David Alan Gilbert 2022-02-02 12:44:20 UTC
I think I've POSTed all the RHEL and c9s bugs now; not done the fedora one - I'll leave that to someone who knows Fedora process.

Comment 13 Mauro Matteo Cascella 2022-02-07 15:13:22 UTC
Upstream commit:
https://gitlab.com/qemu-project/qemu/-/commit/449e8171f96a6a944d1f3b7d3627ae059eae21ca

Comment 15 errata-xmlrpc 2022-03-07 15:04:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0759 https://access.redhat.com/errata/RHSA-2022:0759

Comment 16 errata-xmlrpc 2022-03-15 10:04:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0886 https://access.redhat.com/errata/RHSA-2022:0886

Comment 17 errata-xmlrpc 2022-03-16 14:07:56 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.5.0.Z

Via RHSA-2022:0949 https://access.redhat.com/errata/RHSA-2022:0949

Comment 18 errata-xmlrpc 2022-03-21 07:52:07 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.4.0.EUS

Via RHSA-2022:0971 https://access.redhat.com/errata/RHSA-2022:0971

Comment 19 errata-xmlrpc 2022-03-21 08:04:09 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.2.1

Via RHSA-2022:0973 https://access.redhat.com/errata/RHSA-2022:0973

Comment 20 Product Security DevOps Team 2022-03-21 11:01:37 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-0358
