CVE-2021-20263 QEMU: virtiofsd: 'security.capabilities' is not dropped with xattrmap option

oss-sec mailing list archives

From: Mauro Matteo Cascella <mcascell () redhat com>

Date: Mon, 8 Mar 2021 15:35:38 +0100

Hello,

A flaw was found in the virtio-fs shared file system daemon
(virtiofsd) of QEMU. Virtio-fs is meant to share a host file system
directory with a guest virtual machine. The new 'xattrmap' option may
cause the 'security.capability' xattr in the guest to not drop on file
write, potentially leading to a modified, privileged executable in the
guest. In rare circumstances, this flaw could be used by a malicious
user to elevate their privileges within the guest.

For the problem to happen virtiofsd needs to be running with '-o
xattr' and '-o xattrmap' (to enable and rename xattrs, respectively).
The problem only occurs if 'security.capability' is one of the xattrs
that's being renamed. Different caching modes cause different guest
behavior: '-o cache=none' makes the issue easy to reproduce. There's a
suspicion the flaw could be reproduced with the default option '-o
cache=auto' as well.

The impact of this flaw is limited by the fact that xattrmap is a
recent feature that's little used so far. Additionally, unprivileged
users shouldn't be granted write permission on privileged executables
in the first place.

Virtiofsd 'xattrmap' feature in QEMU 5.2:
https://gitlab.com/virtio-fs/qemu/-/commit/6084633dff3a05d6317

Upstream patch:
https://lists.gnu.org/archive/html/qemu-devel/2021-03/msg01244.html

This issue was reported by Dr. David Alan Gilbert (CC'd).

CVE-2021-20263 assigned by Red Hat, Inc.

Best regards.
-- 
Mauro Matteo Cascella
Red Hat Product Security
PGP-Key ID: BB3410B0
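
The post hinges on a kernel rule: like the setuid bit, the security.capability xattr must be cleared whenever a file is written to, otherwise anyone who can write a capability-bearing binary can smuggle their own code under its capabilities. The script below is an added example, not code from the oss-sec post, from QEMU or from virtiofsd. It decodes the raw value of security.capability (struct vfs_cap_data, layout taken from the kernel's include/uapi/linux/capability.h, revisions 1 to 3) so that a value read on the host, under whatever name the xattrmap gave it, or in the guest can be inspected, and it performs the check that matters for this flaw: append one byte to a file that carries file capabilities and report whether the capability was actually dropped. The embedded sample value is constructed; it is the 20-byte encoding that setcap cap_net_raw+ep stores. Assumed: Python 3 on a Linux host or guest, and a scratch file prepared with setcap by an administrator beforehand.

```python
import base64
import errno
import os
import struct

# Constants from include/uapi/linux/capability.h (struct vfs_cap_data).
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
VFS_CAP_REVISION_1 = 0x01000000   # one u32 permitted/inheritable pair
VFS_CAP_REVISION_2 = 0x02000000   # two pairs, i.e. 64-bit capability masks
VFS_CAP_REVISION_3 = 0x03000000   # revision 2 plus a rootid for user namespaces
XATTR_CAPS_SZ = {VFS_CAP_REVISION_1: 12, VFS_CAP_REVISION_2: 20, VFS_CAP_REVISION_3: 24}

# Small subset of capability numbers, enough to read typical setcap output.
CAP_NAMES = {
    0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search", 3: "cap_fowner",
    7: "cap_setuid", 12: "cap_net_admin", 13: "cap_net_raw", 21: "cap_sys_admin",
}


def decode_vfs_cap_data(raw):
    """Decode the raw value of the security.capability xattr into its fields."""
    if len(raw) < 4:
        raise ValueError("security.capability value too short")
    magic = struct.unpack_from("<I", raw, 0)[0]
    revision = magic & VFS_CAP_REVISION_MASK
    if revision not in XATTR_CAPS_SZ:
        raise ValueError("unknown vfs_cap_data magic 0x%08x" % magic)
    if len(raw) != XATTR_CAPS_SZ[revision]:
        raise ValueError("bad length %d for revision %d" % (len(raw), revision >> 24))
    # Everything after magic_etc is little-endian u32 words.
    words = struct.unpack_from("<%dI" % ((len(raw) - 4) // 4), raw, 4)
    permitted, inheritable = words[0], words[1]
    if revision != VFS_CAP_REVISION_1:
        permitted |= words[2] << 32
        inheritable |= words[3] << 32
    return {
        "revision": revision >> 24,
        "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": permitted,
        "inheritable": inheritable,
        "rootid": words[4] if revision == VFS_CAP_REVISION_3 else 0,
    }


def cap_names(mask):
    """Names of the capabilities set in a 64-bit mask, lowest bit first."""
    return [CAP_NAMES.get(i, "cap_%d" % i) for i in range(64) if (mask >> i) & 1]


def read_file_caps(path):
    """Decoded security.capability of `path`, or None if the xattr is absent."""
    try:
        raw = os.getxattr(path, "security.capability")
    except OSError as e:
        if e.errno == errno.ENODATA:
            return None
        raise
    return decode_vfs_cap_data(raw)


def capability_dropped_on_write(path):
    """Append one byte to a capability-bearing file and report whether the
    kernel cleared security.capability afterwards, as it must. False is the
    condition the advisory describes: the write succeeded, the caps survived."""
    if read_file_caps(path) is None:
        raise ValueError("%s carries no file capabilities; setcap a scratch copy first" % path)
    with open(path, "ab") as f:
        f.write(b"\n")
    return read_file_caps(path) is None


# Constructed sample: the value `setcap cap_net_raw+ep` stores (revision 2,
# effective flag set, permitted = 1 << CAP_NET_RAW), as getfattr -e base64 shows it.
SAMPLE_CAP_NET_RAW_EP = base64.b64decode("AQAAAgAgAAAAAAAAAAAAAAAAAAA=")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print("capability dropped on write:", capability_dropped_on_write(sys.argv[1]))
    else:
        caps = decode_vfs_cap_data(SAMPLE_CAP_NET_RAW_EP)
        print("sample decodes to", cap_names(caps["permitted"]),
              "(effective)" if caps["effective"] else "")
```

To exercise the live check in a guest, have root prepare a scratch binary on the virtiofs mount (for example copy /bin/true there and run setcap cap_net_raw+ep on it, then make it writable), then run the script on that path as an unprivileged user. True means the guest kernel dropped the capability as expected; False reproduces the behaviour the post reports for the xattrmap configuration. Only the decoder is platform-independent; os.getxattr and security.capability exist on Linux only.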
