oss-sec mailing list archives
CVE-2021-20263 QEMU: virtiofsd: 'security.capabilities' is not dropped with xattrmap option
From: Mauro Matteo Cascella <mcascell () redhat com>
Date: Mon, 8 Mar 2021 15:35:38 +0100
Hello,

A flaw was found in the virtio-fs shared file system daemon (virtiofsd) of QEMU. Virtio-fs is meant to share a host file system directory with a guest virtual machine. The new 'xattrmap' option may cause the 'security.capability' xattr in the guest to not drop on file write, potentially leading to a modified, privileged executable in the guest. In rare circumstances, this flaw could be used by a malicious user to elevate their privileges within the guest.

For the problem to happen virtiofsd needs to be running with '-o xattr' and '-o xattrmap' (to enable and rename xattrs, respectively). The problem only occurs if 'security.capability' is one of the xattrs that's being renamed. Different caching modes cause different guest behavior: '-o cache=none' makes the issue easy to reproduce. There's a suspicion the flaw could be reproduced with the default option '-o cache=auto' as well.

The impact of this flaw is limited by the fact that xattrmap is a recent feature that's little used so far. Additionally, unprivileged users shouldn't be granted write permission on privileged executables in the first place.

Virtiofsd 'xattrmap' feature in QEMU 5.2:
https://gitlab.com/virtio-fs/qemu/-/commit/6084633dff3a05d6317

Upstream patch:
https://lists.gnu.org/archive/html/qemu-devel/2021-03/msg01244.html

This issue was reported by Dr. David Alan Gilbert (CC'd).

CVE-2021-20263 assigned by Red Hat, Inc.

Best regards.
--
Mauro Matteo Cascella
Red Hat Product Security
PGP-Key ID: BB3410B0
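The two pre-conditions the advisory names (xattrs enabled with '-o xattr', and 'security.capability' among the names rewritten by '-o xattrmap') can be checked mechanically against a virtiofsd command line. The script below is an added example written for this page, not code from QEMU, virtiofsd or the reporter. It implements the ':type:scope:key:prepend:' rule grammar of '-o xattrmap' as the author of this example understands it from the virtiofsd documentation (each rule's separator is its first non-blank character, the first matching rule wins, a 'prefix' rule prepends its 'prepend' field to a client name that starts with 'key', 'ok' passes a name through unchanged, 'bad'/'unsupported' deny it); the 'map' shorthand is rejected rather than expanded. The command lines in SAMPLES are constructed for the demonstration, and all function names are the example's own.

```python
"""Check a virtiofsd command line for the CVE-2021-20263 pre-conditions.

Added example for this advisory (not QEMU/virtiofsd code). Rule grammar per
the virtiofsd xattrmap docs as understood by the example's author; the 'map'
shorthand is rejected, not expanded. SAMPLES are constructed command lines.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass

RULE_TYPES = {"prefix", "ok", "bad", "unsupported"}
SCOPES = {"client", "server", "all"}


@dataclass(frozen=True)
class Rule:
    type: str      # prefix | ok | bad | unsupported
    scope: str     # client | server | all
    key: str       # prefix tested against names coming from the guest
    prepend: str   # prefix tested against / added to names on the host


def parse_xattrmap(mapping: str) -> list[Rule]:
    """Split an xattrmap string into rules; blanks between rules are allowed."""
    rules: list[Rule] = []
    rest = mapping.lstrip()
    while rest:
        sep = rest[0]
        # After the leading separator: type, scope, key, prepend, remainder.
        parts = rest[1:].split(sep, 4)
        if len(parts) < 5:
            raise ValueError(f"malformed xattrmap rule near {rest!r}")
        rtype, scope, key, prepend, rest = parts
        if rtype == "map":
            raise ValueError("'map' shorthand is not expanded by this example")
        if rtype not in RULE_TYPES or scope not in SCOPES:
            raise ValueError(f"unknown rule type/scope {rtype!r}/{scope!r}")
        rules.append(Rule(rtype, scope, key, prepend))
        rest = rest.lstrip()
    return rules


def map_client_name(rules: list[Rule], name: str) -> tuple[str, str | None]:
    """Resolve a guest-originated xattr name (setxattr/getxattr/removexattr
    direction) to the name used on the host: ('ok', host_name) when allowed,
    ('bad' | 'unsupported', None) when the rule set denies it."""
    for rule in rules:
        if rule.scope == "server" or not name.startswith(rule.key):
            continue
        if rule.type == "prefix":
            return "ok", rule.prepend + name
        if rule.type == "ok":
            return "ok", name
        return rule.type, None
    raise ValueError(f"no terminating rule matched {name!r}")


def mount_options(cmdline: str) -> list[str]:
    """Collect FUSE-style '-o' values ('-o a,b' and '-oa,b' forms). An
    'xattrmap=' value is kept whole; other values are split on commas."""
    argv = shlex.split(cmdline)
    opts: list[str] = []
    for i, arg in enumerate(argv):
        if arg == "-o" and i + 1 < len(argv):
            value = argv[i + 1]
        elif arg.startswith("-o") and len(arg) > 2:
            value = arg[2:]
        else:
            continue
        opts.extend([value] if value.startswith("xattrmap=") else value.split(","))
    return opts


def affected(cmdline: str) -> tuple[bool, str]:
    """True when xattrs are enabled and the map renames security.capability."""
    xattr_enabled, mapping = False, None
    for opt in mount_options(cmdline):
        if opt == "xattr":
            xattr_enabled = True
        elif opt == "no_xattr":
            xattr_enabled = False
        elif opt.startswith("xattrmap="):
            mapping = opt[len("xattrmap="):]
    if not xattr_enabled:
        return False, "xattrs are not enabled (-o xattr missing)"
    if mapping is None:
        return False, "no -o xattrmap given; names pass through unchanged"
    action, host_name = map_client_name(parse_xattrmap(mapping), "security.capability")
    if action != "ok":
        return False, f"security.capability is refused by the map ({action})"
    if host_name == "security.capability":
        return False, "security.capability keeps its name on the host"
    return True, f"security.capability is stored on the host as {host_name}"


# Constructed command lines, not taken from a real deployment.
SAMPLES = {
    # Every guest name is prefixed on the host, security.capability included.
    "renamed": "virtiofsd --socket-path=/tmp/vhostqemu -o source=/srv/share "
               "-o xattr -o cache=none -o xattrmap=':prefix:all::user.virtiofs.:'",
    # An 'ok' rule exempts security.capability before the prefix rule applies.
    "exempted": "virtiofsd --socket-path=/tmp/vhostqemu -o source=/srv/share -o xattr "
                "-o xattrmap=':ok:client:security.capability:: :prefix:all::user.virtiofs.:'",
    # xattrmap present but xattr support never switched on.
    "no_xattr": "virtiofsd --socket-path=/tmp/vhostqemu -o source=/srv/share "
                "-o xattrmap=':prefix:all::user.virtiofs.:'",
}

if __name__ == "__main__":
    for label, cmdline in SAMPLES.items():
        hit, why = affected(cmdline)
        print(f"{label:9s} {'AFFECTED' if hit else 'ok':8s} {why}")
```

A positive result only means the configuration meets the pre-conditions the advisory describes; it does not say anything about the cache mode, which the advisory treats as affecting reproducibility rather than exposure. The reason a renamed 'security.capability' matters is that the host kernel only strips the real 'security.capability' attribute on write; once the guest's attribute lives on the host under a 'user.*' name, nothing on the host side treats it as a file capability, so that cleanup does not happen unless the daemon performs it itself.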