
CVE-2021-3667: Improper locking on ACL failure in virStoragePoolLookupByTargetPath API

An improper locking issue was found in the virStoragePoolLookupByTargetPath API of libvirt. It occurs in the storagePoolLookupByTargetPath function where a locked virStoragePoolObj object is not properly released on ACL permission failure. Clients connecting to the read-write socket with limited ACL permissions could use this flaw to acquire the lock and prevent other users from accessing storage pool/volume APIs, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability.


Description Mauro Matteo Cascella 2021-07-26 16:31:37 UTC

A flaw was found in the libvirt virStoragePoolLookupByTargetPath API. The storagePoolLookupByTargetPath() function does not properly release a locked object (virStoragePoolObj) on ACL permission failure. Clients connecting to the read-write socket with limited ACL permissions could use this flaw to acquire the lock and prevent other users from accessing storage pool/volume APIs, resulting in a denial of service condition.

Upstream fix: https://libvirt.org/git/?p=libvirt.git;a=commit;h=447f69dec47e1b0bd15ecd7cd49a9fd3b050fb87

Comment 3 Mauro Matteo Cascella 2021-07-26 17:25:08 UTC

Created libvirt tracking bugs for this issue:

Affects: fedora-all [bug 1986113]

Comment 8 Mauro Matteo Cascella 2021-08-02 09:47:07 UTC

By default, no access control checks are done once a client has authenticated with libvirtd. An authenticated user is allowed access to all libvirt API calls. Libvirt provides support for fine-grained per-API access control via polkit, by enabling the ‘polkit’ access control driver.

This issue allows a denial of service on a libvirt socket that has been configured with polkit fine-grained access controls. The attack vector is “Network” since libvirt can be optionally enabled for remote access over TCP (together with polkit access control).
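The bug class described in this report (an object returned locked by a lookup, then an early return on ACL failure that skips the unlock) is modeled below next to the corrected shape. This is an added illustration, not libvirt's code or the upstream patch: `struct pool`, `find_locked`, `acl_allows`, the user names and the `/srv/pool0` path are all hypothetical, and a try-lock stands in for the blocking lock so the effect is visible in a single thread.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a lockable pool object (not libvirt's struct). */
struct pool { atomic_flag lock; const char *target; };
static struct pool pools[] = { { ATOMIC_FLAG_INIT, "/srv/pool0" } }; /* constructed */

enum { LOOKUP_OK = 0, LOOKUP_DENIED = -1, LOOKUP_BUSY = -2 };

static bool pool_trylock(struct pool *p) { return !atomic_flag_test_and_set(&p->lock); }
static void pool_unlock(struct pool *p) { atomic_flag_clear(&p->lock); }

/* Returns the matching pool with its lock held, or NULL if absent or already
 * locked. A real daemon would block here; trylock keeps the demo single-threaded. */
static struct pool *find_locked(const char *target) {
    for (size_t i = 0; i < sizeof pools / sizeof pools[0]; i++)
        if (strcmp(pools[i].target, target) == 0)
            return pool_trylock(&pools[i]) ? &pools[i] : NULL;
    return NULL;
}

/* Assumed ACL policy for the demo: only "admin" may look up pools. */
static bool acl_allows(const char *user) { return strcmp(user, "admin") == 0; }

/* Flawed shape: the ACL-failure path returns while the object is still locked. */
int lookup_leaky(const char *user, const char *target) {
    struct pool *p = find_locked(target);
    if (!p) return LOOKUP_BUSY;
    if (!acl_allows(user)) return LOOKUP_DENIED;   /* lock never released */
    pool_unlock(p);
    return LOOKUP_OK;
}

/* Corrected shape: every exit after a successful lookup passes through the unlock. */
int lookup_fixed(const char *user, const char *target) {
    struct pool *p = find_locked(target);
    if (!p) return LOOKUP_BUSY;
    int ret = acl_allows(user) ? LOOKUP_OK : LOOKUP_DENIED;
    pool_unlock(p);
    return ret;
}

int main(void) {
    printf("fixed, denied caller: %d\n", lookup_fixed("guest", "/srv/pool0"));
    printf("fixed, next caller:   %d\n", lookup_fixed("admin", "/srv/pool0"));
    printf("leaky, denied caller: %d\n", lookup_leaky("guest", "/srv/pool0"));
    printf("leaky, next caller:   %d\n", lookup_leaky("admin", "/srv/pool0"));
    return 0;
}
```

After one denied call through the flawed path, even a permitted caller gets `LOOKUP_BUSY`, which is the availability impact the report describes; auditing every early return between a locked lookup and its unlock is the corresponding code-review check.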
