Does CVE-2011-4127 affect Red Hat Enterprise Linux and Red Hat Enterprise Virtualization Hypervisor?


Issue

It was found that using the SG_IO IOCTL to issue SCSI requests to partitions or LVM volumes resulted in the requests being passed to the underlying block device. If a privileged user only had access to a single partition or LVM volume, they could use this flaw to bypass those restrictions and gain read and write access (and be able to issue other SCSI commands) to the entire block device.

In KVM virtualization environments that use raw format virtio disks backed by a partition or LVM volume, a privileged guest user could use this flaw to bypass intended access restrictions and issue read and write requests (and other SCSI commands) on the host, and possibly access the data of other guests that reside on the same underlying block device. Partition-based and LVM-based storage pools are not used by default. Refer to the "11. Storage pools" chapter of the Red Hat Enterprise Linux 6 "Virtualization Administration Guide", available from docs.redhat.com, for information about storage pools.

Any driver that uses the SCSI framework is vulnerable. A physical SCSI device is not required to exploit this issue.

CVE-2011-4127 is assigned to this issue.
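To find which guests on a host are in the exposed configuration described above (raw-format virtio disks backed by a partition or LVM volume), the following added example, which is not Red Hat's code, scans libvirt domain XML such as the output of virsh dumpxml. The domain XML below is constructed, and the path patterns used to recognise partitions and logical volumes are an assumption.

```python
# Added example (not Red Hat's code): list guest disks that match the
# exposed configuration: raw-format virtio disks backed by a host
# partition or LVM logical volume (libvirt disk type='block').
import re
import xml.etree.ElementTree as ET

# Path heuristics (assumption): /dev/sdb3-style partitions and
# /dev/mapper/x or /dev/<vg>/<lv> logical volumes. Whole-disk paths such
# as /dev/sdc are not flagged: that is not the case the article describes.
BACKING_RE = re.compile(r"^/dev/(?:[shv]d[a-z]+\d+|(?!disk/)[^/]+/[^/]+)$")

def find_exposed_disks(domain_xml):
    """Return [(guest target dev, host dev)] for disks exposed to CVE-2011-4127."""
    hits = []
    for disk in ET.fromstring(domain_xml).findall("./devices/disk"):
        driver, source, target = (disk.find(t) for t in ("driver", "source", "target"))
        if disk.get("type") != "block" or None in (driver, source, target):
            continue
        if driver.get("type") != "raw" or target.get("bus") != "virtio":
            continue
        dev = source.get("dev", "")
        if BACKING_RE.match(dev):
            hits.append((target.get("dev"), dev))
    return hits

# Constructed sample in the style of `virsh dumpxml guest1`, trimmed.
SAMPLE_DOMAIN_XML = """<domain type='kvm'><name>guest1</name><devices>
  <disk type='block' device='disk'>
    <driver name='qemu' type='raw'/>
    <source dev='/dev/vg_vms/guest1_root'/>
    <target dev='vda' bus='virtio'/>
  </disk>
  <disk type='block' device='disk'>
    <driver name='qemu' type='raw'/>
    <source dev='/dev/sdb3'/>
    <target dev='vdb' bus='virtio'/>
  </disk>
  <disk type='block' device='disk'>
    <driver name='qemu' type='raw'/>
    <source dev='/dev/sdc'/>
    <target dev='vdc' bus='virtio'/>
  </disk>
</devices></domain>"""

if __name__ == "__main__":
    for target, dev in find_exposed_disks(SAMPLE_DOMAIN_XML):
        print(f"{target} is backed by {dev}: apply the erratum or the stap filter")
```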

Environment

  • Red Hat Enterprise Linux 5 and 6.
  • Red Hat Enterprise Virtualization Hypervisor 6.2.

The virtualization aspect of this issue (privileged guest users reading and writing data on the host and other guests on the same underlying block device) does not affect users of KVM (or the Xen hypervisor) on Red Hat Enterprise Linux 5.

Resolution

The Red Hat Security Advisories RHSA-2011:1849 (released on 2011-12-22), RHSA-2011:1850 (released on 2011-12-22), RHSA-2012:0107 (released on 2012-02-09), and RHSA-2012:0358 (released on 2012-03-06) corrected this issue for Red Hat Enterprise Linux 6, Red Hat Enterprise Virtualization Hypervisor 6.2, Red Hat Enterprise Linux 5, and Red Hat Enterprise Linux 5.6 Extended Update Support, respectively.

It is not possible to use control groups (cgroups) or sVirt mandatory access control to mitigate this issue. For virtualization hosts (including Red Hat Enterprise Virtualization Hypervisor 6.2), before updates are applied, the following SystemTap script prevents privileged guest users from issuing read and write requests (and other SCSI commands) on the host and possibly accessing the data of other guests that reside on the same underlying block device.

1. On the host, save the following in a file with the .stp extension:

#!/usr/sbin/stap -g
# Requires guru mode (-g) for target variable writes
probe syscall.ioctl {
    SG_IO = 0x2285
    if ($cmd == SG_IO && execname() == "qemu-kvm") {
        printf("filtering SG_IO ioctl request from qemu-kvm process %d\n",
               pid())
        # Clear the command and invalidate the descriptor so the ioctl
        # fails instead of reaching the underlying block device
        $cmd = 0x0
        $fd = -1
    }
}

2. Install the systemtap package and any required dependencies. Refer to the "2. Using SystemTap" chapter in the Red Hat Enterprise Linux 5 and 6 "SystemTap Beginners Guide" documents, available from docs.redhat.com, for information on installing the required -debuginfo packages.

3. Run the stap -g [filename-from-step-1].stp command as root.

If the host is rebooted, the changes will be lost and the script must be run again.

Further assistance

If you require assistance with mitigating this issue, contact Red Hat Support: https://access.redhat.com/support/contact/technicalSupport.html

Revision history

2012-01-27: Article updated to reflect the release of RHSA-2011:1850 (released on 2011-12-22), which corrected this issue for Red Hat Enterprise Virtualization Hypervisor 6.2.

2012-02-10: Article updated to reflect the release of RHSA-2012:0107 (released on 2012-02-09), which corrected this issue for Red Hat Enterprise Linux 5.

2012-03-07: Article updated to reflect the release of RHSA-2012:0358 (released on 2012-03-06), which corrected this issue for Red Hat Enterprise Linux 5.6 Extended Update Support.
