CVE-2022-0358 Overview
A privilege escalation vulnerability was discovered in the QEMU virtio-fs shared file system daemon (virtiofsd) implementation. This flaw is strictly related to CVE-2018-13405 and affects how file ownership is handled when creating files in SGID directories. A local guest user can create files in the directories shared by virtio-fs with unintended group ownership in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of the group.
Critical Impact
This vulnerability could allow a malicious unprivileged user inside the guest to gain access to resources accessible to the root group, potentially escalating their privileges within the guest. Additionally, a malicious local user on the host might leverage unexpected executable files created by the guest to escalate their privileges on the host system.
Affected Products
- QEMU (all versions prior to the security patch)
- Red Hat Enterprise Linux 8.0 Advanced Virtualization
Discovery Timeline
- 2022-08-29 - CVE-2022-0358 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-0358
Vulnerability Analysis
This vulnerability stems from improper checking of dropped privileges (CWE-273) in the QEMU virtio-fs shared file system daemon. When a directory has the SGID (Set Group ID) bit set, files created within that directory should inherit the group ownership of the parent directory. However, virtiofsd fails to properly handle this scenario when a user who is not a member of the target group creates files in such directories.
The flaw allows unprivileged guest users to create files with unintended group ownership, specifically inheriting root group ownership when exploiting SGID directories. This creates a path for privilege escalation both within the guest environment and potentially on the host system where virtiofsd runs.
Root Cause
The root cause lies in virtiofsd's failure to properly check and enforce privilege restrictions when handling file creation operations in SGID directories. The daemon does not adequately verify that the user creating the file should be allowed to inherit the group ownership specified by the SGID bit, violating the principle of least privilege.
Attack Vector
The attack requires local access to a guest system running virtio-fs. An attacker would:
- Identify a directory shared via virtio-fs that has the SGID bit set and is writable
- Create files within this directory as an unprivileged user who is not a member of the SGID group
- The created files incorrectly inherit the group ownership (potentially root group)
- Leverage these files to access resources restricted to the inherited group
- If the attacker can create executable files, they may escalate privileges on the host system
The attack mechanism exploits the improper privilege checking during file creation operations. When virtiofsd processes a file creation request in an SGID directory, it fails to properly validate whether the requesting user should be permitted to create files with the inherited group ownership. For detailed technical information, see the QEMU GitLab commit that addresses this issue.
Detection Methods for CVE-2022-0358
Indicators of Compromise
- Files in virtio-fs shared directories with unexpected group ownership (particularly root group)
- Newly created executable files in SGID directories created by non-privileged users
- Unusual file permission patterns in shared filesystem directories
- Guest processes accessing resources that should be restricted to root group
Detection Strategies
- Monitor virtio-fs shared directories for files with mismatched group ownership
- Audit file creation events in SGID directories for ownership anomalies
- Implement file integrity monitoring on critical shared directories
- Review guest user activity for attempts to access root-group resources
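An added example (not from the original advisory or the QEMU project): a host-side audit that walks a shared tree and reports regular files in SGID directories whose owner is not a member of the inherited group, marking SGID executables separately. The function names and the default of resolving membership through the host's passwd/group databases are assumptions; pass your own `is_member` callable if guest ids map differently.

```python
"""Audit a virtio-fs shared tree on the host for the ownership patterns above."""
import grp
import os
import pwd
import stat
import sys


def host_is_member(uid, gid):
    """Membership per the HOST passwd/group databases (assumption, see lead-in)."""
    try:
        user = pwd.getpwuid(uid)
        return user.pw_gid == gid or user.pw_name in grp.getgrgid(gid).gr_mem
    except KeyError:
        return False  # unknown uid or gid: treat the owner as a non-member


def classify(dir_st, file_st, is_member=host_is_member):
    """Findings for one regular file, given lstat results for it and its parent."""
    if not dir_st.st_mode & stat.S_ISGID or file_st.st_gid != dir_st.st_gid:
        return []  # parent is not SGID, or the file did not take its group
    if is_member(file_st.st_uid, file_st.st_gid):
        return []  # owner belongs to the group, ownership is expected
    findings = ["non-member-owner"]
    # An SGID executable runs with the file's group, so this is the
    # high-priority case among the indicators.
    if file_st.st_mode & stat.S_ISGID and file_st.st_mode & 0o111:
        findings.append("sgid-executable")
    return findings


def audit(root, is_member=host_is_member):
    """Walk root (symlinks not followed); yield (path, findings) per hit."""
    for dirpath, _dirs, names in os.walk(root):
        dir_st = os.lstat(dirpath)
        for name in names:
            path = os.path.join(dirpath, name)
            file_st = os.lstat(path)
            if stat.S_ISREG(file_st.st_mode):
                findings = classify(dir_st, file_st, is_member)
                if findings:
                    yield path, findings


if __name__ == "__main__":
    for hit, why in audit(sys.argv[1]):
        print(f"{hit}: {', '.join(why)}")
```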
Monitoring Recommendations
- Enable comprehensive logging for virtiofsd file operations
- Set up alerts for file creation events in SGID directories by non-member users
- Monitor for privilege escalation attempts within guest VMs
- Track executable file creation in shared filesystem paths
How to Mitigate CVE-2022-0358
Immediate Actions Required
- Update QEMU to a version containing the security patch (commit 449e8171f96a6a944d1f3b7d3627ae059eae21ca)
- Apply Red Hat Enterprise Linux security updates for affected virtualization packages
- Review and restrict SGID directory permissions in virtio-fs shared paths
- Audit existing files in shared directories for improper group ownership
Patch Information
The vulnerability has been addressed by the QEMU project. The fix is available in the QEMU GitLab commit. Red Hat has also published advisories and patches for affected Enterprise Linux versions. Additional details can be found in the Red Hat Bug Report #2044863 and the Red Hat CVE-2022-0358 Advisory.
Workarounds
- Remove or avoid using SGID directories in virtio-fs shared paths until patching is complete
- Restrict write access to shared directories to trusted users only
- Consider alternative file sharing mechanisms if patching is not immediately possible
- Implement strict access controls on virtiofsd shared directories
```bash
# Configuration example - Remove SGID bit from shared directories as a temporary workaround

# Find and list SGID directories in virtio-fs shared paths
find /path/to/shared/directory -type d -perm -2000 -ls

# Remove SGID bit from specific directories (use with caution)
chmod g-s /path/to/shared/directory

# Alternatively, restrict write permissions on SGID directories
chmod o-w /path/to/shared/sgid-directory
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


