CVE-2021-3667
NixOS vulnerability analysis and mitigation

Overview

CVE-2021-3667 is an improper locking vulnerability discovered in the virStoragePoolLookupByTargetPath API of libvirt. The issue was introduced in libvirt-4.1.0 when virStoragePoolLookupByTargetPath was exported as a public API. The vulnerability was disclosed and patched in July 2021 (Bugzilla, Ubuntu Notice).

Technical details

The vulnerability occurs in the storagePoolLookupByTargetPath function, where a locked virStoragePoolObj object is not released on ACL permission failure. virStoragePoolObjListSearch returns a locked and referenced object, but storagePoolLookupByTargetPath does not release it when the ACL permission check fails (GitLab Commit). The CVSS score for this vulnerability is 6.5 (Medium) with a vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NetApp Security).

Impact

When exploited, this vulnerability allows clients connecting to the read-write socket with limited ACL permissions to acquire the lock and prevent other users from accessing storage pool/volume APIs, resulting in a denial of service condition (Red Hat CVE, Ubuntu Notice).
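The locking flaw from the technical details and its effect on other clients, as an added example that is not libvirt's code: a simplified single-threaded C model in which every name (pool_obj, pool_search, pool_end_api, lookup_flawed, lookup_fixed) and the pool path are hypothetical. A held lock is reported as LOOKUP_BUSY here, where a real mutex would block the caller.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not libvirt code: every name below is hypothetical. */
typedef struct { int owner; int refs; const char *target; } pool_obj;
typedef enum { LOOKUP_OK, LOOKUP_DENIED, LOOKUP_NOT_FOUND, LOOKUP_BUSY } lookup_rc;

static pool_obj pool = { 0, 1, "/constructed/pool" };  /* constructed sample */

/* Same contract as the search described above: a match comes back locked
 * (owner set) and referenced. A real mutex would block; the model sets busy. */
static pool_obj *pool_search(int client, const char *target, bool *busy) {
    *busy = false;
    if (strcmp(target, pool.target) != 0) return NULL;
    if (pool.owner != 0) { *busy = true; return NULL; }
    pool.owner = client;
    pool.refs++;
    return &pool;
}

/* Drops the reference and the lock taken by pool_search. */
static void pool_end_api(pool_obj *obj) { obj->refs--; obj->owner = 0; }

/* Flawed shape: the ACL failure path returns while the object is still held. */
static lookup_rc lookup_flawed(int client, const char *target, bool acl_ok) {
    bool busy;
    pool_obj *obj = pool_search(client, target, &busy);
    if (!obj) return busy ? LOOKUP_BUSY : LOOKUP_NOT_FOUND;
    if (!acl_ok) return LOOKUP_DENIED;   /* lock and reference leak here */
    pool_end_api(obj);
    return LOOKUP_OK;
}

/* Corrected shape: a single exit path releases the object whatever the ACL says. */
static lookup_rc lookup_fixed(int client, const char *target, bool acl_ok) {
    bool busy;
    pool_obj *obj = pool_search(client, target, &busy);
    if (!obj) return busy ? LOOKUP_BUSY : LOOKUP_NOT_FOUND;
    lookup_rc rc = acl_ok ? LOOKUP_OK : LOOKUP_DENIED;
    pool_end_api(obj);
    return rc;
}

int main(void) {
    lookup_rc a = lookup_fixed(1, pool.target, false);   /* denied, released */
    lookup_rc b = lookup_fixed(2, pool.target, true);    /* other client works */
    lookup_rc c = lookup_flawed(1, pool.target, false);  /* denied, still held */
    lookup_rc d = lookup_fixed(2, pool.target, true);    /* other client stuck */
    printf("fixed: %d then %d; flawed: %d then %d\n", a, b, c, d);
    return 0;
}
```

A reference count that never returns to its baseline after a denied call is the same symptom a reviewer or a leak checker would look for in the real code path.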

Mitigation and workarounds

The vulnerability was fixed in multiple distributions through security updates. Red Hat addressed it in RHSA-2021:4191 for RHEL 8, RHSA-2021:3703 for Advanced Virtualization, and RHSA-2021:3704 for other products. Ubuntu fixed it in version 6.0.0-0ubuntu8.16 for Ubuntu 20.04. Debian fixed it in version 5.0.0-4+deb10u2 for Debian 10 buster (Debian LTS, Red Hat Errata).

This report was generated using AI.
