CVE-2019-10161

Impact:
Important
Public Date:
2019-06-20
CWE:
CWE-284
Bugzilla:
1720115: CVE-2019-10161 libvirt: arbitrary file read/exec via virDomainSaveImageGetXMLDesc API
It was discovered that libvirtd permitted clients connected over the read-only socket to call the virDomainSaveImageGetXMLDesc() API with an arbitrary path, which libvirtd then opened with its own privileges. An attacker with access to the libvirtd socket could use this to probe for the existence of arbitrary files, cause a denial of service, or cause libvirtd to execute arbitrary programs.

Find out more about CVE-2019-10161 from the MITRE CVE dictionary and NIST NVD.

Statement

  • This vulnerability requires access to the libvirt read-only socket, normally /var/run/libvirt/libvirt-sock-ro. Hypervisor hosts typically do not provide local accounts for untrusted users, so no untrusted user should be able to reach this socket; any host that does give untrusted users a local shell should apply the mitigation below.
  • Red Hat Gluster Storage 3 is not affected by this vulnerability because the libvirtd daemon is not shipped in Gluster.
  • On Red Hat Enterprise Linux 6, the impact of this vulnerability is limited to denial of service or disclosing the existence of arbitrary files; privilege escalation is not possible. For RHEL 6 this CVE is rated Moderate, with a CVSS v3 base score of 7.3 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:H).

CVSS v3 metrics

CVSS3 Base Score 8.8
CVSS3 Base Metrics CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Changed
Confidentiality High
Integrity Impact High
Availability Impact High

Red Hat Security Errata

Platform | Errata | Release Date
Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts (redhat-virtualization-host) | RHSA-2019:1699 | 2019-07-08
Red Hat Enterprise Linux 7 (libvirt) | RHSA-2019:1579 | 2019-06-20
Red Hat Enterprise Linux 8 (virt:rhel) | RHSA-2019:1580 | 2019-06-20
Red Hat Enterprise Linux 6 (libvirt) | RHSA-2019:1578 | 2019-06-20
Advanced Virtualization for RHEL 8.0.1 (virt:8.0.0) | RHSA-2019:1762 | 2019-07-11

Affected Packages State

Platform | Package | State
Red Hat Gluster Storage 3 | libvirt | Not affected
Red Hat Enterprise Linux 5 | libvirt | Not affected

Unless explicitly stated as not affected, all previous versions of packages in any minor update stream of a product listed here should be assumed vulnerable, although they may not have been subject to full analysis.

Acknowledgements

Red Hat would like to thank Matthias Gerstner (SUSE) for reporting this issue.

Mitigation

The Unix permissions of libvirt's read-only socket can be made more restrictive than the default (0777) by editing `/etc/libvirt/libvirtd.conf`. Setting `unix_sock_group = "libvirt"` and `unix_sock_ro_perms = "0770"` restricts the socket to members of the `libvirt` group, who already have management access to virtual machines through the read-write socket. libvirtd must be restarted for the new socket permissions to take effect.
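The following script is an added example, not part of the advisory or of libvirt itself. It audits a `libvirtd.conf` for the mitigation above, applies the two settings to a copy of the file, and, where the host actually has a libvirt read-only socket, shows that socket's live mode and group. The sample config fragments are constructed; the socket path is libvirt's usual `/var/run/libvirt/libvirt-sock-ro` and is an assumption for other layouts.

```shell
#!/bin/sh
# Added example (not from the Red Hat advisory or from libvirt): audit a
# libvirtd.conf for the read-only socket mitigation, apply it to a copy of the
# file, and show the live socket's mode where one exists.
# The config fragments below are constructed samples.

# Print the effective value of a libvirtd.conf key: last uncommented
# assignment wins, surrounding double quotes are stripped, empty if unset.
conf_get() {
    conf="$1"; key="$2"
    sed -n 's/^[[:space:]]*'"$key"'[[:space:]]*=[[:space:]]*"\{0,1\}\([^"[:space:]]*\)"\{0,1\}.*/\1/p' "$conf" | tail -n 1
}

# Succeed (exit 0) only if the read-only socket would not be reachable by
# arbitrary local users: unix_sock_ro_perms has no "other" bits and a
# unix_sock_group is named so that the group bits actually limit access.
ro_socket_restricted() {
    conf="$1"
    perms=$(conf_get "$conf" unix_sock_ro_perms)
    group=$(conf_get "$conf" unix_sock_group)
    # An unset key means libvirtd's compiled-in default of 0777.
    [ -n "$perms" ] || perms=0777
    other=$(printf '%s' "$perms" | tail -c 1)
    [ "$other" = "0" ] && [ -n "$group" ]
}

# Rewrite a libvirtd.conf copy with the advisory's mitigation: drop any
# existing (commented or live) assignments of the two keys, then append the
# restrictive ones. libvirtd must be restarted for the change to take effect.
apply_mitigation() {
    conf="$1"; tmp="$conf.tmp"
    grep -v -E '^[[:space:]]*#?[[:space:]]*unix_sock_(group|ro_perms)[[:space:]]*=' "$conf" > "$tmp" || true
    printf '%s\n' 'unix_sock_group = "libvirt"' 'unix_sock_ro_perms = "0770"' >> "$tmp"
    mv "$tmp" "$conf"
}

# Show the symbolic mode and owning group of the live read-only socket, if
# this host has one (ls output is the same shape on GNU and BSD userlands).
live_ro_socket_mode() {
    sock="${1:-/var/run/libvirt/libvirt-sock-ro}"   # assumed default path
    [ -S "$sock" ] && ls -ld "$sock" | awk '{print $1, $4}'
}

# Constructed sample config: a stock-style file with the socket keys left
# commented out, so the 0777 default applies to the read-only socket.
WORK=$(mktemp -d)
WEAK_CONF="$WORK/libvirtd.conf"
cat > "$WEAK_CONF" <<'EOF'
# Sample libvirtd.conf (constructed). Socket keys left at commented defaults.
#unix_sock_group = "libvirt"
#unix_sock_rw_perms = "0770"
#unix_sock_ro_perms = "0777"
listen_tls = 0
EOF

# The same file after the mitigation has been applied to a copy.
HARDENED_CONF="$WORK/libvirtd.hardened.conf"
cp "$WEAK_CONF" "$HARDENED_CONF"
apply_mitigation "$HARDENED_CONF"

if ro_socket_restricted "$WEAK_CONF"; then
    echo "weak config: read-only socket restricted"
else
    echo "weak config: read-only socket world-accessible (unix_sock_ro_perms unset, default 0777)"
fi
if ro_socket_restricted "$HARDENED_CONF"; then
    echo "hardened config: unix_sock_group=$(conf_get "$HARDENED_CONF" unix_sock_group) unix_sock_ro_perms=$(conf_get "$HARDENED_CONF" unix_sock_ro_perms)"
fi
live_ro_socket_mode || echo "no live read-only socket on this host"
```

`ro_socket_restricted` deliberately treats a missing `unix_sock_ro_perms` as 0777, because that is what libvirtd falls back to when the key is commented out; an audit that only looks for an explicit 0777 would miss the stock configuration. To apply the mitigation on a real host, run `apply_mitigation /etc/libvirt/libvirtd.conf` as root and then restart libvirtd; the live socket check afterwards should report group `libvirt` and no `other` bits.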
