CVE-2019-10168

Impact:
Important
Public Date:
2019-06-20
CWE:
(CWE-284|CWE-250)
Bugzilla:
1720118: CVE-2019-10168 libvirt: arbitrary command execution via virConnectBaselineHypervisorCPU and virConnectCompareHypervisorCPU APIs
The virConnectBaselineHypervisorCPU() and virConnectCompareHypervisorCPU() libvirt APIs accept an "emulator" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges.

Find out more about CVE-2019-10168 from the MITRE CVE dictionary and NIST NVD.

Statement

  • This vulnerability requires access to the libvirt read-only socket, normally at /var/run/libvirt/libvirt_sock_ro. Typically, in hypervisor environments, local user accounts are not supported, so no untrusted users should be able to access this socket.
  • Red Hat Gluster Storage 3 is not affected by this vulnerability as libvirtd daemon is not shipped in Gluster.

CVSS v3 metrics

CVSS3 Base Score: 8.8
CVSS3 Base Metrics: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High

Red Hat Security Errata

Platform | Errata | Release Date
Advanced Virtualization for RHEL 8.0.1 (virt:8.0.0) | RHSA-2019:1762 | 2019-07-11
Red Hat Enterprise Linux 7 (libvirt) | RHSA-2019:1579 | 2019-06-20
Red Hat Enterprise Linux 8 (virt:rhel) | RHSA-2019:1580 | 2019-06-20
Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts (redhat-virtualization-host) | RHSA-2019:1699 | 2019-07-08

Affected Packages State

Platform | Package | State
Red Hat Gluster Storage 3 | libvirt | Not affected
Red Hat Enterprise Linux 6 | libvirt | Not affected
Red Hat Enterprise Linux 5 | libvirt | Not affected

Unless explicitly stated as not affected, all previous versions of packages in any minor update stream of a product listed here should be assumed vulnerable, although they may not have been subject to full analysis.

Acknowledgements

This issue was discovered by Jan Tomko (Red Hat).

Mitigation

The Unix permissions of libvirt's read-only socket can be made more restrictive than the default (0777) by editing `/etc/libvirt/libvirtd.conf`. The settings `unix_sock_group = libvirt` and `unix_sock_ro_perms = 0770` will restrict access to only members of `libvirt`, who already have management access to virtual machines.
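The following shell script is an added example for checking that the mitigation above is in place; it is not part of the Red Hat advisory or of libvirt. It reads the effective `unix_sock_group` and `unix_sock_ro_perms` values from a libvirtd.conf file (falling back to the 0777 default the advisory describes when the key is unset or commented out) and, separately, inspects the mode of the live read-only socket. The socket path defaults to the one named in the Statement section, and `stat -c` assumes GNU coreutils as found on RHEL. The two sample configuration files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the advisory or libvirt): audit the CVE-2019-10168
# mitigation in libvirtd.conf and on the live read-only socket.

# Print the effective value of a libvirtd.conf key: the last uncommented
# assignment wins, surrounding quotes and trailing comments are stripped.
conf_value() {
  key="$1"; file="$2"
  grep -E "^[[:space:]]*${key}[[:space:]]*=" "$file" 2>/dev/null | tail -n 1 \
    | sed -E 's/^[^=]*=[[:space:]]*//' | tr -d '"' | tr -d "'" \
    | sed -E 's/[[:space:]]*#.*$//; s/[[:space:]]+$//'
}

# Return 0 when an octal mode has no "other" permission bits (0770, 0750, ...),
# 1 when the world can still reach the socket (0777, 0775, ...).
mode_restricts_world() {
  case "$1" in
    *0) return 0 ;;
    *)  return 1 ;;
  esac
}

# Evaluate a config file. Prints "hardened" when the RO socket mode blocks
# world access and an owning group is configured, otherwise "default".
audit_conf() {
  file="$1"
  group=$(conf_value unix_sock_group "$file")
  perms=$(conf_value unix_sock_ro_perms "$file")
  if [ -z "$perms" ]; then
    perms=0777   # libvirt's default for the read-only socket, per the advisory
  fi
  if mode_restricts_world "$perms" && [ -n "$group" ]; then
    echo hardened; return 0
  fi
  echo default; return 1
}

# Inspect the live read-only socket (path from the Statement section unless
# overridden). Returns 0 if world bits are clear, 1 if not, 2 if absent.
audit_socket() {
  sock="${1:-/var/run/libvirt/libvirt_sock_ro}"
  if [ ! -S "$sock" ]; then
    echo "no socket at $sock"; return 2
  fi
  mode=$(stat -c '%a' "$sock")
  grp=$(stat -c '%G' "$sock")
  echo "$sock mode=$mode group=$grp"
  mode_restricts_world "$mode"
}

# Demonstration on two constructed configuration files.
tmp=$(mktemp -d)
cat > "$tmp/default.conf" <<'EOF'
# constructed sample: stock settings, read-only socket world-accessible
#unix_sock_group = "libvirt"
#unix_sock_ro_perms = "0777"
EOF
cat > "$tmp/hardened.conf" <<'EOF'
# constructed sample: mitigation from the advisory applied
unix_sock_group = "libvirt"
unix_sock_ro_perms = "0770"
EOF
for f in default hardened; do
  printf '%s.conf: %s\n' "$f" "$(audit_conf "$tmp/$f.conf")"
done
audit_socket || true
rm -rf "$tmp"
```

Run it as root on a host to combine both views: `audit_conf /etc/libvirt/libvirtd.conf` tells you what libvirtd will apply at its next restart, while `audit_socket` tells you what is enforced right now, which matters because a config edit alone does not change the mode of an already-created socket until the daemon is restarted.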
