Bug 1726232 (CVE-2019-10183)

Summary: CVE-2019-10183 virt-install: unattended option leaks password via command line argument
Product: [Other] Security Response Reporter: Prasad J Pandit <ppandit>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: berrange, crobinso, fidencio, philwyett, phrdina, security-response-team, virt-mgr-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
The virt-install utility used to provision new virtual machines, in virt-manager v2.2.0, has introduced an option '--unattended' to create VMs without user interaction. This option accepts guest VM password as command line arguments. An attacker could obtain these passwords though process listings on the system.
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-11-06 00:52:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1726535, 1726536    
Bug Blocks: 1726225    

Description Prasad J Pandit 2019-07-02 11:40:49 UTC
Virt-install(1) utility used to provision new virtual machines has introduced an option
'--unattended' to create VMs without user interaction. This option accepts guest VM
password as command line arguments. Thus leaking them to others users on the system
via process listing. It was introduced recently in the virt-manager v2.2.0 release.

Upstream patch:
---------------
  -> https://www.redhat.com/archives/virt-tools-list/2019-July/msg00014.html

Reference:
----------
  -> https://virt-manager.org/download/
  -> https://www.openwall.com/lists/oss-security/2019/07/03/1

Comment 2 Prasad J Pandit 2019-07-02 12:28:59 UTC
Acknowledgments:

Name: Daniel P. Berrangé (Red Hat Inc.)

Comment 3 Prasad J Pandit 2019-07-03 06:45:20 UTC
Created virt-manager tracking bugs for this issue:

Affects: fedora-all [bug 1726536]

Comment 6 errata-xmlrpc 2019-11-05 20:58:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3464 https://access.redhat.com/errata/RHSA-2019:3464

Comment 7 Product Security DevOps Team 2019-11-06 00:52:53 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10183