Bug 1665228 (CVE-2019-3840) - CVE-2019-3840 libvirt: NULL pointer dereference after running qemuAgentCommand in qemuAgentGetInterfaces function
Summary: CVE-2019-3840 libvirt: NULL pointer dereference after running qemuAgentComman...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-3840
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1665229 1665230 1683559 1683560
Blocks: 1665231
Reported: 2019-01-10 17:41 UTC by Pedro Sampaio
Modified: 2019-09-29 15:04 UTC (History)

Fixed In Version: libvirt 5.0.0
Doc Type: If docs needed, set a value
Doc Text:
A NULL pointer dereference flaw was discovered in libvirt in the way it gets interface information through the QEMU agent. An attacker in a guest VM can use this flaw to crash libvirtd and cause a denial of service.
Clone Of:
Environment:
Last Closed: 2019-08-06 19:20:35 UTC
Embargoed:




Links:
Red Hat Product Errata RHSA-2019:2294 (System ID 0; Private: None; Priority: None; Status: None; Last Updated: 2019-08-06 12:37:46 UTC)

Description Pedro Sampaio 2019-01-10 17:41:42 UTC
A flaw was found in libvirtd. A null pointer in the virJSONValueObjectHasKey function in util/virjson.c triggers a crash, resulting in a remote denial of service via the guest agent.

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1663051

Upstream patch:

https://www.redhat.com/archives/libvir-list/2019-January/msg00241.html

Comment 1 Pedro Sampaio 2019-01-10 17:42:01 UTC
Created libvirt tracking bugs for this issue:

Affects: fedora-all [bug 1665229]


Created mingw-libvirt tracking bugs for this issue:

Affects: fedora-all [bug 1665230]

Comment 2 Riccardo Schirone 2019-02-26 14:31:25 UTC
The NULL pointer dereference is caused by the execution of qemuAgentGetInterfaces() in qemu/qemu_agent.c. A "guest-network-get-interfaces" command is sent to the guest agent through the qemuAgentCommand() function and, although a reply is expected, the `needReply` parameter of qemuAgentCommand() is not set. Thus, if for some reason the qemu agent does not reply, the reply variable may be NULL, causing an error in virJSONValueObjectGet(), which is called immediately after the qemuAgentCommand() function.
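A minimal C model of the pattern described in comment 2, added here as an illustration and not libvirt's own code: model_agent_command() stands in for qemuAgentCommand() and its `needReply` parameter, the AgentReply type stands in for the JSON reply, and the interface count and the -2 hazard marker are constructed values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Stand-in for the agent's JSON reply (a model, not libvirt's virJSONValue). */
typedef struct { int nifaces; } AgentReply;

/* Model of qemuAgentCommand(): if the agent never answers and the caller did
 * not set needReply, the call returns 0 with *reply still NULL; with needReply
 * set, a missing answer is reported as an error instead. */
static int model_agent_command(bool agent_replies, bool needReply,
                               AgentReply **reply)
{
    *reply = NULL;
    if (!agent_replies)
        return needReply ? -1 : 0;   /* 0 with a NULL reply is the hazardous case */
    *reply = malloc(sizeof(**reply));
    if (!*reply)
        return -1;
    (*reply)->nifaces = 2;           /* constructed sample: two interfaces */
    return 0;
}

/* Vulnerable pattern: needReply is false and the reply is used on the success
 * path without a NULL check. The real code dereferences it; -2 marks that spot. */
static int get_interfaces_vulnerable(bool agent_replies)
{
    AgentReply *reply = NULL;
    int ret;
    if (model_agent_command(agent_replies, false, &reply) < 0)
        return -1;
    if (!reply)
        return -2;                   /* libvirtd would crash here */
    ret = reply->nifaces;
    free(reply);
    return ret;
}

/* Hardened pattern: require a reply and still refuse to touch a NULL one. */
static int get_interfaces_fixed(bool agent_replies)
{
    AgentReply *reply = NULL;
    int ret;
    if (model_agent_command(agent_replies, true, &reply) < 0 || !reply)
        return -1;
    ret = reply->nifaces;
    free(reply);
    return ret;
}
```

With a responsive agent both variants return the interface count; when the agent stays silent the vulnerable variant reaches the dereference point while the hardened one returns an error.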

Comment 3 Riccardo Schirone 2019-02-26 14:34:45 UTC
An attacker who has an account on a guest VM could use this flaw to crash libvirtd on the host, thus causing a denial of service for other VMs as well. An attacker would need high privileges to control qemu-ga and make it fail to reply to the "guest-network-get-interfaces" command sent by libvirtd; however, we do not exclude other ways to prevent the guest agent from correctly replying.

Comment 4 Riccardo Schirone 2019-02-26 14:46:50 UTC
For the flaw to be exploited, User Interaction is required as a user on the host needs to request a "guest-network-get-interfaces" agent command.

Comment 8 errata-xmlrpc 2019-08-06 12:37:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2294 https://access.redhat.com/errata/RHSA-2019:2294

Comment 9 Product Security DevOps Team 2019-08-06 19:20:35 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-3840

