It was discovered that libvirtd would permit readonly clients to use the virDomainSaveImageGetXMLDesc() API, specifying an arbitrary path which would be accessed with the permissions of the libvirtd process. An attacker with access to the libvirtd socket could use this to probe the existence of arbitrary files, cause denial of service or cause libvirtd to execute arbitrary programs. This vulnerability was first present in libvirt v0.9.4.
Statement:
* This vulnerability requires access to the libvirt socket, normally in /var/run/libvirt/libvirt_sock_ro. Typically in hypervisor environments, local user accounts are not supported so no untrusted users should be able to access this socket.
* Red Hat Gluster Storage 3 is not affected by this vulnerability as the libvirtd daemon is not shipped in Gluster.
* On Red Hat Enterprise Linux 6, the impact of this vulnerability is limited to denial of service or disclosing the existence of arbitrary files. Privilege escalation is not possible. For RHEL6, this CVE is rated as Moderate severity with 7.3/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:H
External References: https://access.redhat.com/libvirt-privesc-vulnerabilities
Mitigation: The Unix permissions of libvirt's read-only socket can be made more restrictive than the default (0777) by editing `/etc/libvirt/libvirtd.conf`. The settings `unix_sock_group = libvirt` and `unix_sock_ro_perms = 0770` will restrict access to only members of `libvirt`, who already have management access to virtual machines.
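A check for the mitigation above, as an added example that is not part of the original bug report or libvirt's own code: it parses the text of `libvirtd.conf` and reports whether the read-only socket would still be open to all local users. The function names and both sample configurations are constructed for illustration; the 0777 default is the one given in the mitigation text.

```python
import re

# Default mode of the read-only socket, as stated in the mitigation text.
DEFAULT_RO_PERMS = 0o777

# Matches uncommented settings, with or without quotes around the value.
SETTING_RE = re.compile(
    r'^\s*(unix_sock_group|unix_sock_ro_perms)\s*=\s*"?([^"#\s]+)"?')

# Constructed sample inputs: one with both settings commented out, one hardened.
DEFAULT_CONF = '#unix_sock_group = "libvirt"\n#unix_sock_ro_perms = "0777"\n'
HARDENED_CONF = 'unix_sock_group = libvirt\nunix_sock_ro_perms = 0770\n'


def parse_libvirtd_conf(text):
    """Return the last uncommented value of each socket setting."""
    found = {}
    for line in text.splitlines():
        m = SETTING_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def audit_ro_socket(text):
    """Return a list of findings; an empty list means the mitigation is set."""
    conf = parse_libvirtd_conf(text)
    raw = conf.get("unix_sock_ro_perms")
    try:
        perms = int(raw, 8) if raw is not None else DEFAULT_RO_PERMS
    except ValueError:
        return [f"unix_sock_ro_perms is not an octal mode: {raw!r}"]
    findings = []
    if raw is None:
        findings.append("unix_sock_ro_perms not set; default 0777 applies")
    if perms & 0o007:
        findings.append(
            f"read-only socket is accessible to all local users ({perms:04o})")
    if "unix_sock_group" not in conf:
        findings.append(
            "unix_sock_group not set; access is not limited to a management group")
    return findings


if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ro_socket(conf) or "OK")
```

To audit a host, pass the contents of `/etc/libvirt/libvirtd.conf` to `audit_ro_socket()`.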
Upstream patch: https://libvirt.org/git/?p=libvirt.git;a=commit;h=aed6a032cead4386472afb24b16196579e239580
Created libvirt tracking bugs for this issue:
Affects: fedora-all [bug 1722463]

Created mingw-libvirt tracking bugs for this issue:
Affects: fedora-all [bug 1722467]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2019:1578 https://access.redhat.com/errata/RHSA-2019:1578

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2019:1579 https://access.redhat.com/errata/RHSA-2019:1579

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2019:1580 https://access.redhat.com/errata/RHSA-2019:1580
Acknowledgments: Name: Matthias Gerstner (SUSE)
This issue has been addressed in the following products:
Red Hat Virtualization 4 for Red Hat Enterprise Linux 7
Via RHSA-2019:1699 https://access.redhat.com/errata/RHSA-2019:1699

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8 Advanced Virtualization
Via RHSA-2019:1762 https://access.redhat.com/errata/RHSA-2019:1762
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10161