CVE-2019-10161: Path Traversal
First published: Thu Jun 13 2019(Updated: )
It was discovered that libvirtd before versions 4.10.1 and 5.4.1 would permit read-only clients to use the virDomainSaveImageGetXMLDesc() API, specifying an arbitrary path which would be accessed with the permissions of the libvirtd process. An attacker with access to the libvirtd socket could use this to probe the existence of arbitrary files, cause denial of service or cause libvirtd to execute arbitrary programs.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/libvirt | <0:0.10.2-64.el6_10.2 | 0:0.10.2-64.el6_10.2 |
| redhat/libvirt | <0:4.5.0-10.el7_6.12 | 0:4.5.0-10.el7_6.12 |
| redhat/redhat-release-virtualization-host | <0:4.3.4-1.el7e | 0:4.3.4-1.el7e |
| redhat/redhat-virtualization-host | <0:4.3.4-20190620.3.el7_6 | 0:4.3.4-20190620.3.el7_6 |
| Redhat Libvirt | <4.10.1 | |
| Redhat Libvirt | >=5.0.0<5.4.1 | |
| Redhat Enterprise Linux | =6.0 | |
| Redhat Enterprise Linux | =7.0 | |
| Redhat Enterprise Linux | =8.0 | |
| Redhat Virtualization | =4.0 | |
| Redhat Virtualization Host | =4.0 | |
| Redhat Enterprise Linux | =7.0 | |
| Canonical Ubuntu Linux | =14.04 | |
| All of | ||
| Any of | ||
| Redhat Virtualization | =4.0 | |
| Redhat Virtualization Host | =4.0 | |
| Redhat Enterprise Linux | =7.0 | |
| redhat/libvirt | <4.10.1 | 4.10.1 |
| redhat/libvirt | <5.4.1 | 5.4.1 |
| debian/libvirt | 7.0.0-3+deb11u3 9.0.0-4+deb12u1 10.7.0-3 |
Remedy
The Unix permissions of libvirt's read-only socket can be made more restrictive than the default (0777) by editing `/etc/libvirt/libvirtd.conf`. The settings `unix_sock_group = libvirt` and `unix_sock_ro_perms = 0770` will restrict access to only members of `libvirt`, who already have management access to virtual machines.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2019-10161 https://nvd.nist.gov/vuln/detail/CVE-2019-10161 https://access.redhat.com/libvirt-privesc-vulnerabilities
- https://bugzilla.redhat.com/show_bug.cgi?id=1720115
- https://access.redhat.com/errata/RHSA-2019:1578
- https://access.redhat.com/errata/RHSA-2019:1579
- https://access.redhat.com/errata/RHSA-2019:1580
- https://access.redhat.com/errata/RHSA-2019:1762
- https://access.redhat.com/errata/RHSA-2019:1699
- https://access.redhat.com/security/cve/cve-2019-10161
- https://access.redhat.com/libvirt-privesc-vulnerabilities
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10161
- https://libvirt.org/git/?p=libvirt.git;a=commit;h=aed6a032cead4386472afb24b16196579e239580
- https://security.gentoo.org/glsa/202003-18
- https://usn.ubuntu.com/4047-2/
- https://launchpad.net/bugs/cve/CVE-2019-10161
- https://libvirt.org/git/?p=libvirt.git%3Ba=commit%3Bh=aed6a032cead4386472afb24b16196579e239580
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1722463
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1722467
- https://security-tracker.debian.org/tracker/CVE-2019-10161
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10161
- https://nvd.nist.gov/vuln/detail/CVE-2019-10161
- https://ubuntu.com/security/CVE-2019-10161
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2019-10161?
CVE-2019-10161 is a vulnerability discovered in libvirtd before versions 4.10.1 and 5.4.1.
What is the severity of CVE-2019-10161?
The severity of CVE-2019-10161 is high with a CVSS score of 8.8.
How does CVE-2019-10161 affect libvirt?
CVE-2019-10161 allows read-only clients to use the virDomainSaveImageGetXMLDesc() API with an arbitrary path, leading to potential privilege escalation.
What is the remedy for CVE-2019-10161?
The remedy for CVE-2019-10161 is to update libvirtd to version 4.10.1 or 5.4.1.
Where can I find more information about CVE-2019-10161?
You can find more information about CVE-2019-10161 at the following references: [link 1](https://access.redhat.com/libvirt-privesc-vulnerabilities), [link 2](https://libvirt.org/git/?p=libvirt.git;a=commit;h=aed6a032cead4386472afb24b16196579e239580), [link 3](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1722463).
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/weakness
- agent/severity
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-10161
- agent/references
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- package-manager/redhat
- vendor/redhat
- canonical/redhat libvirt
- version/redhat libvirt/5.0.0
- canonical/redhat enterprise linux
- version/redhat enterprise linux/6.0
- version/redhat enterprise linux/7.0
- version/redhat enterprise linux/8.0
- canonical/redhat virtualization
- version/redhat virtualization/4.0
- canonical/redhat virtualization host
- version/redhat virtualization host/4.0
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/14.04
- package-manager/debian