high
8.8
CWE
22 862 284
Advisory Published
CVE Published
Updated

CVE-2019-10161: Path Traversal

First published: Thu Jun 13 2019(Updated: )

It was discovered that libvirtd before versions 4.10.1 and 5.4.1 would permit read-only clients to use the virDomainSaveImageGetXMLDesc() API, specifying an arbitrary path which would be accessed with the permissions of the libvirtd process. An attacker with access to the libvirtd socket could use this to probe the existence of arbitrary files, cause denial of service or cause libvirtd to execute arbitrary programs.

Credit: secalert@redhat.com secalert@redhat.com

Affected SoftwareAffected VersionHow to fix
redhat/libvirt<0:0.10.2-64.el6_10.2
0:0.10.2-64.el6_10.2
redhat/libvirt<0:4.5.0-10.el7_6.12
0:4.5.0-10.el7_6.12
redhat/redhat-release-virtualization-host<0:4.3.4-1.el7e
0:4.3.4-1.el7e
redhat/redhat-virtualization-host<0:4.3.4-20190620.3.el7_6
0:4.3.4-20190620.3.el7_6
Redhat Libvirt<4.10.1
Redhat Libvirt>=5.0.0<5.4.1
Redhat Enterprise Linux=6.0
Redhat Enterprise Linux=7.0
Redhat Enterprise Linux=8.0
Redhat Virtualization=4.0
Redhat Virtualization Host=4.0
Redhat Enterprise Linux=7.0
Canonical Ubuntu Linux=14.04
ubuntu/libvirt<5.4.0-0ubuntu3
5.4.0-0ubuntu3
ubuntu/libvirt<4.0.0-1ubuntu8.12
4.0.0-1ubuntu8.12
ubuntu/libvirt<4.6.0-2ubuntu3.8
4.6.0-2ubuntu3.8
ubuntu/libvirt<5.0.0-1ubuntu2.4
5.0.0-1ubuntu2.4
ubuntu/libvirt<5.4.0-0ubuntu3
5.4.0-0ubuntu3
ubuntu/libvirt<5.4.0-0ubuntu3
5.4.0-0ubuntu3
ubuntu/libvirt<5.4.0-0ubuntu3
5.4.0-0ubuntu3
ubuntu/libvirt<1.2.2-0ubuntu13.1.28+
1.2.2-0ubuntu13.1.28+
ubuntu/libvirt<1.3.1-1ubuntu10.27
1.3.1-1ubuntu10.27
All of
Any of
Redhat Virtualization=4.0
Redhat Virtualization Host=4.0
Redhat Enterprise Linux=7.0
redhat/libvirt<4.10.1
4.10.1
redhat/libvirt<5.4.1
5.4.1
debian/libvirt
5.0.0-4+deb10u1
5.0.0-4+deb10u2
7.0.0-3+deb11u2
9.0.0-4
10.0.0-2
10.2.0-1

Remedy

The Unix permissions of libvirt's read-only socket can be made more restrictive than the default (0777) by editing `/etc/libvirt/libvirtd.conf`. The settings `unix_sock_group = libvirt` and `unix_sock_ro_perms = 0770` will restrict access to only members of `libvirt`, who already have management access to virtual machines.

Remedy

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10161

Remedy

https://libvirt.org/git/?p=libvirt.git;a=commit;h=aed6a032cead4386472afb24b16196579e239580

Remedy

http://libvirt.org/git/?p=libvirt.git;a=commit;h=6aa0c85be9f840a32fcec282185b5ed2513a3aa5

Remedy

http://libvirt.org/git/?p=libvirt.git;a=commit;h=a27659643b8ae9b26b52fc857cdc5b301184e26e

Remedy

http://libvirt.org/git/?p=libvirt.git;a=commit;h=1f8129c5db3952a57900b8cd1d94e629068e6aa5

Remedy

http://libvirt.org/git/?p=libvirt.git;a=commit;h=980109c41c8bb55fd105809f2e063667721feaea

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

  • What is CVE-2019-10161?

    CVE-2019-10161 is a vulnerability discovered in libvirtd before versions 4.10.1 and 5.4.1.

  • What is the severity of CVE-2019-10161?

    The severity of CVE-2019-10161 is high with a CVSS score of 8.8.

  • How does CVE-2019-10161 affect libvirt?

    CVE-2019-10161 allows read-only clients to use the virDomainSaveImageGetXMLDesc() API with an arbitrary path, leading to potential privilege escalation.

  • What is the remedy for CVE-2019-10161?

    The remedy for CVE-2019-10161 is to update libvirtd to version 4.10.1 or 5.4.1.

  • Where can I find more information about CVE-2019-10161?

    You can find more information about CVE-2019-10161 at the following references: [link 1](https://access.redhat.com/libvirt-privesc-vulnerabilities), [link 2](https://libvirt.org/git/?p=libvirt.git;a=commit;h=aed6a032cead4386472afb24b16196579e239580), [link 3](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1722463).

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203