CVE-2019-10166
First published: Thu Jun 13 2019(Updated: )
It was discovered that libvirtd, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, would permit readonly clients to use the virDomainManagedSaveDefineXML() API, which would permit them to modify managed save state files. If a managed save had already been created by a privileged user, a local attacker could modify this file such that libvirtd would execute an arbitrary program when the domain was resumed.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/libvirt | <0:4.5.0-10.el7_6.12 | 0:4.5.0-10.el7_6.12 |
| redhat/redhat-release-virtualization-host | <0:4.3.4-1.el7e | 0:4.3.4-1.el7e |
| redhat/redhat-virtualization-host | <0:4.3.4-20190620.3.el7_6 | 0:4.3.4-20190620.3.el7_6 |
| Redhat Libvirt | >=4.0.0<4.10.1 | |
| Redhat Libvirt | >=5.0.0<5.4.1 | |
| Redhat Enterprise Linux | =7.0 | |
| Redhat Enterprise Linux | =8.0 | |
| Redhat Enterprise Linux Desktop | =6.0 | |
| Redhat Enterprise Linux Desktop | =7.0 | |
| Redhat Enterprise Linux Server | =6.0 | |
| Redhat Enterprise Linux Server | =7.0 | |
| Redhat Enterprise Linux Server Aus | =7.6 | |
| Redhat Enterprise Linux Server Eus | =7.6 | |
| Redhat Enterprise Linux Server Tus | =7.6 | |
| Redhat Enterprise Linux Workstation | =6.0 | |
| Redhat Enterprise Linux Workstation | =7.0 | |
| Redhat Virtualization | =4.3 | |
| ubuntu/libvirt | <4.0.0-1ubuntu8.12 | 4.0.0-1ubuntu8.12 |
| ubuntu/libvirt | <4.6.0-2ubuntu3.8 | 4.6.0-2ubuntu3.8 |
| ubuntu/libvirt | <5.0.0-1ubuntu2.4 | 5.0.0-1ubuntu2.4 |
| redhat/libvirt | <4.10.1 | 4.10.1 |
| redhat/libvirt | <5.4.1 | 5.4.1 |
| debian/libvirt | 5.0.0-4+deb10u1 5.0.0-4+deb10u2 7.0.0-3+deb11u2 9.0.0-4 10.0.0-2 10.2.0-1 |
Remedy
The Unix permissions of libvirt's read-only socket can be made more restrictive than the default (0777) by editing `/etc/libvirt/libvirtd.conf`. The settings `unix_sock_group = libvirt` and `unix_sock_ro_perms = 0770` will restrict access to only members of `libvirt`, who already have management access to virtual machines.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2019-10166 https://nvd.nist.gov/vuln/detail/CVE-2019-10166 https://access.redhat.com/libvirt-privesc-vulnerabilities
- https://bugzilla.redhat.com/show_bug.cgi?id=1720114
- https://access.redhat.com/errata/RHSA-2019:1579
- https://access.redhat.com/errata/RHSA-2019:1580
- https://access.redhat.com/errata/RHSA-2019:1762
- https://access.redhat.com/errata/RHSA-2019:1699
- https://access.redhat.com/security/cve/cve-2019-10166
- https://access.redhat.com/libvirt-privesc-vulnerabilities
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10166
- https://security.gentoo.org/glsa/202003-18
- https://launchpad.net/bugs/cve/CVE-2019-10166
- https://libvirt.org/git/?p=libvirt.git;a=commit;h=db0b78457f183e4c7ac45bc94de86044a1e2056a
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1722462
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1722465
- https://security-tracker.debian.org/tracker/CVE-2019-10166
- https://rhn.redhat.com/errata/RHSA-2019-1579.html
- https://security.libvirt.org/2019/0005.html
- https://ubuntu.com/security/notices/USN-4047-1
- https://www.cve.org/CVERecord?id=CVE-2019-10166
- https://nvd.nist.gov/vuln/detail/CVE-2019-10166
- http://libvirt.org/git/?p=libvirt.git;a=commit;h=a064d492272bcb0029b140ec4e18fce1ac0ec5b2
- http://libvirt.org/git/?p=libvirt.git;a=commit;h=00e673c93fc3d0cfed274cc7a1ec2c52260c8262
- http://libvirt.org/git/?p=libvirt.git;a=commit;h=d9a1f3debad411756f53ab8ab81e44ab0bb50e0a
- https://ubuntu.com/security/CVE-2019-10166
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2019-10166.
What is the severity of CVE-2019-10166?
CVE-2019-10166 has a high severity rating.
What is the affected software?
The affected software is libvirtd versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1.
How can the vulnerability be fixed?
To fix the vulnerability, update libvirtd to version 4.10.1 or newer.
Where can I find more information about CVE-2019-10166?
You can find more information about CVE-2019-10166 at the following references: [1] [2] [3].
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/weakness
- agent/severity
- agent/remedy
- agent/references
- agent/tags
- agent/description
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-10166
- agent/last-modified-date
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- package-manager/redhat
- vendor/redhat
- canonical/redhat libvirt
- version/redhat libvirt/4.0.0
- version/redhat libvirt/5.0.0
- canonical/redhat enterprise linux
- version/redhat enterprise linux/7.0
- version/redhat enterprise linux/8.0
- canonical/redhat enterprise linux desktop
- version/redhat enterprise linux desktop/6.0
- version/redhat enterprise linux desktop/7.0
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/6.0
- version/redhat enterprise linux server/7.0
- canonical/redhat enterprise linux server aus
- version/redhat enterprise linux server aus/7.6
- canonical/redhat enterprise linux server eus
- version/redhat enterprise linux server eus/7.6
- canonical/redhat enterprise linux server tus
- version/redhat enterprise linux server tus/7.6
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/6.0
- version/redhat enterprise linux workstation/7.0
- canonical/redhat virtualization
- version/redhat virtualization/4.3
- package-manager/debian
- package-manager/ubuntu