{
  "threat_severity" : "Important",
  "public_date" : "2019-06-20T12:00:00Z",
  "bugzilla" : {
    "description" : "libvirt: virDomainManagedSaveDefineXML API exposed to readonly clients",
    "id" : "1720114",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1720114"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.8",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-284",
  "details" : [ "It was discovered that libvirtd, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, would permit readonly clients to use the virDomainManagedSaveDefineXML() API, which would permit them to modify managed save state files. If a managed save had already been created by a privileged user, a local attacker could modify this file such that libvirtd would execute an arbitrary program when the domain was resumed.", "It was discovered that libvirtd would permit readonly clients to use the virDomainManagedSaveDefineXML() API, which would permit them to modify managed save state files. If a managed save had already been created by a privileged user, a local attacker could modify this file such that libvirtd would execute an arbitrary program when the domain was resumed." ],
  "statement" : "* This vulnerability requires access to libvirt's read-only Unix socket, normally /var/run/libvirt/libvirt-sock-ro, which is world-accessible (0777) by default.  In typical hypervisor deployments unprivileged local user accounts are not provisioned, so no untrusted user should be able to reach this socket.\n* Red Hat Gluster Storage 3 is not affected by this vulnerability because the libvirtd daemon is not shipped in Gluster.",
  "acknowledgement" : "Red Hat would like to thank Matthias Gerstner (SUSE) for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2019-06-20T00:00:00Z",
    "advisory" : "RHSA-2019:1579",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "libvirt-0:4.5.0-10.el7_6.12"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2019-06-20T00:00:00Z",
    "advisory" : "RHSA-2019:1580",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "virt:rhel-8000020190618154454.f8e95b4e"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8 Advanced Virtualization",
    "release_date" : "2019-07-11T00:00:00Z",
    "advisory" : "RHSA-2019:1762",
    "cpe" : "cpe:/a:redhat:advanced_virtualization:8::el8",
    "package" : "virt:8.0.0-8000020190620145550.f8e95b4e"
  }, {
    "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 7",
    "release_date" : "2019-07-08T00:00:00Z",
    "advisory" : "RHSA-2019:1699",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7::hypervisor",
    "package" : "redhat-release-virtualization-host-0:4.3.4-1.el7ev"
  }, {
    "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 7",
    "release_date" : "2019-07-08T00:00:00Z",
    "advisory" : "RHSA-2019:1699",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7::hypervisor",
    "package" : "redhat-virtualization-host-0:4.3.4-20190620.3.el7_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Not affected",
    "package_name" : "libvirt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "libvirt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Not affected",
    "package_name" : "libvirt",
    "cpe" : "cpe:/a:redhat:storage:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-10166\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-10166\nhttps://access.redhat.com/libvirt-privesc-vulnerabilities" ],
  "csaw" : true,
  "name" : "CVE-2019-10166",
  "mitigation" : {
    "value" : "The Unix permissions of libvirt's read-only socket can be made more restrictive than the default (0777) by editing `/etc/libvirt/libvirtd.conf`.  The settings `unix_sock_group = \"libvirt\"` and `unix_sock_ro_perms = \"0770\"` restrict access to root and members of the `libvirt` group, who already have management access to virtual machines through the read-write socket.  libvirtd must be restarted for the new socket mode to take effect.  This reduces exposure but does not correct the missing access check in the API; apply the updated packages listed above to fix the flaw.",
    "lang" : "en:us"
  }
}
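The mitigation above is a configuration change, so the practical question is whether a given host still exposes the read-only socket to every local user. The following shell script is an added example, not part of the Red Hat advisory or of libvirt: it audits a `libvirtd.conf` for `unix_sock_ro_perms` and `unix_sock_group`, and can inspect the socket actually present on disk. The helper names `conf_get`, `ro_socket_audit` and `live_ro_socket_check` are my own; the script assumes libvirt's `key = value` config syntax with `#` comments, the documented defaults (`unix_sock_ro_perms = "0777"`, `unix_sock_group = "root"`) for absent keys, and the default socket path `/var/run/libvirt/libvirt-sock-ro`. The two sample config files it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Red Hat advisory or the libvirt project): audit
# the read-only socket settings that the CVE-2019-10166 mitigation changes.
# Assumptions: libvirt's "key = value" syntax with '#' comments, and libvirt's
# documented defaults when a key is absent (unix_sock_ro_perms = "0777",
# unix_sock_group = "root").

# conf_get KEY FILE DEFAULT: print the last active assignment of KEY in FILE
# (quotes and trailing whitespace stripped), or DEFAULT if KEY is not set.
conf_get() {
    key=$1; file=$2; default=$3
    val=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$file" \
          | tail -n 1 | sed 's/[[:space:]]*$//')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$default"; fi
}

# ro_socket_audit CONF: print WEAK when the read-only socket mode grants any
# access to "other" (every local user, the precondition for this CVE), OK when
# it is limited to the owner and unix_sock_group, UNKNOWN if the mode does not
# parse as an octal mode. Exit status: 0 for OK, 1 for WEAK, 2 for UNKNOWN.
ro_socket_audit() {
    conf=$1
    perms=$(conf_get unix_sock_ro_perms "$conf" 0777)
    group=$(conf_get unix_sock_group "$conf" root)
    case $perms in
        [0-7][0-7][0-7]|[0-7][0-7][0-7][0-7]) ;;
        *) printf 'UNKNOWN unix_sock_ro_perms=%s\n' "$perms"; return 2 ;;
    esac
    # A leading 0 makes the shell read the value as octal; mask the "other" bits.
    if [ $(( 0$perms & 7 )) -ne 0 ]; then
        printf 'WEAK ro-socket mode %s grants access to every local user (group=%s)\n' "$perms" "$group"
        return 1
    fi
    printf 'OK ro-socket mode %s, restricted to root and group %s\n' "$perms" "$group"
    return 0
}

# live_ro_socket_check [PATH]: report the mode of the socket actually on disk
# (default /var/run/libvirt/libvirt-sock-ro). The config value only applies
# once libvirtd has been restarted, so the live mode is the one that matters.
live_ro_socket_check() {
    sock=${1:-/var/run/libvirt/libvirt-sock-ro}
    [ -S "$sock" ] || { printf 'no socket at %s\n' "$sock"; return 2; }
    other=$(ls -ld "$sock" | cut -c8-10)   # "other" rwx field of the mode string
    case $other in
        ---) printf 'OK %s other=%s\n' "$sock" "$other"; return 0 ;;
        *)   printf 'WEAK %s other=%s\n' "$sock" "$other"; return 1 ;;
    esac
}

# Demonstration on two constructed config files: stock defaults versus the
# advisory's mitigation applied.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/stock.conf" <<'EOF'
# Constructed sample: stock libvirtd.conf, every setting left at its default.
#unix_sock_group = "libvirt"
#unix_sock_ro_perms = "0777"
EOF
    cat > "$dir/hardened.conf" <<'EOF'
# Constructed sample: mitigation from the advisory applied.
unix_sock_group = "libvirt"
unix_sock_ro_perms = "0770"   # read-only socket no longer world-accessible
EOF
    for f in stock hardened; do
        ro_socket_audit "$dir/$f.conf" || :
    done
    rm -rf "$dir"
}
demo
```

On a real host, run `ro_socket_audit /etc/libvirt/libvirtd.conf`, restart libvirtd after editing the file, and then confirm with `live_ro_socket_check` that the socket on disk has no "other" bits; the on-disk mode is what libvirtd enforces, and on later libvirt releases where systemd socket activation creates the socket, the unit's `SocketMode` rather than `libvirtd.conf` determines it. Either way this is a compensating control: the flaw itself is fixed only by the updated packages.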