{ "threat_severity" : "Important", "public_date" : "2019-06-20T12:00:00Z", "bugzilla" : { "description" : "libvirt: arbitrary command execution via virConnectGetDomainCapabilities API", "id" : "1720117", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1720117" }, "cvss3" : { "cvss3_base_score" : "8.8", "cvss3_scoring_vector" : "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-829", "details" : [ "The virConnectGetDomainCapabilities() libvirt API, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accepts an \"emulatorbin\" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges.", "The virConnectGetDomainCapabilities() libvirt API accepts an \"emulatorbin\" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges." ], "statement" : "* This vulnerability requires access to the libvirt socket, normally in /var/run/libvirt/libvirt_sock_ro. Typically in hypervisor environments, local user accounts are not supported so no untrusted users should be able to access this socket.\n* Red Hat Gluster Storage 3 is not affected by this vulnerability as libvirtd daemon is not shipped in Gluster.", "acknowledgement" : "This issue was discovered by Jan Tomko (Red Hat).", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 7", "release_date" : "2019-06-20T00:00:00Z", "advisory" : "RHSA-2019:1579", "cpe" : "cpe:/o:redhat:enterprise_linux:7", "package" : "libvirt-0:4.5.0-10.el7_6.12" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2019-06-20T00:00:00Z", "advisory" : "RHSA-2019:1580", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "virt:rhel-8000020190618154454.f8e95b4e" }, { "product_name" : "Red Hat Enterprise Linux 8 Advanced Virtualization", "release_date" : "2019-07-11T00:00:00Z", "advisory" : "RHSA-2019:1762", "cpe" : "cpe:/a:redhat:advanced_virtualization:8::el8", "package" : "virt:8.0.0-8000020190620145550.f8e95b4e" }, { "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 7", "release_date" : "2019-07-08T00:00:00Z", "advisory" : "RHSA-2019:1699", "cpe" : "cpe:/o:redhat:enterprise_linux:7::hypervisor", "package" : "redhat-release-virtualization-host-0:4.3.4-1.el7ev" }, { "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 7", "release_date" : "2019-07-08T00:00:00Z", "advisory" : "RHSA-2019:1699", "cpe" : "cpe:/o:redhat:enterprise_linux:7::hypervisor", "package" : "redhat-virtualization-host-0:4.3.4-20190620.3.el7_6" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 5", "fix_state" : "Not affected", "package_name" : "libvirt", "cpe" : "cpe:/o:redhat:enterprise_linux:5" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "libvirt", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Storage 3", "fix_state" : "Not affected", "package_name" : "libvirt", "cpe" : "cpe:/a:redhat:storage:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-10167\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-10167\nhttps://access.redhat.com/libvirt-privesc-vulnerabilities" ], "csaw" : true, "name" : "CVE-2019-10167", "mitigation" : { "value" : "The Unix permissions of libvirt's read-only socket can be made more restrictive than the default (0777) by editing `/etc/libvirt/libvirtd.conf`. The settings `unix_sock_group = libvirt` and `unix_sock_ro_perms = 0770` will restrict access to only members of `libvirt`, who already have management access to virtual machines.", "lang" : "en:us" } }