Description
It was discovered that libvirtd before versions 4.10.1 and 5.4.1 would permit read-only clients to use the virDomainSaveImageGetXMLDesc() API, specifying an arbitrary path which would be accessed with the permissions of the libvirtd process. An attacker with access to the libvirtd socket could use this to probe the existence of arbitrary files, cause denial of service or cause libvirtd to execute arbitrary programs.
Statement
- This vulnerability requires access to the libvirt socket, normally in /var/run/libvirt/libvirt_sock_ro. Typically in hypervisor environments, local user accounts are not supported so no untrusted users should be able to access this socket.
- Red Hat Gluster Storage 3 is not affected by this vulnerability as the libvirtd daemon is not shipped in Gluster.
- On Red Hat Enterprise Linux 6, the impact of this vulnerability is limited to denial of service or disclosing the existence of arbitrary files. Privilege escalation is not possible. For RHEL6, this CVE is rated as Moderate severity with 7.3/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:H
Mitigation
The Unix permissions of libvirt's read-only socket can be made more restrictive than the default (0777) by editing /etc/libvirt/libvirtd.conf. The settings unix_sock_group = libvirt and unix_sock_ro_perms = 0770 will restrict access to only members of libvirt, who already have management access to virtual machines.
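As an added example (not part of the advisory or of libvirt itself), a POSIX shell audit that reads a libvirtd.conf and reports whether the two settings above restrict the read-only socket to a group; the function names and check logic are my own, and the assumed default of 0777 when unix_sock_ro_perms is unset follows the advisory's text.

```shell
#!/bin/sh
# Added example, not from the advisory: audit a libvirtd.conf for the read-only
# socket settings described above. Function names and check logic are my own;
# the assumed default of 0777 when unix_sock_ro_perms is unset follows the text.

# Print the effective value of a libvirtd.conf key (last uncommented assignment,
# quotes stripped); prints nothing when the key is not set.
libvirtd_conf_get() {
    # $1 = path to libvirtd.conf, $2 = key name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$1" \
        | tail -n 1 | tr -d '[:space:]'
}

# Return 0 when the read-only socket is restricted to a named group (no access
# bits for "other"), 1 when it is world-accessible or no group is configured.
libvirtd_ro_socket_hardened() {
    conf="$1"
    group=$(libvirtd_conf_get "$conf" unix_sock_group)
    perms=$(libvirtd_conf_get "$conf" unix_sock_ro_perms)
    if [ -z "$perms" ]; then
        perms=0777   # assumed default from the advisory when the key is unset
    fi
    case "$perms" in
        [0-7][0-7][0-7] | [0-7][0-7][0-7][0-7]) ;;   # plausible octal mode
        *) return 1 ;;                                # unparseable: treat as not hardened
    esac
    others=${perms#"${perms%?}"}   # last octal digit = permission bits for "other"
    [ "$others" = 0 ] || return 1
    [ -n "$group" ] || return 1
    return 0
}

# Stand-alone use: audit the live configuration if it is readable.
if [ -r /etc/libvirt/libvirtd.conf ]; then
    if libvirtd_ro_socket_hardened /etc/libvirt/libvirtd.conf; then
        echo "read-only socket restricted to group '$group' (mode $perms)"
    else
        echo "read-only socket world-accessible or no group set; set unix_sock_group and unix_sock_ro_perms"
    fi
fi
```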
Affected packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
Red Hat Enterprise Linux 5 | libvirt | Not affected | ||
Red Hat Storage 3 | libvirt | Not affected | ||
Red Hat Enterprise Linux 6 | libvirt | Fixed | RHSA-2019:1578 | 20.06.2019 |
Red Hat Enterprise Linux 7 | libvirt | Fixed | RHSA-2019:1579 | 20.06.2019 |
Red Hat Enterprise Linux 8 | virt | Fixed | RHSA-2019:1580 | 20.06.2019 |
Red Hat Enterprise Linux 8 Advanced Virtualization | virt | Fixed | RHSA-2019:1762 | 11.07.2019 |
Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 | redhat-release-virtualization-host | Fixed | RHSA-2019:1699 | 08.07.2019 |
Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 | redhat-virtualization-host | Fixed | RHSA-2019:1699 | 08.07.2019 |
Additional information
Status:
CVSS3: 8.8 High