Описание
The virConnectGetDomainCapabilities() libvirt API, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accepts an "emulatorbin" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges.
The virConnectGetDomainCapabilities() libvirt API accepts an "emulatorbin" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges.
Отчет
- This vulnerability requires access to the libvirt socket, normally in /var/run/libvirt/libvirt_sock_ro. Typically in hypervisor environments, local user accounts are not supported so no untrusted users should be able to access this socket.
- Red Hat Gluster Storage 3 is not affected by this vulnerability as libvirtd daemon is not shipped in Gluster.
Меры по смягчению последствий
The Unix permissions of libvirt's read-only socket can be made more restrictive than the default (0777) by editing /etc/libvirt/libvirtd.conf. The settings unix_sock_group = libvirt and unix_sock_ro_perms = 0770 will restrict access to only members of libvirt, who already have management access to virtual machines.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 5 | libvirt | Not affected | ||
| Red Hat Enterprise Linux 6 | libvirt | Not affected | ||
| Red Hat Storage 3 | libvirt | Not affected | ||
| Red Hat Enterprise Linux 7 | libvirt | Fixed | RHSA-2019:1579 | 20.06.2019 |
| Red Hat Enterprise Linux 8 | virt | Fixed | RHSA-2019:1580 | 20.06.2019 |
| Red Hat Enterprise Linux 8 Advanced Virtualization | virt | Fixed | RHSA-2019:1762 | 11.07.2019 |
| Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 | redhat-release-virtualization-host | Fixed | RHSA-2019:1699 | 08.07.2019 |
| Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 | redhat-virtualization-host | Fixed | RHSA-2019:1699 | 08.07.2019 |
Показывать по
Дополнительная информация
Статус:
EPSS
8.8 High
CVSS3
Связанные уязвимости
The virConnectGetDomainCapabilities() libvirt API, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accepts an "emulatorbin" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges.
The virConnectGetDomainCapabilities() libvirt API, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accepts an "emulatorbin" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges.
The virConnectGetDomainCapabilities() libvirt API, versions 4.x.x befo ...
The virConnectGetDomainCapabilities() libvirt API, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accepts an "emulatorbin" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges.
Уязвимость функции virConnectGetDomainCapabilities() библиотеки управления виртуализацией Libvirt, позволяющая нарушителю выполнить произвольный код или повысить свои привилегии
EPSS
8.8 High
CVSS3