The virConnectBaselineHypervisorCPU() and virConnectCompareHypervisorCPU() libvirt APIs, 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accept an emulator argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domains capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges.
Weakness
The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Libvirt | Redhat | 4.0.0 (including) | 4.10.1 (excluding) |
| Libvirt | Redhat | 5.0.0 (including) | 5.4.1 (excluding) |
| Red Hat Enterprise Linux 7 | RedHat | libvirt-0:4.5.0-10.el7_6.12 | * |
| Red Hat Enterprise Linux 8 | RedHat | virt:rhel-8000020190618154454.f8e95b4e | * |
| Red Hat Enterprise Linux 8 Advanced Virtualization | RedHat | virt:8.0.0-8000020190620145550.f8e95b4e | * |
| Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 | RedHat | redhat-release-virtualization-host-0:4.3.4-1.el7ev | * |
| Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 | RedHat | redhat-virtualization-host-0:4.3.4-20190620.3.el7_6 | * |
| Libvirt | Ubuntu | cosmic | * |
| Libvirt | Ubuntu | devel | * |
| Libvirt | Ubuntu | disco | * |
| Libvirt | Ubuntu | trusty | * |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/104.html
- https://cwe.mitre.org/data/definitions/470.html
- https://cwe.mitre.org/data/definitions/69.html
References
- https://access.redhat.com/libvirt-privesc-vulnerabilities
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10168
- https://security.gentoo.org/glsa/202003-18
- https://access.redhat.com/libvirt-privesc-vulnerabilities
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10168
- https://security.gentoo.org/glsa/202003-18