CVE-2019-10167
Published: 20 June 2019
The virConnectGetDomainCapabilities() libvirt API, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accepts an "emulatorbin" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges.
Priority
Status
Package | Release | Status |
---|---|---|
libvirt Launchpad, Ubuntu, Debian |
bionic |
Released
(4.0.0-1ubuntu8.12)
|
cosmic |
Released
(4.6.0-2ubuntu3.8)
|
|
disco |
Released
(5.0.0-1ubuntu2.4)
|
|
eoan |
Released
(5.4.0-0ubuntu3)
|
|
trusty |
Not vulnerable
|
|
upstream |
Needs triage
|
|
xenial |
Released
(1.3.1-1ubuntu10.27)
|
|
Patches: upstream: https://libvirt.org/git/?p=libvirt.git;a=commit;h=8afa68bac0cf99d1f8aaa6566685c43c22622f26 (5.4) upstream: http://libvirt.org/git/?p=libvirt.git;a=commit;h=58f237d696310f3ac62e98b3b5e9cb98e13064e9 (5.0) upstream: http://libvirt.org/git/?p=libvirt.git;a=commit;h=93edb0ea630556569320de83d45b100718f1391f (4.6) upstream: http://libvirt.org/git/?p=libvirt.git;a=commit;h=585be8edbef5ce4ef30e6c20386358ca1ba8e344 (4.1) upstream: http://libvirt.org/git/?p=libvirt.git;a=commit;h=be5d96d547ec54bc35e5eab6472ec900184ae837 (1.3.1) |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.8 |
Attack vector | Local |
Attack complexity | Low |
Privileges required | Low |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |