CVE-2019-20485

Published: 19 March 2020

qemu/qemu_driver.c in libvirt before 6.0.0 mishandles the holding of a monitor job during a query to a guest agent, which allows attackers to cause a denial of service (API blockage).

Priority

Low

CVSS 3 base score: 5.7

Status

Notes

it appears this CVE is only for the suspend job because it is
the only one that doesn't require write permissions.

In libvirt in bionic and older, there was no support for running
both agent monitor jobs and normal monitor jobs at the same.
Support for doing so was introduced in the following commit:
https://gitlab.com/libvirt/libvirt/-/commit/4621350f6d3dbca57bbd97829ff5d4efc3a51c97
As such, it would not appear that a malicious guest agent would
be able to block jobs in bionic and earlier, so marking as
not-affected.

References

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20485
• https://www.redhat.com/archives/libvir-list/2019-December/msg00295.html
• https://www.redhat.com/archives/libvir-list/2020-January/msg00569.html
• NVD
• Launchpad
• Debian

Bugs

• http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953078