CVE-2019-10167
Published: 20 June 2019
The virConnectGetDomainCapabilities() libvirt API, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accepts an "emulatorbin" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
libvirt Launchpad, Ubuntu, Debian |
bionic |
Released
(4.0.0-1ubuntu8.12)
|
| cosmic |
Released
(4.6.0-2ubuntu3.8)
|
|
| disco |
Released
(5.0.0-1ubuntu2.4)
|
|
| eoan |
Released
(5.4.0-0ubuntu3)
|
|
| trusty |
Not vulnerable
|
|
| upstream |
Needs triage
|
|
| xenial |
Released
(1.3.1-1ubuntu10.27)
|
|
|
Patches: upstream: https://libvirt.org/git/?p=libvirt.git;a=commit;h=8afa68bac0cf99d1f8aaa6566685c43c22622f26 upstream: http://libvirt.org/git/?p=libvirt.git;a=commit;h=58f237d696310f3ac62e98b3b5e9cb98e13064e9 upstream: http://libvirt.org/git/?p=libvirt.git;a=commit;h=93edb0ea630556569320de83d45b100718f1391f upstream: http://libvirt.org/git/?p=libvirt.git;a=commit;h=585be8edbef5ce4ef30e6c20386358ca1ba8e344 upstream: http://libvirt.org/git/?p=libvirt.git;a=commit;h=be5d96d547ec54bc35e5eab6472ec900184ae837 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.8 |
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |