{"containers": {"cna": {"affected": [{"product": "libvirt", "vendor": "libvirt", "versions": [{"status": "affected", "version": "4.x.x before 4.10.1"}, {"status": "affected", "version": "5.x.x before 5.4.1"}]}], "descriptions": [{"lang": "en", "value": "It was discovered that libvirtd, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, would permit readonly clients to use the virDomainManagedSaveDefineXML() API, which would permit them to modify managed save state files. If a managed save had already been created by a privileged user, a local attacker could modify this file such that libvirtd would execute an arbitrary program when the domain was resumed."}], "metrics": [{"cvssV3_0": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-03-15T04:06:01.000Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://access.redhat.com/libvirt-privesc-vulnerabilities"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10166"}, {"name": "GLSA-202003-18", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202003-18"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2019-10166", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "libvirt", "version": {"version_data": [{"version_value": "4.x.x before 4.10.1"}, {"version_value": "5.x.x before 5.4.1"}]}}]}, "vendor_name": "libvirt"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "It was discovered that libvirtd, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, would permit readonly clients to use the virDomainManagedSaveDefineXML() API, which would permit them to modify managed save state files. If a managed save had already been created by a privileged user, a local attacker could modify this file such that libvirtd would execute an arbitrary program when the domain was resumed."}]}, "impact": {"cvss": [[{"vectorString": "7.8/CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}]]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-284"}]}]}, "references": {"reference_data": [{"name": "https://access.redhat.com/libvirt-privesc-vulnerabilities", "refsource": "CONFIRM", "url": "https://access.redhat.com/libvirt-privesc-vulnerabilities"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10166", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10166"}, {"name": "GLSA-202003-18", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202003-18"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:10:09.965Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://access.redhat.com/libvirt-privesc-vulnerabilities"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10166"}, {"name": "GLSA-202003-18", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202003-18"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2019-10166", "datePublished": "2019-08-02T12:02:59.000Z", "dateReserved": "2019-03-27T00:00:00.000Z", "dateUpdated": "2024-08-04T22:10:09.965Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:libvirt:*:*:*:*:*:*:*:*", "matchCriteriaId": "3EBE53E7-FA47-4A57-B702-A09AAD367D41", "versionEndExcluding": "4.10.1", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:libvirt:*:*:*:*:*:*:*:*", "matchCriteriaId": "2004724A-67F7-45C3-8FEF-21F4DF5655B6", "versionEndExcluding": "5.4.1", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "EE249E1B-A1FD-4E08-AA71-A0E1F10FFE97", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "33C068A4-3780-4EAB-A937-6082DF847564", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "9BBCD86A-E6C7-4444-9D74-F861084090F0", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "51EF4996-72F4-4FA4-814F-F5991E7A8318", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*", "matchCriteriaId": "B353CE99-D57C-465B-AAB0-73EF581127D1", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*", "matchCriteriaId": "BF77CDCF-B9C9-427D-B2BF-36650FB2148C", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*", "matchCriteriaId": "B76AA310-FEC7-497F-AF04-C3EC1E76C4CC", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "E5ED5807-55B7-47C5-97A6-03233F4FBC3A", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "825ECE2D-E232-46E0-A047-074B34DB1E97", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:virtualization:4.3:*:*:*:*:*:*:*", "matchCriteriaId": "C32B0A34-5B95-4B1F-8077-5C7768FDFB33", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "It was discovered that libvirtd, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, would permit readonly clients to use the virDomainManagedSaveDefineXML() API, which would permit them to modify managed save state files. If a managed save had already been created by a privileged user, a local attacker could modify this file such that libvirtd would execute an arbitrary program when the domain was resumed."}, {"lang": "es", "value": "Se detect\u00f3 que libvirtd, versiones 4.x.x anteriores a 4.10.1 y versiones 5.x.x anteriores a 5.4.1, permitir\u00eda a los clientes de solo lectura utilizar la API de la funci\u00f3n virDomainManagedSaveDefineXML(), lo que les permitir\u00eda modificar archivos de estado managed save. Si un managed save ya ha sido creado por un usuario privilegiado, un atacante local podr\u00eda modificar este archivo de manera que libvirtd ejecutar\u00eda un programa arbitrario cuando el dominio est\u00e9 reanudado."}], "id": "CVE-2019-10166", "lastModified": "2024-11-21T04:18:33.663", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.1, "impactScore": 6.0, "source": "secalert@redhat.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-08-02T13:15:12.107", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/libvirt-privesc-vulnerabilities"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10166"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202003-18"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/libvirt-privesc-vulnerabilities"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10166"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202003-18"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Matthias Gerstner (SUSE) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2019:1579", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "libvirt-0:4.5.0-10.el7_6.12", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2019-06-20T00:00:00Z"}, {"advisory": "RHSA-2019:1580", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "virt:rhel-8000020190618154454.f8e95b4e", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-06-20T00:00:00Z"}, {"advisory": "RHSA-2019:1762", "cpe": "cpe:/a:redhat:advanced_virtualization:8::el8", "package": "virt:8.0.0-8000020190620145550.f8e95b4e", "product_name": "Red Hat Enterprise Linux 8 Advanced Virtualization", "release_date": "2019-07-11T00:00:00Z"}, {"advisory": "RHSA-2019:1699", "cpe": "cpe:/o:redhat:enterprise_linux:7::hypervisor", "package": "redhat-release-virtualization-host-0:4.3.4-1.el7ev", "product_name": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 7", "release_date": "2019-07-08T00:00:00Z"}, {"advisory": "RHSA-2019:1699", "cpe": "cpe:/o:redhat:enterprise_linux:7::hypervisor", "package": "redhat-virtualization-host-0:4.3.4-20190620.3.el7_6", "product_name": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 7", "release_date": "2019-07-08T00:00:00Z"}], "bugzilla": {"description": "libvirt: virDomainManagedSaveDefineXML API exposed to readonly clients", "id": "1720114", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1720114"}, "csaw": true, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-284", "details": ["It was discovered that libvirtd, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, would permit readonly clients to use the virDomainManagedSaveDefineXML() API, which would permit them to modify managed save state files. If a managed save had already been created by a privileged user, a local attacker could modify this file such that libvirtd would execute an arbitrary program when the domain was resumed.", "It was discovered that libvirtd would permit readonly clients to use the virDomainManagedSaveDefineXML() API, which would permit them to modify managed save state files. If a managed save had already been created by a privileged user, a local attacker could modify this file such that libvirtd would execute an arbitrary program when the domain was resumed."], "mitigation": {"lang": "en:us", "value": "The Unix permissions of libvirt's read-only socket can be made more restrictive than the default (0777) by editing `/etc/libvirt/libvirtd.conf`. The settings `unix_sock_group = libvirt` and `unix_sock_ro_perms = 0770` will restrict access to only members of `libvirt`, who already have management access to virtual machines."}, "name": "CVE-2019-10166", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "libvirt", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "libvirt", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "libvirt", "product_name": "Red Hat Storage 3"}], "public_date": "2019-06-20T12:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-10166\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-10166\nhttps://access.redhat.com/libvirt-privesc-vulnerabilities"], "statement": "* This vulnerability requires access to the libvirt socket, normally in /var/run/libvirt/libvirt_sock_ro. Typically in hypervisor environments, local user accounts are not supported so no untrusted users should be able to access this socket.\n* Red Hat Gluster Storage 3 is not affected by this vulnerability as libvirtd daemon is not shipped in Gluster.", "threat_severity": "Important"}

{}