Libvirt Security Notice: LSN-2019-0007
======================================
Summary: virConnect*HypervisorCPU do not check for read-only connection
Reported on: 20190604
Published on: 20190620
Fixed on: 20190620
Reported by: Ján Tomko <jtomko(a)redhat.com>
Patched by: Ján Tomko <jtomko(a)redhat.com>
See also: CVE-2019-10168
Description
-----------
The virConnect*HypervisorCPU APIs allow reporting CPU capabilities
from arbitrary emulator binaries without checking for a read-only
connection. This allows unprivileged users to execute arbitrary
binaries with elevated privileges.
Impact
------
The default libvirt configuration allows all local user accounts
read-only access to the libvirtd daemon. Any local user can provide
an arbitrary emulator, executing arbitrary binaries as the
configured QEMU user. Since v5.1.0, the emulator binary is run with
CAP_DAC_OVERRIDE, essentially having root privileges.
Workaround
----------
Edit the /etc/libvirt/libvirtd.conf configuration file and set
unix_sock_ro_perms = "0700" to prevent local users from connecting
to libvirt. Alternatively, set up a PolicyKit (polkit) rule that denies
them access unless they first authenticate as root.
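The socket-permission workaround above, as an added example that is not part of the libvirt notice: a small POSIX sh audit that reports the effective unix_sock_ro_perms of a libvirtd.conf-style file and applies the "0700" setting. It assumes libvirt's documented default of "0777" when the setting is absent or commented out, and runs on a constructed stand-in file rather than the real /etc/libvirt/libvirtd.conf.

```sh
#!/bin/sh
# Added example, not part of the libvirt notice: audit and apply the
# unix_sock_ro_perms workaround in a libvirtd.conf-style file.
# Assumption: libvirt's default for an unset unix_sock_ro_perms is
# "0777", i.e. any local user may connect to the read-only socket.

# effective_ro_perms FILE -> prints the active unix_sock_ro_perms value
# (last uncommented assignment), or the 0777 default when none is set.
effective_ro_perms() {
    val=$(sed -n 's/^[[:space:]]*unix_sock_ro_perms[[:space:]]*=[[:space:]]*"\{0,1\}\([0-7]\{3,4\}\)"\{0,1\}.*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${val:-0777}"
}

# ro_socket_exposed FILE -> exit 0 when group or other keep any permission
# bit on the read-only socket (unprivileged local users can reach the API),
# exit 1 when the workaround is in effect.
ro_socket_exposed() {
    perms=$(effective_ro_perms "$1")
    group_other=$(printf '%s' "$perms" | sed 's/.*\(..\)$/\1/')
    [ "$group_other" != "00" ]
}

# harden_ro_perms FILE -> rewrite (or append) the setting as "0700".
# A commented-out default is replaced too, so the edit is idempotent.
harden_ro_perms() {
    if grep -q '^[[:space:]]*#\{0,1\}[[:space:]]*unix_sock_ro_perms[[:space:]]*=' "$1"; then
        sed 's/^[[:space:]]*#\{0,1\}[[:space:]]*unix_sock_ro_perms[[:space:]]*=.*/unix_sock_ro_perms = "0700"/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf 'unix_sock_ro_perms = "0700"\n' >> "$1"
    fi
}

# Demonstration on a constructed stand-in for /etc/libvirt/libvirtd.conf.
demo_conf=$(mktemp)
printf '%s\n' '# constructed stock file: R/O socket setting left commented out' \
              '#unix_sock_ro_perms = "0777"' \
              'unix_sock_rw_perms = "0770"' > "$demo_conf"
if ro_socket_exposed "$demo_conf"; then
    echo "before: unix_sock_ro_perms=$(effective_ro_perms "$demo_conf") -> exposed"
fi
harden_ro_perms "$demo_conf"
if ro_socket_exposed "$demo_conf"; then
    echo "after: still exposed"
else
    echo "after: unix_sock_ro_perms=$(effective_ro_perms "$demo_conf") -> locked down"
fi
rm -f "$demo_conf"
```

The check only covers the socket-permission workaround; the polkit alternative named in the notice is not inspected by it.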
Affected product
----------------
Name: libvirt
Repository:
git://libvirt.org/git/libvirt.git
http://libvirt.org/git/?p=libvirt.git
Branch: master
Broken in: v4.4.0
Broken in: v4.5.0
Broken in: v4.6.0
Broken in: v4.7.0
Broken in: v4.8.0
Broken in: v4.9.0
Broken in: v4.10.0
Broken in: v5.0.0
Broken in: v5.1.0
Broken in: v5.2.0
Broken in: v5.3.0
Broken in: v5.4.0
Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
Fixed by: bf6c2830b6c338b1f5699b095df36f374777b291
Branch: v4.4-maint
Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
Fixed by: a6116fc8618300f6e2a082396812363310d1420f
Branch: v4.5-maint
Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
Fixed by: 415cc5c0644304fd1e1bb721a092cf65e07be79f
Branch: v4.6-maint
Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
Fixed by: 890965e8943a8837b41c3c6f366135ccfef48fb3
Branch: v4.7-maint
Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
Fixed by: f5ace9c05d59b70d4899199a187cb32ec6f600d8
Branch: v4.8-maint
Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
Fixed by: fc30929ffdf339d920b2e2183faf4373920bff6f
Branch: v4.9-maint
Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
Fixed by: dd88b69a207c1ed6e89d7e9fa6b5f4a9ec4db97c
Branch: v4.10-maint
Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
Fixed by: 09c2635d0deec198de0f250abc2958f2d1c09eaa
Branch: v5.0-maint
Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
Fixed by: 1ef98539a655109480628c91feac48c3c69675ef
Branch: v5.1-maint
Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
Fixed by: 2a3f95a40725f743b5189868bcc1a78d922517f6
Branch: v5.1.0-maint
Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
Branch: v5.2-maint
Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
Fixed by: 45ae5e529d4e886f47dacca9dfe5a08d95a3425a
Branch: v5.3-maint
Broken by: 24a41aa6435045df2cf711d34cf399c2d74e4bf2
Broken by: 7d0a1efcd6087096671f3769ec2b850292465e9a
Fixed by: d8e4d13446a0b04b757bd28c242a4cfecaaa8f1e