Red Hat Libvirt 4.1.0 Remote Code Execution Vulnerability

Summary

A vulnerability was found in libvirt >= 4.1.0 in the virtlockd-admin.socket and virtlogd-admin.socket systemd units. A missing SocketMode configuration parameter allows any user on the host to connect using virtlockd-admin-sock or virtlogd-admin-sock and perform administrative tasks against the virtlockd and virtlogd daemons.

Credit:

The information has been provided by Daniel P. Berrangé.
The original article can be found at: https://security.libvirt.org/2019/0003.html


Details

The virtlockd-admin.socket and virtlogd-admin.socket unit files do not set the SocketMode parameter and thus create a world-accessible UNIX domain socket. Furthermore, the code fails to validate the identity of clients connecting to these sockets.

An unprivileged user is able to connect to the virtlockd or virtlogd daemons and use the administrative RPC commands to elevate their privileges.
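The following check is an added example, not part of the advisory or of libvirt's own code: it reads a systemd socket unit and reports the mode the UNIX socket will be created with, applying systemd's default of 0666 when SocketMode is absent. The unit contents, the socket path under /run/libvirt and the 0600 value in the hardened sample are constructed assumptions, and drop-in overrides are not merged.

```python
# systemd.socket(5): SocketMode= defaults to 0666 when the unit does not set it.
SYSTEMD_DEFAULT_SOCKET_MODE = 0o666

# Constructed sample: an admin socket unit with no SocketMode (the flawed pattern).
VULNERABLE_UNIT = """\
[Unit]
Description=constructed sample admin socket

[Socket]
ListenStream=/run/libvirt/virtlockd-admin-sock
"""

# Constructed sample: the same unit with an owner-only mode (0600 is an assumed value).
HARDENED_UNIT = VULNERABLE_UNIT + "SocketMode=0600\n"


def audit_socket_unit(unit_text):
    """Return (listen_paths, effective_mode, world_accessible) for one .socket unit."""
    section = None
    mode = SYSTEMD_DEFAULT_SOCKET_MODE
    paths = []
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank lines and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Socket" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "SocketMode" and value:
            mode = int(value, 8)                 # later assignments override earlier ones
        elif key == "ListenStream" and value.startswith("/"):
            paths.append(value)                  # filesystem UNIX socket path
    # connect() on a UNIX socket needs write permission on the socket inode,
    # so the "other" write bit decides whether any local user can reach it.
    # Parent directory permissions can further restrict access; not checked here.
    return paths, mode, bool(mode & 0o002)


if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_UNIT), ("hardened", HARDENED_UNIT)):
        paths, mode, world = audit_socket_unit(text)
        print(f"{name}: {paths} mode={mode:04o} world_accessible={world}")
```

Because the daemon also failed to validate client identity, a restrictive socket mode is only one of the two gaps the advisory describes.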

Vulnerable Systems:

  • Red Hat Libvirt 4.1.0

CVE Information:
CVE-2019-10132

Disclosure Timeline:
Publish Date: 05/22/2019