Red Hat Libvirt 4.1.0 Remote Code Execution Vulnerability
A vulnerability was found in libvirt >= 4.1.0 in the virtlockd-admin.socket and virtlogd-admin.socket systemd units. A missing SocketMode configuration parameter allows any user on the host to connect using virtlockd-admin-sock or virtlogd-admin-sock and perform administrative tasks against the virtlockd and virtlogd daemons.
The information has been provided by Daniel P. Berrangé.
The original article can be found at: https://security.libvirt.org/2019/0003.html
The virtlockd-admin.socket and virtlogd-admin.socket unit files do not set the SocketMode parameter and thus create a world accessible UNIX domain socket. Furthermore the code fails to validate the identity of clients connecting to these sockets.
An unprivileged user is able to connect to the virtlockd or virtlogd daemons and use the administrative RPC commands to elevate their privileges.
- Red Hat Libvirt 4.1.0
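The missing SocketMode setting described above can be checked for in any systemd socket unit. The following is an added example, not code from the advisory or from libvirt: it parses a unit file (plus optional drop-ins) and reports the effective socket mode, using systemd's default of 0666 when SocketMode is absent. The sample units, the /run/example directory and the 0600 value are assumptions made for the example.

```python
import stat

# systemd.socket(5): file-system sockets get mode 0666 when SocketMode= is absent.
SYSTEMD_DEFAULT_SOCKET_MODE = 0o666

def parse_socket_section(*fragments):
    """Return (socket paths, SocketMode or None) from a unit file and its drop-ins."""
    paths, mode = [], None
    for text in fragments:                      # later fragments override earlier ones
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line[0] in "#;":
                continue
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
            elif section == "Socket" and "=" in line:
                key, value = (p.strip() for p in line.split("=", 1))
                if key == "ListenStream" and value.startswith("/"):
                    paths.append(value)         # abstract/network sockets have no file mode
                elif key == "SocketMode" and value:
                    mode = int(value, 8)
    return paths, mode

def audit_socket_unit(*fragments):
    """Report the effective mode and whether non-owners can connect."""
    paths, mode = parse_socket_section(*fragments)
    effective = SYSTEMD_DEFAULT_SOCKET_MODE if mode is None else mode
    # On Linux, connect() to a UNIX socket needs write permission on the socket file.
    return {
        "paths": paths,
        "explicit_mode": mode is not None,
        "mode": oct(effective),
        "world_connectable": bool(paths) and bool(effective & stat.S_IWOTH),
        "group_connectable": bool(paths) and bool(effective & stat.S_IWGRP),
    }

# Constructed sample units (directory name is a placeholder, not libvirt's real path).
UNIT_WITHOUT_MODE = """\
[Unit]
Description=constructed admin socket without SocketMode

[Socket]
ListenStream=/run/example/virtlockd-admin-sock
"""
UNIT_WITH_MODE = UNIT_WITHOUT_MODE + "SocketMode=0600\n"

if __name__ == "__main__":
    for label, unit in (("no SocketMode", UNIT_WITHOUT_MODE), ("SocketMode=0600", UNIT_WITH_MODE)):
        print(label, audit_socket_unit(unit))
```

The check covers only the socket file's mode; permissions on the parent directory and the daemon's own client identity validation are separate layers.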