Libvirt Security Notice: LSN-2019-0005 ====================================== Summary: virDomainManagedSaveDefineXML does not check for read-only connection Reported on: 20190604 Published on: 20190620 Fixed on: 20190620 Reported by: Matthias Gerstner Patched by: Ján Tomko See also: CVE-2019-10166 Description ----------- The virDomainManagedSaveDefineXML API redefines the manage-saved domain XML without checking for a read-only connection. This allows unprivileged users to check for existence of arbitrary files or executing arbitrary binaries with elevated privileges. Impact ------ The default libvirt configuration allows all local user accounts read-only access to the libvirtd daemon. Any local user can provide an arbitrary emulator, executing arbitrary binaries as the configured QEMU user. Since v5.1.0, the emulator binary is run with CAP_DAC_OVERRIDE, essentially having root privileges. Workaround ---------- Edit the /etc/libvirt/libvirtd.conf configuration file, to set the 'unix_sock_ro_perms = "0700"' to prevent local users from connecting to libvirt. Alternatively setup a policy kit rule to prevent them access without first authenticating as root. Affected product ---------------- Name: libvirt Repository: https://gitlab.com/libvirt/libvirt Branch: master Broken in: v3.7.0 Broken in: v3.8.0 Broken in: v3.9.0 Broken in: v3.10.0 Broken in: v4.0.0 Broken in: v4.1.0 Broken in: v4.2.0 Broken in: v4.3.0 Broken in: v4.4.0 Broken in: v4.5.0 Broken in: v4.6.0 Broken in: v4.7.0 Broken in: v4.8.0 Broken in: v4.9.0 Broken in: v4.10.0 Broken in: v5.0.0 Broken in: v5.1.0 Broken in: v5.2.0 Broken in: v5.3.0 Broken in: v5.4.0 Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6 Fixed by: db0b78457f183e4c7ac45bc94de86044a1e2056a Branch: v3.7-maint Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6 Fixed by: e7d9c8899fc7751201b46b6cf6bff4eadb38af2f Branch: v4.1-maint Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6 Fixed by: d9a1f3debad411756f53ab8ab81e44ab0bb50e0a Branch: v4.2-maint Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6 Fixed by: 1813138f6b00058285e325191d50c41ace39e5b3 Branch: v4.3-maint Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6 Fixed by: 9816854ac4e5ccd87cf82320b4550671e75f6509 Branch: v4.4-maint Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6 Fixed by: e777cce08e069e29deedec540d463ed70c29e92c Branch: v4.5-maint Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6 Fixed by: d025c10d54975fe98927be85f33146e780c28d52 Branch: v4.6-maint Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6 Fixed by: 00e673c93fc3d0cfed274cc7a1ec2c52260c8262 Branch: v4.7-maint Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6 Fixed by: 6da721ea37bf3624ff9922637cfa657d2dcb20f9 Branch: v4.8-maint Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6 Fixed by: 6dc29a174ae204b1ae13fed0f533818ad6d24b9f Branch: v4.9-maint Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6 Fixed by: 0a744e15517d727c7f473fabe32ca6b0dbb7b7d1 Branch: v4.10-maint Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6 Fixed by: 3f744efec31959f7643849f6a3708198bcdfc6ae Branch: v5.0-maint Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6 Fixed by: a064d492272bcb0029b140ec4e18fce1ac0ec5b2 Branch: v5.1-maint Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6 Fixed by: 58c7c3fc4a0f15544c2054ed4682ff5d740681ab Branch: v5.1.0-maint Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6 Branch: v5.2-maint Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6 Fixed by: 96bca3af450cc62183b91a361f7024f93126bc49 Branch: v5.3-maint Broken by: 1558f2584fd9b32c7903238bff2c9f12ba406ba6 Fixed by: f4dabe99f7f46520f2967f3e068fcbeb54e617df