CVE-2019-10132

8.8 HIGH

📋 TL;DR

This vulnerability allows any local user on a host system to connect to virtlockd-admin.socket or virtlogd-admin.socket and perform administrative tasks against the virtlockd and virtlogd daemons. It affects libvirt installations version 4.1.0 and above where these systemd socket units are configured without proper access controls. This essentially grants unprivileged users the ability to manipulate virtualization lock and log services.

💻 Affected Systems

Products:
  • libvirt
Versions: >= 4.1.0
Operating Systems: Linux distributions using systemd with libvirt packages
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems where virtlockd-admin.socket and virtlogd-admin.socket are enabled and configured without proper SocketMode restrictions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An unprivileged local user could gain full administrative control over virtlockd and virtlogd daemons, potentially disrupting virtual machine operations, manipulating logs to hide malicious activity, or interfering with lock management to cause denial of service or data corruption.

🟠 Likely Case

Local users could perform unauthorized administrative actions against virtualization services, potentially disrupting VM operations or manipulating logging data.

🟢 If Mitigated

With proper socket permissions configured, only authorized users can access administrative sockets, limiting the attack surface to legitimate administrators.

🌐 Internet-Facing: LOW - This vulnerability requires local access to the host system; it cannot be exploited remotely over the network.
🏢 Internal Only: HIGH - Any local user account on affected systems can exploit this vulnerability, making internal threats significant.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local user access but no special privileges. The vulnerability is straightforward to exploit by connecting to the unprotected sockets.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: libvirt versions with fixes applied (check specific distribution patches)

Vendor Advisory: https://access.redhat.com/errata/RHSA-2019:1264

Restart Required: Yes

Instructions:

1. Update libvirt packages using your distribution's package manager.
2. For RHEL/CentOS: yum update libvirt
3. For Fedora: dnf update libvirt
4. Restart the virtlockd and virtlogd services: systemctl restart virtlockd virtlogd

🔧 Temporary Workarounds

Set proper socket permissions

Manually restrict access to the administrative sockets. Note that systemd recreates each socket with the unit's SocketMode whenever the socket unit is restarted, so these runtime chmod/chown changes are overwritten at that point; the SocketMode setting in the socket unit itself is what makes the restriction persistent.

  sudo chmod 660 /run/libvirt/virtlockd-admin-sock
  sudo chmod 660 /run/libvirt/virtlogd-admin-sock
  sudo chown root:libvirt /run/libvirt/virtlockd-admin-sock
  sudo chown root:libvirt /run/libvirt/virtlogd-admin-sock

Disable admin sockets if not needed

Disable the vulnerable socket units if administrative socket access is not required:

  sudo systemctl disable virtlockd-admin.socket
  sudo systemctl disable virtlogd-admin.socket
  sudo systemctl stop virtlockd-admin.socket
  sudo systemctl stop virtlogd-admin.socket

🧯 If You Can't Patch

  • Implement strict access controls on socket files using filesystem permissions
  • Monitor for unauthorized connections to virtlockd-admin-sock and virtlogd-admin-sock

🔍 How to Verify

Check if Vulnerable:

Check socket permissions: ls -la /run/libvirt/virtlockd-admin-sock /run/libvirt/virtlogd-admin-sock. If the "other" permission class has read/write access (for example srw-rw-rw-), the system is vulnerable.

Check Version:

  • libvirtd --version
  • rpm -q libvirt (RHEL/CentOS/Fedora)
  • dpkg -l 'libvirt*' (Debian/Ubuntu)

Verify Fix Applied:

Verify socket permissions are restricted: ls -la /run/libvirt/*-admin-sock should show permissions like srw-rw---- (660) owned by root:libvirt.
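An added audit script (not part of this advisory or of libvirt) that runs the permission check described above over both admin sockets and exits non-zero if either is accessible to the "other" class. It assumes GNU coreutils stat and the socket paths given in the workaround section.

```shell
#!/bin/sh
# Added example, not from the advisory: audit the libvirt admin sockets
# for the world-accessible permissions that CVE-2019-10132 describes.
# Assumes GNU coreutils `stat` (for the -c format option).

# Socket paths taken from the advisory's workaround section.
ADMIN_SOCKETS="/run/libvirt/virtlockd-admin-sock /run/libvirt/virtlogd-admin-sock"

# world_accessible PATH -> exit 0 if the "other" class has any permission
# bit set on PATH, 1 if it has none (a socket needs write access to
# connect, but any "other" bit is treated as exposure, as the advisory does).
world_accessible() {
    mode=$(stat -c '%a' "$1") || return 1
    # The last octal digit is the "other" permission set.
    other=$(printf '%s' "$mode" | tail -c 1)
    [ "$other" -ne 0 ]
}

# audit_sockets [PATH...] -> exit 0 if every existing path is restricted,
# 1 if at least one is world-accessible. Absent sockets (unit not active)
# are reported but not counted as exposure.
audit_sockets() {
    rc=0
    for s in "$@"; do
        if [ ! -e "$s" ]; then
            echo "absent   $s (socket unit not active)"
            continue
        fi
        if world_accessible "$s"; then
            echo "EXPOSED  $s mode $(stat -c '%a %U:%G' "$s")"
            rc=1
        else
            echo "ok       $s mode $(stat -c '%a %U:%G' "$s")"
        fi
    done
    return $rc
}

# Stand-alone run against the real socket paths.
audit_sockets $ADMIN_SOCKETS || echo "one or more admin sockets are world-accessible"
```

Run it as any user; no privileges are needed to read the socket mode, so it also works as a periodic compliance check after a libvirt restart.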

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized connection attempts to virtlockd/virtlogd admin sockets in systemd/journal logs
  • Unexpected administrative commands executed against virtlockd/virtlogd

Network Indicators:

  • Local socket connections from non-privileged users to admin sockets

SIEM Query:

(process_name:virtlockd OR process_name:virtlogd) AND event_type:socket_connection AND user_id!=0
