CVE-2019-10161

7.8 HIGH

📋 TL;DR

This vulnerability in libvirtd allows read-only clients to access arbitrary files and execute programs with libvirtd's permissions via the virDomainSaveImageGetXMLDesc() API. Systems running libvirtd before versions 4.10.1 or 5.4.1 are affected. Attackers with access to the libvirtd socket can probe files, cause denial of service, or execute arbitrary code.

💻 Affected Systems

Products:
  • libvirt
  • libvirtd
Versions: libvirt < 4.10.1, libvirt < 5.4.1
Operating Systems: Linux distributions using affected libvirt versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires access to libvirtd socket. Default configurations with read-only socket access are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution with libvirtd privileges leading to full system compromise.

🟠 Likely Case: Information disclosure of sensitive files or denial of service through resource exhaustion.

🟢 If Mitigated: Limited impact if libvirtd socket access is restricted to trusted users only.

🌐 Internet-Facing: LOW (libvirtd typically not exposed to internet)
🏢 Internal Only: HIGH (internal attackers with socket access can exploit)

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires socket access but is straightforward once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: libvirt 4.10.1 or 5.4.1

Vendor Advisory: https://access.redhat.com/libvirt-privesc-vulnerabilities

Restart Required: Yes

Instructions:

1. Update the libvirt package to version 4.10.1 or 5.4.1 or higher.
2. Restart the libvirtd service.
3. Verify the patch is applied.

🔧 Temporary Workarounds

Restrict socket access (Linux): limit access to the libvirtd socket to trusted users only.

chmod 660 /var/run/libvirt/libvirt-sock
chown root:libvirt /var/run/libvirt/libvirt-sock

Disable the read-only socket (Linux): remove or disable the read-only socket if it is not needed.

systemctl stop libvirtd-ro.socket
systemctl disable libvirtd-ro.socket

🧯 If You Can't Patch

  • Restrict libvirtd socket permissions to root and libvirt group only
  • Monitor libvirtd logs for suspicious API calls to virDomainSaveImageGetXMLDesc()

🔍 How to Verify

Check if Vulnerable:

Check libvirt version (prints the version line only for affected releases; the pattern matches the whole version number so that fixed releases such as 4.10.1 are not reported): libvirtd --version | grep -E ' ([0-3]\.[0-9]+\.[0-9]+|4\.([0-9]\.[0-9]+|10\.0)|5\.([0-3]\.[0-9]+|4\.0))([^0-9]|$)'

Check Version:

libvirtd --version

Verify Fix Applied:

Verify version is 4.10.1+ or 5.4.1+: libvirtd --version
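Comparing dotted version strings with a one-line regex is fragile, and a chmod on the socket is easy to leave half-done, so here is an added POSIX sh checker that is not part of this advisory or of the libvirt project. The only facts it takes from the page are the fixed releases 4.10.1 and 5.4.1, the socket path /var/run/libvirt/libvirt-sock and the workaround mode 660; the function names, the parsing logic, the assumption that `libvirtd --version` prints a line of the form `libvirtd (libvirt) X.Y.Z`, and the use of GNU `stat -c` are this example's own.

```shell
#!/bin/sh
# Added example, not part of the advisory: check a host for CVE-2019-10161 exposure.
# Fixed versions (4.10.1, 5.4.1) and the socket path/mode come from the advisory;
# everything else here is this example's own assumption.

# vercmp A B prints -1, 0 or 1 for A<B, A=B, A>B over dotted numeric versions.
vercmp() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}
        bx=${b%%.*}
        # advance past the first component (empty once the last one is consumed)
        if [ "$a" = "$ax" ]; then a=''; else a=${a#*.}; fi
        if [ "$b" = "$bx" ]; then b=''; else b=${b#*.}; fi
        ax=${ax:-0}
        bx=${bx:-0}
        if [ "$ax" -lt "$bx" ]; then printf '%s\n' -1; return; fi
        if [ "$ax" -gt "$bx" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# is_vulnerable "<libvirtd --version output or bare version>"
# exit 0 = affected, 1 = carries the fix, 2 = no version number found.
# Affected per the advisory: every 4.x before 4.10.1 and every 5.x before 5.4.1;
# releases older than the 4.x line predate both fixes and are treated as affected.
is_vulnerable() {
    v=$(printf '%s' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/p')
    [ -n "$v" ] || { echo "no version number in: $1" >&2; return 2; }
    major=${v%%.*}
    if [ "$major" -lt 4 ]; then return 0; fi
    if [ "$major" -eq 4 ]; then
        if [ "$(vercmp "$v" 4.10.1)" -lt 0 ]; then return 0; else return 1; fi
    fi
    if [ "$major" -eq 5 ]; then
        if [ "$(vercmp "$v" 5.4.1)" -lt 0 ]; then return 0; else return 1; fi
    fi
    return 1   # 6.x and later were released after the fix
}

# world_accessible PATH: exit 0 when the mode grants anything to "other"
# (the advisory's chmod 660 workaround removes exactly those bits), 1 when it
# does not, 2 when the path cannot be inspected. Assumes GNU stat.
world_accessible() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    other=$(printf '%s' "$mode" | sed 's/.*\(.\)$/\1/')
    [ "$other" -ne 0 ]
}

# check_host: run both checks against this machine; exit 0 when something needs attention.
check_host() {
    rc=1
    if out=$(libvirtd --version 2>/dev/null); then
        if is_vulnerable "$out"; then
            echo "AFFECTED: $out (fix is 4.10.1 / 5.4.1 or later)"
            rc=0
        else
            echo "fixed: $out"
        fi
    else
        echo "libvirtd not found on PATH" >&2
    fi
    sock=/var/run/libvirt/libvirt-sock
    if world_accessible "$sock"; then
        echo "EXPOSED: $sock is accessible to every local user"
        rc=0
    fi
    return $rc
}

# Usage: sh check_cve_2019_10161.sh run
if [ "${1:-}" = "run" ]; then check_host; fi
```

Two caveats worth knowing when acting on the socket result: a chmod on the socket file only lasts until libvirtd next recreates it, so the persistent setting is unix_sock_rw_perms (and unix_sock_ro_perms for the read-only socket, which is the client class this CVE concerns) in /etc/libvirt/libvirtd.conf; and a version that reports as fixed does not help until the running daemon has actually been restarted, as the advisory's step 2 requires.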

📡 Detection & Monitoring

Log Indicators:

  • Unusual virDomainSaveImageGetXMLDesc() API calls
  • Access to unexpected file paths in libvirtd logs

Network Indicators:

  • Unexpected connections to libvirtd socket

SIEM Query:

source="libvirtd" AND "virDomainSaveImageGetXMLDesc"
