SB2019070837 - Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 update for redhat-virtualization-host

Description

This security bulletin contains information about 7 secuirty vulnerabilities.

1) Improper access control (CVE-ID: CVE-2019-10161)

The vulnerability allows a remote attacker to gain unauthorized access to sensitive information.

The vulnerability exists due to improper access restrictions in libvirtd that allow read-only clients to use the virDomainSaveImageGetXMLDesc() API. A local user with read-only access to the libvirtd socket can confirm presence of arbitrary files on the system, trigger denial of service condition or execute arbitrary applications on the affected system.

2) Improper access control (CVE-ID: CVE-2019-10166)

The vulnerability allows a local authenticated user to execute arbitrary code.

It was discovered that libvirtd, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, would permit readonly clients to use the virDomainManagedSaveDefineXML() API, which would permit them to modify managed save state files. If a managed save had already been created by a privileged user, a local attacker could modify this file such that libvirtd would execute an arbitrary program when the domain was resumed.

3) Improper access control (CVE-ID: CVE-2019-10167)

The vulnerability allows a local authenticated user to execute arbitrary code.

The virConnectGetDomainCapabilities() libvirt API, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accepts an "emulatorbin" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges.

4) Improper access control (CVE-ID: CVE-2019-10168)

The vulnerability allows a local authenticated user to execute arbitrary code.

The virConnectBaselineHypervisorCPU() and virConnectCompareHypervisorCPU() libvirt APIs, 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accept an "emulator" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges.

5) Integer overflow (CVE-ID: CVE-2019-11477)

The vulnerability allows a remote attacker to perform denial of service (DoS) attack.

The vulnerability exists due to integer overflow when handling TCP Selective Acknowledgments (SACKs) due to incorrect processing of TCP_SKB_CB(skb)->tcp_gso_segs value in Linux kernel. A remote non-authenticated attacker can send specially crafted network traffic to the affected system, trigger integer overflow and render the system unavailable.

Successful exploitation of the vulnerability allows a remote attacker to perform denial of service (DoS) attack.

6) Resource exhaustion (CVE-ID: CVE-2019-11478)

The vulnerability allows a remote attacker to perform denial of service (DoS) attack.

The vulnerability exists due to an error when processing TCP Selective Acknowledgment (SACK) sequences within the Linux kernel TCP retransmission queue implementation in tcp_fragment. A remote non-authenticated attacker can send specially crafted network traffic to the affected system and perform a denial of service (DoS) attack.

7) Resource exhaustion (CVE-ID: CVE-2019-11479)

The vulnerability allows a remote attacker to perform denial of service (DoS) attack.

The vulnerability exists due to presence of hard-coded MSS value (48 bytes) in the Linux kernel source code. A remote attacker can fragment TCP resend queues significantly more than if a larger MSS were enforced and perform denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

• https://access.redhat.com/errata/RHSA-2019:1699