Resource management error in libvirt

#VU27545 Resource management error in libvirt

Published: 2020-05-05

Vulnerability identifier: #VU27545

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-20485

CWE-ID: CWE-399

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
libvirt
Universal components / Libraries / Libraries used by multiple products

Vendor: libvirt.org

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources with the qemu/qemu_driver.c in libvirt while holding of a monitor job during a query to a guest agent, which allows attackers to cause a denial of service (API blockage).

Mitigation
Install updates from vendor's website.

Vulnerable software versions

libvirt: 4.0.0 - 5.10.0

External links
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953078
http://bugzilla.redhat.com/show_bug.cgi?id=1809740
http://libvirt.org/git/?p=libvirt.git;a=commit;h=a663a860819287e041c3de672aad1d8543098ecc
http://security-tracker.debian.org/tracker/CVE-2019-20485
http://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1730509.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Red Hat Enterprise Linux 8 update for the virt:rhel and virt-devel:rhel modules

Denial of service in libvirt

Red Hat Enterprise Linux 7 update for libvirt