#VU33023 Information disclosure - CVE-2019-10183

Cybersecurity Help s.r.o.

Published: 2019-07-03 | Updated: 2020-08-03

Vulnerability identifier: #VU33023

Vulnerability risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-10183

CWE-ID: CWE-200

Exploitation vector: Local

Exploit availability: No

Description

The vulnerability allows a local authenticated user to gain access to sensitive information.

Virt-install(1) utility used to provision new virtual machines has introduced an option '--unattended' to create VMs without user interaction. This option accepts guest VM password as command line arguments, thus leaking them to others users on the system via process listing. It was introduced recently in the virt-manager v2.2.0 release.

Mitigation
Install update from vendor's website.

External links
https://www.securityfocus.com/bid/109027
https://access.redhat.com/errata/RHSA-2019:3464
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10183

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Information disclosure in virt-manager (Alpine package)

Red Hat Enterprise Linux 8 update for virt-manager