Platform: linux
Component: virt-install
Fixed in: 2.2.1
CVE-2019-10183 is a security vulnerability affecting the virt-install utility, a tool used to provision virtual machines. It arises from the introduction of the --unattended option, which creates VMs without user interaction by taking the guest VM password as a command-line argument. Because argument vectors are visible in process listings, the password is exposed to other users on the same host, potentially leading to unauthorized access to the guest. The vulnerability affects version 2.2.0 of virt-install, as shipped in virt-manager v2.2.0, and is resolved in version 2.2.1.
The primary impact of CVE-2019-10183 is the exposure of virtual machine passwords to other users on the same system. An attacker with sufficient privileges to list processes (e.g., root or a user with ps access) can easily retrieve the password used during the unattended VM creation. This allows them to gain unauthorized access to the virtual machine, potentially compromising sensitive data or using the VM as a launchpad for further attacks. The blast radius is limited to the local system on which the VM is provisioned, but the potential for data compromise remains significant, especially if the VM holds sensitive information or runs critical services. While the CVSS score is LOW, the ease of exploitation and the potential impact warrant prompt attention.
CVE-2019-10183 was published on July 3, 2019. There is no indication of active exploitation campaigns targeting this vulnerability. It is not currently listed on KEV or EPSS. The LOW CVSS score suggests a low probability of exploitation, but the ease of detection and the potential impact should not be disregarded. Public proof-of-concept (PoC) code is readily available, demonstrating the vulnerability's exploitability.
Exploit status
EPSS: 0.14% (34th percentile)
CVSS vector
The primary mitigation for CVE-2019-10183 is to upgrade virt-install to version 2.2.1 or later, which addresses the password leakage. If upgrading is not immediately feasible, consider not using the --unattended option and requiring user interaction for VM creation. Alternatively, restrict access to the ps command or implement stricter process-listing permissions to limit other users' ability to view the password. Review your VM provisioning scripts and configurations to ensure that passwords are not passed as command-line arguments. After upgrading, confirm the fix by creating a VM with the --unattended option and verifying that the password does not appear in process listings.
Avoid using the '--unattended' option with the password placed directly on the command line. If automating the creation of virtual machines is necessary, use more secure ways of supplying the password, such as environment variables or configuration files with restricted permissions. Update to a later version of virt-manager that fixes this issue, if one is available.
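As an added example, not code from this advisory or from the virt-manager project, the following POSIX shell script covers both the verification step (checking the process list for a leaked password) and the recommended mitigation (supplying the password from an environment variable through a file with restricted permissions) described in the two paragraphs above. The sub-option names admin-password=, user-password= and their -file= counterparts are assumptions about virt-install's syntax and are not stated on this page; the function names are my own. The scanner reports only the PID of an offending process and never echoes the password itself.

```shell
#!/bin/sh
# Added example, not code from the advisory or from the virt-manager project.
# Assumptions (not stated on the page): the leaking pre-2.2.1 syntax is
# "--unattended admin-password=...,user-password=..." and the fixed syntax
# takes a file path, "admin-password-file=..." / "user-password-file=...".
# Only the option name "--unattended" itself comes from the advisory.

# leaks_password "<full command line as one string>"
# Returns 0 when the command line is a virt-install --unattended call that
# carries a guest password inline, 1 otherwise. The file-based form
# "<name>-password-file=PATH" is safe and deliberately does not match,
# because the regex requires "-password=" with nothing in between.
leaks_password() {
    printf '%s\n' "$1" |
        grep -Eq -- 'virt-install.*--unattended.*[ ,=][a-z]+-password='
}

# scan_running_processes
# Walks /proc/<pid>/cmdline (NUL-separated argv, readable by default on most
# Linux systems) and reports, by PID only, any process whose command line
# leaks a password. Returns 0 if at least one leak was found, 1 otherwise.
scan_running_processes() {
    found=1
    for f in /proc/[0-9]*/cmdline; do
        cmd=$(tr '\0' ' ' < "$f" 2>/dev/null) || continue
        if leaks_password "$cmd"; then
            pid=${f#/proc/}; pid=${pid%/cmdline}
            echo "pid $pid: virt-install password is visible in the process list" >&2
            found=0
        fi
    done
    return $found
}

# password_file_from_env VARNAME
# The mitigation shape recommended above: take the password from an
# environment variable, write it to a mode-0600 temporary file, and print
# that path so the caller passes a file name instead of the password itself.
password_file_from_env() {
    # VARNAME is expanded with eval, so accept only identifier characters.
    case $1 in ''|*[!A-Za-z0-9_]*) echo "bad variable name" >&2; return 1;; esac
    eval "value=\${$1}"
    [ -n "$value" ] || { echo "environment variable $1 is empty" >&2; return 1; }
    (
        umask 077                      # file is created readable by owner only
        pwfile=$(mktemp) || exit 1
        printf '%s' "$value" > "$pwfile" && printf '%s\n' "$pwfile"
    )
}

# Usage sketch (assumed fixed-syntax sub-option name, see header comment):
#   PWFILE=$(password_file_from_env VM_ADMIN_PASSWORD) &&
#   virt-install ... --unattended "admin-password-file=$PWFILE"; rm -f "$PWFILE"
# Audit a running host (exit status 0 means a leak was found):
#   scan_running_processes
```

Running scan_running_processes while a pre-2.2.1 --unattended install is in progress is the concrete version of the verification step above; after upgrading to 2.2.1 it should report nothing for the same invocation written in the file-based form.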
CVE-2019-10183 is a LOW severity vulnerability in virt-install in which VM passwords passed via the --unattended option are exposed to other users on the system through process listings.
You are affected if you use virt-install version 2.2.0 or earlier and rely on the --unattended option for VM creation.
Upgrade virt-install to version 2.2.1 or later to resolve the vulnerability. Alternatively, stop using the --unattended option or restrict process-listing permissions.
There is no current evidence of active exploitation campaigns targeting CVE-2019-10183, but the ease of exploitation warrants attention.
Refer to the Red Hat security advisory for details: https://access.redhat.com/security/cve/CVE-2019-10183