[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-announce] Xen Security Advisory 19 - guest administrator can access qemu monitor console



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 Xen Security Advisory XSA-19

         guest administrator can access qemu monitor console


ISSUE DESCRIPTION
=================

A guest administrator who is granted access to the graphical console
of a Xen guest can access the qemu monitor.  The monitor can be used
to access host resources.

IMPACT
======

A malicious guest administrator can access host resources (perhaps
belonging to other guests or the underlying system) and may be able to
escalate their privilege to that of the host.

VULNERABLE SYSTEMS
==================

Installations where guest administrators do not have access to a
domain's graphical console, or containing only PV domains configured
without a graphical console, are not vulnerable.

Installations where all guest administrators are trustworthy are not
vulnerable, even if the guest operating systems themselves are
untrusted.

Systems using xend/xm: At least all versions since Xen 4.0 are
affected.  Systems are vulnerable even if "monitor=no" is specified in
the xm domain configuration file - this configuration option is not
properly honoured in the vulnerable versions.

Systems using libxl/xl: All versions are affected.  The "monitor="
option is not understood, and is therefore ignored, by xl.  However,
systems using the experimental device model version based on upstream
qemu are NOT vulnerable; that is, Xen 4.2 RC systems with
device_model_version="qemu_xen" specified in the xl domain config
file.

Systems using libvirt are vulnerable.  For "xen:" URIs, see xend/xm,
above.  For "libxl:" URIs, all versions are affected.

Systems based on the Xen Cloud Platform are NOT vulnerable.

CONFIRMING VULNERABILITY
========================

Connect to the guest's VNC (or SDL) graphical display and make sure
your focus is in that window.  Hold down CTRL and ALT and press 2.
You will see a black screen showing one of "serial0", "parallel0" or
"QEMU <version> monitor".  Repeat this exercise for other digits 3 to
6.  CTRL+ALT+1 is the domain's normal graphical console.  Not all
numbers will have screens attached, but note that you must release and
re-press CTRL and ALT each time.

If one of the accessible screens shows "QEMU <version> monitor" then
you are vulnerable.  Otherwise you are not.

MITIGATION
==========

With xl in Xen 4.1 and later, supplying the following config
option in the VM configuration file will disable the monitor:
   device_model_args=["-monitor","null"]

With xend the following config option will disable the monitor:
   monitor_path="null"
Note that with a vulnerable version of the software specifying
"monitor=0" will NOT disable the monitor.

We are not currently aware of the availability of mitigation for
systems using libvirt.

NOTE REGARDING EMBARGO
======================

This issue was publicly discussed online by its discoverer.
There is therefore no embargo.

NOTE REGARDING CVE
==================

This issue was previously reported in a different context, not to Xen
upstream, and assigned CVE-2007-0998 and fixed in a different way.  We
have requested a new CVE for XSA-19 but it is not yet available.

RESOLUTION
==========

The attached patch against qemu-xen-traditional
(qemu-xen-4.*-testing.git) resolves this issue.

$ sha256sum xsa19-qemu-all.patch
19fc5ff9334e7e7ad429388850dc6e52e7062c21a677082e7a89c2f2c91365fa  
xsa19-qemu-all.patch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJQSMr3AAoJEIP+FMlX6CvZ2O8H/2cZuOEMQd6ELDSmgj2fVaYl
qpev3Ux50+wHsBf2JS4XMW+f6wwNWa8IBP1GL+SUvOLVr0PGYb8cbISy+zp6z+ku
mAF1T19iaAMNc/feSYwgtLfYE9H25SbB4cuPg6YkyLf6dQn0KnEyf9GIJxHy0xir
nU5XKEwhhJHw17cXZyagTBheXqrIRtIhgMNv3oQKg60NDc+2sMYwMmv7lgPVIvTZ
5+rkY7RX34hBCw08qt/CEyI9OXKHL1jDjPM8QtCKuwDzaWI10yQxtLjWJCYEhGkH
QqMHU6D8Q3DptCSZj/9urs7+oWGwb3TKR7rUc5v7NbiHlliEX5njDKrhxZpxvJg=
=21pO
-----END PGP SIGNATURE-----

Attachment: xsa19-qemu-all.patch
Description: Binary data

_______________________________________________
Xen-announce mailing list
Xen-announce@xxxxxxxxxxxxx
http://lists.xen.org/xen-announce

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.