Xen project Mailing List

Re: [Xen-users] [oss-security] Xen Security Advisory 19 - guest administrator can access qemu monitor console

From: Kurt Seifried <kseifried@xxxxxxxxxx>

Date: Thu, 06 Sep 2012 12:15:00 -0600

Cc: xen-users@xxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxx, xen-announce@xxxxxxxxxxxxx, "Xen.org security team" <security@xxxxxxx>

Delivery-date: Thu, 06 Sep 2012 18:28:55 +0000

List-id: Xen user discussion <xen-users.lists.xen.org>

Openpgp: id=5E267993

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 09/06/2012 10:13 AM, Xen.org security team wrote: > Xen Security Advisory XSA-19 > > guest administrator can access qemu monitor console > > > ISSUE DESCRIPTION > ================= > > A guest administrator who is granted access to the graphical console > of a Xen guest can access the qemu monitor. The monitor can be used > to access host resources. > > IMPACT > ====== > > A malicious guest administrator can access host resources (perhaps > belonging to other guests or the underlying system) and may be able to > escalate their privilege to that of the host. > > VULNERABLE SYSTEMS > ================== > > Installations where guest administrators do not have access to a > domain's graphical console, or containing only PV domains configured > without a graphical console, are not vulnerable. > > Installations where all guest administrators are trustworthy are not > vulnerable, even if the guest operating systems themselves are > untrusted. > > Systems using xend/xm: At least all versions since Xen 4.0 are > affected. Systems are vulnerable even if "monitor=no" is specified in > the xm domain configuration file - this configuration option is not > properly honoured in the vulnerable versions. > > Systems using libxl/xl: All versions are affected. The "monitor=" > option is not understood, and is therefore ignored, by xl. However, > systems using the experimental device model version based on upstream > qemu are NOT vulnerable; that is, Xen 4.2 RC systems with > device_model_version="qemu_xen" specified in the xl domain config > file. > > Systems using libvirt are vulnerable. For "xen:" URIs, see xend/xm, > above. For "libxl:" URIs, all versions are affected. > > Systems based on the Xen Cloud Platform are NOT vulnerable. > > CONFIRMING VULNERABILITY > ======================== > > Connect to the guest's VNC (or SDL) graphical display and make sure > your focus is in that window. Hold down CTRL and ALT and press 2. > You will see a black screen showing one of "serial0", "parallel0" or > "QEMU <version> monitor". Repeat this exercise for other digits 3 to > 6. CTRL+ALT+1 is the domain's normal graphical console. Not all > numbers will have screens attached, but note that you must release and > re-press CTRL and ALT each time. > > If one of the accessible screens shows "QEMU <version> monitor" then > you are vulnerable. Otherwise you are not. > > MITIGATION > ========== > > With xl in Xen 4.1 and later, supplying the following config > option in the VM configuration file will disable the monitor: > device_model_args=["-monitor","null"] > > With xend the following config option will disable the monitor: > monitor_path="null" > Note that with a vulnerable version of the software specifying > "monitor=0" will NOT disable the monitor. > > We are not currently aware of the availability of mitigation for > systems using libvirt. > > NOTE REGARDING EMBARGO > ====================== > > This issue was publicly discussed online by its discoverer. > There is therefore no embargo. > > NOTE REGARDING CVE > ================== > > This issue was previously reported in a different context, not to Xen > upstream, and assigned CVE-2007-0998 and fixed in a different way. We > have requested a new CVE for XSA-19 but it is not yet available. Ahh I see the request now (it was in a different email folder). Please use CVE-2012-4411 for this issue. > RESOLUTION > ========== > > The attached patch against qemu-xen-traditional > (qemu-xen-4.*-testing.git) resolves this issue. > > $ sha256sum xsa19-qemu-all.patch > 19fc5ff9334e7e7ad429388850dc6e52e7062c21a677082e7a89c2f2c91365fa > xsa19-qemu-all.patch > - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iQIcBAEBAgAGBQJQSOgkAAoJEBYNRVNeJnmTonAP/3BTawvHhQX3HOScXFSUiIuO Sp8+Swmfe4uvxGOR4z/q3f3FdrKN6GdBc9cmmZeSSuYelFYaIpG6PIgv4Tbf9Fwy F8qc/nxHSWhb19J/ifAHckd7kq99qrdei+59jZeiy8PTS+6//SeVhLDvKlV7B/1X QsS3qM6vgpGXx9xoCIxyjVODIm23Q/iWjyqtJl3uqiW5wymLOcZvLC37Do/2DJ8l NOEqDalueYypKhPZnoj05iUiuR4vpSl/DNMvi6NHu0fI3ZEATCkEPV16fCSnPIv6 oN2UG0X7qNmIBz7oUD7lnoM86TGjFuxT4Ka4gSACykaeGpIuoeFbcboEKqMmejXH 9knYcMl9+t0G3yNYPpA6G2ED0BVXu8Ov3JmO2FoT9OEgkDv7HGD50GltnqYFvM2b O97g3GJ9w0lJQ55cWzjU6lr763tM/lYYcl3KX/ic8frtX+7FK+rXHt0j+QHWRzbx YmewJphXkURBVva+FvYhTlagh2tWK1w2yUarrTFiFoxUss/out58L2QP5ie41urG JNajebW8gNPa/C3MxB+IWfGLci36+3/qW+czgvEOMwFsbE2YmbnSrZiA+9wrPNzJ Ngn88tHZftHwUwbikjYwMBCZnFG1hySyQUCu+Ym3itQqbA9IQRxaBbBOzI4gLxso LuaafXJ0lxi3HvevyfvA =ZGCU -----END PGP SIGNATURE----- _______________________________________________ Xen-users mailing list Xen-users@xxxxxxxxxxxxx http://lists.xen.org/xen-users

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.