|
Message-ID: <5048E824.7030802@redhat.com> Date: Thu, 06 Sep 2012 12:15:00 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: "Xen.org security team" <security@....org>, xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org Subject: Re: Xen Security Advisory 19 - guest administrator can access qemu monitor console -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 09/06/2012 10:13 AM, Xen.org security team wrote: > Xen Security Advisory XSA-19 > > guest administrator can access qemu monitor console > > > ISSUE DESCRIPTION > ================= > > A guest administrator who is granted access to the graphical console > of a Xen guest can access the qemu monitor. The monitor can be used > to access host resources. > > IMPACT > ====== > > A malicious guest administrator can access host resources (perhaps > belonging to other guests or the underlying system) and may be able to > escalate their privilege to that of the host. > > VULNERABLE SYSTEMS > ================== > > Installations where guest administrators do not have access to a > domain's graphical console, or containing only PV domains configured > without a graphical console, are not vulnerable. > > Installations where all guest administrators are trustworthy are not > vulnerable, even if the guest operating systems themselves are > untrusted. > > Systems using xend/xm: At least all versions since Xen 4.0 are > affected. Systems are vulnerable even if "monitor=no" is specified in > the xm domain configuration file - this configuration option is not > properly honoured in the vulnerable versions. > > Systems using libxl/xl: All versions are affected. The "monitor=" > option is not understood, and is therefore ignored, by xl. However, > systems using the experimental device model version based on upstream > qemu are NOT vulnerable; that is, Xen 4.2 RC systems with > device_model_version="qemu_xen" specified in the xl domain config > file. > > Systems using libvirt are vulnerable. For "xen:" URIs, see xend/xm, > above. For "libxl:" URIs, all versions are affected. > > Systems based on the Xen Cloud Platform are NOT vulnerable. > > CONFIRMING VULNERABILITY > ======================== > > Connect to the guest's VNC (or SDL) graphical display and make sure > your focus is in that window. Hold down CTRL and ALT and press 2. > You will see a black screen showing one of "serial0", "parallel0" or > "QEMU <version> monitor". Repeat this exercise for other digits 3 to > 6. CTRL+ALT+1 is the domain's normal graphical console. Not all > numbers will have screens attached, but note that you must release and > re-press CTRL and ALT each time. > > If one of the accessible screens shows "QEMU <version> monitor" then > you are vulnerable. Otherwise you are not. > > MITIGATION > ========== > > With xl in Xen 4.1 and later, supplying the following config > option in the VM configuration file will disable the monitor: > device_model_args=["-monitor","null"] > > With xend the following config option will disable the monitor: > monitor_path="null" > Note that with a vulnerable version of the software specifying > "monitor=0" will NOT disable the monitor. > > We are not currently aware of the availability of mitigation for > systems using libvirt. > > NOTE REGARDING EMBARGO > ====================== > > This issue was publicly discussed online by its discoverer. > There is therefore no embargo. > > NOTE REGARDING CVE > ================== > > This issue was previously reported in a different context, not to Xen > upstream, and assigned CVE-2007-0998 and fixed in a different way. We > have requested a new CVE for XSA-19 but it is not yet available. Ahh I see the request now (it was in a different email folder). Please use CVE-2012-4411 for this issue. > RESOLUTION > ========== > > The attached patch against qemu-xen-traditional > (qemu-xen-4.*-testing.git) resolves this issue. > > $ sha256sum xsa19-qemu-all.patch > 19fc5ff9334e7e7ad429388850dc6e52e7062c21a677082e7a89c2f2c91365fa xsa19-qemu-all.patch > - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iQIcBAEBAgAGBQJQSOgkAAoJEBYNRVNeJnmTonAP/3BTawvHhQX3HOScXFSUiIuO Sp8+Swmfe4uvxGOR4z/q3f3FdrKN6GdBc9cmmZeSSuYelFYaIpG6PIgv4Tbf9Fwy F8qc/nxHSWhb19J/ifAHckd7kq99qrdei+59jZeiy8PTS+6//SeVhLDvKlV7B/1X QsS3qM6vgpGXx9xoCIxyjVODIm23Q/iWjyqtJl3uqiW5wymLOcZvLC37Do/2DJ8l NOEqDalueYypKhPZnoj05iUiuR4vpSl/DNMvi6NHu0fI3ZEATCkEPV16fCSnPIv6 oN2UG0X7qNmIBz7oUD7lnoM86TGjFuxT4Ka4gSACykaeGpIuoeFbcboEKqMmejXH 9knYcMl9+t0G3yNYPpA6G2ED0BVXu8Ov3JmO2FoT9OEgkDv7HGD50GltnqYFvM2b O97g3GJ9w0lJQ55cWzjU6lr763tM/lYYcl3KX/ic8frtX+7FK+rXHt0j+QHWRzbx YmewJphXkURBVva+FvYhTlagh2tWK1w2yUarrTFiFoxUss/out58L2QP5ie41urG JNajebW8gNPa/C3MxB+IWfGLci36+3/qW+czgvEOMwFsbE2YmbnSrZiA+9wrPNzJ Ngn88tHZftHwUwbikjYwMBCZnFG1hySyQUCu+Ym3itQqbA9IQRxaBbBOzI4gLxso LuaafXJ0lxi3HvevyfvA =ZGCU -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.