Message-Id: <E1r16oW-0002Ya-8S@xenbits.xenproject.org>
Date: Thu, 09 Nov 2023 15:19:24 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security-team-members@....org>
Subject: Xen Security Advisory 443 v4 (CVE-2023-34325,CVE-2022-4949) -
 Multiple vulnerabilities in libfsimage disk handling

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

        Xen Security Advisory CVE-2023-34325,CVE-2022-4949 / XSA-443
                               version 4

	   Multiple vulnerabilities in libfsimage disk handling

UPDATES IN VERSION 4
====================

Added reference to CVE for upstream grub project.

ISSUE DESCRIPTION
=================

libfsimage contains parsing code for several filesystems, most of them based on
grub-legacy code.  libfsimage is used by pygrub to inspect guest disks.

Pygrub runs as the same user as the toolstack (root in a privileged domain).

At least one issue has been reported to the Xen Security Team that allows an
attacker to trigger a stack buffer overflow in libfsimage.  After further
analysis the Xen Security Team is no longer confident in the suitability of
libfsimage when run against guest controlled input with super user privileges.

In order not to affect current deployments that rely on pygrub, patches are
provided in the Resolution section of this advisory that allow running pygrub in
deprivileged mode.

CVE-2022-4949 refers to the original issue in the upstream grub
project ("An attacker with local access to a system (either through a
disk or external drive) can present a modified XFS partition to
grub-legacy in such a way to exploit a memory corruption in grub's XFS
file system implementation.")  CVE-2023-34325 refers specifically to
the vulnerabilities in Xen's copy of libfsimage, which is descended
from a very old version of grub.

IMPACT
======

A guest using pygrub can escalate its privilege to that of the domain
construction tools (i.e., normally, to control of the host).

VULNERABLE SYSTEMS
==================

All Xen versions are affected.

MITIGATION
==========

Ensuring that guests do not use the pygrub bootloader will avoid this
vulnerability.

For cases where the PV guest is known to be 64-bit, and uses grub2 as a
bootloader, pvgrub is a suitable alternative to pygrub.

Running only HVM guests will avoid the vulnerability.

CREDITS
=======

This issue was discovered by Ferdinand Nölscher of Google.

RESOLUTION
==========

Applying patches 1-4 resolves the libfsimage XFS stack overflow.  Applying
patches 5-11 adds additional functionality to pygrub and libxl in order to run
pygrub in a restricted environment using a specific UID.  Check the xl.cfg man
page for information on the bootloader_restrict option.
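The mitigation and resolution sections above leave an administrator with one
question per guest: does it boot via pygrub, and if so, is pygrub still running
with full toolstack privileges?  The following script is an added example, not
part of this advisory or of the Xen project's code.  It scans xl guest
configuration files and classifies each one by its bootloader setting and by
whether the bootloader_restrict option from the XSA-443 patches is set.  The
config parsing is a plain "key = value" scan rather than a full parser of xl's
Python-like syntax, and the accepted spellings of a true bootloader_restrict
value (1, true) are an assumption; the patched xl.cfg man page is authoritative.
The sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example; not part of the XSA-443 advisory or of Xen itself.
# Audits xl guest config files for the exposure the advisory describes:
# a guest booted by pygrub while pygrub runs unrestricted as the toolstack user.

cfg_value() {
    # cfg_value KEY FILE: last assignment to KEY in an xl.cfg file, with
    # comments, surrounding whitespace and quotes stripped; empty if unset.
    # Plain "key = value" scan only (no line continuations, no expressions).
    sed -e 's/#.*$//' "$2" | awk -F'=' -v key="$1" -v q="'" '
        {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = $2
                gsub("^[ \t\"" q "]+|[ \t\"" q "]+$", "", v)
            }
        }
        END { print v }'
}

classify_xl_cfg() {
    # Prints one of: no-bootloader, other-bootloader,
    # pygrub-restricted, pygrub-unrestricted.
    bl=$(cfg_value bootloader "$1")
    case "$bl" in
        "") echo no-bootloader ;;           # direct kernel= or HVM boot: no pygrub involved
        pygrub|*/pygrub)
            # Boolean spellings accepted here are an assumption; see xl.cfg(5)
            # for bootloader_restrict after applying patches 5-11.
            case "$(cfg_value bootloader_restrict "$1")" in
                1|true|True) echo pygrub-restricted ;;
                *)           echo pygrub-unrestricted ;;
            esac ;;
        *) echo other-bootloader ;;
    esac
}

audit_xl_configs() {
    # audit_xl_configs DIR: report every *.cfg in DIR; exit status is 0 only
    # when no guest runs pygrub unrestricted.
    dir="$1"; unrestricted=0
    for f in "$dir"/*.cfg; do
        [ -f "$f" ] || continue
        state=$(classify_xl_cfg "$f")
        printf '%s: %s\n' "$f" "$state"
        case "$state" in
            pygrub-unrestricted) unrestricted=$((unrestricted + 1)) ;;
        esac
    done
    [ "$unrestricted" -eq 0 ]
}

# Demonstration on constructed configs (not real guest definitions).
demo_dir=$(mktemp -d)
printf 'name = "guest-a"\nbootloader = "pygrub"\n' > "$demo_dir/guest-a.cfg"
printf 'name = "guest-b"\nbootloader = "/usr/bin/pygrub"\nbootloader_restrict = 1\n' > "$demo_dir/guest-b.cfg"
printf 'name = "guest-c"\nbuilder = "hvm"\n# bootloader = "pygrub" (commented out)\n' > "$demo_dir/guest-c.cfg"
audit_xl_configs "$demo_dir" \
    || echo "unrestricted pygrub in use: apply patches 5-11 and set bootloader_restrict, or switch bootloader"
rm -rf "$demo_dir"
```

Run it against the directory holding your guest definitions (commonly
/etc/xen) and treat any pygrub-unrestricted result as exposed until the patch
series is applied and bootloader_restrict is set, or the guest is moved to
pvgrub or HVM as the Mitigation section describes.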

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa443/xsa443-??.patch          xen-unstable
xsa443/xsa443-4.17-??.patch     Xen 4.17.x
xsa443/xsa443-4.16-??.patch     Xen 4.16.x
xsa443/xsa443-4.15-??.patch     Xen 4.15.x

$ sha256sum xsa443*/*
d2b306efd35b1e207904f4142be724c4b70bacafae73f8efd5ee12570eb235a1  xsa443/xsa443-01.patch
3af33399c9966465ef65461c344fe0c3184a21a59830de8e3701122cda4f5483  xsa443/xsa443-02.patch
a260be66f02307143d9e776cac2b95735011056bebd718f175680f879563ea21  xsa443/xsa443-03.patch
170d511df3a3898ab0302f7e85bc63127cb0b75f73fdcd83104d3f358365f648  xsa443/xsa443-4.15-01.patch
16c942da8929ab240a8807da05d9b39bbabfb34adc4f5a63bc3d2d99568973b1  xsa443/xsa443-4.15-02.patch
13fd27948f5a5e21e1a8e0ddf218ec79b44f1fca55fdc371c932ad2dfa5c23ea  xsa443/xsa443-4.15-03.patch
1c865b8f0048483ea76e8cfbeba1536ca6cbde04c58a7e0d485d46c063046cf4  xsa443/xsa443-4.15-04.patch
115b9561c0ea8f155d60049a1e60a26e5261147b1d2672d8a96313aef5dd95e6  xsa443/xsa443-4.15-05.patch
5e54fe8fcd56de43e9035e57ed964cc677aca853b6f205f8576f56aa8f968bf0  xsa443/xsa443-4.15-06.patch
a0bd7681bd541b21d069cd025cfb97c798c35041300d5cc86f59941471b88b3c  xsa443/xsa443-4.15-07.patch
165795217669df7fa2f6bcb3eb820f93391c7d46422eb941ae359b43ce5c510f  xsa443/xsa443-4.15-08.patch
fe8be8c39f83567597ec5077bd6fe8b57324d5f6bed7f5cfbed7df43008f7835  xsa443/xsa443-4.15-09.patch
48936926848af29786490dd6db3dcfaf8ed8443f1d6ae896dcb95c930e2f4c21  xsa443/xsa443-4.15-10.patch
213b6a45198869869248b2e3c096fd327f7b0cccbd68faa12335134172c7c908  xsa443/xsa443-4.15-11.patch
170d511df3a3898ab0302f7e85bc63127cb0b75f73fdcd83104d3f358365f648  xsa443/xsa443-4.16-01.patch
16c942da8929ab240a8807da05d9b39bbabfb34adc4f5a63bc3d2d99568973b1  xsa443/xsa443-4.16-02.patch
13fd27948f5a5e21e1a8e0ddf218ec79b44f1fca55fdc371c932ad2dfa5c23ea  xsa443/xsa443-4.16-03.patch
1c865b8f0048483ea76e8cfbeba1536ca6cbde04c58a7e0d485d46c063046cf4  xsa443/xsa443-4.16-04.patch
115b9561c0ea8f155d60049a1e60a26e5261147b1d2672d8a96313aef5dd95e6  xsa443/xsa443-4.16-05.patch
5e54fe8fcd56de43e9035e57ed964cc677aca853b6f205f8576f56aa8f968bf0  xsa443/xsa443-4.16-06.patch
a0bd7681bd541b21d069cd025cfb97c798c35041300d5cc86f59941471b88b3c  xsa443/xsa443-4.16-07.patch
165795217669df7fa2f6bcb3eb820f93391c7d46422eb941ae359b43ce5c510f  xsa443/xsa443-4.16-08.patch
fe8be8c39f83567597ec5077bd6fe8b57324d5f6bed7f5cfbed7df43008f7835  xsa443/xsa443-4.16-09.patch
c9538238f4b636b7d093a59610b0eab2e7fd409a7cc9e988d006bee4c9b944f7  xsa443/xsa443-4.16-10.patch
62147de7a6b8a0073c7abe204da25e94871a32c4e3851f9feccf065976dc0267  xsa443/xsa443-4.16-11.patch
3322213303481fea964cf18e09b172d42caf21fe662c947ae6ddc0d8a1789fa1  xsa443/xsa443-4.17-01.patch
02cf94559407d693ef2dcfc47671b63f5f27019dd759bae3b5eaaa922fb4ea74  xsa443/xsa443-4.17-02.patch
189bef69380d6fbd7f571b2fe11908bac26a650e2b0d040e12b8c1266373f8c8  xsa443/xsa443-4.17-03.patch
cdb4f0dd47a6c8a759ae4ffd400f2ce72675b8779ca5576dea74e372ca77a021  xsa443/xsa443-4.17-04.patch
2147dcf95b1ad36da0961e2c084072fa9eb59486e9c0ed43444d268a17d01ee1  xsa443/xsa443-4.17-05.patch
a523273792a77fa55a7ab8925369edcb9d9ae50e8e9236be43f23e66aaa0f5e2  xsa443/xsa443-4.17-06.patch
54f97e027c80bfed8e3559ba8d89a69d2f4c48e1017c2090af029a01efe49741  xsa443/xsa443-4.17-07.patch
79667e7b8fbfa43f9135ba14ca364c63e1e7e7c3a68ae12513fe0204e57fa2bd  xsa443/xsa443-4.17-08.patch
11125e8da5f9e8313d943e6cbba2ff160478681c290b1413c88113292cca91c4  xsa443/xsa443-4.17-09.patch
113bbc294e10be4e8bf9855536114f875add033f790504f5c744b38da85d1b11  xsa443/xsa443-4.17-10.patch
7e5c7d4ef0b148ce9421c1856ced8b023bae22abc8e13956fe2832628c9d4189  xsa443/xsa443-4.17-11.patch
eb81bcbaf1016bce77696c1f2f5cd90b22e11eaa02d15c36c4c704b02981c50d  xsa443/xsa443-04.patch
5a099d8bf6a06e318f9ff92491ae4191fd2a3f8637a3c9616173bd2c7d56dbb6  xsa443/xsa443-05.patch
32733ee7dd1baf81338d50532876f211660dd65eb44f3ea121604b4c897ba30f  xsa443/xsa443-06.patch
9dfe8e70ed3007dbe46de75d6790baa770d91ac42d6abf642ca0f11b8b2d6b6d  xsa443/xsa443-07.patch
b8040da4d2ef22ed9f96e1648fa8c4682f82bce2d17bbdd9f2250c48f8858d10  xsa443/xsa443-08.patch
4b0fa7efd271de010943a2974e178d6e9c44c5181a94fc58ddd3f9ecd953d572  xsa443/xsa443-09.patch
f1b97a6ee5dc15a2b85ffde12242eb65d885b244419f34d737eb4489769f7224  xsa443/xsa443-10.patch
eafccd01a5458baf2a7f39b3e533fd3638d6f728078c437247dc712856422706  xsa443/xsa443-11.patch
$
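Before applying a series, the hashes above are the check that the downloaded
patch files are the ones the Security Team signed for.  The script below is an
added example, not part of this advisory or of Xen.  It assumes the hash block
above has been saved verbatim to a manifest file, that the patches were saved
under an xsa443/ subdirectory as listed, and that GNU coreutils sha256sum is
available.  Since the manifest mixes all branches and a downstream normally
only fetches its own, the function selects one series by file name prefix
(for example "xsa443-4.17-" for Xen 4.17.x) and verifies just that series.
The demonstration at the bottom builds constructed files and a locally
computed manifest, because the real patches are not shipped here.

```shell
#!/bin/sh
# Added example; not part of the XSA-443 advisory or of Xen itself.
# Verifies one branch's XSA-443 patch series against the advisory's sha256
# list before the patches are applied.

verify_patch_series() {
    # verify_patch_series MANIFEST DIR PREFIX
    #   MANIFEST: file holding the advisory's "<sha256>  xsa443/<file>" lines.
    #   DIR:      directory that contains the xsa443/ subdirectory.
    #   PREFIX:   file-name prefix selecting the series, e.g. "xsa443-4.17-".
    # Returns 0 only if every selected file exists and matches its hash;
    # sha256sum -c names the entry that failed on its own output.
    manifest="$1" dir="$2" prefix="$3"
    # sha256sum output separates hash and name with two spaces.
    selected=$(grep -F -- "  xsa443/${prefix}" "$manifest") || {
        echo "no manifest entries for prefix ${prefix}" >&2
        return 1
    }
    # Run inside DIR so the relative xsa443/ paths in the manifest resolve.
    # --strict additionally fails on malformed lines (e.g. a mangled paste).
    printf '%s\n' "$selected" | ( cd "$dir" && sha256sum -c --strict - )
}

# Demonstration on constructed files with a locally computed manifest.
demo=$(mktemp -d)
mkdir "$demo/xsa443"
printf 'constructed patch 1\n' > "$demo/xsa443/xsa443-4.17-01.patch"
printf 'constructed patch 2\n' > "$demo/xsa443/xsa443-4.17-02.patch"
( cd "$demo" && sha256sum xsa443/* ) > "$demo/manifest.txt"
verify_patch_series "$demo/manifest.txt" "$demo" "xsa443-4.17-"
# Simulate a corrupted or substituted download: the series must now fail.
printf 'altered\n' > "$demo/xsa443/xsa443-4.17-02.patch"
verify_patch_series "$demo/manifest.txt" "$demo" "xsa443-4.17-" \
    || echo "do not apply: series failed verification"
rm -rf "$demo"
```

Only apply a series whose verification returns 0; a single FAILED or missing
entry means re-fetching the patches rather than continuing with the rest.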

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmVM+FMMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZU7AIALBwYs4RFK+Q3YhyXBdKCFybnRJmj6qVgeJXZr7m
lk1SFdickZpnWrV7UL/BlLbR/PuYSqbkICYVoyVqMTOP/O5UHTxpZEP1q9SqAW0z
Jm/7oi1YNkBc/XKYUoEW2Z/k6S3dTzG+iNTB5Xn25DKZtzTb3YtaNCuMGqWYHDfz
Q/NHc3uLtxnXKjq/YMSs9ig2VEjRTphkiTe37mN0hFmnXDBlxtZHj1h5iw1DwO/o
W64C4H+3DlI5SA7yTY1EEVPWfNr+t/GqvafgAVMcy1WGutHTZVaMp814ctxXvAex
grTDK/k+jmEa12zCWodkf85EZNCisVnyBfoo5W9DJ2w2Udo=
=eeA0
-----END PGP SIGNATURE-----
