Thomas Goirand
2012-Sep-06 17:46 UTC
[Pkg-xen-devel] Fwd: [Xen-announce] Xen Security Advisory 19 - guest administrator can access qemu monitor console
Hi everyone at the security team,

I'd like to upload an update of xen-qemu-dm-4.0 in Squeeze. Below is the
Xen Security Advisory as I received it, attached is the patch that they
provided. Both the debdiff and the updated packages are available in here:

http://archive.gplhost.com/pub/security/xen-qemu-dm-4.0/

Please allow me to upload this fix. If you wish, I can prepare a DSA as
well (but probably what's below is enough for you guys to prepare one),
just let me know.

Cheers,

Thomas Goirand (zigo)

-------- Original Message --------
Subject: [Xen-announce] Xen Security Advisory 19 - guest administrator can access qemu monitor console
Date: Thu, 06 Sep 2012 16:13:26 +0000
From: Xen.org security team <security at xen.org>
To: xen-announce at lists.xen.org, xen-devel at lists.xen.org, xen-users at lists.xen.org, oss-security at lists.openwall.com
CC: Xen.org security team <security at xen.org>

Xen Security Advisory XSA-19

guest administrator can access qemu monitor console

ISSUE DESCRIPTION
================

A guest administrator who is granted access to the graphical console
of a Xen guest can access the qemu monitor. The monitor can be used
to access host resources.

IMPACT
=====

A malicious guest administrator can access host resources (perhaps
belonging to other guests or the underlying system) and may be able to
escalate their privilege to that of the host.

VULNERABLE SYSTEMS
=================

Installations where guest administrators do not have access to a
domain's graphical console, or containing only PV domains configured
without a graphical console, are not vulnerable.

Installations where all guest administrators are trustworthy are not
vulnerable, even if the guest operating systems themselves are
untrusted.

Systems using xend/xm: At least all versions since Xen 4.0 are
affected. Systems are vulnerable even if "monitor=no" is specified in
the xm domain configuration file - this configuration option is not
properly honoured in the vulnerable versions.

Systems using libxl/xl: All versions are affected. The "monitor="
option is not understood, and is therefore ignored, by xl. However,
systems using the experimental device model version based on upstream
qemu are NOT vulnerable; that is, Xen 4.2 RC systems with
device_model_version="qemu_xen" specified in the xl domain config
file.

Systems using libvirt are vulnerable. For "xen:" URIs, see xend/xm,
above. For "libxl:" URIs, all versions are affected.

Systems based on the Xen Cloud Platform are NOT vulnerable.

CONFIRMING VULNERABILITY
=======================

Connect to the guest's VNC (or SDL) graphical display and make sure
your focus is in that window. Hold down CTRL and ALT and press 2.
You will see a black screen showing one of "serial0", "parallel0" or
"QEMU <version> monitor". Repeat this exercise for other digits 3 to
6. CTRL+ALT+1 is the domain's normal graphical console. Not all
numbers will have screens attached, but note that you must release and
re-press CTRL and ALT each time.

If one of the accessible screens shows "QEMU <version> monitor" then
you are vulnerable. Otherwise you are not.

MITIGATION
=========

With xl in Xen 4.1 and later, supplying the following config
option in the VM configuration file will disable the monitor:

    device_model_args=["-monitor","null"]

With xend the following config option will disable the monitor:

    monitor_path="null"

Note that with a vulnerable version of the software specifying
"monitor=0" will NOT disable the monitor.

We are not currently aware of the availability of mitigation for
systems using libvirt.

NOTE REGARDING EMBARGO
=====================

This issue was publicly discussed online by its discoverer.
There is therefore no embargo.

NOTE REGARDING CVE
=================

This issue was previously reported in a different context, not to Xen
upstream, and assigned CVE-2007-0998 and fixed in a different way. We
have requested a new CVE for XSA-19 but it is not yet available.

RESOLUTION
=========

The attached patch against qemu-xen-traditional
(qemu-xen-4.*-testing.git) resolves this issue.

$ sha256sum xsa19-qemu-all.patch
19fc5ff9334e7e7ad429388850dc6e52e7062c21a677082e7a89c2f2c91365fa  xsa19-qemu-all.patch

-------------- next part --------------
A non-text attachment was scrubbed...
Name: xsa19-qemu-all.patch
Type: application/octet-stream
Size: 924 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-xen-devel/attachments/20120907/c0153a1f/attachment.obj>
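
The following Python is an added example, not part of the advisory or of the Debian packaging: it checks a domain configuration file for the two settings named under MITIGATION and flags the "monitor=" option that the advisory says is not honoured. The function names and sample configs are constructed for illustration; only single-line settings are parsed, so a multi-line device_model_args is reported as unmitigated and needs a manual look.

```python
import ast
import re

ASSIGN = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.+)$")

def parse_config(text):
    """Collect single-line `key = value` settings from a domain config."""
    settings = {}
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip()
        try:
            settings[key] = ast.literal_eval(raw)
        except (ValueError, SyntaxError):
            settings[key] = raw  # bare word such as monitor=no, or a multi-line value
    return settings

def monitor_status(text, toolstack):
    """Classify a config as 'not-affected', 'mitigated', 'ineffective' or 'unmitigated'."""
    if toolstack not in ("xl", "xend"):
        raise ValueError("toolstack must be 'xl' or 'xend'")
    cfg = parse_config(text)
    if toolstack == "xl":
        # Upstream-qemu device model (Xen 4.2 RC) is listed as NOT vulnerable.
        if cfg.get("device_model_version") == "qemu_xen":
            return "not-affected"
        args = cfg.get("device_model_args")
        pairs = zip(args, args[1:]) if isinstance(args, list) else []
        mitigated = ("-monitor", "null") in pairs
    else:
        mitigated = cfg.get("monitor_path") == "null"
    if mitigated:
        return "mitigated"
    # monitor=0 / monitor=no is not honoured by xend and is ignored by xl.
    return "ineffective" if "monitor" in cfg else "unmitigated"

# Constructed sample configs (not taken from a real host).
XL_MITIGATED = 'name = "guest1"\nvnc = 1\ndevice_model_args = ["-monitor", "null"]\n'
XEND_MONITOR_OFF = 'name = "guest2"\nvnc = 1\nmonitor = 0\n'

if __name__ == "__main__":
    print(monitor_status(XL_MITIGATED, "xl"))
    print(monitor_status(XEND_MONITOR_OFF, "xend"))
```

A result of "ineffective" or "unmitigated" only describes the config file; whether the guest is exposed still depends on the conditions listed under VULNERABLE SYSTEMS.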
Bastian Blank
2012-Sep-06 18:23 UTC
[Pkg-xen-devel] Fwd: [Xen-announce] Xen Security Advisory 19 - guest administrator can access qemu monitor console
On Fri, Sep 07, 2012 at 01:46:57AM +0800, Thomas Goirand wrote:
> I'd like to upload an update of xen-qemu-dm-4.0 in Squeeze. Below is the
> Xen Security Advisory as I received it, attached is the patch that they
> provided. Both the debdiff and the updated packages are available in here:
>
> http://archive.gplhost.com/pub/security/xen-qemu-dm-4.0/

And what about CVE-2012-3515?

Bastian

-- 
Most legends have their basis in facts.
		-- Kirk, "And The Children Shall Lead", stardate 5029.5