Xen devel - Mar 2007 - PATCH: CVE-2007-0998: Remove access to QEMU monitor in VNC server

This patch fixes a security issue present in any Xen 3.0.3 or later when
the VNC server is enabled for a HVM guest.

cf CVE-2007-0998 / the RHEL-5 security errata:

   http://rhn.redhat.com/errata/RHSA-2007-0114.html

The VNC server for HVM guests allows the VNC client to press Ctrl+Alt+2
to switch into the QEMU monitor console. From there a user can map an
arbitrary file from the Dom0 host through to the guest as a cdrom device.
This file is mapped with full read-write privileges to writes to /dev/hdc
in the guest will change the file in the underlying Dom0 host.

So since qemu-dm processes run as root on Dom0, any unprivileged user with
access to a VNC console for a HVM guest can compromise the Dom0 OS. The VNC
password protection offers minimal against this problem since it is trivially
brute forced, although at least XenD is setup to restrict VNC to 127.0.0.1
out of the box. So it is a local-root exploit in out of box config, but is
potentially a remote-root exploit if the admin changed VNC to listen on the
public IP address.

There is no compelling reason to provide access to the QEMU monitor console.
The XenD APIs already allow a user to determine config of a guest VM. The
often quoted use case is to allow changing of the CDROM backing file during
guest installs. This can already be done by root using xenstore-write to
change the file associated with the VDB in xenstore, so QEMU monitor access
is not actually needed. Long term I anticipate XenD itself will have to 
take ownership of the QEMU monitor console connection, since upstream QEMU 
is increasingly providing monitor commands as the primary way for management 
tools to control the VM on the fly. 

The attached patch disables the key code handling the magic Ctrl+Alt+2
sequence used to activate the monitor. The code is now only enabled if
the top level Xen Makefile variable ''debug'' is set to
''y'' - it defaults
to ''n'' to regular production builds will remove access to the
QEMU monitor,
while developers can still access if required for debugging purposes.

This is effectively disabling the code added in changeset:

     10742:3e07ec30c44538e7ea55b0da2cb2624036481fc3

Along with a few other minor alteratiosn to the added code.

 Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

Regards,
Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

19 Mar 2007 Pts tarihinde, Daniel P. Berrange şunları yazmıştı:
> This patch fixes a security issue present in any Xen 3.0.3 or later when
> the VNC server is enabled for a HVM guest.
>
> cf CVE-2007-0998 / the RHEL-5 security errata:
>
>    http://rhn.redhat.com/errata/RHSA-2007-0114.html
Same patch applies cleanly on Xen-3.1.0, is it forgetton?

-- 
S.Çağlar Onur <caglar@pardus.org.tr>
http://cekirdek.pardus.org.tr/~caglar/

Linux is like living in a teepee. No Windows, no Gates and an Apache in house!


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

On 19/5/07 00:39, "S.Çağlar Onur" <caglar@pardus.org.tr> wrote:
> 19 Mar 2007 Pts tarihinde, Daniel P. Berrange şunları yazmıştı:
>> This patch fixes a security issue present in any Xen 3.0.3 or later
when
>> the VNC server is enabled for a HVM guest.
>> 
>> cf CVE-2007-0998 / the RHEL-5 security errata:
>> 
>>    http://rhn.redhat.com/errata/RHSA-2007-0114.html
> 
> Same patch applies cleanly on Xen-3.1.0, is it forgetton?
The patch is in 3.1.0.

 -- Keir



_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

19 May 2007 Cts tarihinde, Keir Fraser şunları yazmıştı:
> On 19/5/07 00:39, "S.Çağlar Onur" <caglar@pardus.org.tr>
wrote:
> > 19 Mar 2007 Pts tarihinde, Daniel P. Berrange şunları yazmıştı:
> >> This patch fixes a security issue present in any Xen 3.0.3 or
later when
> >> the VNC server is enabled for a HVM guest.
> >>
> >> cf CVE-2007-0998 / the RHEL-5 security errata:
> >>
> >>    http://rhn.redhat.com/errata/RHSA-2007-0114.html
> >
> > Same patch applies cleanly on Xen-3.1.0, is it forgetton?
>
> The patch is in 3.1.0.
Hmm, is that solved another way? Cause according to HG history its first 
committed [1] then reverted [2]?

[caglar@zangetsu][~/svk/devel/applications/virtualization/xen]> 
sha1sum /var/cache/pisi/archives/xen-3.1.0-src.tgz
fa4b54c36626f2cce9b15dc99cafda0b42c54777 
/var/cache/pisi/archives/xen-3.1.0-src.tgz

[caglar@zangetsu][~/svk/devel/applications/virtualization/xen]> tar 
xvf /var/cache/pisi/archives/xen-3.1.0-src.tgz
...

[caglar@zangetsu][~/svk/devel/applications/virtualization/xen/xen-3.1.0-src]>
patch -p1 < ../files/CVE-2007-0998.patch
patching file tools/ioemu/Makefile.target
patching file tools/ioemu/vnc.c

[1] http://xenbits.xensource.com/xen-3.0.5-testing.hg?rev/3375391fb0c9
[2] http://xenbits.xensource.com/xen-3.0.5-testing.hg?rev/3d7a4ac397b1

Cheers
-- 
S.Çağlar Onur <caglar@pardus.org.tr>
http://cekirdek.pardus.org.tr/~caglar/

Linux is like living in a teepee. No Windows, no Gates and an Apache in house!


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

On 19/5/07 12:48, "S.Çağlar Onur" <caglar@pardus.org.tr> wrote:
>>> Same patch applies cleanly on Xen-3.1.0, is it forgetton?
>> 
>> The patch is in 3.1.0.
> 
> Hmm, is that solved another way? Cause according to HG history its first
> committed [1] then reverted [2]?
There''s a ''monitor'' option in the domain config file,
which can be used to
enable the monitor over VNC. It defaults to off, for security, of course.

 -- Keir



_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel