Re: Xen Security Advisory 19 - guest administrator can access qemu monitor console

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/06/2012 10:13 AM, Xen.org security team wrote:
>                  Xen Security Advisory XSA-19
>
>          guest administrator can access qemu monitor console
>
>
> ISSUE DESCRIPTION
> =================
>
> A guest administrator who is granted access to the graphical console
> of a Xen guest can access the qemu monitor.  The monitor can be used
> to access host resources.
>
> IMPACT
> ======
>
> A malicious guest administrator can access host resources (perhaps
> belonging to other guests or the underlying system) and may be able to
> escalate their privilege to that of the host.
>
> VULNERABLE SYSTEMS
> ==================
>
> Installations where guest administrators do not have access to a
> domain's graphical console, or containing only PV domains configured
> without a graphical console, are not vulnerable.
>
> Installations where all guest administrators are trustworthy are not
> vulnerable, even if the guest operating systems themselves are
> untrusted.
>
> Systems using xend/xm: At least all versions since Xen 4.0 are
> affected.  Systems are vulnerable even if "monitor=no" is specified in
> the xm domain configuration file - this configuration option is not
> properly honoured in the vulnerable versions.
>
> Systems using libxl/xl: All versions are affected.  The "monitor="
> option is not understood, and is therefore ignored, by xl.  However,
> systems using the experimental device model version based on upstream
> qemu are NOT vulnerable; that is, Xen 4.2 RC systems with
> device_model_version="qemu_xen" specified in the xl domain config
> file.
>
> Systems using libvirt are vulnerable.  For "xen:" URIs, see xend/xm,
> above.  For "libxl:" URIs, all versions are affected.
>
> Systems based on the Xen Cloud Platform are NOT vulnerable.
>
> CONFIRMING VULNERABILITY
> ========================
>
> Connect to the guest's VNC (or SDL) graphical display and make sure
> your focus is in that window.  Hold down CTRL and ALT and press 2.
> You will see a black screen showing one of "serial0", "parallel0" or
> "QEMU <version> monitor".  Repeat this exercise for other digits 3 to
> 6.  CTRL+ALT+1 is the domain's normal graphical console.  Not all
> numbers will have screens attached, but note that you must release and
> re-press CTRL and ALT each time.
>
> If one of the accessible screens shows "QEMU <version> monitor" then
> you are vulnerable.  Otherwise you are not.
>
> MITIGATION
> ==========
>
> With xl in Xen 4.1 and later, supplying the following config
> option in the VM configuration file will disable the monitor:
>    device_model_args=["-monitor","null"]
>
> With xend the following config option will disable the monitor:
>    monitor_path="null"
> Note that with a vulnerable version of the software specifying
> "monitor=0" will NOT disable the monitor.
>
> We are not currently aware of the availability of mitigation for
> systems using libvirt.
>
> NOTE REGARDING EMBARGO
> ======================
>
> This issue was publicly discussed online by its discoverer.
> There is therefore no embargo.
>
> NOTE REGARDING CVE
> ==================
>
> This issue was previously reported in a different context, not to Xen
> upstream, and assigned CVE-2007-0998 and fixed in a different way.  We
> have requested a new CVE for XSA-19 but it is not yet available.

Ahh I see the request now (it was in a different email folder). Please
use CVE-2012-4411 for this issue.

> RESOLUTION
> ==========
>
> The attached patch against qemu-xen-traditional
> (qemu-xen-4.*-testing.git) resolves this issue.
>
> $ sha256sum xsa19-qemu-all.patch
> 19fc5ff9334e7e7ad429388850dc6e52e7062c21a677082e7a89c2f2c91365fa  xsa19-qemu-all.patch

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQSOgkAAoJEBYNRVNeJnmTonAP/3BTawvHhQX3HOScXFSUiIuO
Sp8+Swmfe4uvxGOR4z/q3f3FdrKN6GdBc9cmmZeSSuYelFYaIpG6PIgv4Tbf9Fwy
F8qc/nxHSWhb19J/ifAHckd7kq99qrdei+59jZeiy8PTS+6//SeVhLDvKlV7B/1X
QsS3qM6vgpGXx9xoCIxyjVODIm23Q/iWjyqtJl3uqiW5wymLOcZvLC37Do/2DJ8l
NOEqDalueYypKhPZnoj05iUiuR4vpSl/DNMvi6NHu0fI3ZEATCkEPV16fCSnPIv6
oN2UG0X7qNmIBz7oUD7lnoM86TGjFuxT4Ka4gSACykaeGpIuoeFbcboEKqMmejXH
9knYcMl9+t0G3yNYPpA6G2ED0BVXu8Ov3JmO2FoT9OEgkDv7HGD50GltnqYFvM2b
O97g3GJ9w0lJQ55cWzjU6lr763tM/lYYcl3KX/ic8frtX+7FK+rXHt0j+QHWRzbx
YmewJphXkURBVva+FvYhTlagh2tWK1w2yUarrTFiFoxUss/out58L2QP5ie41urG
JNajebW8gNPa/C3MxB+IWfGLci36+3/qW+czgvEOMwFsbE2YmbnSrZiA+9wrPNzJ
Ngn88tHZftHwUwbikjYwMBCZnFG1hySyQUCu+Ym3itQqbA9IQRxaBbBOzI4gLxso
LuaafXJ0lxi3HvevyfvA
=ZGCU
-----END PGP SIGNATURE-----