Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1YW3EB-0003fb-3F@xenbits.xen.org>
Date: Thu, 12 Mar 2015 13:32:43 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security@....org>
Subject: Xen Security Advisory 119 (CVE-2015-2152) - HVM qemu unexpectedly
 enabling emulated VGA graphics backends

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2015-2152 / XSA-119
                              version 3

      HVM qemu unexpectedly enabling emulated VGA graphics backends

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

When instantiating an emulated VGA device for an x86 HVM guest qemu
will by default enable a backend to expose that device, either SDL or
VNC depending on the version of qemu and the build time configuration.

The libxl toolstack library does not explicitly disable these default
backends when they are not enabled, leading to an unexpected backend
running.

If either SDL or VNC is explicitly enabled in the guest configuration
then only the expected backends will be enabled.

This affects qemu-xen and qemu-xen-traditional differently.

If qemu-xen was compiled with SDL support then this would result in an
SDL window being opened if $DISPLAY is valid, or a failure to start
the guest if not.

If qemu-xen was compiled without SDL support then qemu would instead
start a VNC server listening on ::1 (IPv6 localhost) or 127.0.0.1
(IPv4 localhost) with IPv6 preferred if available. A VNC password will
not be configured even if one is present in the guest configuration.

qemu-xen-traditional will never start a vnc backend unless explicitly
configured. However by default it will start an SDL backend if it was
built with SDL support and $DISPLAY is valid.


IMPACT
======

For qemu-xen compiled without SDL support (unexpected VNC server):

Any local user on the domain 0 hosting the VM will be able to access
the guest's emulated VGA console.


For any qemu compiled with SDL support (unexpected SDL backend):

Users who are able to control the DISPLAY environment variable of the
toolstack process which creates the VM will be able to direct the SDL
output to an X server of their choosing and from there gain access to
the guest's emulated console.

This is a practical attack only on systems where arrangements have
been made for lower-privileged users to execute Xen toolstack code via
means which do not sufficiently launder the process environment.  This
would include some restricted sudo command configurations.


In both cases unexpected access to the guest console may then,
depending on the guest configuration, grant further privilege or
opportunities for attack.

Both cases also open up the qemu process to attacks via the VNC or X
network protocols.

The qemu monitor is not exposed via this means unless it is explicitly
enabled in the guest configuration.


VULNERABLE SYSTEMS
==================

ARM systems are not vulnerable.

PV domains are not vulnerable.

Systems where either SDL or VNC is explicitly enabled in the guest
configuration (eg `sdl=1' or `vnc=1' in the guest config file) are not
vulnerable.

Systems using qemu-xen-traditional, or systems using qemu-xen where
SDL support is built into qemu-xen, are not vulnerable; unless the Xen
toolstack code runs in a process environment partially controlled by
potential attackers.

x86 systems running HVM domains, configured to disable both SDL and
VNC access to the emulated VGA device, may be vulnerable.

Versions of Xen from 4.2 onwards are known to be affected. Older
versions have not been inspected.


MITIGATION
==========

Running qemu in a stub domain will avoid this issue.

Setting nographic to true on the domain (i.e. nographic=1 in an xl
configuration file) will completely disable the emulated VGA device
and therefore avoid this issue.  (NB that publicly visible deployment
of this mitigation during the embargo is forbidden.)

In order to disable the backends while retaining the emulated VGA then
prepending "-vnc none -display none" to the qemu-xen command-line or
"-vnc none" to the qemu-xen-traditional command-line, using e.g. a
wrapper script will avoid the issue.  Note that the "extra_hvm" option
exposed by the libxl library is not useful because it appends the
given options making them ineffective in this case.


CREDITS
=======

This issue was discovered by Sander Eikelenboom.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa119-unstable.patch        xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x
xsa119-4.2.patch             Xen 4.2.x

$ sha256sum xsa119*.patch
ee44c8f6a7cf3ca7b2d9886047b91690aaa2b091baf8629d8ab4c298022c6c47  xsa119-unstable.patch
5470eae3ca776a5100e8da9400ce15a2f4d855177f023430b2462f65e716128f  xsa119-4.2.patch
$


DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches above (or others which are substantially
similar) is permitted during the embargo, even on public-facing
systems with untrusted guest users and administrators.

Deployment of a revised command qemu line which sets "-vnc none
- -display none" or "-vnc none" (as applicable) is also permitted.


Mitigation by passing `nographic=1' or equivalent guest configuration,
is NOT permitted (except where all the guests are accessible only by
members of the Xen Project Security Issues Predisclosure List).
Specifically, deployment of such a mitigation on public cloud systems
is NOT permitted.

This is because the guest-visible configuration change (disappearance
of the emulated VGA device as the response to a security issue) would
suggest to attackers where to look for the vulnerability.


Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJVAZVQAAoJEIP+FMlX6CvZ04YIAJZ0goOAXAzc5OwrY/RyTeCp
fGHhzkWQ5ZJ3GKR2x+A+uXTb5X+tpo07A/sIS9eGtUDTpzOmfNn/r+vXpicVip8j
CW8KMCvNqiMu6BlrF13x7wrYTNSCudLdcg5ermUBasPXadbPspJoLsmEZVDejLEP
7Wp99VoeOJEfR/29JrSTDLAuZ5F5TL9T3TZZ9qnxpWxa4ag7qsKL3AS8akKAj8O5
JDHsCpPdPV0w4BNkLTa9zd9xWfSb1zhPvM1S7OeMwzY1Yv1uEI9vRHwHt2JfUQBD
rpP1ED8dZphZfet0xqCzx5iyNLvYzNGenA+DnDslj/ORw07SmQ8vSRzq5SJx/uE=
=QKUI
-----END PGP SIGNATURE-----

Download attachment "xsa119-unstable.patch" of type "application/octet-stream" (3624 bytes)

Download attachment "xsa119-4.2.patch" of type "application/octet-stream" (3805 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.