Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2015.2482
Xen Security Advisory CVE-2015-7311 / XSA-142
24 September 2015
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Xen
Publisher: Xen
Operating System: Xen
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Modify Arbitrary Files -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2015-7311
Original Bulletin:
http://xenbits.xen.org/xsa/advisory-142.html
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Xen Security Advisory CVE-2015-7311 / XSA-142
version 2
libxl fails to honour readonly flag on disks with qemu-xen
UPDATES IN VERSION 2
====================
CVE assigned.
ISSUE DESCRIPTION
=================
Callers of libxl can specify that a disk should be read-only to the
guest. However, there is no code in libxl to pass this information to
qemu-xen (the upstream-based qemu); and indeed there is no way in qemu
to make a disk read-only.
The vulnerability is exploitable only via devices emulated by the
device model, not the parallel PV devices for supporting PVHVM.
Normally the PVHVM device unplug protocol renders the emulated devices
inaccessible early in boot.
IMPACT
======
Malicious guest administrators or (in some situations) users may be
able to write to supposedly read-only disk images.
CDROM devices (that is, devices specified to be presented to the guest
as CDROMs, regardless of the nature of the backing storage on the
host) are not affected.
VULNERABLE SYSTEMS
==================
Only systems using qemu-xen (rather than qemu-xen-traditional) as the
device model version are vulnerable.
Only systems using libxl or libxl-based toolstacks are vulnerable.
(This includes xl, and libvirt with the libxl driver.)
All versions of libxl which support qemu-xen are vulnerable. The
affected code was introduced in Xen 4.1.
If the host and guest together usually support PVHVM, the issue is
exploitable only if the malicious guest administrator has control of
the guest kernel or guest kernel command line.
MITIGATION
==========
Switching to qemu-xen-traditional will avoid this vulnerability.
This can be done with
device_model_version="qemu-xen-traditional"
in the xl configuration file.
Using stub domain device models (which necessarily involves switching
to qemu-xen-traditional) will also avoid this vulnerability.
This can be done with
device_model_stubdomain_override=true
in the xl configuration file.
Either of these mitigations is liable to have other guest-visible
effects or even regressions.
It may be possible, depending on the configuration, to make the
underlying storage object readonly, or to make it reject writes.
RESOLUTION
==========
There is no reasonable resolution because Qemu does not (at the time
of writing) support presenting a read-only block device to a guest as
a disk.
The attached patch corrects the weakness in the libxl code, by
rejecting the unsupported configurations, rather than allowing them to
run but with the device perhaps writeable by the guest. Applying it
should increase confidence and avoid future configuration errors, but
will break affected configurations specifying read-only disk devices.
xsa142-4.6.patch Xen 4.6.x and later
xsa142-4.5.patch Xen 4.3.x to 4.5.x inclusive
$ sha256sum xsa142*.patch
9ec0649f39720bc692be03c87ebea0506d6ec574f339fc745e41b31643240124 xsa142-4.5.patch
65f01167bfc141048261f56b99ed9b48ec7ff6e98155454ced938a17ec20e7d1 xsa142-4.6.patch
$
NOTE REGARDING LACK OF EMBARGO
==============================
This issue was discussed in public in the Red Hat bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1257893
CREDITS
=======
Thanks to Michael Young of Durham University for bring this problem to
our attention.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQEcBAEBAgAGBQJWAXCcAAoJEIP+FMlX6CvZ1asH/0yJQ9+33gZtE69Bxicms3C2
uSepfkZVBUym+eEBqGKd2hiapngIAInotOTk+iI7DDo41wvfnJxq1eaEaQ9XurKK
kylHOb8eHmYw+HwTW2kJV2g6ffeGBMIcI5mpK35yBa5NnNHHJz0b9ZeRzddR9rSR
0eQpuP4DlN1/2/z6obXmYms84Q1oiIzMDz+MzJA/zPtfL7Q/tBjUmMfPj67zNKwe
vIfIstI5IbCRgnXSEL9EjTckqNFszyr3pH4z/Y97UXWlbTg233ewAS11Wz/CwJKT
yzS4uJGpckqTRC3YKyS1unKCP39yAVIBTx4QoPu9hrWyzUJpZUD/FvmrIHhr8co=
=kHPH
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVgNfBX6ZAP0PgtI9AQI4FxAAmJumJP8L3/AWOfS1I8I/KZ+kVfLlyEyh
ZhaWU7bP+icNtcIfBfm11DivWXvIj2eivY7qtzcLesvF+tnBvLkFGUbwzpNgRcUf
J3ozCWqTbNlUWiFPFLuoJEcWN4TTw1E5GdhUzcKcql/YwZpAuN0jKZnHrM7kuHqy
mu6U3X7KJCWZXe9SfG0ZI9mRD4Xwm+zqqUicyk8wX11dviwfPkjJJaOF0AyAPOJE
YM9DHgJ12+zgwJFX6EVk7GKVmt3U2pxG7H3W8kRFYJXTTZkt+m4gTOZcZTtMZQmb
QQQ4Ip7ylkXJxQt90h8LSGZggmwLL5r4AgGtmNoTgsRK3NH8stLzGNz0vwkTdeql
+iqFkFV4YPvGi1PN1As2ELGXWfAShfJ0tBWwGmZfVvp2Y6utCBXq/vHiXz2LQV0h
UQltj89PZZPpmq/FKs5Zfq5Z6MOaWGiOCcJ0FXXl3+h8iKF0JgAOHSGEmHgFXl65
0sUR5aeSHAL1M6sNZokTDSftBs2V/19lq1wn/ZujYf/DrcN4rKfukDrOrALjUGkQ
l6rXW2xRQlGe9HTJ+ZwVP5FlnSzzRFRSD7sDQvR3Idp6RxFx+oL5sCS0Uptcc3uE
WAHYRzvVbQ/QxXMN3i7CE3dAW5WXrOIGH2o+oRuWnaR//B0iFUy2rxG8yFATSOqV
fGkcWLV4EBY=
=kV34
-----END PGP SIGNATURE-----