[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] PATCH: CVE-2007-0998: Remove access to QEMU monitor in VNC server



This patch fixes a security issue present in any Xen 3.0.3 or later when
the VNC server is enabled for a HVM guest.

cf CVE-2007-0998 / the RHEL-5 security errata:

   http://rhn.redhat.com/errata/RHSA-2007-0114.html

The VNC server for HVM guests allows the VNC client to press Ctrl+Alt+2
to switch into the QEMU monitor console. From there a user can map an
arbitrary file from the Dom0 host through to the guest as a cdrom device.
This file is mapped with full read-write privileges to writes to /dev/hdc
in the guest will change the file in the underlying Dom0 host.

So since qemu-dm processes run as root on Dom0, any unprivileged user with
access to a VNC console for a HVM guest can compromise the Dom0 OS. The VNC
password protection offers minimal against this problem since it is trivially
brute forced, although at least XenD is setup to restrict VNC to 127.0.0.1
out of the box. So it is a local-root exploit in out of box config, but is
potentially a remote-root exploit if the admin changed VNC to listen on the
public IP address.

There is no compelling reason to provide access to the QEMU monitor console.
The XenD APIs already allow a user to determine config of a guest VM. The
often quoted use case is to allow changing of the CDROM backing file during
guest installs. This can already be done by root using xenstore-write to
change the file associated with the VDB in xenstore, so QEMU monitor access
is not actually needed. Long term I anticipate XenD itself will have to 
take ownership of the QEMU monitor console connection, since upstream QEMU 
is increasingly providing monitor commands as the primary way for management 
tools to control the VM on the fly. 

The attached patch disables the key code handling the magic Ctrl+Alt+2
sequence used to activate the monitor. The code is now only enabled if
the top level Xen Makefile variable 'debug' is set to 'y' - it defaults
to 'n' to regular production builds will remove access to the QEMU monitor,
while developers can still access if required for debugging purposes.

This is effectively disabling the code added in changeset:

     10742:3e07ec30c44538e7ea55b0da2cb2624036481fc3

Along with a few other minor alteratiosn to the added code.

 Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

Regards,
Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 

Attachment: xen-vnc-monitor-export.patch
Description: Text document

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.