
[Xen-devel] Xen Security Advisory 175 (CVE-2016-4962) - Unsanitised guest input in libxl device handling code



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2016-4962 / XSA-175
                              version 5

         Unsanitised guest input in libxl device handling code

UPDATES IN VERSION 5
====================

Public release.

ISSUE DESCRIPTION
=================

Various parts of libxl device-handling code inappropriately use
information from (partially) guest controlled areas of xenstore
(principally the frontend directory
   /local/domain/GUEST/device/TYPE/DEVID,
henceforth referred to as FE).  The problems vary by device type:

For almost all device types (all devices except consoles and
channels), the guest has the ability to completely remove FE.  This
will normally result in the virtual device no longer functioning
(which is bad for the guest and an outcome the guest could achieve
anyway).  But it will also cause the device not to appear in lists of
devices, and prevent the device being properly torn down during domain
destruction (including guest reboot and migration).  When such a
malicious domain is shut down, the host resources associated with the
manipulated devices may remain in use: for example, disk and nic
hotplug teardown scripts will not be run.  For resources allocated in
a manner which excludes other accesses, this can prevent the
operation of that other software on the host (for example, it can
prevent management operations on the underlying objects); for
resources allocated in a nonexclusive manner, the guest can
consume new resources with each successive guest boot, eventually
exhausting capacity.

For all devices other than the main PV console, the guest can write
FE/backend to point to the backend of a device belonging to a
different guest.  On subsequent domain removal (for example, by guest
reboot or migration) libxl uses this value with insufficient checks,
allowing libxl to be tricked into failing to tear down the device
properly.

For almost all device types the backend xenstore path and domid
returned to libxl's caller during query functions servicing the domain
are read from a guest-controlled part of xenstore.  This means that a
guest can cause incorrect displays in tools like xl, and possibly
cause maloperation by higher-level domain management systems.

For all device types, libxl would read the guest-writeable FE/backend
node to find the xenstore path to the backend.  A guest could write a
bad value, which would (mostly) be detected by libxl but would cause
libxl operations (including informational functions) to fail.

For consoles, vtpm and channel devices, libxl would use FE/backend
without checking, to discover important information about the device.
For vtpm devices, this means the guest can manipulate the
apparently-configured uuid.  For channel devices, the guest can
manipulate the apparently-configured channel name.

For channel devices, the guest can trick console attachment tools in
the backend domain into connecting to arbitrary wrong paths on the
backend domain filesystem.
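The common thread in the description above is that the toolstack looked
up the backend path in the guest-writable FE/backend node and acted on
it during listing, query and teardown.  The following C program is an
added illustration of that distinction and is not code from the Xen
patches themselves: it parses a backend path and checks that the domid
in it is the expected backend domain (the 0x7FF0 boundary is the one
Xen's public headers use for reserved domain ids), then contrasts the
pre-fix pattern (use FE/backend verbatim) with a hardened pattern that
acts only on the path the toolstack recorded in its own, guest-unwritable
area when it created the device.  The function names, the enum, the
kRecorded/kTampered sample paths and the fprintf diagnostics are all
assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Real domain ids stop below this value; Xen's public headers reserve
 * 0x7FF0 and up for special ids (DOMID_SELF and friends). */
#define DOMID_FIRST_RESERVED 0x7FF0u

/* Constructed sample values for the demonstration below (hypothetical). */
static const char kRecorded[] = "/local/domain/0/backend/vbd/7/51712"; /* this guest's disk */
static const char kTampered[] = "/local/domain/0/backend/vbd/9/51712"; /* another guest's disk */

/* Parse the backend domid out of a path shaped like
 *   /local/domain/<domid>/backend/<type>/<frontend-domid>/<devid>
 * Returns 0 and stores the domid on success, -1 when the string is not a
 * well-formed backend path (wrong prefix, non-numeric or reserved domid,
 * no "/backend/" component after the domid). */
int backendpath_parse_domid(const char *path, unsigned int *domid_out)
{
    static const char prefix[] = "/local/domain/";
    const char *p;
    char *end;
    unsigned long v;

    if (!path || strncmp(path, prefix, sizeof(prefix) - 1) != 0)
        return -1;
    p = path + sizeof(prefix) - 1;
    if (*p < '0' || *p > '9')   /* strtoul alone would accept " 0", "+0", "-1" */
        return -1;
    v = strtoul(p, &end, 10);
    if (*end != '/' || v >= DOMID_FIRST_RESERVED)
        return -1;
    if (strncmp(end, "/backend/", 9) != 0)
        return -1;
    *domid_out = (unsigned int)v;
    return 0;
}

/* Pre-fix pattern: the backend path is whatever FE/backend currently says,
 * so anything the guest writes there is acted on verbatim. */
const char *untrusted_backend_path(const char *fe_backend)
{
    return fe_backend;
}

enum be_verdict { BE_OK, BE_FE_MISSING, BE_FE_TAMPERED, BE_RECORD_BAD };

/* Hardened pattern.  `recorded` is the backend path the toolstack wrote
 * into its own guest-unwritable xenstore area when it created the device;
 * `fe_backend` is the current content of the guest-writable FE/backend
 * node (NULL if the guest deleted FE).  Teardown always acts on the
 * recorded path, after checking that it names the backend domain we
 * expect; the frontend value is compared only so tampering can be logged. */
enum be_verdict backend_path_for_teardown(const char *recorded,
                                          const char *fe_backend,
                                          unsigned int expected_be_domid,
                                          const char **path_out)
{
    unsigned int domid;

    *path_out = NULL;
    if (!recorded || backendpath_parse_domid(recorded, &domid) != 0 ||
        domid != expected_be_domid) {
        fprintf(stderr, "toolstack record missing or inconsistent: %s\n",
                recorded ? recorded : "(none)");
        return BE_RECORD_BAD;
    }
    *path_out = recorded;
    if (!fe_backend) {
        fprintf(stderr, "frontend directory gone; tearing down %s anyway\n",
                recorded);
        return BE_FE_MISSING;
    }
    if (strcmp(fe_backend, recorded) != 0) {
        fprintf(stderr, "FE/backend rewritten to %s; ignoring, using %s\n",
                fe_backend, recorded);
        return BE_FE_TAMPERED;
    }
    return BE_OK;
}

int main(void)
{
    const char *path;
    /* The guest has pointed its FE/backend node at another guest's backend. */
    enum be_verdict v = backend_path_for_teardown(kRecorded, kTampered, 0, &path);
    printf("unchecked code would tear down: %s\n", untrusted_backend_path(kTampered));
    printf("checked code tears down:        %s (verdict %d)\n", path, (int)v);
    return 0;
}
```

The point of the split return value is operational: BE_FE_MISSING and
BE_FE_TAMPERED are exactly the conditions the advisory describes (FE
removed, FE/backend rewritten), so a toolstack that logs them gives the
host administrator a signal that a guest is manipulating its device
directories, while still tearing down the host-side resources so they
cannot be leaked across successive guest boots.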

IMPACT
======

A malicious guest administrator can cause denial of service by
resource exhaustion.

A malicious guest administrator can confuse and/or deny service to
management facilities.

A malicious guest administrator of a guest configured with channel
devices may be able to escalate their privilege to that of the backend
domain (i.e., normally, to that of the host).

VULNERABLE SYSTEMS
==================

Xen systems using libxl based toolstacks (for example xl or libvirt
with the libxl driver) are vulnerable to denial of service to guests
and administrators.

Xen systems with guests configured with channel devices are possibly
vulnerable to privilege escalation by those guests.

(Channel devices are configured with "channel=" in the xl domain
configuration file.  See
  http://xenbits.xen.org/docs/4.6-testing/misc/channel.txt
for more information.)

MITIGATION
==========

Disabling channel devices in applicable guests will reduce the
impact of the vulnerability.

Limiting the frequency with which a guest is able to reboot, or
limiting or eliminating a guest's ability to be granted exclusive
access to host resources, will reduce the resource exhaustion impact.

CREDITS
=======

This issue was discovered by Wei Liu from Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa175-unstable/*.patch           xen-unstable
xsa175-4.6/*.patch                xen-4.6
xsa175-4.5/*.patch                xen-4.5
xsa175-4.4/*.patch                xen-4.4

$ sha256sum xsa175-*/*
473fdf33f6f26c0655b504e2cc384c20904bcdd713fbacc4236f499a0a6f8ac3  xsa175-unstable/0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch
531b2233581d847f26eeffc5fa7c1428a2f42336aed7943165da881003d4be90  xsa175-unstable/0002-libxl-Provide-libxl__backendpath_parse_domid.patch
cfb45654444a95e80a2b9608448b1092f407b9a9d52436ce49c45978e5e8c310  xsa175-unstable/0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch
361cc95707bba9b1801e4972016ca61ab6d8103f93b0141758112eaa61d9113d  xsa175-unstable/0004-libxl-Do-not-trust-frontend-in-libxl__device_nextid.patch
f21e63a17728e638d4e33e074e5a35fa9eb18f13c0051d9bef0d7849b60de649  xsa175-unstable/0005-libxl-Do-not-trust-frontend-for-disk-eject-event.patch
0fe8d5e65103a9fc2b54692726ab66ddf4004a641e5b6730ee97c7b1621d6543  xsa175-unstable/0006-libxl-Do-not-trust-frontend-for-disk-in-getinfo.patch
dd06e96c10c51829d7489c72d2560a9bbd12dbd727a0bb492810b334d0623296  xsa175-unstable/0007-libxl-Do-not-trust-frontend-for-vtpm-list.patch
64e56d387e418082dbd0088a012e263abda0d452a77ff7c2273cb7425d45fc60  xsa175-unstable/0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch
6e3b59ac930d5210032bf1015782c14bc94881e8734e451e3d5f0c3e794f4d34  xsa175-unstable/0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch
2c9a23f859bf8ecd1800089ca7f9032b24311a90c4cfe38f2a26f5ee6a8443c6  xsa175-unstable/0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch
43d39d6544893c76a91c056543d46a0bfa32cf2891d234815b6a3d43d87fa5ef  xsa175-unstable/0011-libxl-Do-not-trust-frontend-for-channel-in-list.patch
82da838f3daff7f225426b6572e7f7577e821f3546bb1d2ddafd72fbc8839a0d  xsa175-unstable/0012-libxl-Do-not-trust-frontend-for-channel-in-getinfo.patch
e732be8fae0d7c7de487a6a7ab919f2b91005067ce2dcf7083195fb74e2943de  xsa175-unstable/0013-libxl-Do-not-trust-frontend-for-vusb.patch
c44dcbf52358b8747c922257cad3d03cc056ecc03ecd396e50f6b3f6d1cea798  xsa175-4.6/0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch
fd11a983dc1f125901daaa9c9019edb46c3d16a9371399a6e9c9ef4a23b54276  xsa175-4.6/0002-libxl-Provide-libxl__backendpath_parse_domid.patch
f50f7156dc5595d1d1839c225ac8c4bd767511bc6ce4aec5f60b9ab207ea7631  xsa175-4.6/0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch
09b2faa98ec3db11142c17fd4d9e055505f4552ff43e48da4d30ebcbf6b929f4  xsa175-4.6/0004-libxl-Do-not-trust-frontend-in-libxl__device_nextid.patch
4fa05ee839da5bae49e4b403a2d13da802e10f7aa586007da89e73c6fd6719b7  xsa175-4.6/0005-libxl-Do-not-trust-frontend-for-disk-eject-event.patch
92f423b541e9447f0bf37a83bbece2cfe198b1db33ca02cd3f6ca17bad203f2f  xsa175-4.6/0006-libxl-Do-not-trust-frontend-for-disk-in-getinfo.patch
97fb68eda21ab0151e6e240ddde34da0da0e8f11ea448f4603d7ef2326acda70  xsa175-4.6/0007-libxl-Do-not-trust-frontend-for-vtpm-list.patch
9cde88602e13c2964307fa1bc5b1601dc6796d4b9d9b9e49898e1d13470c71ab  xsa175-4.6/0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch
69a19ee15ad266e391b4356a2f6ad3442a905cd06441921ae4e2c2778823f8ae  xsa175-4.6/0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch
51fadcafa1549201d6dd4eda9c3f8b9d2c7cad6851f2aafe3569ec3980c5a256  xsa175-4.6/0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch
dc925af06451392d87f8750b3be2ad60b95be107f2534391063732f1e1b5109a  xsa175-4.6/0011-libxl-Do-not-trust-frontend-for-channel-in-list.patch
57211890bf71f7648f5b3f7a88f79fddb7d3077eb3a1bc3cbd6f910fa324dfd1  xsa175-4.6/0012-libxl-Do-not-trust-frontend-for-channel-in-getinfo.patch
a262c85f9145f71df512338ef1a4b77c05086a894d58ba3d911ea6984bbeaed5  xsa175-4.5/0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch
676806c5713a60f113264298c48c3ac34e3370a6bfb8628d5b8700edfe2415e3  xsa175-4.5/0002-libxl-Provide-libxl__backendpath_parse_domid.patch
50518f86aedf7857ca3644a2f073745017d12263880990cb7f0d4b3b9e264ac5  xsa175-4.5/0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch
e9207a4a35c13061b502935a31ad09cf4ca8048804f1a62d1c1ccfde5ff3432c  xsa175-4.5/0004-libxl-Do-not-trust-frontend-in-libxl__device_nextid.patch
78baa5268af36baa546e4cd8e7f62d830c860ee3051bba5273266ca0f95627ae  xsa175-4.5/0005-libxl-Do-not-trust-frontend-for-disk-eject-event.patch
c59be732bbf602d7d3b5dcbf3a0ca86d6f624585ba2e29f8d0f82c74f7bd33a3  xsa175-4.5/0006-libxl-Do-not-trust-frontend-for-disk-in-getinfo.patch
5c1aa2cc37240cdc4dce5c5067f18c36466d9271ab81c6a7a38d8674b534cd86  xsa175-4.5/0007-libxl-Do-not-trust-frontend-for-vtpm-list.patch
020287ae99d9c049c12087d828ea2d898686ab8600c0f9f8f2042b297ebc968e  xsa175-4.5/0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch
4781d673403b3bb0f43196af1aec52f8769bcf7352afd239d874f381a1d0e9cc  xsa175-4.5/0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch
c6a0fb210488794188924a90df4450e42782f99651b7a016e072a7df7d26d3d6  xsa175-4.5/0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch
3f3eec4f45925a9de39fcfd14e7709b3fc8245425b8ae45213afee1ede2b09a0  xsa175-4.5/0011-libxl-Do-not-trust-frontend-for-channel-in-list.patch
084b0054f223addeab3ff951ac1362b7d48379ddf0556eae9971f1a87507c2d4  xsa175-4.5/0012-libxl-Do-not-trust-frontend-for-channel-in-getinfo.patch
cefe2c82a30227b6538c6924d7d939192be3c481e48ac94c82f4c51f60388570  xsa175-4.4/0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch
f24b26891fac4e8bf8a0939a5b64fc7ad096ef699f1882aad6e96cf81b85fc3e  xsa175-4.4/0002-libxl-Provide-libxl__backendpath_parse_domid.patch
748ea9d369b1f8372d1a4c420e6a9d90f881b7142e7913ed5d72b99c07ac11a0  xsa175-4.4/0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch
9f4011a48b01a36087e019f2c4bcdea91c8f2dabce5bd6b9a4cb7fd70f343c50  xsa175-4.4/0004-libxl-Do-not-trust-frontend-in-libxl__device_nextid.patch
012c86146bbb67c2bb9424ba76294e6c6eca033d932d543e0e58f83e91d79e7b  xsa175-4.4/0005-libxl-Do-not-trust-frontend-for-disk-eject-event.patch
be5665c91b0dfd79c8c4bb35d5adfb719ab23a547479a14aacac9d5f46d77a0f  xsa175-4.4/0006-libxl-Do-not-trust-frontend-for-disk-in-getinfo.patch
9068b9025ad079d1ec1cacc399a72b5dc1836894683b2545274e8b19b795cd60  xsa175-4.4/0007-libxl-Do-not-trust-frontend-for-vtpm-list.patch
b57f96af3c1cac5f56a684afe223b4a977c144daf8d5f2a1e184697cd29fdbe2  xsa175-4.4/0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch
c8941fcf41edae75fa5a1b417d9b457fdd67a5531b6cf75dc16da9d63697c61f  xsa175-4.4/0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch
0641b38b7718d5fa84a8ce12a2bf034273caeb1e372f48b73170b3fd085f169c  xsa175-4.4/0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch
$

NOTE REGARDING EMBARGO LENGTH
=============================

Due to the complexity and centrality of the set of patches, the
security team suggested a three-week embargo rather than the normal
two-week embargo, and the discoverer agreed.

Please do your best to test these patches as thoroughly and as early
as possible, and report any problems.

DEPLOYMENT DURING EMBARGO
=========================

Deployment of patches or mitigations not explicitly allowed below is
NOT permitted (except where all the affected systems and VMs are
administered and used only by organisations which are members of the
Xen Project Security Issues Predisclosure List).  Specifically,
deployment on public cloud systems is NOT permitted.

This is because the patches and mitigations result in guest-visible
changes in the information recorded in xenstore, which might lead a
guest administrator to understand the nature of the vulnerability.

Deployment is permitted only AFTER the embargo ends.

HOWEVER, deployment of the following IS permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators:
  * The patches for XSA-175 EXCEPT for the one patch
       libxl: Do not trust frontend for channel in list
  * The mitigation of limiting reboot frequency

In any case: Distribution of updated software is prohibited (except to
other members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJXUCvtAAoJEIP+FMlX6CvZS7QIAMAUfcPHE/j8eqXCjoToYAfq
/VjLuEaUgHwSeWcsXhJ78p74uCuKty17VUeNQ2A9JZIISiAVbai51Ms4RZsCxYeK
G3XVf8bHZDiLhCS/AaFjS2AMrE/ulV+m5LRd4U0YTykf392s/hT9VKQkdkZh6ryu
S206cu2rDgmABI9mvzDQlhTfgS3Efe7SFmHq63swYzN4CwuKKbdd7EdFuHUio3Qq
QewtQ1UNORTR84vKfiNY/4Bd6Fhwl/0JU5kYKlPskzuM1ItN8wa5E3aou/0S7Cv4
vE0c7oXfIJKyf5zcxBI6T/VJXN3zyM+pAj3i0Hdn6LczRR2kAEnkp60MMr17ICE=
=GCRC
-----END PGP SIGNATURE-----

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
