Bug 823608 (CVE-2013-2211) - VUL-0: CVE-2013-2211: xen: XSA-57: libxl allows guest write access to sensitive console related xenstore keys
Summary: VUL-0: CVE-2013-2211: xen: XSA-57: libxl allows guest write access to sensiti...
Status: RESOLVED FIXED
Alias: CVE-2013-2211
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:running:53511:important maint:...
Keywords:
Depends on:
Blocks:
 
Reported: 2013-06-06 08:04 UTC by Alexander Bergmann
Modified: 2014-03-25 22:09 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
XSA-57 unstable fix (15.45 KB, patch)
2013-06-06 08:08 UTC, Alexander Bergmann

Description Alexander Bergmann 2013-06-06 08:04:47 UTC
EMBARGOED UNTIL 2013-06-20 12:00 UTC

via xen-security-issues@lists.xen.org

Date: Thu, 06 Jun 2013 13:41:58 +0000
From: "Xen.org security team" <security@xen.org>
Subject: [security@suse.de] Xen Security Advisory 57 - libxl allows guest write access to sensitive console related xenstore keys


                     Xen Security Advisory XSA-57

 libxl allows guest write access to sensitive console related xenstore keys

             *** EMBARGOED UNTIL 2013-06-20 12:00 UTC ***

ISSUE DESCRIPTION
=================

The libxenlight (libxl) toolstack library does not correctly set
permissions on xenstore keys relating to paravirtualised and emulated
serial console devices. This could allow a malicious guest
administrator to change values in xenstore which the host later relies
on being implicitly trusted.

This vulnerability has not yet been assigned a CVE Candidate number by
MITRE.  We will issue an updated version of XSA-57 when this is
available.

IMPACT
======

A malicious guest administrator can read and write any files in the
host filesystem which are accessible to the user id running the
xenconsole client binary. This may be the user id of a host
administrator who connects to the guest's console or the user id of
any self service mechanism provided to guest administrators by the
host provider.

As well as reading and writing files an attacker with access to an HVM
guest can cause any PV or serial consoles to be connected to a variety
of network resources (sockets, udp connections) or other end points
(fifo, pipes) in the host filesystem according to the privileges
granted to the qemu device model for that guest.

A malicious guest administrator can also redirect the VNC console
port of the guest to another port on the host. This may expose the VNC
port of other guests or of other firewalled services to an attack.

VULNERABLE SYSTEMS
==================

All systems which use libxl as part of the toolstack are vulnerable.

libxl is present in Xen versions 4.0 onwards.

The major consumer of libxl functionality is the xl toolstack which
became the default in Xen 4.2.

In addition to this libvirt can optionally make use of libxl. This can
be queried with
        # virsh version

Which will report "xenlight" if libxl is in use. libvirt currently
prefers the xend backend if xend is running.

The xend and xapi toolstacks do not currently use libxl.

MITIGATION
==========

Host administrators can start a domain paused and manually correct the
xenstore permissions of the relevant nodes.

A domain can be started in the paused state with xl by using
    # xl create -p <cfg>

A domain's domid can then be determined with:
    # xl domid <name>

If using libvirt then virsh can be used instead:
    # virsh start --paused <name>
    # virsh domid <name>

For a domain $DOMID the following command will recursively correct the
permissions for the primary PV console:

    # xenstore-chmod -r /local/domain/$DOMID/console n0 r$DOMID

If the domain uses a device model stubdomain then it will also be
necessary to fix the permissions for the stubdomain. The stubdomain is
named "<name>-dm". Assuming its domain ID is $DMDOM:

    # xenstore-chmod -r /local/domain/$DMDOM/console n0 r$DMDOM

In addition a stub domain has three secondary PV consoles which must be
fixed, however in this case the "state" and "protocol" nodes along
with the device node itself should not be restricted. For each device
$D in [1,2,3]:

    # xenstore-chmod -r /local/domain/$DMDOM/device/console/$D n0 r$DMDOM
    # xenstore-chmod /local/domain/$DMDOM/device/console/$D/state n$DMDOM r0
    # xenstore-chmod /local/domain/$DMDOM/device/console/$D/protocol n$DMDOM r0
    # xenstore-chmod /local/domain/$DMDOM/device/console/$D n$DMDOM r0

The current permissions can be listed with
    # xenstore-ls -fp <PATH>

Once the permissions are fixed you may unpause the domain with
    # xl unpause <domain>
or with virsh:
    # virsh resume <domain>

The permissions can also be corrected on a live system if they are
then manually validated to be non-malicious.

See http://wiki.xen.org/wiki/XenBus#Permissions for information on the
permissions syntax.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsaXX-4.2.patch             Xen 4.2.x, xen-unstable
xsaXX-unstable.patch        xen-unstable

$ sha256sum xsa57-*.patch
428a1d42f4314404cde339a78a59422bf4f0590c4d16ea8adc83425fe5eede3d  xsa57-4.1.patch
b6a5106848541972519cc529859d9ff3083c79367276c7031560fa4ce6f9f770  xsa57-4.2.patch
d329f56c30f7a4f91906658ea661234d2ca31b74ee68257bf009072999b3d3ef  xsa57-unstable.patch
$
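An audit helper for the mitigation above, added here as an example and not part of the advisory or the Xen tools: it reads `xenstore-ls -fp` output and lists every node under a guest's primary console that the guest itself could still write, so a host administrator can confirm that the `xenstore-chmod -r ... n0 r$DOMID` step took effect. The sample listing is constructed, and the `(owner,perm,...)` suffix layout of `xenstore-ls -p` is assumed.

```shell
#!/bin/sh
# XSA-57 mitigation check: which console nodes can guest DOMID still write?
# A node is guest-writable if the guest owns it (n$DOMID) or holds an
# explicit write (w) or read-write (b) entry. The safe layout after the
# advisory's xenstore-chmod is: owner dom0 (n0), guest read-only (r$DOMID).

# Constructed sample of `xenstore-ls -fp /local/domain/7/console` output
# (assumed format: full path, value, then permissions in parentheses).
# Two nodes are still owned by the guest and must be corrected.
SAMPLE_LS='/local/domain/7/console = ""  (n0,r7)
/local/domain/7/console/ring-ref = "1234"  (n0,r7)
/local/domain/7/console/port = "5"  (n0,r7)
/local/domain/7/console/tty = "/dev/pts/3"  (n7,r0)
/local/domain/7/console/type = "xenconsoled"  (n7,r0)
/local/domain/7/console/vnc-port = "5901"  (n0,r7)
/local/domain/7/console/limit = "1048576"  (n0,r7)'

# Usage on a live host:
#   xenstore-ls -fp /local/domain/$DOMID/console | guest_writable_console_nodes $DOMID
# Prints one xenstore path per guest-writable node; prints nothing when clean.
guest_writable_console_nodes() {
    domid="$1"
    awk -v d="$domid" '
        # Trailing "(n0,r7)" field carries owner then per-domain perms.
        match($0, /\([^)]*\)[ \t]*$/) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            sub(/\)[ \t]*$/, "", perms)
            n = split(perms, p, ",")
            owner = substr(p[1], 2)
            writable = (owner == d)          # owner always has full access
            for (i = 2; i <= n; i++) {
                mode = substr(p[i], 1, 1); id = substr(p[i], 2)
                if (id == d && (mode == "w" || mode == "b")) writable = 1
            }
            if (writable) { path = $1; sub(/:$/, "", path); print path }
        }'
}

# Returns 0 when the constructed sample has no guest-writable node, 1 otherwise.
audit_sample() {
    bad=$(printf '%s\n' "$SAMPLE_LS" | guest_writable_console_nodes 7)
    [ -z "$bad" ]
}
```

Any path it prints is a candidate for the advisory's `xenstore-chmod` step, after the host administrator has checked that the node's current value is not malicious.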
Comment 1 Alexander Bergmann 2013-06-06 08:06:54 UTC
Created attachment 543057 [details]
XSA-57 4.1.x fix
Comment 2 Alexander Bergmann 2013-06-06 08:07:30 UTC
Created attachment 543058 [details]
XSA-57 4.2.x fix
Comment 3 Alexander Bergmann 2013-06-06 08:08:11 UTC
Created attachment 543059 [details]
XSA-57 unstable fix
Comment 4 Swamp Workflow Management 2013-06-06 16:00:17 UTC
bugbot adjusting priority
Comment 5 Alexander Bergmann 2013-06-21 04:13:10 UTC
now public
Comment 6 Alexander Bergmann 2013-06-25 16:25:59 UTC
CVE-2013-2211 was assigned.
Comment 7 Charles Arnold 2013-07-12 16:09:58 UTC
Swamp: 53511

Xen and Libvirt have been submitted with the following requests;

Xen: SR#27695
Libvirt: SR#27703
Comment 8 Swamp Workflow Management 2013-08-09 10:56:08 UTC
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-tools, xen-tools-domU
Products:
SLE-DEBUGINFO 11-SP3 (i386, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, x86_64)
Comment 9 Marcus Meissner 2013-08-12 10:59:07 UTC
opensuse affected still
Comment 10 Swamp Workflow Management 2013-08-30 14:08:51 UTC
openSUSE-SU-2013:1392-1: An update that solves 12 vulnerabilities and has 7 fixes is now available.

Category: security (moderate)
Bug References: 801663,803712,809662,813673,813675,813677,814709,816156,816159,816163,819416,820917,820919,820920,823011,823608,823786,824676,826882
CVE References: CVE-2013-1432,CVE-2013-1917,CVE-2013-1918,CVE-2013-1919,CVE-2013-1920,CVE-2013-1952,CVE-2013-1964,CVE-2013-2072,CVE-2013-2076,CVE-2013-2077,CVE-2013-2078,CVE-2013-2211
Sources used:
openSUSE 12.2 (src):    xen-4.1.5_04-5.29.1
Comment 11 Swamp Workflow Management 2013-09-04 13:10:09 UTC
openSUSE-SU-2013:1404-1: An update that solves 13 vulnerabilities and has 13 fixes is now available.

Category: security (moderate)
Bug References: 797285,797523,801663,802221,808085,808269,809662,813673,813675,814059,814709,816159,816163,817068,817210,817799,817904,818183,819416,820917,820919,820920,823011,823608,824676,826882
CVE References: CVE-2012-6075,CVE-2013-0151,CVE-2013-1432,CVE-2013-1917,CVE-2013-1918,CVE-2013-1919,CVE-2013-1922,CVE-2013-1952,CVE-2013-2007,CVE-2013-2072,CVE-2013-2076,CVE-2013-2077,CVE-2013-2078
Sources used:
openSUSE 12.3 (src):    xen-4.2.2_06-1.16.1
Comment 12 Swamp Workflow Management 2013-11-19 13:06:07 UTC
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-tools, xen-tools-domU
Products:
SLE-DEBUGINFO 11-SP2 (i386, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SDK 11-SP2 (i386, x86_64)
SLE-SERVER 11-SP2 (i386, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Comment 13 Swamp Workflow Management 2013-11-29 16:05:26 UTC
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-libs, xen-tools, xen-tools-domU
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 14 Marcus Meissner 2013-12-04 16:58:16 UTC
done
Comment 15 Swamp Workflow Management 2014-03-25 18:48:28 UTC
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-tools, xen-tools-domU
Products:
SLE-DEBUGINFO 11-SP1 (i386, x86_64)
SLE-SERVER 11-SP1-LTSS (i386, x86_64)
Comment 16 Swamp Workflow Management 2014-03-25 22:09:22 UTC
SUSE-SU-2014:0446-1: An update that fixes 47 vulnerabilities is now available.

Category: security (important)
Bug References: 777628,777890,779212,786516,786517,786519,786520,787163,789944,789945,789948,789950,789951,794316,797031,797523,800275,805094,813673,813675,813677,816156,816159,816163,819416,820917,820919,823011,823608,826882,831120,839596,839618,840592,841766,842511,848657,849667,849668,853049,860163
CVE References: CVE-2006-1056,CVE-2007-0998,CVE-2012-3497,CVE-2012-4411,CVE-2012-4535,CVE-2012-4537,CVE-2012-4538,CVE-2012-4539,CVE-2012-4544,CVE-2012-5510,CVE-2012-5511,CVE-2012-5513,CVE-2012-5514,CVE-2012-5515,CVE-2012-5634,CVE-2012-6075,CVE-2012-6333,CVE-2013-0153,CVE-2013-0154,CVE-2013-1432,CVE-2013-1442,CVE-2013-1917,CVE-2013-1918,CVE-2013-1919,CVE-2013-1920,CVE-2013-1952,CVE-2013-1964,CVE-2013-2072,CVE-2013-2076,CVE-2013-2077,CVE-2013-2194,CVE-2013-2195,CVE-2013-2196,CVE-2013-2211,CVE-2013-2212,CVE-2013-4329,CVE-2013-4355,CVE-2013-4361,CVE-2013-4368,CVE-2013-4494,CVE-2013-4553,CVE-2013-4554,CVE-2013-6885,CVE-2014-1891,CVE-2014-1892,CVE-2014-1893,CVE-2014-1894
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    xen-4.0.3_21548_16-0.5.1