Information
Advisory:       XSA-175
Public release: 2016-06-02 12:00
Updated:        2023-12-15 15:35
Version:        7
CVE(s):         CVE-2016-4962
Title:          Unsanitised guest input in libxl device handling code
Files
advisory-175.txt (signed advisory file)
xsa175-unstable/0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch
xsa175-unstable/0002-libxl-Provide-libxl__backendpath_parse_domid.patch
xsa175-unstable/0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch
xsa175-unstable/0004-libxl-Do-not-trust-frontend-in-libxl__device_nextid.patch
xsa175-unstable/0005-libxl-Do-not-trust-frontend-for-disk-eject-event.patch
xsa175-unstable/0006-libxl-Do-not-trust-frontend-for-disk-in-getinfo.patch
xsa175-unstable/0007-libxl-Do-not-trust-frontend-for-vtpm-list.patch
xsa175-unstable/0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch
xsa175-unstable/0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch
xsa175-unstable/0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch
xsa175-unstable/0011-libxl-Do-not-trust-frontend-for-channel-in-list.patch
xsa175-unstable/0012-libxl-Do-not-trust-frontend-for-channel-in-getinfo.patch
xsa175-unstable/0013-libxl-Do-not-trust-frontend-for-vusb.patch
xsa175-4.6/0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch
xsa175-4.6/0002-libxl-Provide-libxl__backendpath_parse_domid.patch
xsa175-4.6/0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch
xsa175-4.6/0004-libxl-Do-not-trust-frontend-in-libxl__device_nextid.patch
xsa175-4.6/0005-libxl-Do-not-trust-frontend-for-disk-eject-event.patch
xsa175-4.6/0006-libxl-Do-not-trust-frontend-for-disk-in-getinfo.patch
xsa175-4.6/0007-libxl-Do-not-trust-frontend-for-vtpm-list.patch
xsa175-4.6/0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch
xsa175-4.6/0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch
xsa175-4.6/0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch
xsa175-4.6/0011-libxl-Do-not-trust-frontend-for-channel-in-list.patch
xsa175-4.6/0012-libxl-Do-not-trust-frontend-for-channel-in-getinfo.patch
xsa175-4.5/0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch
xsa175-4.5/0002-libxl-Provide-libxl__backendpath_parse_domid.patch
xsa175-4.5/0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch
xsa175-4.5/0004-libxl-Do-not-trust-frontend-in-libxl__device_nextid.patch
xsa175-4.5/0005-libxl-Do-not-trust-frontend-for-disk-eject-event.patch
xsa175-4.5/0006-libxl-Do-not-trust-frontend-for-disk-in-getinfo.patch
xsa175-4.5/0007-libxl-Do-not-trust-frontend-for-vtpm-list.patch
xsa175-4.5/0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch
xsa175-4.5/0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch
xsa175-4.5/0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch
xsa175-4.5/0011-libxl-Do-not-trust-frontend-for-channel-in-list.patch
xsa175-4.5/0012-libxl-Do-not-trust-frontend-for-channel-in-getinfo.patch
xsa175-4.4/0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch
xsa175-4.4/0002-libxl-Provide-libxl__backendpath_parse_domid.patch
xsa175-4.4/0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch
xsa175-4.4/0004-libxl-Do-not-trust-frontend-in-libxl__device_nextid.patch
xsa175-4.4/0005-libxl-Do-not-trust-frontend-for-disk-eject-event.patch
xsa175-4.4/0006-libxl-Do-not-trust-frontend-for-disk-in-getinfo.patch
xsa175-4.4/0007-libxl-Do-not-trust-frontend-for-vtpm-list.patch
xsa175-4.4/0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch
xsa175-4.4/0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch
xsa175-4.4/0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch
Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Xen Security Advisory CVE-2016-4962 / XSA-175
version 7
Unsanitised guest input in libxl device handling code
UPDATES IN VERSION 7
====================
Normalize version tags
ISSUE DESCRIPTION
=================
Various parts of libxl device-handling code inappropriately use
information from (partially) guest controlled areas of xenstore
(principally the frontend directory
/local/domain/GUEST/device/TYPE/DEVID,
henceforth referred to as FE). The problems vary by device type:
For almost all device types (all devices except consoles and
channels), the guest has the ability to completely remove FE. This
will normally result in the virtual device no longer functioning
(which is bad for the guest and an outcome the guest could achieve
anyway). But it will also cause the device not to appear in lists of
devices, and prevent the device being properly torn down during domain
destruction (including guest reboot and migration). When such a
malicious domain is shut down, the host resources associated with the
manipulated devices may remain in use: for example, disk and nic
hotplug teardown scripts will not be run. For resources allocated in
a manner which excludes some other accesses, this can prevent the
operation of that other software on the host (for example, it can
prevent management operations on the underlying objects); for
resources allocated in a nonexclusive manner, the guest can
consume new resources with each successive guest boot, eventually
exhausting capacity.
For all devices other than the main PV console, the guest can write
FE/backend to point to the backend of a device belonging to a
different guest. On subsequent domain removal (for example, by guest
reboot or migration) libxl uses this value with insufficient checks,
allowing libxl to be tricked into failing to tear down the device
properly.
For almost all device types the backend xenstore path and domid
returned to libxl's caller during query functions servicing the domain
are read from a guest-controlled part of xenstore. This means that a
guest can cause incorrect displays in tools like xl, and possibly
cause maloperation by higher-level domain management systems.
For all device types, libxl would read the guest-writeable FE/backend
node to find the xenstore path to the backend. A guest could write a
bad value, which would (mostly) be detected by libxl but would cause
libxl operations (including informational functions) to fail.
For consoles, vtpm and channel devices, libxl would use FE/backend
without checking, to discover important information about the device.
For vtpm devices, this means the guest can manipulate the
apparently-configured uuid. For channel devices, the guest can
manipulate the apparently-configured channel name.
For channel devices, the guest can trick console attachment tools in
the backend domain into connecting to arbitrary wrong paths on the
backend domain filesystem.
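The two failure modes above (a guest deleting its FE directory so the device vanishes from enumeration and teardown, and a guest rewriting FE/backend so teardown lands on another domain's backend) come down to one rule: the toolstack must locate backends from state it wrote itself, not from the frontend directory. The following is an added example written for this page, not libxl's code and not the XSA-175 patches. It models xenstore as a flat table of constructed nodes, assumes a toolstack-private record at /libxl/DOMID/device/TYPE/DEVID/{backend,frontend} (the real layout may differ), uses an assumed DOMID_LIMIT as the upper bound for real domain ids, and adds a back-reference check (the backend's own "frontend" node must name this device) that is this example's choice, not something the advisory specifies.

```c
/*
 * Added example, not libxl code: a toy model of the XSA-175 trust boundary.
 * Real xenstore is a permissioned tree; here it is a flat table of constructed
 * nodes. The guest may write or delete anything under /local/domain/GUEST/device
 * (the FE directory); the /libxl/GUEST records and the backend directories are
 * not guest-writable. The /libxl layout and DOMID_LIMIT are assumptions.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DOMID_LIMIT 0x7FF0u   /* assumed upper bound for real domain ids */
struct xs_node { const char *path; const char *value; };

/* Constructed snapshot: guest 7 has rewritten vif/0's FE/backend to point at
 * dom9's nic and has deleted the entire FE directory of vif/1. */
const struct xs_node sample_store[] = {
    {"/libxl/7/device/vif/0/backend",  "/local/domain/0/backend/vif/7/0"},
    {"/libxl/7/device/vif/0/frontend", "/local/domain/7/device/vif/0"},
    {"/libxl/7/device/vif/1/backend",  "/local/domain/0/backend/vif/7/1"},
    {"/libxl/7/device/vif/1/frontend", "/local/domain/7/device/vif/1"},
    {"/local/domain/7/device/vif/0/backend", "/local/domain/0/backend/vif/9/0"},
    {"/local/domain/0/backend/vif/7/0/frontend", "/local/domain/7/device/vif/0"},
    {"/local/domain/0/backend/vif/7/1/frontend", "/local/domain/7/device/vif/1"},
    {"/local/domain/0/backend/vif/9/0/frontend", "/local/domain/9/device/vif/0"},
    {NULL, NULL}
};

const char *xs_read(const struct xs_node *store, const char *path)
{
    for (; store->path; store++)
        if (strcmp(store->path, path) == 0) return store->value;
    return NULL;
}

/* 1 if any node lives under dir (dir ends in '/'): the "is it listed?" test. */
int xs_dir_exists(const struct xs_node *store, const char *dir)
{
    size_t n = strlen(dir);
    for (; store->path; store++)
        if (strncmp(store->path, dir, n) == 0) return 1;
    return 0;
}

/* Strict parse of "/local/domain/<domid>/...": the domid on success, -1 for a
 * leading sign or space, no digits, no '/' after them, or an id out of range,
 * i.e. anything the toolstack itself would never have written. */
long backendpath_parse_domid(const char *be_path)
{
    static const char prefix[] = "/local/domain/";
    const char *p = be_path + sizeof(prefix) - 1;
    char *end;
    unsigned long v;
    if (strncmp(be_path, prefix, sizeof(prefix) - 1) != 0) return -1;
    if (*p < '0' || *p > '9') return -1;   /* strtoul alone accepts " 7", "+7", "-7" */
    v = strtoul(p, &end, 10);
    if (*end != '/' || v >= DOMID_LIMIT) return -1;
    return (long)v;
}

/* Vulnerable pattern: the backend to tear down is whatever FE/backend says. */
const char *backend_from_frontend(const struct xs_node *store, unsigned domid,
                                  const char *type, int devid)
{
    char fe[128];
    snprintf(fe, sizeof fe, "/local/domain/%u/device/%s/%d/backend", domid, type, devid);
    return xs_read(store, fe);
}

/* Hardened pattern: take the backend path from the toolstack-owned /libxl
 * record, require it to parse, and require the backend's own "frontend" node
 * to point back at this device, so a stale or foreign backend is rejected. */
const char *backend_from_libxl(const struct xs_node *store, unsigned domid,
                               const char *type, int devid)
{
    char key[128], fe_expected[128], be_fe_key[256];
    const char *be, *be_fe;
    snprintf(key, sizeof key, "/libxl/%u/device/%s/%d/backend", domid, type, devid);
    be = xs_read(store, key);
    if (!be || backendpath_parse_domid(be) < 0) return NULL;
    snprintf(fe_expected, sizeof fe_expected, "/local/domain/%u/device/%s/%d", domid, type, devid);
    snprintf(be_fe_key, sizeof be_fe_key, "%s/frontend", be);
    be_fe = xs_read(store, be_fe_key);
    return (be_fe && strcmp(be_fe, fe_expected) == 0) ? be : NULL;
}

int main(void)
{
    printf("vif/0 via FE/backend: %s (dom9's nic)\n", backend_from_frontend(sample_store, 7, "vif", 0));
    printf("vif/0 via /libxl    : %s\n", backend_from_libxl(sample_store, 7, "vif", 0));
    printf("vif/1 listed via FE: %d, via /libxl: %d\n",
           xs_dir_exists(sample_store, "/local/domain/7/device/vif/1/"),
           xs_dir_exists(sample_store, "/libxl/7/device/vif/1/"));
    return 0;
}
```

Run against the constructed snapshot, the FE-based lookup hands back dom9's backend for vif/0 and finds nothing at all for vif/1, which is exactly the "wrong device torn down" and "device silently leaked" outcomes described above; the /libxl-based lookup returns the correct backend for both. The strict domid parser matters on its own: a path such as "/local/domain/+7/..." or "/local/domain/ 7/..." is accepted by sscanf-style "%u" parsing, so a check that the path came from toolstack-owned state is only as good as the parser behind it.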
IMPACT
======
A malicious guest administrator can cause denial of service by
resource exhaustion.
A malicious guest administrator can confuse and/or deny service to
management facilities.
A malicious guest administrator of a guest configured with channel
devices may be able to escalate their privilege to that of the backend
domain (i.e., normally, to that of the host).
VULNERABLE SYSTEMS
==================
Xen systems using libxl based toolstacks (for example xl or libvirt
with the libxl driver) are vulnerable to denial of service to guests
and administrators.
Xen systems with guests configured with channel devices are possibly
vulnerable to privilege escalation by those guests.
(Channel devices are configured with "channel=" in the xl domain
configuration file. See
http://xenbits.xen.org/docs/4.6-testing/misc/channel.txt
for more information.)
MITIGATION
==========
Disabling channel devices in applicable guests will reduce the
impact of the vulnerability.
Limiting the frequency with which a guest is able to reboot, or
limiting or eliminating a guest's ability to be granted exclusive
access to host resources, will reduce the resource exhaustion impact.
CREDITS
=======
This issue was discovered by Wei Liu from Citrix.
RESOLUTION
==========
Applying the appropriate attached patch resolves this issue.
xsa175-unstable/*.patch xen-unstable
xsa175-4.6/*.patch Xen 4.6
xsa175-4.5/*.patch Xen 4.5
xsa175-4.4/*.patch Xen 4.4
For Xen 4.3, patches are available in xen.git#staging-4.3. They are
currently undergoing testing by the Xen Project CI system, osstest:
xen.git commits 0376b6bb2a89..5811d6bdf5bb Xen 4.3
See:
http://xenbits.xen.org/gitweb/?p=xen.git;a=summary
git://xenbits.xen.org/xen.git
http://xenbits.xen.org/git-http/xen.git
$ sha256sum xsa175-*/*
473fdf33f6f26c0655b504e2cc384c20904bcdd713fbacc4236f499a0a6f8ac3 xsa175-unstable/0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch
531b2233581d847f26eeffc5fa7c1428a2f42336aed7943165da881003d4be90 xsa175-unstable/0002-libxl-Provide-libxl__backendpath_parse_domid.patch
cfb45654444a95e80a2b9608448b1092f407b9a9d52436ce49c45978e5e8c310 xsa175-unstable/0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch
361cc95707bba9b1801e4972016ca61ab6d8103f93b0141758112eaa61d9113d xsa175-unstable/0004-libxl-Do-not-trust-frontend-in-libxl__device_nextid.patch
f21e63a17728e638d4e33e074e5a35fa9eb18f13c0051d9bef0d7849b60de649 xsa175-unstable/0005-libxl-Do-not-trust-frontend-for-disk-eject-event.patch
0fe8d5e65103a9fc2b54692726ab66ddf4004a641e5b6730ee97c7b1621d6543 xsa175-unstable/0006-libxl-Do-not-trust-frontend-for-disk-in-getinfo.patch
dd06e96c10c51829d7489c72d2560a9bbd12dbd727a0bb492810b334d0623296 xsa175-unstable/0007-libxl-Do-not-trust-frontend-for-vtpm-list.patch
64e56d387e418082dbd0088a012e263abda0d452a77ff7c2273cb7425d45fc60 xsa175-unstable/0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch
6e3b59ac930d5210032bf1015782c14bc94881e8734e451e3d5f0c3e794f4d34 xsa175-unstable/0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch
2c9a23f859bf8ecd1800089ca7f9032b24311a90c4cfe38f2a26f5ee6a8443c6 xsa175-unstable/0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch
43d39d6544893c76a91c056543d46a0bfa32cf2891d234815b6a3d43d87fa5ef xsa175-unstable/0011-libxl-Do-not-trust-frontend-for-channel-in-list.patch
82da838f3daff7f225426b6572e7f7577e821f3546bb1d2ddafd72fbc8839a0d xsa175-unstable/0012-libxl-Do-not-trust-frontend-for-channel-in-getinfo.patch
e732be8fae0d7c7de487a6a7ab919f2b91005067ce2dcf7083195fb74e2943de xsa175-unstable/0013-libxl-Do-not-trust-frontend-for-vusb.patch
c44dcbf52358b8747c922257cad3d03cc056ecc03ecd396e50f6b3f6d1cea798 xsa175-4.6/0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch
fd11a983dc1f125901daaa9c9019edb46c3d16a9371399a6e9c9ef4a23b54276 xsa175-4.6/0002-libxl-Provide-libxl__backendpath_parse_domid.patch
f50f7156dc5595d1d1839c225ac8c4bd767511bc6ce4aec5f60b9ab207ea7631 xsa175-4.6/0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch
09b2faa98ec3db11142c17fd4d9e055505f4552ff43e48da4d30ebcbf6b929f4 xsa175-4.6/0004-libxl-Do-not-trust-frontend-in-libxl__device_nextid.patch
4fa05ee839da5bae49e4b403a2d13da802e10f7aa586007da89e73c6fd6719b7 xsa175-4.6/0005-libxl-Do-not-trust-frontend-for-disk-eject-event.patch
92f423b541e9447f0bf37a83bbece2cfe198b1db33ca02cd3f6ca17bad203f2f xsa175-4.6/0006-libxl-Do-not-trust-frontend-for-disk-in-getinfo.patch
97fb68eda21ab0151e6e240ddde34da0da0e8f11ea448f4603d7ef2326acda70 xsa175-4.6/0007-libxl-Do-not-trust-frontend-for-vtpm-list.patch
9cde88602e13c2964307fa1bc5b1601dc6796d4b9d9b9e49898e1d13470c71ab xsa175-4.6/0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch
69a19ee15ad266e391b4356a2f6ad3442a905cd06441921ae4e2c2778823f8ae xsa175-4.6/0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch
51fadcafa1549201d6dd4eda9c3f8b9d2c7cad6851f2aafe3569ec3980c5a256 xsa175-4.6/0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch
dc925af06451392d87f8750b3be2ad60b95be107f2534391063732f1e1b5109a xsa175-4.6/0011-libxl-Do-not-trust-frontend-for-channel-in-list.patch
57211890bf71f7648f5b3f7a88f79fddb7d3077eb3a1bc3cbd6f910fa324dfd1 xsa175-4.6/0012-libxl-Do-not-trust-frontend-for-channel-in-getinfo.patch
a262c85f9145f71df512338ef1a4b77c05086a894d58ba3d911ea6984bbeaed5 xsa175-4.5/0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch
676806c5713a60f113264298c48c3ac34e3370a6bfb8628d5b8700edfe2415e3 xsa175-4.5/0002-libxl-Provide-libxl__backendpath_parse_domid.patch
50518f86aedf7857ca3644a2f073745017d12263880990cb7f0d4b3b9e264ac5 xsa175-4.5/0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch
e9207a4a35c13061b502935a31ad09cf4ca8048804f1a62d1c1ccfde5ff3432c xsa175-4.5/0004-libxl-Do-not-trust-frontend-in-libxl__device_nextid.patch
78baa5268af36baa546e4cd8e7f62d830c860ee3051bba5273266ca0f95627ae xsa175-4.5/0005-libxl-Do-not-trust-frontend-for-disk-eject-event.patch
c59be732bbf602d7d3b5dcbf3a0ca86d6f624585ba2e29f8d0f82c74f7bd33a3 xsa175-4.5/0006-libxl-Do-not-trust-frontend-for-disk-in-getinfo.patch
5c1aa2cc37240cdc4dce5c5067f18c36466d9271ab81c6a7a38d8674b534cd86 xsa175-4.5/0007-libxl-Do-not-trust-frontend-for-vtpm-list.patch
020287ae99d9c049c12087d828ea2d898686ab8600c0f9f8f2042b297ebc968e xsa175-4.5/0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch
4781d673403b3bb0f43196af1aec52f8769bcf7352afd239d874f381a1d0e9cc xsa175-4.5/0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch
c6a0fb210488794188924a90df4450e42782f99651b7a016e072a7df7d26d3d6 xsa175-4.5/0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch
3f3eec4f45925a9de39fcfd14e7709b3fc8245425b8ae45213afee1ede2b09a0 xsa175-4.5/0011-libxl-Do-not-trust-frontend-for-channel-in-list.patch
084b0054f223addeab3ff951ac1362b7d48379ddf0556eae9971f1a87507c2d4 xsa175-4.5/0012-libxl-Do-not-trust-frontend-for-channel-in-getinfo.patch
cefe2c82a30227b6538c6924d7d939192be3c481e48ac94c82f4c51f60388570 xsa175-4.4/0001-libxl-Record-backend-frontend-paths-in-libxl-DOMID.patch
f24b26891fac4e8bf8a0939a5b64fc7ad096ef699f1882aad6e96cf81b85fc3e xsa175-4.4/0002-libxl-Provide-libxl__backendpath_parse_domid.patch
748ea9d369b1f8372d1a4c420e6a9d90f881b7142e7913ed5d72b99c07ac11a0 xsa175-4.4/0003-libxl-Do-not-trust-frontend-in-libxl__devices_destro.patch
9f4011a48b01a36087e019f2c4bcdea91c8f2dabce5bd6b9a4cb7fd70f343c50 xsa175-4.4/0004-libxl-Do-not-trust-frontend-in-libxl__device_nextid.patch
012c86146bbb67c2bb9424ba76294e6c6eca033d932d543e0e58f83e91d79e7b xsa175-4.4/0005-libxl-Do-not-trust-frontend-for-disk-eject-event.patch
be5665c91b0dfd79c8c4bb35d5adfb719ab23a547479a14aacac9d5f46d77a0f xsa175-4.4/0006-libxl-Do-not-trust-frontend-for-disk-in-getinfo.patch
9068b9025ad079d1ec1cacc399a72b5dc1836894683b2545274e8b19b795cd60 xsa175-4.4/0007-libxl-Do-not-trust-frontend-for-vtpm-list.patch
b57f96af3c1cac5f56a684afe223b4a977c144daf8d5f2a1e184697cd29fdbe2 xsa175-4.4/0008-libxl-Do-not-trust-frontend-for-vtpm-in-getinfo.patch
c8941fcf41edae75fa5a1b417d9b457fdd67a5531b6cf75dc16da9d63697c61f xsa175-4.4/0009-libxl-Do-not-trust-frontend-for-nic-in-libxl_devid_t.patch
0641b38b7718d5fa84a8ce12a2bf034273caeb1e372f48b73170b3fd085f169c xsa175-4.4/0010-libxl-Do-not-trust-frontend-for-nic-in-getinfo.patch
$
NOTE REGARDING EMBARGO LENGTH
=============================
Due to the complexity and centrality of the set of patches, the
security team suggested a three-week embargo rather than the normal
two-week embargo, and the discoverer agreed.
Please do your best to test these patches as thoroughly and as early
as possible, and report any problems.
DEPLOYMENT DURING EMBARGO
=========================
Deployment of patches or mitigations not explicitly allowed below is
NOT permitted (except where all the affected systems and VMs are
administered and used only by organisations which are members of the
Xen Project Security Issues Predisclosure List). Specifically,
deployment on public cloud systems is NOT permitted.
This is because the patches and mitigations result in guest-visible
changes in the information recorded in xenstore, which might lead a
guest administrator to understand the nature of the vulnerability.
Deployment is permitted only AFTER the embargo ends.
HOWEVER, deployment of the following IS permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators:
* The patches for XSA-175 EXCEPT for the one patch
libxl: Do not trust frontend for channel in list
* The mitigation of limiting reboot frequency
In any case: Distribution of updated software is prohibited (except to
other members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmV8b/IMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZo5gIAI0BWDCqmlgCy1ePjkhCXuv0vR6Zm6+9vSP8N4Yl
i77xYMJisquShV67s7lEWLHl45wkEltdBgDrmyEIS1OCYLXuO3VBYl49GJDk+wjF
UIJN5oK6cB6Sy0pXU+dMQV6nr/fVLAWxfqQ0FBvDFWgSn+O2WD4mpqduJNfcumW5
FcaU0rTk3nNK+VLZEClrTpIGDAVFR7sM7UiOCS7ixwCZ8ZS3Yny+kgY+u7gXSN3q
XIrQD2FkDDQHE5ivClVaTNwK1YWPrxIMCfv//FTyySA5sGp4WoPw7VQyQbZGZSDE
2iuKWjOFjhisobA52N5vGHXXVzIZaOI8eN6p+yNudyUbc1Q=
=G3tx
-----END PGP SIGNATURE-----
Xenproject.org Security Team