Xen Security Advisory CVE-2015-5154 / XSA-138
version 2

QEMU heap overflow flaw while processing certain ATAPI commands.

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The QEMU security team has predisclosed the following advisory:

A heap overflow flaw was found in the way QEMU's IDE subsystem handled I/O buffer access while processing certain ATAPI commands. A privileged guest user in a guest with a CDROM drive enabled could potentially use this flaw to execute arbitrary code on the host with the privileges of the host's QEMU process corresponding to the guest.

IMPACT
======

An HVM guest which has access to an emulated IDE CDROM device (e.g. with a device with "devtype=cdrom", or the "cdrom" convenience alias, in the VBD configuration) can exploit this vulnerability to take over the qemu process, elevating its privilege to that of the qemu process.

VULNERABLE SYSTEMS
==================

All Xen systems running x86 HVM guests without stubdomains which have been configured with an emulated CD-ROM driver model are vulnerable.

Systems using qemu-dm stubdomain device models (for example, by specifying "device_model_stubdomain_override=1" in xl's domain configuration files) are NOT vulnerable.

Both the traditional ("qemu-xen-traditional") and upstream-based ("qemu-xen") qemu device models are potentially vulnerable.

Systems running only PV guests are NOT vulnerable.

ARM systems are NOT vulnerable.

MITIGATION
==========

Avoiding the use of emulated CD-ROM devices altogether, by not specifying such devices in the domain configuration, will avoid this issue.

Enabling stubdomains will mitigate this issue, by reducing the escalation to only those privileges accorded to the service domain. qemu-dm stubdomains are only available with "qemu-xen-traditional".

CREDITS
=======

This issue was discovered by Kevin Wolf of Red Hat.
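The exposure conditions above (x86 HVM guest, an emulated CD-ROM in the disk list, no qemu-dm stubdomain) can be checked mechanically across a fleet of xl domain configuration files. The following is an added example, not part of the advisory or of the Xen tooling; the configurations are constructed samples and the classification labels ("exposed", "stubdom-mitigated", "no-cdrom", "not-hvm") are this example's own.

```python
import re

# Constructed sample xl domain configurations (not taken from the advisory).
CFG_EXPOSED = """
builder = "hvm"
name = "guest-a"
disk = [ 'file:/var/images/a.img,xvda,w',
         'file:/var/iso/install.iso,hdc:cdrom,r' ]
"""
CFG_STUBDOM = """
builder = "hvm"
name = "guest-b"
device_model_version = "qemu-xen-traditional"
device_model_stubdomain_override = 1
disk = [ 'file:/var/images/b.img,xvda,w',
         'file:/var/iso/b.iso,devtype=cdrom,vdev=hdc,access=r' ]
"""
CFG_NO_CDROM = """
builder = "hvm"
name = "guest-c"
disk = [ 'phy:/dev/vg/c,xvda,w' ]
"""
CFG_PV = """
kernel = "/boot/vmlinuz-xen"
name = "guest-d"
disk = [ 'phy:/dev/vg/d,xvda,w', 'file:/var/iso/cdrom.iso,xvdc:cdrom,r' ]
"""

def disk_specs(cfg):
    """Return the quoted entries of the disk = [ ... ] list, or [] if absent."""
    m = re.search(r"^\s*disk\s*=\s*\[(.*?)\]", cfg, re.S | re.M)
    return re.findall(r"""['"]([^'"]*)['"]""", m.group(1)) if m else []

def is_cdrom(spec):
    """True if one disk spec names an emulated CD-ROM: the 'devtype=cdrom'
    key, the bare 'cdrom' convenience alias, or the older '<vdev>:cdrom'."""
    fields = [f.strip() for f in spec.split(",")]
    return any(f in ("cdrom", "devtype=cdrom") or f.endswith(":cdrom") for f in fields)

def assess(cfg):
    """Classify one xl config against the XSA-138 exposure conditions."""
    if not re.search(r"""^\s*(?:builder|type)\s*=\s*['"]hvm['"]""", cfg, re.M):
        return "not-hvm"            # PV guests are not affected
    if not any(is_cdrom(s) for s in disk_specs(cfg)):
        return "no-cdrom"           # no emulated CD-ROM: the ATAPI path is absent
    if re.search(r"^\s*device_model_stubdomain_override\s*=\s*1\b", cfg, re.M):
        return "stubdom-mitigated"  # qemu-dm runs in a stub domain (qemu-xen-traditional only)
    return "exposed"                # x86 HVM + emulated CD-ROM + no stubdomain
```

Run the function over each file under /etc/xen (or wherever the configurations live) and patch or reconfigure every guest reported as "exposed" first.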
RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa138-qemut-{1,2}.patch     qemu-xen-traditional, Xen unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x
xsa138-qemuu-{1,2,3}.patch   qemu-upstream, Xen unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x
xsa138-qemuu-{1,3}.patch     qemu-upstream, Xen 4.2.x

NOTE: xsa138-qemuu-2.patch is not required for Xen 4.2.x.

$ sha256sum xsa138*.patch
7e385455379d88658b8ab0d4c1effffe9af21fff2e1dc0fe51cacc779afc83a4  xsa138-qemut-1.patch
c9a89082e36a0646a6fe002c6892d966d415d11ad5cfdcfea7e9c8d7a3f1316c  xsa138-qemut-2.patch
a076808f543c82aeac2f0239a4a46d9baadcd4e4b0a2f9ae7ded99cf59cffde6  xsa138-qemuu-1.patch
ed16dca7d2c179d0931d6e2503264d6593547a803eb3f08f6db7fff2127509a9  xsa138-qemuu-2.patch
090bdec00ede1f0ace1af52833038a74971e060d0c176b42bfca08511d36c644  xsa138-qemuu-3.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of patches or mitigations is NOT permitted (except on systems used and administered only by organisations which are members of the Xen Project Security Issues Predisclosure List).

Specifically, deployment on public cloud systems is NOT permitted.

The decision not to permit deployment was made by the group that, at their discretion, disclosed the issue to the Xen Project Security Team.

Deployment is permitted only AFTER the embargo ends.

(Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decision-making.)
For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html