            Xen Security Advisory CVE-2016-4962 / XSA-175
                              version 7

      Unsanitised guest input in libxl device handling code

UPDATES IN VERSION 7
====================

Normalize version tags

ISSUE DESCRIPTION
=================

Various parts of libxl device-handling code inappropriately use information from (partially) guest controlled areas of xenstore (principally the frontend directory /local/domain/GUEST/device/TYPE/DEVID, henceforth referred to as FE).

The problems vary by device type:

For almost all device types (all devices except consoles and channels), the guest has the ability to completely remove FE. This will normally result in the virtual device no longer functioning (which is bad for the guest and an outcome the guest could achieve anyway). But it will also cause the device not to appear in lists of devices, and prevent the device being properly torn down during domain destruction (including guest reboot and migration).

When such a malicious domain is shut down, the host resources associated with the manipulated devices may remain in use: for example, disk and nic hotplug teardown scripts will not be run. For resources allocated in a manner which excludes some other accesses, this can prevent the operation of that other software on the host (for example, it can prevent management operations on the underlying objects); for resources that are allocated in a nonexclusive manner, the guest can consume new resources with each successive guest boot, eventually exhausting capacity.

For all devices other than the main PV console, the guest can write FE/backend to point to the backend of a device belonging to a different guest. On subsequent domain removal (for example, by guest reboot or migration) libxl uses this value with insufficient checks, allowing libxl to be tricked into failing to tear down the device properly.
For almost all device types the backend xenstore path and domid returned to libxl's caller during query functions servicing the domain are read from a guest-controlled part of xenstore. This means that a guest can cause incorrect displays in tools like xl, and possibly cause maloperation by higher-level domain management systems.

For all device types, libxl would read the guest-writeable FE/backend node to find the xenstore path to the backend. A guest could write a bad value, which would (mostly) be detected by libxl but would cause libxl operations (including informational functions) to fail.

For consoles, vtpm and channel devices, libxl would use FE/backend without checking, to discover important information about the device. For vtpm devices, this means the guest can manipulate the apparently-configured uuid. For channel devices, the guest can manipulate the apparently-configured channel name.

For channel devices, the guest can trick console attachment tools in the backend domain into connecting to arbitrary wrong paths on the backend domain filesystem.

IMPACT
======

A malicious guest administrator can cause denial of service by resource exhaustion.

A malicious guest administrator can confuse and/or deny service to management facilities.

A malicious guest administrator of a guest configured with channel devices may be able to escalate their privilege to that of the backend domain (i.e., normally, to that of the host).

VULNERABLE SYSTEMS
==================

Xen systems using libxl based toolstacks (for example xl or libvirt with the libxl driver) are vulnerable to denial of service to guests and administrators.

Xen systems with guests configured with channel devices are possibly vulnerable to privilege escalation by those guests. (Channel devices are configured with "channel=" in the xl domain configuration file. See http://xenbits.xen.org/docs/4.6-testing/misc/channel.txt for more information.)
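The defensive pattern the RESOLUTION patch titles describe (record the backend path in a toolstack-only part of xenstore, parse the domid out of it, and stop trusting FE/backend) is illustrated below. This is an added example, not libxl code: the /libxl/DOMID record layout, the backend path layout and the dict standing in for xenstore are assumptions constructed for the demonstration.

```python
import re

# Backend path layout the toolstack writes into xenstore (assumed here):
#   /local/domain/<be_domid>/backend/<type>/<fe_domid>/<devid>
BACKEND_PATH_RE = re.compile(r"^/local/domain/(\d+)/backend/([a-z0-9_]+)/(\d+)/(\d+)$")

# Constructed stand-in for xenstore. /libxl/<domid>/... is writable only by the
# toolstack (assumed layout, after the XSA-175 patch titles); FE/backend under
# /local/domain/<domid>/device/... is writable by the guest itself.
SAMPLE_XENSTORE = {
    "/libxl/5/device/vif/0/backend": "/local/domain/0/backend/vif/5/0",
    "/local/domain/5/device/vif/0/backend": "/local/domain/0/backend/vif/7/0",  # guest repointed FE/backend at dom7's nic
    "/libxl/5/device/vbd/51712/backend": "/local/domain/0/backend/vbd/5/51712",
    "/local/domain/5/device/vbd/51712/backend": "/local/domain/0/backend/vbd/5/51712",
    "/libxl/5/device/vkbd/0/backend": "/local/domain/0/backend/vkbd/5/0",
    # no /local/domain/5/device/vkbd/0 entries at all: the guest removed that FE directory
}


def parse_backend_path(path):
    """Split a backend path into (be_domid, type, fe_domid, devid); None if malformed."""
    m = BACKEND_PATH_RE.match(path or "")
    if not m:
        return None
    be_domid, kind, fe_domid, devid = m.groups()
    return int(be_domid), kind, int(fe_domid), int(devid)


def backend_path_for(xs, guest_domid, kind, devid):
    """Resolve a device's backend path from the toolstack record, never from FE/backend.

    Returns (backend_path, frontend_tampered). The guest-writable node is read only
    to flag tampering; it is never used to decide which backend to list or tear down.
    """
    fe_path = f"/local/domain/{guest_domid}/device/{kind}/{devid}"
    recorded = xs.get(f"/libxl/{guest_domid}/device/{kind}/{devid}/backend")
    if recorded is None:
        raise LookupError(f"no toolstack record for {fe_path}")
    parsed = parse_backend_path(recorded)
    # Even the toolstack record is checked: it must describe this guest and this device.
    if parsed is None or parsed[1:] != (kind, guest_domid, devid):
        raise ValueError(f"recorded backend {recorded!r} does not belong to {fe_path}")
    frontend_tampered = xs.get(f"{fe_path}/backend") != recorded
    return recorded, frontend_tampered


if __name__ == "__main__":
    for kind, devid in (("vif", 0), ("vbd", 51712), ("vkbd", 0)):
        print(kind, devid, backend_path_for(SAMPLE_XENSTORE, 5, kind, devid))
```

With the sample store, the vif device reports the correct dom0 backend despite the guest's rewrite, and the vkbd device is still found for teardown even though its FE directory is gone.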
MITIGATION
==========

Disabling channel devices in applicable guests will reduce the impact of the vulnerability.

Limiting the frequency with which a guest is able to reboot, or limiting or eliminating a guest's ability to be granted exclusive access to host resources, will reduce the resource exhaustion impact.

CREDITS
=======

This issue was discovered by Wei Liu from Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa175-unstable/*.patch    xen-unstable
xsa175-4.6/*.patch         Xen 4.6
xsa175-4.5/*.patch         Xen 4.5
xsa175-4.4/*.patch         Xen 4.4

For Xen 4.3, patches are available in xen.git#staging-4.3. They are currently undergoing testing by the Xen Project CI system, osstest:

xen.git commits 0376b6bb2a89..5811d6bdf5bb    Xen 4.3

See:
http://xenbits.xen.org/gitweb/?p=xen.git;a=summary
git://xenbits.xen.org/xen.git
http://xenbits.xen.org/git-http/xen.git

$ sha256sum xsa175-*/*
$

NOTE REGARDING EMBARGO LENGTH
=============================

Due to the complexity and centrality of the set of patches, the security team suggested a three-week embargo rather than the normal two-week embargo, and the discoverer agreed.

Please do your best to test these patches as thoroughly and as early as possible, and report any problems.
DEPLOYMENT DURING EMBARGO
=========================

Deployment of patches or mitigations not explicitly allowed below is NOT permitted (except where all the affected systems and VMs are administered and used only by organisations which are members of the Xen Project Security Issues Predisclosure List). Specifically, deployment on public cloud systems is NOT permitted.

This is because the patches and mitigations result in guest-visible changes in the information recorded in xenstore, which might lead a guest administrator to understand the nature of the vulnerability.

Deployment is permitted only AFTER the embargo ends.

HOWEVER, deployment of the following IS permitted during the embargo, even on public-facing systems with untrusted guest users and administrators:

 * The patches for XSA-175 EXCEPT for the one patch
     libxl: Do not trust frontend for channel in list

 * The mitigation of limiting reboot frequency

In any case: Distribution of updated software is prohibited (except to other members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team.

(Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.)
For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy:

http://www.xenproject.org/security-policy.html