Information

Advisory XSA-180
Public release 2016-05-23 17:09
Updated 2023-12-15 15:35
Version 2
CVE(s) CVE-2014-3672
Title Unrestricted qemu logging

Files

advisory-180.txt (signed advisory file)
xsa180-qemut.patch
xsa180-qemuu.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2014-3672 / XSA-180
                              version 2

                       Unrestricted qemu logging

UPDATES IN VERSION 2
====================

Normalize version tags.

ISSUE DESCRIPTION
=================

When the libxl toolstack launches qemu for HVM guests, it pipes the
output of stderr to a file in /var/log/xen.  This output is not
rate-limited in any way.  The guest can easily cause qemu to print
messages to stderr, causing this file to become arbitrarily large.

IMPACT
======

The disk containing the logfile can be exausted, possibly causing a
denial-of-service (DoS).

VULNERABLE SYSTEMS
==================

All versions of Xen are affected.

Only x86 systems are affected; ARM systems are not affected.

Only systems running HVM guests are affected; systems running only PV
guests are not affected.

Both qemu-upstream and qemu-traditional are affected.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

CREDITS
=======

This issue was discovered by Andrew Sorensen of leviathansecurity.com.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

The patches adopt a simple and rather crude approach which is
effective at resolving the security issue in the context of a Xen
device model.  They may not be appropriate for adoption upstream or in
other contexts.

xsa180-qemut.patch       qemu-xen-traditional (all supported versions)
xsa180-qemuu.patch       qemu-xen master

$ sha256sum xsa180*
7733fd57868c4313c7c47ccde3aba21e9ed5002ee8a937b20997fb3d2282a5d7  xsa180-qemut.patch
7a92bbd3b6368f91e694400c8e850567972e14852e4f61fbb61cc3b7b98f14ef  xsa180-qemuu.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmV8b/IMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZCDkH/j6mf9xGcnIhfDhuyR1Ln63iWXj7/G3GTJH5poGY
iJHurRYdA5ShJSOOYjOPw/B94llP01v3fXYl8860warrzG4Lg7daIwU0fqVypf3b
e74J5TA89pq6xrALIjExPKCEh3TouXcFG+5IoIDmXdEEYX9AQ1ommMHY0/aUzr1A
bUt4UlG569qgQl2yYpkziI/07hbYy9MPmiKtenFBDk8PwQwUo7mfnBxzpnnph/QZ
wUVsqSIaK4NRIJURwGcjSM5hEQCwGuLpdZVY88lsIdy83HEFmFUS/OEJvx2XV8j9
q48IgXxgzdwvxDgjMAptr8qCq9GgMtbW+4cIP5uPGmvLrKU=
=Qnfn
-----END PGP SIGNATURE-----

Xenproject.org Security Team