Bug 1566253 (CVE-2018-10472) - CVE-2018-10472 xsa258 xen: Information leak via crafted user-supplied CDROM
Summary: CVE-2018-10472 xsa258 xen: Information leak via crafted user-supplied CDROM
Status: CLOSED NOTABUG
Alias: CVE-2018-10472
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20180425:1200,...
Keywords: Security
Depends On: 1571867
Blocks: 1566254
TreeView+ depends on / blocked
 
Reported: 2018-04-11 21:18 UTC by Laura Pardo
Modified: 2019-06-08 22:48 UTC (History)
13 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2018-04-12 12:18:41 UTC


Attachments (Terms of Use)

Description Laura Pardo 2018-04-11 21:18:06 UTC
ISSUE DESCRIPTION
=================

QEMU handles many different file formats for virtual disks (e.g., raw,
qcow2, vhd, &c). Some of these formats are "snapshots" that specify
"patches" to an alternate disk image, whose filename is included in
the snapshot file.

When qemu is given a disk but the type is not specified, it attempts
to guess the file format by reading it. If a disk image is intended
to be 'raw', but the image is entirely controlled by an attacker, the
attacker could write a header to the image, describing one of these
"snapshot" formats, and pointing to an arbitrary file as the "backing"
file.

When attaching disks via command-line parameters at boot time
(including both "normal" disks and CDROMs), libxl specifies the
format; however, when inserting a CDROM live via QMP, the format was
not specified.

IMPACT
======

An attacker supplying a crafted CDROM image can read any file (or
device node) on the dom0 filesystem with the permissions of the qemu
devicemodel process. (The virtual CDROM device is read-only, so
no data can be written.)

VULNERABLE SYSTEMS
==================

Only x86 HVM guests with a virtual CDROM device are affected. ARM
guests, x86 PV guests, x86 PVH guests, and x86 HVM guests without a
virtual CDROM device are not affected.

Only systems with qemu running in dom0 are affected; systems running
stub domains are not affected. Only systems using qemu-xen (aka
"qemu-upstream" are affected; systems running qemu-xen-traditional
are not affected.

Only systems in which an attacker can provide a raw CDROM image, and
cause that image to be virtually inserted while the guest is running,
are affected. Systems which only have host administrator-supplied
CDROM images, or systems which allow images to be added only at boot
time, are not affected.

MITIGATION
==========

One workaround is to "wrap" the guest-supplied image in a specific
format; i.e., accept a raw image from the untrusted user, and convert
it into qcow2 format; for example:

qemu-img convert -f raw -O qcow2 untrusted.raw wrapped.qcow2

WARNING: Make sure to specify `-f raw` if you do this, or qemu will
"guess" the format of "untrusted.raw" (which the attacker may have
crafted to look like a qcow2 snapshot image with an alternativee base).

Another workaround is to allow guests to only change CDROMs at boot
time, not while the guest is running.

Comment 1 Adam Mariš 2018-04-25 14:51:28 UTC
Acknowledgments:

Name: the Xen project
Upstream: Anthony Perard (Citrix)

Comment 2 Adam Mariš 2018-04-25 14:51:40 UTC
External References:

https://xenbits.xen.org/xsa/advisory-258.html

Comment 3 Adam Mariš 2018-04-25 14:52:15 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1571867]


Note You need to log in before you can comment on or make changes to this bug.