Bug 851252 - (CVE-2012-3515) CVE-2012-3515 qemu: VT100 emulation vulnerability
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
impact=important,public=20120905,repo...
Keywords: Security
Depends On: 851253 851254 851255 851256 851257 851258 854599 854600 854854
Blocks: 851264 853908 853917 853920 854054
Reported: 2012-08-23 11:13 EDT by Petr Matousek
Modified: 2013-08-24 10:07 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-08-24 10:07:32 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Petr Matousek 2012-08-23 11:13:36 EDT
A flaw has been found in the way qemu handles VT100 escape sequences when emulating certain devices with a virtual console backend.

An attacker who has sufficient privilege to access a vulnerable device within a guest can overwrite portions of the qemu address space. This can allow them to escalate their privileges to that of the qemu process on the host.

Acknowledgements:

Red Hat would like to thank the Xen project for reporting this issue.
Comment 1 Petr Matousek 2012-08-23 11:15:48 EDT
Xen
===

All hosts running HVM guests are potentially vulnerable to this depending on the specific guest configuration. The default configuration is not vulnerable.

When using libvirt, the default configuration of managed guests is safe, too. Libvirt by default configures the serial and parallel ports in a way that is not vulnerable.

Please note that configuring the serial and/or parallel port to use the vc backend later makes the host vulnerable even when libvirt is used to manage the guest.

PV guests are not affected by this issue.
Comment 2 Petr Matousek 2012-08-23 11:17:04 EDT
KVM
===

All hosts running KVM guests are potentially vulnerable to this depending on the specific guest configuration. The default configuration is not vulnerable.

The only supported way of running qemu-kvm on Red Hat Enterprise Linux 5 is using libvirt. When a guest is created, libvirt by default configures the serial and parallel ports in a way that is not vulnerable.

Please note that configuring the serial and/or parallel port to use the vc backend later makes the host vulnerable even when libvirt is used to manage the guest.

Running qemu-kvm directly from command line can potentially make the system vulnerable.


On Red Hat Enterprise Linux 6, command line execution of qemu-kvm is supported provided that "-nodefaults" parameter is passed in as one of the arguments. Using "-nodefaults" disables default insecure configuration. For further information please refer to [1]. As long as "-nodefaults" argument is passed in and serial and/or parallel port is not configured to use vc backend, the host is not vulnerable.

  [1] https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Virtualization_Administration_Guide/ch19s10.html

When a guest is created, libvirt by default configures the serial and parallel ports in a way that is not vulnerable.

Please note that configuring the serial and/or parallel port to use the vc backend later makes the host vulnerable even when libvirt is used to manage the guest.
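The two conditions Comments 1 and 2 name (a serial or parallel port switched to the vc backend under libvirt, or qemu-kvm started from the command line without "-nodefaults") can be checked mechanically. The following audit script is an added example, not code from this bug report, Red Hat, libvirt or qemu. It assumes libvirt expresses the backend as `<serial type='vc'>` / `<parallel type='vc'>` in the domain XML, and that a direct qemu-kvm invocation selects the backend with `-serial vc`, `-parallel vc` or `-chardev vc,...`; the sample domain XML and command lines are constructed for the demonstration.

```python
"""Audit libvirt domain XML and qemu-kvm command lines for the vc-backend
configuration that this bug describes as exposing the host (added example)."""
import shlex
import xml.etree.ElementTree as ET

# Constructed sample: a guest definition edited after creation so that the
# serial port is backed by a virtual console (assumed libvirt XML form).
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>guest1</name>
  <devices>
    <serial type='vc'>
      <target port='0'/>
    </serial>
    <parallel type='pty'>
      <target port='0'/>
    </parallel>
  </devices>
</domain>"""


def find_vc_chardevs(domain_xml):
    """Return (device tag, target port) for every serial/parallel device whose
    chardev type is 'vc'. An empty list means the libvirt-managed guest keeps
    the non-vulnerable default backends."""
    root = ET.fromstring(domain_xml)
    hits = []
    for tag in ("serial", "parallel"):
        for dev in root.iter(tag):
            if dev.get("type") == "vc":
                target = dev.find("target")
                port = target.get("port") if target is not None else None
                hits.append((tag, port))
    return hits


def audit_qemu_cmdline(cmdline):
    """Return a list of findings for a direct qemu-kvm invocation, following
    Comment 2: "-nodefaults" must be present, and neither the serial nor the
    parallel port may be placed on the vc backend."""
    argv = shlex.split(cmdline)
    findings = []
    if "-nodefaults" not in argv:
        findings.append("missing -nodefaults: default device set is in use")
    for i, arg in enumerate(argv[:-1]):
        value = argv[i + 1]
        if arg in ("-serial", "-parallel"):
            # qemu accepts a bare backend name ("vc") or "vc:WxH" sizing.
            if value == "vc" or value.startswith("vc:"):
                findings.append(f"{arg} uses vc backend ({value})")
        elif arg == "-chardev":
            # "-chardev vc,id=..." is the explicit chardev form of the same backend.
            if value == "vc" or value.startswith("vc,"):
                findings.append(f"-chardev uses vc backend ({value})")
    return findings


if __name__ == "__main__":
    print("libvirt vc devices:", find_vc_chardevs(SAMPLE_DOMAIN_XML))
    for cmd in (
        "qemu-kvm -m 512 -hda guest.img",
        "qemu-kvm -nodefaults -serial pty -parallel none -hda guest.img",
        "qemu-kvm -nodefaults -serial vc -hda guest.img",
    ):
        print(cmd, "->", audit_qemu_cmdline(cmd) or "ok")
```

Run against the domain XML from `virsh dumpxml` and the qemu-kvm command lines seen in the process list; any finding means the guest is in one of the configurations the comments above call vulnerable, regardless of whether libvirt manages it.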
Comment 6 Petr Matousek 2012-08-23 11:22:17 EDT
Statement:

This issue did affect the versions of xen package as shipped with Red Hat Enterprise Linux 5.

This issue did affect the versions of kvm package as shipped with Red Hat Enterprise Linux 5.

This issue did affect the versions of qemu-kvm package as shipped with Red Hat Enterprise Linux 6.
Comment 17 Petr Matousek 2012-09-05 08:07:34 EDT
Now public via:

http://seclists.org/oss-sec/2012/q3/381
Comment 18 Petr Matousek 2012-09-05 08:10:00 EDT
Created xen tracking bugs for this issue

Affects: fedora-all [bug 854599]
Comment 19 Petr Matousek 2012-09-05 08:10:08 EDT
Created qemu tracking bugs for this issue

Affects: fedora-all [bug 854600]
Comment 20 errata-xmlrpc 2012-09-05 12:36:58 EDT
This issue has been addressed in the following products:

  RHEV-H and Agents for RHEL-6

Via RHSA-2012:1233 https://rhn.redhat.com/errata/RHSA-2012-1233.html
Comment 21 errata-xmlrpc 2012-09-05 12:47:25 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:1235 https://rhn.redhat.com/errata/RHSA-2012-1235.html
Comment 22 errata-xmlrpc 2012-09-05 12:49:58 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1234 https://rhn.redhat.com/errata/RHSA-2012-1234.html
Comment 23 errata-xmlrpc 2012-09-05 12:58:03 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:1236 https://rhn.redhat.com/errata/RHSA-2012-1236.html
Comment 24 errata-xmlrpc 2012-09-13 12:52:00 EDT
This issue has been addressed in the following products:

  RHEV-H, V2V and Agents for RHEL-5

Via RHSA-2012:1262 https://rhn.redhat.com/errata/RHSA-2012-1262.html
Comment 25 Fedora Update System 2012-09-17 14:00:28 EDT
xen-4.1.3-2.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
Comment 26 errata-xmlrpc 2012-10-02 13:11:22 EDT
This issue has been addressed in the following products:

  RHEV-H and Agents for RHEL-6

Via RHSA-2012:1325 https://rhn.redhat.com/errata/RHSA-2012-1325.html
Comment 27 gcy3y 2012-11-25 03:12:06 EST
Is there any test code for this? Thank you!
Comment 30 Petr Matousek 2012-11-26 11:18:30 EST
Hello,

(In reply to comment #27)
> Is there any test code for this? Thank you!

I am sorry but we do not share security issues reproducers.

Best regards,
--
Petr Matousek / Red Hat Security Response Team
