Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 1392939 - (CVE-2016-9379, CVE-2016-9380, xsa198) CVE-2016-9379 CVE-2016-9380 xsa198 xen: delimiter injection vulnerabilities in pygrub (XSA-198)
CVE-2016-9379 CVE-2016-9380 xsa198 xen: delimiter injection vulnerabilities i...
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20161122,repor...
: Security
Depends On: 1397383
Blocks: 1392955
  Show dependency treegraph
 
Reported: 2016-11-08 08:57 EST by Adam Mariš
Modified: 2018-03-07 05:14 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-03-07 05:14:02 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
All Xen versions (at least Xen 4.4 and later) patch (2.14 KB, patch)
2016-11-08 09:45 EST, Adam Mariš
no flags Details | Diff

  None (edit)
Description Adam Mariš 2016-11-08 08:57:11 EST
ISSUE DESCRIPTION
=================

pygrub, the boot loader emulator, fails to quote (or sanity check) its
results when reporting them to its caller.

pygrub supports a number of output formats.  When the S-expression
output format is requested, putting string quotes and S-expressions in
the bootloader configuration file can produce incorrect output.

When the nul-delimited output format is requested, nul bytes in the
bootloader configuration file can produce an ambiguous or confusing
output file, which is interpreted by libxl in a vulnerable way.

The existing bootloader config interpreters all read input in a
line-based way from their bootloaders, and none of them support any
kind of escaping.  So the newline-delimited output format is safe.

The attacker can use this to cause the toolstack to treat any file
accessible to the toolstack as if it were the guest's initial ramdisk
file.  The file contents are provided to the guest kernel; also,
normally, these files are deleted by the toolstack as the guest starts
to boot; alternatively they may be deleted later.

IMPACT
======

A malicious guest administrator can obtain the contents of sensitive
host files (an information leak).

Additionally, a malicious guest administrator can cause files on the
host to be removed, causing a denial of service.  In some unusual host
configurations, ability to remove certain files may be useable for
privilege escalation.


VULNERABLE SYSTEMS
==================

Xen versions 2.0 and later are vulnerable.

The vulnerability is only exposed to guests configured by the host
administrator to boot using pygrub.  In the xl and xm domain
configuration file, this is typically achieved with
bootloader="pygrub"
On x86 this would typically apply only to PV domains.

All systems using xl, libxl, or libvirt are vulnerable to pygrub-using
guests.

Systems using other (third-party) toolstacks may or may not be
vulnerable, depending on whether pygrub is configured, and what pygrub
output format they use.  Please consult your toolstack provider.


MITIGATION
==========

Configuring guests not to use pygrub will avoid the vulnerability.

For x86 PV guests currently using pygrub, booting the guest as HVM
is often a practical option to avoid pygrub.


External References:

http://xenbits.xen.org/xsa/advisory-198.html

Acknowledgements:

Name: the Xen project
Upstream: Daniel Richman (the Cambridge University Student-Run Computing Facility), Gábor Szarka (the Cambridge University Student-Run Computing Facility)
Comment 1 Adam Mariš 2016-11-08 09:45 EST
Created attachment 1218546 [details]
All Xen versions (at least Xen 4.4 and later) patch
Comment 2 Martin Prpič 2016-11-22 07:25:09 EST
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1397383]

Note You need to log in before you can comment on or make changes to this bug.