1265269 – (CVE-2015-7311, xsa142) CVE-2015-7311 xen: libxl fails to honour readonly flag on disks with qemu-xen (xsa-142)

Bug 1265269 (CVE-2015-7311, xsa142) - CVE-2015-7311 xen: libxl fails to honour readonly flag on disks with qemu-xen (xsa-142)

Summary: CVE-2015-7311 xen: libxl fails to honour readonly flag on disks with qemu-xen...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2015-7311, xsa142
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1257893
Blocks:	1265270
TreeView+	depends on / blocked

Reported:	2015-09-22 14:00 UTC by Martin Prpič
Modified:	2023-05-12 10:46 UTC (History)
CC List:	14 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-09-22 14:06:00 UTC
Embargoed:

Attachments	(Terms of Use)

Description Martin Prpič 2015-09-22 14:00:41 UTC

ISSUE DESCRIPTION
=================

Callers of libxl can specify that a disk should be read-only to the guest. However, there is no code in libxl to pass this information to qemu-xen (the upstream-based qemu); and indeed there is no way in qemu to make a disk read-only.

The vulnerability is exploitable only via devices emulated by the device model, not the parallel PV devices for supporting PVHVM. Normally the PVHVM device unplug protocol renders the emulated devices inaccessible early in boot.

IMPACT
======

Malicious guest administrators or (in some situations) users may be able to write to supposedly read-only disk images.

CDROM devices (that is, devices specified to be presented to the guest as CDROMs, regardless of the nature of the backing storage on the host) are not affected.

VULNERABLE SYSTEMS
==================

Only systems using qemu-xen (rather than qemu-xen-traditional) as the device model version are vulnerable.

Only systems using libxl or libxl-based toolstacks are vulnerable. (This includes xl, and libvirt with the libxl driver.)

All versions of libxl which support qemu-xen are vulnerable. The affected code was introduced in Xen 4.1.

If the host and guest together usually support PVHVM, the issue is exploitable only if the malicious guest administrator has control of the guest kernel or guest kernel command line.

MITIGATION
==========

Switching to qemu-xen-traditional will avoid this vulnerability. This can be done with device_model_version="qemu-xen-traditional" in the xl configuration file.

Using stub domain device models (which necessarily involves switching to qemu-xen-traditional) will also avoid this vulnerability. This can be done with device_model_stubdomain_override=true in the xl configuration file.

Either of these mitigations is liable to have other guest-visible effects or even regressions.

It may be possible, depending on the configuration, to make the underlying storage object readonly, or to make it reject writes.

Upstream patches:

http://xenbits.xen.org/xsa/xsa142-4.5.patch
http://xenbits.xen.org/xsa/xsa142-4.6.patch


External References:

http://xenbits.xen.org/xsa/advisory-142.html

Acknowledgements:

Red Hat would like to thank the Xen project for reporting this issue. Upstream acknowledges Michael Young of Durham University as the original reporter.

Comment 1 Martin Prpič 2015-09-22 14:04:06 UTC

Fedora bug 1257893 that tracks this issue has been closed as NEXTRELEASE, with the fix being available in Fedora 23.

Comment 2 Petr Matousek 2015-09-22 14:06:00 UTC

Statement:

Not vulnerable.

This issue does not affect the versions of the xen package as shipped with Red Hat Enterprise Linux 5.

Note You need to log in before you can comment on or make changes to this bug.