[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] Xen Security Advisory 180 (CVE-2014-3672) - Unrestricted qemu logging



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2014-3672 / XSA-180

                       Unrestricted qemu logging

ISSUE DESCRIPTION
=================

When the libxl toolstack launches qemu for HVM guests, it pipes the
output of stderr to a file in /var/log/xen.  This output is not
rate-limited in any way.  The guest can easily cause qemu to print
messages to stderr, causing this file to become arbitrarily large.

IMPACT
======

The disk containing the logfile can be exausted, possibly causing a
denial-of-service (DoS).

VULNERABLE SYSTEMS
==================

All versions of Xen are affected.

Only x86 systems are affected; ARM systems are not affected.

Only systems running HVM guests are affected; systems running only PV
guests are not affected.

Both qemu-upstream and qemu-traditional are affected.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

CREDITS
=======

This issue was discovered by Andrew Sorensen of leviathansecurity.com.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

The patches adopt a simple and rather crude approach which is
effective at resolving the security issue in the context of a Xen
device model.  They may not be appropriate for adoption upstream or in
other contexts.

xsa180-qemut.patch       qemu-xen-traditional (all supported versions)
xsa180-qemuu.patch       qemu-xen (upstream) Xen unstable

$ sha256sum xsa180*
7733fd57868c4313c7c47ccde3aba21e9ed5002ee8a937b20997fb3d2282a5d7  
xsa180-qemut.patch
7a92bbd3b6368f91e694400c8e850567972e14852e4f61fbb61cc3b7b98f14ef  
xsa180-qemuu.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJXQzkrAAoJEIP+FMlX6CvZjkYIAMJRhIzcKP7P8Q075WKw29e2
PpLFy+eOM/946SOnKxrN/1Pq+yYl5Jn1rN/TMRre4n6pYdGlGY/+MFa4N2tfKhBv
8dYcE2BMD9tbLi4SpbvoIMUtmLM1y0lVSmtHbMaw/zQDpT0uM1Kh+P0VjTeBADo/
PgRgePGfV7r+4nVjxjdSiNah8XAR5P/hoHNGOaM2kuIT19FwyDK7uQONE+HL2SdI
ccA+JAMZFlHs1/hcjeCLny7Soedy4GPfGfqUpu/zRkaaDmCkG1E+gfcox5S2myYc
Kogj7oiVWjRTcYh5cUOIfSmC4TDM8pqWnMmFftGShOvWqRJH3tUWt3TkaU669X8=
=SczG
-----END PGP SIGNATURE-----

Attachment: xsa180-qemut.patch
Description: Binary data

Attachment: xsa180-qemuu.patch
Description: Binary data

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.