Your message dated Sun, 09 Sep 2012 15:02:52 +0000 with message-id <[email protected]> and subject line Bug#686848: fixed in xen-qemu-dm-4.0 4.0.1-2+squeeze2 has caused the Debian Bug report #686848, regarding CVE-2007-0998: Qemu monitor can be used to access host resources to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 686848: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686848 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: xen-qemu-dm-4.0 Version: 4.0.1-2+squeeze1 Severity: grave Tags: squeeze Copying the Xen Security Advisory: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory XSA-19 guest administrator can access qemu monitor console ISSUE DESCRIPTION ================= A guest administrator who is granted access to the graphical console of a Xen guest can access the qemu monitor. The monitor can be used to access host resources. IMPACT ====== A malicious guest administrator can access host resources (perhaps belonging to other guests or the underlying system) and may be able to escalate their privilege to that of the host. VULNERABLE SYSTEMS ================== Installations where guest administrators do not have access to a domain's graphical console, or containing only PV domains configured without a graphical console, are not vulnerable. Installations where all guest administrators are trustworthy are not vulnerable, even if the guest operating systems themselves are untrusted. Systems using xend/xm: At least all versions since Xen 4.0 are affected. Systems are vulnerable even if "monitor=no" is specified in the xm domain configuration file - this configuration option is not properly honoured in the vulnerable versions. Systems using libxl/xl: All versions are affected. The "monitor=" option is not understood, and is therefore ignored, by xl. However, systems using the experimental device model version based on upstream qemu are NOT vulnerable; that is, Xen 4.2 RC systems with device_model_version="qemu_xen" specified in the xl domain config file. Systems using libvirt are vulnerable. For "xen:" URIs, see xend/xm, above. For "libxl:" URIs, all versions are affected. Systems based on the Xen Cloud Platform are NOT vulnerable. CONFIRMING VULNERABILITY ======================== Connect to the guest's VNC (or SDL) graphical display and make sure your focus is in that window. Hold down CTRL and ALT and press 2. You will see a black screen showing one of "serial0", "parallel0" or "QEMU <version> monitor". Repeat this exercise for other digits 3 to 6. CTRL+ALT+1 is the domain's normal graphical console. Not all numbers will have screens attached, but note that you must release and re-press CTRL and ALT each time. If one of the accessible screens shows "QEMU <version> monitor" then you are vulnerable. Otherwise you are not. MITIGATION ========== With xl in Xen 4.1 and later, supplying the following config option in the VM configuration file will disable the monitor: device_model_args=["-monitor","null"] With xend the following config option will disable the monitor: monitor_path="null" Note that with a vulnerable version of the software specifying "monitor=0" will NOT disable the monitor. We are not currently aware of the availability of mitigation for systems using libvirt. NOTE REGARDING EMBARGO ====================== This issue was publicly discussed online by its discoverer. There is therefore no embargo. NOTE REGARDING CVE ================== This issue was previously reported in a different context, not to Xen upstream, and assigned CVE-2007-0998 and fixed in a different way. We have requested a new CVE for XSA-19 but it is not yet available. RESOLUTION ========== The attached patch against qemu-xen-traditional (qemu-xen-4.*-testing.git) resolves this issue. $ sha256sum xsa19-qemu-all.patch 19fc5ff9334e7e7ad429388850dc6e52e7062c21a677082e7a89c2f2c91365fa xsa19-qemu-all.patch -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQSMr3AAoJEIP+FMlX6CvZ2O8H/2cZuOEMQd6ELDSmgj2fVaYl qpev3Ux50+wHsBf2JS4XMW+f6wwNWa8IBP1GL+SUvOLVr0PGYb8cbISy+zp6z+ku mAF1T19iaAMNc/feSYwgtLfYE9H25SbB4cuPg6YkyLf6dQn0KnEyf9GIJxHy0xir nU5XKEwhhJHw17cXZyagTBheXqrIRtIhgMNv3oQKg60NDc+2sMYwMmv7lgPVIvTZ 5+rkY7RX34hBCw08qt/CEyI9OXKHL1jDjPM8QtCKuwDzaWI10yQxtLjWJCYEhGkH QqMHU6D8Q3DptCSZj/9urs7+oWGwb3TKR7rUc5v7NbiHlliEX5njDKrhxZpxvJg= =21pO -----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---Source: xen-qemu-dm-4.0 Source-Version: 4.0.1-2+squeeze2 We believe that the bug you reported is fixed in the latest version of xen-qemu-dm-4.0, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Guido Trotter <[email protected]> (supplier of updated xen-qemu-dm-4.0 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.8 Date: Sat, 08 Sep 2012 12:29:04 +0000 Source: xen-qemu-dm-4.0 Binary: xen-qemu-dm-4.0 Architecture: source amd64 Version: 4.0.1-2+squeeze2 Distribution: stable-security Urgency: low Maintainer: Thomas Goirand <[email protected]> Changed-By: Guido Trotter <[email protected]> Description: xen-qemu-dm-4.0 - Xen Qemu Device Model virtual machine hardware emulator Closes: 686848 Changes: xen-qemu-dm-4.0 (4.0.1-2+squeeze2) stable-security; urgency=low . * Security upload * Fix for Xen Security Advisory 17 (CVE-2012-3515) * Fix for Xen Security Advisory 19 (CVE-2012-4411) (closes: #686848) Checksums-Sha1: 3ce7e079e69573da01953ff04cf830fc8ca074c4 1391 xen-qemu-dm-4.0_4.0.1-2+squeeze2.dsc ec4c2dfc6ee33ff4552728d8ef53817452f49ac7 18208 xen-qemu-dm-4.0_4.0.1-2+squeeze2.debian.tar.gz 4210dfe4e1d676ab6e08d389ba662a915a69de38 603754 xen-qemu-dm-4.0_4.0.1-2+squeeze2_amd64.deb Checksums-Sha256: 4dbac81add2615f544578a4fb82a21f86a767cca703956b15e34a7fe5ce88025 1391 xen-qemu-dm-4.0_4.0.1-2+squeeze2.dsc 398f9d95992647b7d10a586035c579f8fe1cd11cf089cc0010fc098c793d0590 18208 xen-qemu-dm-4.0_4.0.1-2+squeeze2.debian.tar.gz 9cb1b7eb50b1d6aef7ce69d41d533a99174bee7df7ba0fc0d4e59a823c6a16c3 603754 xen-qemu-dm-4.0_4.0.1-2+squeeze2_amd64.deb Files: eebd634481e1e564fb69f2356b60ef85 1391 misc optional xen-qemu-dm-4.0_4.0.1-2+squeeze2.dsc 3bf259526aacae868f8592edd873730b 18208 misc optional xen-qemu-dm-4.0_4.0.1-2+squeeze2.debian.tar.gz 49b84e30a2b1b109ca13a1f69c9a1f14 603754 misc optional xen-qemu-dm-4.0_4.0.1-2+squeeze2_amd64.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAlBLPHYACgkQhImxTYgHUpv9XgCfYgTwqMU76KZtf2C/sRmfdRcc 3UoAn0JSnhpRRh4/bzkKb2sUmHlry7Z2 =GzNQ -----END PGP SIGNATURE-----
--- End Message ---

