* PATCH: CVE-2007-0998: Remove access to QEMU monitor in VNC server
@ 2007-03-19 20:25 Daniel P. Berrange
2007-05-18 23:39 ` S.Çağlar Onur
0 siblings, 1 reply; 5+ messages in thread
From: Daniel P. Berrange @ 2007-03-19 20:25 UTC (permalink / raw)
To: xen-devel
[-- Attachment #1: Type: text/plain, Size: 2612 bytes --]
This patch fixes a security issue present in any Xen 3.0.3 or later when
the VNC server is enabled for a HVM guest.
cf CVE-2007-0998 / the RHEL-5 security errata:
http://rhn.redhat.com/errata/RHSA-2007-0114.html
The VNC server for HVM guests allows the VNC client to press Ctrl+Alt+2
to switch into the QEMU monitor console. From there a user can map an
arbitrary file from the Dom0 host through to the guest as a cdrom device.
This file is mapped with full read-write privileges to writes to /dev/hdc
in the guest will change the file in the underlying Dom0 host.
So since qemu-dm processes run as root on Dom0, any unprivileged user with
access to a VNC console for a HVM guest can compromise the Dom0 OS. The VNC
password protection offers minimal against this problem since it is trivially
brute forced, although at least XenD is setup to restrict VNC to 127.0.0.1
out of the box. So it is a local-root exploit in out of box config, but is
potentially a remote-root exploit if the admin changed VNC to listen on the
public IP address.
There is no compelling reason to provide access to the QEMU monitor console.
The XenD APIs already allow a user to determine config of a guest VM. The
often quoted use case is to allow changing of the CDROM backing file during
guest installs. This can already be done by root using xenstore-write to
change the file associated with the VDB in xenstore, so QEMU monitor access
is not actually needed. Long term I anticipate XenD itself will have to
take ownership of the QEMU monitor console connection, since upstream QEMU
is increasingly providing monitor commands as the primary way for management
tools to control the VM on the fly.
The attached patch disables the key code handling the magic Ctrl+Alt+2
sequence used to activate the monitor. The code is now only enabled if
the top level Xen Makefile variable 'debug' is set to 'y' - it defaults
to 'n' to regular production builds will remove access to the QEMU monitor,
while developers can still access if required for debugging purposes.
This is effectively disabling the code added in changeset:
10742:3e07ec30c44538e7ea55b0da2cb2624036481fc3
Along with a few other minor alteratiosn to the added code.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Regards,
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|
[-- Attachment #2: xen-vnc-monitor-export.patch --]
[-- Type: text/plain, Size: 1513 bytes --]
diff -r f40bd358129a tools/ioemu/Makefile.target
--- a/tools/ioemu/Makefile.target Sat Mar 17 16:56:39 2007 +0000
+++ b/tools/ioemu/Makefile.target Mon Mar 19 14:13:35 2007 -0400
@@ -193,6 +193,10 @@ LIBS+=-lsocket -lnsl -lresolv
LIBS+=-lsocket -lnsl -lresolv
endif
+ifeq ($(debug),y)
+CFLAGS += -DQEMU_VNC_MONITOR_EXPORT
+endif
+
# profiling code
ifdef TARGET_GPROF
LDFLAGS+=-p
diff -r f40bd358129a tools/ioemu/vnc.c
--- a/tools/ioemu/vnc.c Sat Mar 17 16:56:39 2007 +0000
+++ b/tools/ioemu/vnc.c Mon Mar 19 14:54:19 2007 -0400
@@ -113,8 +113,10 @@ struct VncState
int visible_w;
int visible_h;
+#ifdef QEMU_VNC_MONITOR_EXPORT
int ctl_keys; /* Ctrl+Alt starts calibration */
int shift_keys; /* Shift / CapsLock keys */
+#endif
int numlock;
};
@@ -895,6 +897,7 @@ static void do_key_event(VncState *vs, i
kbd_put_keycode(keycode & 0x7f);
else
kbd_put_keycode(keycode | 0x80);
+#ifdef QEMU_VNC_MONITOR_EXPORT
} else if (down) {
int qemu_keysym = 0;
@@ -922,8 +925,10 @@ static void do_key_event(VncState *vs, i
}
if (qemu_keysym != 0)
kbd_put_keysym(qemu_keysym);
- }
-
+#endif
+ }
+
+#ifdef QEMU_VNC_MONITOR_EXPORT
if (down) {
switch (sym) {
case XK_Control_L:
@@ -976,6 +981,10 @@ static void do_key_event(VncState *vs, i
break;
}
}
+#else
+ if (!down && sym == XK_Num_Lock)
+ vs->numlock = !vs->numlock;
+#endif
}
static void key_event(VncState *vs, int down, uint32_t sym)
[-- Attachment #3: Type: text/plain, Size: 138 bytes --]
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: PATCH: CVE-2007-0998: Remove access to QEMU monitor in VNC server
2007-03-19 20:25 PATCH: CVE-2007-0998: Remove access to QEMU monitor in VNC server Daniel P. Berrange
@ 2007-05-18 23:39 ` S.Çağlar Onur
2007-05-19 8:23 ` Keir Fraser
0 siblings, 1 reply; 5+ messages in thread
From: S.Çağlar Onur @ 2007-05-18 23:39 UTC (permalink / raw)
To: xen-devel, Daniel P. Berrange
[-- Attachment #1.1: Type: text/plain, Size: 534 bytes --]
19 Mar 2007 Pts tarihinde, Daniel P. Berrange şunları yazmıştı:
> This patch fixes a security issue present in any Xen 3.0.3 or later when
> the VNC server is enabled for a HVM guest.
>
> cf CVE-2007-0998 / the RHEL-5 security errata:
>
> http://rhn.redhat.com/errata/RHSA-2007-0114.html
Same patch applies cleanly on Xen-3.1.0, is it forgetton?
--
S.Çağlar Onur <caglar@pardus.org.tr>
http://cekirdek.pardus.org.tr/~caglar/
Linux is like living in a teepee. No Windows, no Gates and an Apache in house!
[-- Attachment #1.2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
[-- Attachment #2: Type: text/plain, Size: 138 bytes --]
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: PATCH: CVE-2007-0998: Remove access to QEMU monitor in VNC server
2007-05-18 23:39 ` S.Çağlar Onur
@ 2007-05-19 8:23 ` Keir Fraser
2007-05-19 11:48 ` S.Çağlar Onur
0 siblings, 1 reply; 5+ messages in thread
From: Keir Fraser @ 2007-05-19 8:23 UTC (permalink / raw)
To: caglar, xen-devel, Daniel P. Berrange
On 19/5/07 00:39, "S.Çağlar Onur" <caglar@pardus.org.tr> wrote:
> 19 Mar 2007 Pts tarihinde, Daniel P. Berrange şunları yazmıştı:
>> This patch fixes a security issue present in any Xen 3.0.3 or later when
>> the VNC server is enabled for a HVM guest.
>>
>> cf CVE-2007-0998 / the RHEL-5 security errata:
>>
>> http://rhn.redhat.com/errata/RHSA-2007-0114.html
>
> Same patch applies cleanly on Xen-3.1.0, is it forgetton?
The patch is in 3.1.0.
-- Keir
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: PATCH: CVE-2007-0998: Remove access to QEMU monitor in VNC server
2007-05-19 8:23 ` Keir Fraser
@ 2007-05-19 11:48 ` S.Çağlar Onur
2007-05-19 11:52 ` Keir Fraser
0 siblings, 1 reply; 5+ messages in thread
From: S.Çağlar Onur @ 2007-05-19 11:48 UTC (permalink / raw)
To: xen-devel; +Cc: Daniel P. Berrange
[-- Attachment #1.1: Type: text/plain, Size: 1520 bytes --]
19 May 2007 Cts tarihinde, Keir Fraser şunları yazmıştı:
> On 19/5/07 00:39, "S.Çağlar Onur" <caglar@pardus.org.tr> wrote:
> > 19 Mar 2007 Pts tarihinde, Daniel P. Berrange şunları yazmıştı:
> >> This patch fixes a security issue present in any Xen 3.0.3 or later when
> >> the VNC server is enabled for a HVM guest.
> >>
> >> cf CVE-2007-0998 / the RHEL-5 security errata:
> >>
> >> http://rhn.redhat.com/errata/RHSA-2007-0114.html
> >
> > Same patch applies cleanly on Xen-3.1.0, is it forgetton?
>
> The patch is in 3.1.0.
Hmm, is that solved another way? Cause according to HG history its first
committed [1] then reverted [2]?
[caglar@zangetsu][~/svk/devel/applications/virtualization/xen]>
sha1sum /var/cache/pisi/archives/xen-3.1.0-src.tgz
fa4b54c36626f2cce9b15dc99cafda0b42c54777 /var/cache/pisi/archives/xen-3.1.0-src.tgz
[caglar@zangetsu][~/svk/devel/applications/virtualization/xen]> tar
xvf /var/cache/pisi/archives/xen-3.1.0-src.tgz
...
[caglar@zangetsu][~/svk/devel/applications/virtualization/xen/xen-3.1.0-src]>
patch -p1 < ../files/CVE-2007-0998.patch
patching file tools/ioemu/Makefile.target
patching file tools/ioemu/vnc.c
[1] http://xenbits.xensource.com/xen-3.0.5-testing.hg?rev/3375391fb0c9
[2] http://xenbits.xensource.com/xen-3.0.5-testing.hg?rev/3d7a4ac397b1
Cheers
--
S.Çağlar Onur <caglar@pardus.org.tr>
http://cekirdek.pardus.org.tr/~caglar/
Linux is like living in a teepee. No Windows, no Gates and an Apache in house!
[-- Attachment #1.2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
[-- Attachment #2: Type: text/plain, Size: 138 bytes --]
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: PATCH: CVE-2007-0998: Remove access to QEMU monitor in VNC server
2007-05-19 11:48 ` S.Çağlar Onur
@ 2007-05-19 11:52 ` Keir Fraser
0 siblings, 0 replies; 5+ messages in thread
From: Keir Fraser @ 2007-05-19 11:52 UTC (permalink / raw)
To: caglar, xen-devel; +Cc: Daniel P. Berrange
On 19/5/07 12:48, "S.Çağlar Onur" <caglar@pardus.org.tr> wrote:
>>> Same patch applies cleanly on Xen-3.1.0, is it forgetton?
>>
>> The patch is in 3.1.0.
>
> Hmm, is that solved another way? Cause according to HG history its first
> committed [1] then reverted [2]?
There's a 'monitor' option in the domain config file, which can be used to
enable the monitor over VNC. It defaults to off, for security, of course.
-- Keir
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2007-05-19 11:52 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-03-19 20:25 PATCH: CVE-2007-0998: Remove access to QEMU monitor in VNC server Daniel P. Berrange
2007-05-18 23:39 ` S.Çağlar Onur
2007-05-19 8:23 ` Keir Fraser
2007-05-19 11:48 ` S.Çağlar Onur
2007-05-19 11:52 ` Keir Fraser
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.