Bug 919663 - (CVE-2015-2152) VUL-0: CVE-2015-2152: xen: XSA-119: HVM qemu unexpectedly enabling emulated VGA graphics backends
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
CVSSv2:RedHat:CVE-2015-2152:2.1:(AV:L...
Reported: 2015-02-26 09:10 UTC by Johannes Segitz
Modified: 2016-11-22 17:20 UTC (History)
Description Johannes Segitz 2015-02-26 09:10:01 UTC
Xen Security Advisory XSA-119

      HVM qemu unexpectedly enabling emulated VGA graphics backends

              *** EMBARGOED UNTIL 2015-03-12 12:00 UTC ***

ISSUE DESCRIPTION
=================

When instantiating an emulated VGA device for an x86 HVM guest qemu
will by default enable a backend to expose that device, either SDL or
VNC depending on the version of qemu and the build time configuration.

The libxl toolstack library does not explicitly disable these default
backends when they are not enabled, leading to an unexpected backend
running.

If either SDL or VNC is explicitly enabled in the guest configuration
then only the expected backends will be enabled.

This affects qemu-xen and qemu-xen-traditional differently.

If qemu-xen was compiled with SDL support then this would result in an
SDL window being opened if $DISPLAY is valid, or a failure to start
the guest if not.

If qemu-xen was compiled without SDL support then qemu would instead
start a VNC server listening on ::1 (IPv6 localhost) or 127.0.0.1
(IPv4 localhost) with IPv6 preferred if available. A VNC password will
not be configured even if one is present in the guest configuration.

qemu-xen-traditional will never start a vnc backend unless explicitly
configured. However by default it will start an SDL backend if it was
built with SDL support and $DISPLAY is valid.


IMPACT
======

For qemu-xen compiled without SDL support (unexpected VNC server):

Any local user on the domain 0 hosting the VM will be able to access
the guest's emulated VGA console.


For any qemu compiled with SDL support (unexpected SDL backend):

Users who are able to control the DISPLAY environment variable of the
toolstack process which creates the VM will be able to direct the SDL
output to an X server of their choosing and from there gain access to
the guest's emulated console.

This is a practical attack only on systems where arrangements have
been made for lower-privileged users to execute Xen toolstack code via
means which do not sufficiently launder the process environment.  This
would include some restricted sudo command configurations.


In both cases unexpected access to the guest console may then,
depending on the guest configuration, grant further privilege or
opportunities for attack.

Both cases also open up the qemu process to attacks via the VNC or X
network protocols.

The qemu monitor is not exposed via this means unless it is explicitly
enabled in the guest configuration.


VULNERABLE SYSTEMS
==================

ARM systems are not vulnerable.

PV domains are not vulnerable.

Systems where either SDL or VNC is explicitly enabled in the guest
configuration (e.g. `sdl=1' or `vnc=1' in the guest config file) are not
vulnerable.

Systems using qemu-xen-traditional, or systems using qemu-xen where
SDL support is built into qemu-xen, are not vulnerable, unless the Xen
toolstack code runs in a process environment partially controlled by
potential attackers.

x86 systems running HVM domains, configured to disable both SDL and
VNC access to the emulated VGA device, may be vulnerable.

Versions of Xen from 4.2 onwards are known to be affected. Older
versions have not been inspected.


MITIGATION
==========

Running qemu in a stub domain will avoid this issue.

Setting nographic to true on the domain (i.e. nographic=1 in an xl
configuration file) will completely disable the emulated VGA device
and therefore avoid this issue.  (NB that publicly visible deployment
of this mitigation during the embargo is forbidden.)

In order to disable the backends while retaining the emulated VGA,
prepending "-vnc none -display none" to the qemu-xen command-line or
"-vnc none" to the qemu-xen-traditional command-line, using e.g. a
wrapper script, will avoid the issue.  Note that the "extra_hvm" option
exposed by the libxl library is not useful because it appends the
given options, making them ineffective in this case.


RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa119-unstable.patch        xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x
xsa119-4.2.patch             Xen 4.2.x

$ sha256sum xsa119*.patch
19a502a382e79c0caead8c915eb48cb36db14b71f32f78ddf02b7bf973a5064b  xsa119-unstable.patch
e806027e7b55a4c011bdab958346854de57046b9c0603866b5ab0775f010e7f7  xsa119-4.2.patch

CRD: 2015-03-12 12:00 UTC
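The configuration audit implied by the VULNERABLE SYSTEMS section and the wrapper-script mitigation from the MITIGATION section above, as one added POSIX sh example (not code from the Xen project, the advisory, or this bug): `xl_config_exposed` reads an xl guest config and reports whether it matches the advisory's affected combination (HVM builder, neither `sdl=1` nor `vnc=1`, `nographic` unset), and `run_wrapper` prepends `-vnc none -display none` (qemu-xen) or `-vnc none` (qemu-xen-traditional) to the original command line before handing it to the real qemu binary. The `REAL_QEMU` path, the `QEMU_FLAVOUR` variable, the function names and the sample configs in the comments are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not Xen project code): XSA-119 helpers for a dom0 administrator.
#
#  xl_config_exposed  - audit an xl guest config against the advisory's
#                       "vulnerable systems" criteria: HVM guest, neither sdl=1
#                       nor vnc=1, nographic not set.  (ARM hosts are out of scope
#                       here; the config alone does not reveal the architecture.)
#  run_wrapper        - the wrapper-script mitigation: prepend the options that
#                       disable qemu's default display backends, then exec the
#                       real binary with the original arguments unchanged.
#
# Assumptions: REAL_QEMU is a placeholder for wherever the real qemu binary was
# moved; QEMU_FLAVOUR selects "qemu-xen" or "qemu-xen-traditional".
REAL_QEMU="${XSA119_REAL_QEMU:-/path/to/real/qemu-binary}"   # placeholder, not from the advisory

# Print the options to prepend for a qemu flavour (taken from the MITIGATION section).
xsa119_prefix() {
    case "$1" in
        qemu-xen)             printf '%s\n' '-vnc none -display none' ;;
        qemu-xen-traditional) printf '%s\n' '-vnc none' ;;
        *)                    return 1 ;;   # unknown flavour: refuse rather than guess
    esac
}

# True when the toolstack already passed an explicit backend option, i.e. the
# guest config had sdl=1 or vnc=1 and the explicit setting governs anyway.
explicit_backend_present() {
    for arg in "$@"; do
        case "$arg" in
            -vnc|-sdl|-display) return 0 ;;
        esac
    done
    return 1
}

# Print the command line the real qemu would receive: prefix first, then the
# original arguments unchanged (prepending, not appending, as the advisory says).
wrapped_cmdline() {
    flavour="$1"; shift
    prefix=$(xsa119_prefix "$flavour") || return 1
    # shellcheck disable=SC2086   # word-splitting $prefix is intended
    set -- $prefix "$@"
    printf '%s\n' "$*"
}

# Same construction, but actually replace this process with the real qemu.
run_wrapper() {
    flavour="$1"; shift
    prefix=$(xsa119_prefix "$flavour") || exit 1
    # shellcheck disable=SC2086
    set -- $prefix "$@"
    exec "$REAL_QEMU" "$@"
}

# Read an xl guest config on stdin; return 0 (true) when it matches the advisory's
# affected configuration, 1 otherwise.  Only the keys the advisory names are checked.
# Constructed sample that is reported as exposed:   builder = "hvm"
# Constructed sample that is not:                   builder = "hvm"  plus  vnc = 1
xl_config_exposed() {
    cfg=$(cat)
    # key/value match on one config line, tolerant of spaces around "="
    has_key() { printf '%s\n' "$cfg" | grep -Eq "^[[:space:]]*$1[[:space:]]*=[[:space:]]*$2"; }
    has_key '(builder|type)' "['\"]hvm['\"]" || return 1   # PV domains are not affected
    has_key 'nographic' '1' && return 1                    # no emulated VGA at all
    has_key 'sdl' '1' && return 1                          # explicit backend: expected
    has_key 'vnc' '1' && return 1
    return 0
}

# Invoked with a qemu command line (as libxl does), act as the wrapper; invoked
# with no arguments, only define the functions above so they can be sourced or tested.
if [ $# -gt 0 ]; then
    run_wrapper "${QEMU_FLAVOUR:-qemu-xen}" "$@"
fi
```

To deploy the wrapper, move the real qemu binary aside, install this script at the path libxl invokes, and hard-code `REAL_QEMU` and the flavour rather than relying on environment variables, since the toolstack's environment is exactly what the SDL variant of the issue lets a caller influence. The audit function can be run over every config in a guest directory (`xl_config_exposed < /etc/xen/guest.cfg`) to list domains that still need either the patch or one of the advisory's mitigations.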
Comment 1 Johannes Segitz 2015-02-26 09:10:23 UTC
Created attachment 624616 [details]
xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x
Comment 2 Johannes Segitz 2015-02-26 09:10:40 UTC
Created attachment 624617 [details]
Xen 4.2.x
Comment 4 Swamp Workflow Management 2015-02-26 23:00:58 UTC
bugbot adjusting priority
Comment 5 Johannes Segitz 2015-03-04 08:55:14 UTC
CVE was assigned: CVE-2015-2152
Comment 6 Charles Arnold 2015-03-06 23:22:47 UTC
SLE12: MR#52782
SLE11-SP3: SR#52784
SLE11-SP2: SR#52786
Comment 7 Johannes Segitz 2015-03-12 13:36:05 UTC
public
Comment 8 Swamp Workflow Management 2015-03-27 09:08:14 UTC
SUSE-SU-2015:0613-1: An update that solves 8 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 861318,882089,895528,901488,903680,904255,906996,910254,910681,912011,918995,918998,919098,919464,919663
CVE References: CVE-2014-3615,CVE-2014-9065,CVE-2014-9066,CVE-2015-0361,CVE-2015-2044,CVE-2015-2045,CVE-2015-2151,CVE-2015-2152
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    xen-4.4.1_10-9.1
SUSE Linux Enterprise Server 12 (src):    xen-4.4.1_10-9.1
SUSE Linux Enterprise Desktop 12 (src):    xen-4.4.1_10-9.1
Comment 9 Swamp Workflow Management 2015-04-20 14:06:50 UTC
openSUSE-SU-2015:0732-1: An update that solves 7 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 861318,895528,901488,903680,910254,918995,918998,919098,919464,919663,922705,922706
CVE References: CVE-2014-3615,CVE-2015-2044,CVE-2015-2045,CVE-2015-2151,CVE-2015-2152,CVE-2015-2752,CVE-2015-2756
Sources used:
openSUSE 13.1 (src):    xen-4.3.4_02-41.1
Comment 10 Swamp Workflow Management 2015-06-22 10:08:11 UTC
openSUSE-SU-2015:1092-1: An update that solves 17 vulnerabilities and has 10 fixes is now available.

Category: security (important)
Bug References: 861318,882089,895528,901488,903680,906689,910254,912011,918995,918998,919098,919464,919663,921842,922705,922706,922709,923758,927967,929339,931625,931626,931627,931628,932770,932790,932996
CVE References: CVE-2014-3615,CVE-2015-2044,CVE-2015-2045,CVE-2015-2151,CVE-2015-2152,CVE-2015-2751,CVE-2015-2752,CVE-2015-2756,CVE-2015-3209,CVE-2015-3340,CVE-2015-3456,CVE-2015-4103,CVE-2015-4104,CVE-2015-4105,CVE-2015-4106,CVE-2015-4163,CVE-2015-4164
Sources used:
openSUSE 13.2 (src):    xen-4.4.2_06-23.1
Comment 11 Marcus Meissner 2015-12-19 16:36:28 UTC
released a while ago