Bug 170917 - app-emulation/xen-3.0.x QEMU VNC server allows remote root access (CVE-2007-0998)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/bugzilla/...
Whiteboard: ~0?? [noglsa] jaervosz
Blocks: 151764
Reported: 2007-03-14 17:54 UTC by Matt Drew (RETIRED)
Modified: 2007-05-02 18:51 UTC
Description Matt Drew (RETIRED) gentoo-dev 2007-03-14 17:54:18 UTC
A user allowed to connect to a VM running on Xen/QEMU can use a command sequence (CTRL+ALT+2) to access the QEMU monitor mode.  In this mode, the user can do things like remap CD-ROM drive access to arbitrary files on the host machine, allowing read/write access to files such as /etc/passwd on the host.  Essentially by using this tool the guest OS can write to restricted files on the host OS.

http://rhn.redhat.com/errata/RHSA-2007-0114.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0998

This may not apply to us.  Xen is masked, and the vulnerability requires the QEMU console access to be enabled.  Red Hat's fix was to disable the QEMU monitor mode.  Can someone from the Xen herd look into this and verify that we have the problem?
Comment 1 Micheal Marineau (RETIRED) gentoo-dev 2007-03-14 18:46:55 UTC
I assume we have this issue, but I don't have the hardware to test xen with fully virtualized guests (which is the only time vnc/qemu would be used).  I can look into how to disable monitor mode and just hope...
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-25 06:48:04 UTC
xen please advise and patch as necessary.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-04 06:51:00 UTC
xen please advise and patch as necessary.
Comment 4 Micheal Marineau (RETIRED) gentoo-dev 2007-04-11 00:37:27 UTC
Sorry for the delayed response, I was away from Gentoo for a while. I just now rolled a patch for Xen 3.0.4 similar to the one used by RedHat which is for Xen 3.0.3. Xen 3.0.4 is currently waiting in my overlay to push into portage. I don't yet have access to a machine that supports fully virtualized guests so my patch is entirely untested. As soon as I can test it I will push 3.0.4 into portage, which will also resolve a handful of other kernel related security issues.

Overlay: http://overlays.gentoo.org/svn/dev/marineam/xen
Patch: http://overlays.gentoo.org/svn/dev/marineam/xen/app-emulation/xen-tools/files/3.0.4_p1/xen-tools-remove-monitor-mode-from-vnc.patch
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-11 10:05:01 UTC
Thx Micheal.

Any ETA on when you can get it tested or do you want someone else to do it?
Comment 6 Micheal Marineau (RETIRED) gentoo-dev 2007-04-15 17:12:28 UTC
I now have hardware on order for the testing which should arrive in about a week to a week and a half.  If someone else has the ability to test things sooner then great. If someone can, please ping me on irc or via email.
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-02 11:51:47 UTC
Micheal, any news on this one?
Comment 8 Micheal Marineau (RETIRED) gentoo-dev 2007-05-02 16:50:42 UTC
(In reply to comment #7)
> Micheal, any news on this one?

I committed Xen 3.0.4 last night which includes this patch, so it is fixed now.

Xen 3.0.2 will remain in the tree for a little while since Xen upgrades can be quite nasty.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-02 18:51:14 UTC
Thx Micheal. Please don't close security bugs, though this time it was actually to be closed :)