Bug 549384

Description Agostino Sarubbo 2015-05-13 15:41:17 UTC

From ${URL} :

            Xen Security Advisory CVE-2015-3456 / XSA-133
                              version 2

          Privilege escalation via emulated floppy disk drive

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The code in qemu which emulates a floppy disk controller did not
correctly bounds check accesses to an array and therefore was
vulnerable to a buffer overflow attack.

IMPACT
======

A guest which has access to an emulated floppy device can exploit this
vulnerability to take over the qemu process elevating its privilege to
that of the qemu process.

VULNERABLE SYSTEMS
==================

All Xen systems running x86 HVM guests without stubdomains are
vulnerable to this depending on the specific guest configuration. The
default configuration is vulnerable.

Guests using either the traditional "qemu-xen" or upstream qemu device
models are vulnerable.

Guests using a qemu-dm stubdomain to run the device model are only
vulnerable to takeover of that service domain.

Systems running only x86 PV guests are not vulnerable.

ARM systems are not vulnerable.

MITIGATION
==========

Enabling stubdomains will mitigate this issue, by reducing the
escalation to only those privileges accorded to the service domain.

qemu-dm stubdomains are only available with the traditional "qemu-xen"
version.

CREDITS
=======

This issue was discovered by Jason Geffner, Senior Security Researcher
at CrowdStrike.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa133-qemuu.patch           qemu-upstream-unstable, Xen 4.5.x, Xen 4.4.x
xsa133-qemuu-4.3-4.2.patch   qemu-upstream-unstable, Xen 4.3.x, Xen 4.2.x
xsa133-qemut.patch           qemu-xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.