Xen: Privilege Escalation — GLSA 201703-07

A vulnerability in Xen's bundled QEMU version might allow privilege escalation.

Affected Packages

app-emulation/xen-tools on all architectures
Affected versions < 4.7.1-r8
Unaffected versions >= 4.7.1-r8

Background

Xen is a bare-metal hypervisor.

Description

In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine cirrus_bitblt_cputovideo fails to check wethehr the specified memory region is safe.

Impact

A local attacker could potentially execute arbitrary code with privileges of Xen (QEMU) process on the host, gain privileges on the host system, or cause a Denial of Service condition.

Workaround

Running guests in Paravirtualization (PV) mode, or running guests in Hardware-assisted virtualizion (HVM) utilizing stub domains mitigate the issue.

Running HVM guests with the device model in a stubdomain will mitigate the issue.

Changing the video card emulation to stdvga (stdvga=1, vga=”stdvga”, in the xl domain configuration) will avoid the vulnerability.

Resolution

All Xen Tools users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose
 ">=app-emulation/xen-tools-4.7.1-r8"
 

References

Release Date
March 28, 2017

Latest Revision
March 28, 2017: 1

Severity
normal

Exploitable
local

Bugzilla entries