SecurityTracker.com
Category:   Application (Generic)  >   Xen
Vendors:   Xen Project
Xen Qemu Guest Agent Insecure File Permissions Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1028521
SecurityTracker URL:  http://securitytracker.com/id/1028521
CVE Reference:   CVE-2013-2007
Date:  May 7 2013
Impact:   User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in Xen. A local guest user can obtain elevated privileges on the target guest system.

The qemu guest agent (qga) creates files with insecure permissions (e.g., world writable) when started in daemon mode. A local user on the guest system may be able to obtain elevated privileges on the guest system.

Impact:   A local user on the guest operating system can obtain elevated privileges on the target guest system.
Solution:   No solution was available at the time of this entry.

As a workaround, the guest agent can be disabled.

[Editor's note: An upstream patch is available for qemu.]

Vendor URL:  xen.org/
Cause:   Access control error
Underlying OS:  Linux (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 3 2013 (Red Hat Issues Fix) Xen Qemu Guest Agent Insecure File Permissions Lets Local Users Gain Elevated Privileges
Red Hat has issued a fix for qemu-kvm-rhev for Red Hat Enterprise Linux 6.
Jun 3 2013 (Red Hat Issues Fix) Xen Qemu Guest Agent Insecure File Permissions Lets Local Users Gain Elevated Privileges
Red Hat has issued a fix for qemu-kvm for Red Hat Enterprise Linux 6.



 Source Message Contents

Subject:  [oss-security] Xen Security Advisory 51 (CVE-2013-2007) - qemu guest agent (qga) insecure file permissions


	     Xen Security Advisory CVE-2013-2007 / XSA-51
                              version 2

           qemu guest agent (qga) insecure file permissions

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The qemu guest agent creates files with insecure permissions when
started in daemon mode.

IMPACT
======

The qemu guest agent is not used by default in Xen systems.

If it is used in a particular guest, unprivileged guest processes
might be able to escalate their privilege to that of the guest.

VULNERABLE SYSTEMS
==================

We are not aware of any Xen installations using the qemu guest agent.

However, the program is built and installed (as the executable
`qemu-ga') as part of the Xen management tools by the Xen build
system.  It is possible that a system administrator, or downstream
system integrator, might have arranged to execute qemu-ga.

If you have not taken steps to run qemu-ga, you are not vulnerable.

MITIGATION
==========

Disabling the guest agent will eliminate the vulnerability.

RESOLUTION
==========

Patches to resolve this problem are available from the upstream qemu
project via the usual channels.  The Xen Project Security Team do not
intend to provide or distribute patches for this vulnerability.

DETAILS
=======

At the time of writing the information we have about this
vulnerability is as follows:

  Subject: [PATCH] qga: set umask 0077 when daemonizing (CVE-2013-2007)

  The qemu guest agent creates a bunch of files with insecure permissions
  when started in daemon mode. For example:

    -rw-rw-rw- 1 root root /var/log/qemu-ga.log
    -rw-rw-rw- 1 root root /var/run/qga.state
    -rw-rw-rw- 1 root root /var/log/qga-fsfreeze-hook.log

  In addition, at least all files created with the "guest-file-open" QMP
  command, and all files created with shell output redirection (or
  otherwise) by utilities invoked by the fsfreeze hook script are affected.

  ...

For authoritative further information, and patches, please refer to
the information provided by the qemu upstream project.
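The advisory's patch subject names the fix as setting umask 0077 when daemonizing. The following C program is an added example, not code from the advisory or from qemu: it shows how the process umask decides the final permissions of a file that a daemon opens with a requested mode of 0666. The function name, the scratch path under /tmp, and the assumption that a cleared umask (0) is how such a daemon ends up with -rw-rw-rw- files are all illustrative.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create a file the way a logging daemon typically does (requested mode
 * 0666) while the given umask is in effect, and return the permission
 * bits the file actually received, or -1 on error.
 * The caller's umask is restored before returning.
 * The path is a constructed scratch file, not one of the agent's files. */
int mode_created_under(mode_t mask)
{
    char path[64];
    struct stat st;
    int result = -1;

    snprintf(path, sizeof(path), "/tmp/umask-demo-%ld.log", (long)getpid());

    mode_t saved = umask(mask);
    /* O_EXCL: refuse to reuse an existing file or follow a planted symlink. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    umask(saved);

    if (fd < 0)
        return -1;
    if (fstat(fd, &st) == 0)
        result = (int)(st.st_mode & 0777);
    close(fd);
    unlink(path);
    return result;
}

int main(void)
{
    /* Assumed failure case: the mask is cleared, so nothing is filtered
     * and the file matches the -rw-rw-rw- listings in the advisory. */
    printf("umask 0000 -> %04o\n", (unsigned)mode_created_under(0));
    /* Value from the patch subject: group and other bits are stripped. */
    printf("umask 0077 -> %04o\n", (unsigned)mode_created_under(0077));
    return 0;
}
```

Because the umask is inherited across fork and exec, the same filtering applies to files created by child processes such as the fsfreeze hook script mentioned in the advisory.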
 
 



Copyright 2019, SecurityGlobal.net LLC