libxl allows guest write access to sensitive console related xenstore keys
The libxenlight (libxl) toolstack library does not correctly set permissions on xenstore keys relating to paravirtualised and emulated serial console devices. This could allow a malicious guest administrator to change values in xenstore which the host later relies on being implicitly trusted.
Improper permission assignment: permissions on console-related xenstore keys were not correctly set, leaving host-controlled values guest-writable.
libxl: Restrict permissions on PV console device xenstore nodes
Matthew Daley has observed that the PV console protocol places sensitive host state into guest-writeable xenstore locations. This includes:
- The pty used to communicate between the console backend daemon and its client, allowing the guest administrator to read and write arbitrary host files.
- The output file, allowing the guest administrator to write arbitrary host files or to target arbitrary qemu chardevs which include sockets, udp, pty, pipes etc. (see -chardev in qemu(1) for a more complete list).
- The maximum buffer size, allowing the guest administrator to consume more resources than the host administrator has configured.
- The backend to use (qemu vs xenconsoled), potentially allowing the guest administrator to confuse host software.
So we arrange to make the sensitive keys in the xenstore frontend directory read only for the guest. This is safe since the xenstore permissions model, unlike POSIX directory permissions, does not allow the guest to remove and recreate a node if it has write access to the containing directory.
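The permission argument above can be checked on a running host: `xenstore-ls -fp /local/domain/<domid>/console` prints each node with its permission list, where the first entry is the owning domain (whose letter is the default for every other domain) and later entries are per-domain overrides (`n` none, `r` read, `w` write, `b` both). The script below is an added example for this page, not code from Xen or libxl. It parses that output, applies the xenstore permission rule the commit message relies on (owner and dom0 always have full access; otherwise the first entry matching the domain wins, falling back to the owner entry's letter; removing a node needs write access to the node itself, not to its parent), and reports console-protocol keys that the guest could still write. The sample `xenstore-ls` output is constructed, and the choice of `tty`, `output`, `limit` and `type` as the sensitive keys is this example's reading of the four items listed above.

```python
"""Audit console xenstore nodes from `xenstore-ls -fp` output.

Added example for this advisory; not Xen or libxl code.  Models xenstored's
permission check (owner/dom0 full access, first matching per-domain entry,
owner letter as default) and flags guest-writable console keys.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Console protocol keys carrying host-side state (pty path, output target,
# buffer limit, backend type); treating exactly these as sensitive is this
# example's own assumption.
SENSITIVE_KEYS = {"tty", "output", "limit", "type"}

# xenstore-ls -fp line shape:  /path = "value"   (n0,r5)
LINE_RE = re.compile(r'^(/\S+) = "(.*)"\s+\(([^)]*)\)\s*$')
PATH_RE = re.compile(r"^/local/domain/(\d+)/console(?:/(.+))?$")


@dataclass(frozen=True)
class Node:
    path: str
    value: str
    perms: Tuple[Tuple[str, int], ...]  # ((letter, domid), ...), owner first


def parse_perms(spec: str) -> Tuple[Tuple[str, int], ...]:
    """'n0,r5' -> (('n', 0), ('r', 5)); rejects malformed entries."""
    out = []
    for entry in spec.split(","):
        entry = entry.strip()
        if len(entry) < 2 or entry[0] not in "nrwb" or not entry[1:].isdigit():
            raise ValueError(f"bad permission entry {entry!r}")
        out.append((entry[0], int(entry[1:])))
    return tuple(out)


def parse_xenstore_ls(text: str) -> List[Node]:
    nodes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised xenstore-ls line: {line!r}")
        nodes.append(Node(m.group(1), m.group(2), parse_perms(m.group(3))))
    return nodes


def can_write(node: Node, domid: int) -> bool:
    """Write check as xenstored applies it to a node (dom0 is privileged)."""
    owner_letter, owner = node.perms[0]
    if domid == 0 or domid == owner:
        return True
    letter = owner_letter  # default for domains without an explicit entry
    for l, d in node.perms[1:]:
        if d == domid:
            letter = l  # first matching entry wins
            break
    return letter in ("w", "b")


def can_remove(node: Node, domid: int) -> bool:
    """xenstore rm checks the node itself, not the containing directory, so a
    guest owning the directory cannot delete-and-recreate a dom0-owned key."""
    return can_write(node, domid)


def guest_writable_console_keys(nodes: List[Node]) -> Dict[int, List[str]]:
    """Guest domid -> sorted sensitive console keys that guest may write."""
    findings: Dict[int, List[str]] = {}
    for node in nodes:
        m = PATH_RE.match(node.path)
        if m is None or m.group(2) is None:
            continue  # not a console key (or the console directory itself)
        domid, key = int(m.group(1)), m.group(2)
        if key in SENSITIVE_KEYS and can_write(node, domid):
            findings.setdefault(domid, []).append(key)
    return {d: sorted(k) for d, k in findings.items()}


# Constructed sample: before the fix every frontend node is guest-owned (n5)
# with dom0 read access (r0), so the guest can rewrite tty/output/limit/type.
VULNERABLE_LS = """\
/local/domain/5/console = ""   (n5,r0)
/local/domain/5/console/backend = "/local/domain/0/backend/console/5/0"   (n5,r0)
/local/domain/5/console/backend-id = "0"   (n5,r0)
/local/domain/5/console/limit = "1048576"   (n5,r0)
/local/domain/5/console/type = "xenconsoled"   (n5,r0)
/local/domain/5/console/output = "pty"   (n5,r0)
/local/domain/5/console/tty = "/dev/pts/3"   (n5,r0)
/local/domain/5/console/ring-ref = "1234"   (n5,r0)
/local/domain/5/console/port = "2"   (n5,r0)
"""

# Constructed sample after the fix: the four host-state keys are dom0-owned
# with the guest read-only (n0,r5); directory and guest keys are unchanged.
FIXED_LS = """\
/local/domain/5/console = ""   (n5,r0)
/local/domain/5/console/backend = "/local/domain/0/backend/console/5/0"   (n5,r0)
/local/domain/5/console/backend-id = "0"   (n5,r0)
/local/domain/5/console/limit = "1048576"   (n0,r5)
/local/domain/5/console/type = "xenconsoled"   (n0,r5)
/local/domain/5/console/output = "pty"   (n0,r5)
/local/domain/5/console/tty = "/dev/pts/3"   (n0,r5)
/local/domain/5/console/ring-ref = "1234"   (n5,r0)
/local/domain/5/console/port = "2"   (n5,r0)
"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_LS), ("fixed", FIXED_LS)):
        print(label, guest_writable_console_keys(parse_xenstore_ls(text)))
```

On a real host, feed the script the captured output of `xenstore-ls -fp /local/domain/<domid>/console` for each running guest; any key reported for a domid other than 0 is one the guest can rewrite. The `can_remove` helper exists to make the commit message's point explicit: because removal is checked against the node rather than its parent, leaving the `console` directory guest-owned is safe once the four keys are owned by the backend domain.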
A malicious guest administrator can read and write any files in the host filesystem which are accessible to the user id running the xenconsole client binary. This may be the user id of a host administrator who connects to the guest’s console or the user id of any self service mechanism provided to guest administrators by the host provider.
As well as reading and writing files, an attacker with access to an HVM guest can cause any PV or serial consoles to be connected to a variety of network resources (sockets, udp connections) or other end points (fifos, pipes) in the host filesystem, according to the privileges granted to the qemu device model for that guest.
A malicious guest administrator can also redirect the VNC console port of the guest to another port on the host. This may expose the VNC port of other guests or of other firewalled services to an attack.
information leak, privilege escalation