[XSA-258] Information leak via crafted user-supplied CDROM
ISSUE DESCRIPTION
QEMU handles many different file formats for virtual disks (e.g., raw,
qcow2, vhd, &c). Some of these formats are "snapshots" that specify
"patches" to an alternate disk image, whose filename is included in
the snapshot file.
When qemu is given a disk but the type is not specified, it attempts
to guess the file format by reading it. If a disk image is intended
to be 'raw', but the image is entirely controlled by an attacker, the
attacker could write a header to the image, describing one of these
"snapshot" formats, and pointing to an arbitrary file as the "backing"
file.
When attaching disks via command-line parameters at boot time
(including both "normal" disks and CDROMs), libxl specifies the
format; however, when inserting a CDROM live via QMP, the format was
not specified.
IMPACT
An attacker supplying a crafted CDROM image can read any file (or
device node) on the dom0 filesystem with the permissions of the qemu
devicemodel process. (The virtual CDROM device is read-only, so
no data can be written.)
VULNERABLE SYSTEMS
Only x86 HVM guests with a virtual CDROM device are affected. ARM
guests, x86 PV guests, x86 PVH guests, and x86 HVM guests without a
virtual CDROM device are not affected.
Only systems with qemu running in dom0 are affected; systems running
stub domains are not affected. Only systems using qemu-xen (aka
"qemu-upstream" are affected; systems running qemu-xen-traditional
are not affected.
Only systems in which an attacker can provide a raw CDROM image, and
cause that image to be virtually inserted while the guest is running,
are affected. Systems which only have host administrator-supplied
CDROM images, or systems which allow images to be added only at boot
time, are not affected.
| Package | Affected Version |
|---|---|
 pkg:generic/xen
|
= 4.9.x |
|
pkg:generic/xen
|
= 4.10.x |
|
pkg:generic/xen
|
= 4.6.x |
|
pkg:generic/xen
|
= 4.7.x |
|
pkg:generic/xen
|
= 4.8.x |
- ID
- XSA-258
- Severity
- medium
- Severity from
- CVE-2018-10472
- URL
- http://xenbits.xen.org/xsa/advisory-258.html
- Published
-
2018-04-25T12:00:00
(6 years ago) - Modified
-
2018-04-25T12:00:00
(6 years ago) - Rights
- Xen Project
- Other Advisories
-
-
ALPINE:CVE-2018-10472
-
DSA-4201-1
-
FEDORA-2018-5521156807
-
FEDORA-2018-604574c943
-
FEDORA-2018-683dfde81a
-
FEDORA-2018-73dd8de892
-
FEDORA-2018-a7862a75f5
-
FEDORA-2018-a7ac26523d
-
FEDORA-2018-d3cb6f113c
-
FEDORA-2018-eb69078020
-
FEDORA-2019-bce6498890
-
GLSA-201810-06
-
SUSE-SU-2018:1177-1
-
SUSE-SU-2018:1181-1
-
SUSE-SU-2018:1184-1
-
SUSE-SU-2018:1202-1
-
SUSE-SU-2018:1203-1
-
SUSE-SU-2018:1216-1
-
SUSE-SU-2018:3230-1
-
| Source | # ID | Name | URL |
|---|---|---|---|
| Xen Project | XSA-258 | Security Advisory |
|
| Xen Project | XSA-258 | Signed Security Advisory |
|
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:generic/xen | xen | = 4.9.x | ||||
| Affected | pkg:generic/xen | xen | = 4.10.x | ||||
| Affected | pkg:generic/xen | xen | = 4.6.x | ||||
| Affected | pkg:generic/xen | xen | = 4.7.x | ||||
| Affected | pkg:generic/xen | xen | = 4.8.x |
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |