Xen Project Security Advisory XSA-198

delimiter injection vulnerabilities in pygrub

Published: 2016-11-22 12:00:00
Source: Xen Project, xenbits.xen.org

CVSS3: 7.9 High
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Attack Vector: LOCAL; Attack Complexity: LOW; Privileges Required: HIGH; User Interaction: NONE; Scope: CHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: NONE

CVSS2: 4.6 Medium
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P
Access Vector: LOCAL; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL

EPSS: 0.001 Low (Percentile: 24.9%)

ISSUE DESCRIPTION

pygrub, the boot loader emulator, fails to quote (or sanity check) its results when reporting them to its caller.
pygrub supports a number of output formats. When the S-expression output format is requested, putting string quotes and S-expressions in the bootloader configuration file can produce incorrect output. (CVE-2016-9379)
When the nul-delimited output format is requested, nul bytes in the bootloader configuration file can produce an ambiguous or confusing output file, which is interpreted by libxl in a vulnerable way. (CVE-2016-9380)
The existing bootloader config interpreters all read input in a line-based way from their bootloaders, and none of them support any kind of escaping. So the newline-delimited output format is safe.
The attacker can use this to cause the toolstack to treat any file accessible to the toolstack as if it were the guest’s initial ramdisk file. The file contents are provided to the guest kernel; also, normally, these files are deleted by the toolstack as the guest starts to boot; alternatively they may be deleted later.
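The description above turns on one point: an output format whose values are neither escaped nor checked lets a value that contains the delimiter (a double quote in the S-expression format, a NUL byte in the nul-delimited format) be read by the consumer as extra or shifted fields. The following added example is not pygrub's or libxl's code; it is an illustration of the two safe alternatives, escaping the delimiter (for the S-expression format) or refusing a value that cannot be represented (for the nul-delimited format), together with round-trip parsers that confirm the consumer recovers exactly the fields that were emitted. The entry data, function names and the `(linux (key "value") ...)` layout are constructed for the example and are not taken from pygrub's real output.

```python
import re

# Constructed sample: the fields a bootloader emulator would report for
# one boot entry. Hypothetical values, not from any real configuration.
SAMPLE_ENTRY = {
    "kernel": "/boot/vmlinuz-4.4",
    "ramdisk": "/boot/initrd.img-4.4",
    "args": 'root=/dev/xvda1 console="hvc0" ro',
}


def sexpr_escape(value: str) -> str:
    """Escape a string for a double-quoted S-expression atom.

    Backslash and double quote are escaped so a value can never terminate
    the atom early and inject further S-expression structure."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def to_sexpr(entry: dict) -> str:
    """Emit one boot entry with every value quoted and escaped (hypothetical layout)."""
    parts = [f'({key} "{sexpr_escape(str(val))}")' for key, val in entry.items()]
    return "(linux " + " ".join(parts) + ")"


# One atom: (key "value"), where value may contain backslash escapes.
_ATOM = re.compile(r'\((\w+) "((?:[^"\\]|\\.)*)"\)')


def parse_sexpr(text: str) -> dict:
    """Consumer side: read back the atoms produced by to_sexpr, undoing escapes."""
    return {key: re.sub(r"\\(.)", r"\1", raw) for key, raw in _ATOM.findall(text)}


def nul_delimited_is_safe(entry: dict) -> bool:
    """True if every field can be represented unambiguously in a NUL-delimited record.

    The format has no escaping, so a NUL inside a value would shift every
    following field when the consumer splits the record."""
    return all(b"\x00" not in str(v).encode() for v in entry.values())


def to_nul_delimited(entry: dict) -> bytes:
    """Emit fields separated and terminated by NUL; refuse unrepresentable values."""
    if not nul_delimited_is_safe(entry):
        raise ValueError("a field contains a NUL byte and cannot be represented")
    return b"\x00".join(str(v).encode() for v in entry.values()) + b"\x00"


def parse_nul_delimited(blob: bytes, keys: list) -> dict:
    """Consumer side: split the record and insist on exactly the expected field count."""
    parts = blob.split(b"\x00")
    if parts[-1] != b"" or len(parts) - 1 != len(keys):
        raise ValueError("unexpected field count in NUL-delimited record")
    return {k: p.decode() for k, p in zip(keys, parts[:-1])}


if __name__ == "__main__":
    # Both formats round-trip the sample entry, including the quote in "args".
    print(to_sexpr(SAMPLE_ENTRY))
    print(parse_sexpr(to_sexpr(SAMPLE_ENTRY)) == SAMPLE_ENTRY)
    record = to_nul_delimited(SAMPLE_ENTRY)
    print(parse_nul_delimited(record, list(SAMPLE_ENTRY)) == SAMPLE_ENTRY)
```

The strict field count in `parse_nul_delimited` is the consumer-side check: even if an emitter without the NUL check were used, a record with the wrong number of fields is rejected instead of being interpreted with shifted meanings.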

IMPACT

A malicious guest administrator can obtain the contents of sensitive host files (an information leak).
Additionally, a malicious guest administrator can cause files on the host to be removed, causing a denial of service. In some unusual host configurations, the ability to remove certain files may be usable for privilege escalation.

VULNERABLE SYSTEMS

Xen versions 2.0 and later are vulnerable.
The vulnerability is only exposed to guests configured by the host administrator to boot using pygrub. In the xl and xm domain configuration file, this is typically achieved with bootloader="pygrub". On x86 this would typically apply only to PV domains.
All systems using xl, libxl, or libvirt are vulnerable to pygrub-using guests.
Systems using other (third-party) toolstacks may or may not be vulnerable, depending on whether pygrub is configured, and what pygrub output format they use. Please consult your toolstack provider.

CPE Name: xen
Operator: ge
Version: 2.0
