https://xapi-project.github.io/xen-api/overview.html#object-model-overviewXapi contains functiona...">Xapi: Metadata injection attack against backup/restore funct... - vulnerability database | Vulners.comhttps://xapi-project.github.io/xen-api/overview.html#object-model-overviewXapi contains functiona...">https://xapi-project.github.io/xen-api/overview.html#object-model-overviewXapi contains functiona...">https://xapi-project.github.io/xen-api/overview.html#object-model-overviewXapi contains functiona...">
Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
xenXen ProjectXSA-459
HistoryJul 16, 2024 - 11:59 a.m.

Xapi: Metadata injection attack against backup/restore functionality

2024-07-1611:59:00
Xen Project
xenbits.xen.org
2
xapi
metadata injection
backup/restore
virtual machines
storage repositories
vdi
administrator action
fraudulent metadata
vulnerable systems
data-recovery action

AI Score

6.1

Confidence

Low

JSON

ISSUE DESCRIPTION

For a brief summary of Xapi terminology, see:
<a href=“https://xapi-project.github.io/xen-api/overview.html#object-model-overview”>https://xapi-project.github.io/xen-api/overview.html#object-model-overview</a>
Xapi contains functionality to backup and restore metadata about Virtual Machines and Storage Repositories (SRs).
The metadata itself is stored in a Virtual Disk Image (VDI) inside an SR. This is used for two purposes; a general backup of metadata (e.g. to recover from a host failure if the filer is still good), and Portable SRs (e.g. using an external hard drive to move VMs to another host).
Metadata is only restored as an explicit administrator action, but occurs in cases where the host has no information about the SR, and must locate the metadata VDI in order to retrieve the metadata.
The metadata VDI is located by searching (in UUID alphanumeric order) each VDI, mounting it, and seeing if there is a suitable metadata file present. The first matching VDI is deemed to be the metadata VDI, and is restored from.
In the general case, the content of VDIs are controlled by the VM owner, and should not be trusted by the host administrator.
A malicious guest can manipulate its disk to appear to be a metadata backup.
A guest cannot choose the UUIDs of its VDIs, but a guest with one disk has a 50% chance of sorting ahead of the legitimate metadata backup. A guest with two disks has a 75% chance, etc.

IMPACT

If a fraudulent metadata backup has been written into an SR which also contains a legitimate metadata backup, and an administrator explicitly chooses to restore from backup, the fraudulent metadata might be consumed instead of the legitimate metadata.
Control over meta data includes: which VMs are created, disk assignment, vCPU/RAM requirements, GPU allocation, etc.

VULNERABLE SYSTEMS

Systems running Xapi v1.249.x are affected.
Systems running Xapi v24.x are potentially affected. However it is believed that the only supported products using this version of Xapi have not shipped the metadata backup/restore functionality.
To leverage the vulnerability, an attacker would likely need insider information to construct a plausible-looking metadata backup, and would have to persuade a real administrator to perform a data-recovery action.

Related

osv 1
ubuntucve 1
osv
osv
CVE-2024-31144
2024-07-17 00:00:00
ubuntucve
ubuntucve
CVE-2024-31144
2024-07-17 00:00:00

AI Score

6.1

Confidence

Low

JSON
Related for XSA-459
osv1ubuntucve1