History: Jun 20, 2013 - 12:00 p.m.

libxl allows guest write access to sensitive console related xenstore keys

2013-06-20 12:00:00
Xen Project
xenbits.xen.org

CVSS2: 7.4 High
Attack Vector: ADJACENT_NETWORK
Attack Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:A/AC:M/Au:S/C:C/I:C/A:C

EPSS: 0.001 Low
Percentile: 26.7%

ISSUE DESCRIPTION

The libxenlight (libxl) toolstack library does not correctly set permissions on xenstore keys relating to paravirtualised and emulated serial console devices. This could allow a malicious guest administrator to change values in xenstore which the host later relies on being implicitly trusted.
This vulnerability has not yet been assigned a CVE Candidate number by MITRE. We will issue an updated version of XSA-57 when this is available.
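
An added example, not part of the advisory or of Xen's own code: a Python audit that parses `xenstore-ls -f -p` output and lists console and serial keys that the owning guest domain can write. The line format, the `console` and `serial` subtree names and the sample listing are assumptions constructed for illustration; some keys in these subtrees may legitimately be guest-writable, so treat the result as a review list.

```python
import re

# Constructed sample; line format assumed for `xenstore-ls -f -p`:
#   <path> = "<value>"   (<perm><domid>[,<perm><domid>...])
# Key names are illustrative, not taken from the advisory.
SAMPLE = """\
/local/domain/5/name = "guest5"   (n0,r5)
/local/domain/5/console/tty = "/dev/pts/3"   (n5)
/local/domain/5/console/vnc-port = "5900"   (n0,b5)
/local/domain/5/console/ring-ref = "1234"   (n0,r5)
/local/domain/5/serial/0/tty = "/dev/pts/4"   (r5)
/local/domain/7/console/tty = "/dev/pts/6"   (n0,r7)
"""

LINE = re.compile(
    r'^(?P<path>/\S+) = "(?P<value>.*)"\s.*?'
    r'\((?P<perms>[nrwb]\d+(?:,[nrwb]\d+)*)\)\s*$')
WATCHED = ("console", "serial")  # assumed subtree names under the guest's path

def guest_can_write(perms, domid):
    """xenstore ACL: the first entry names the owner (who can always read and
    write) and the default for unlisted domains; later entries are per-domain.
    Modes: n = none, r = read, w = write, b = both."""
    entries = [(p[0], int(p[1:])) for p in perms.split(",")]
    default, owner = entries[0]
    if owner == domid:
        return True
    for mode, dom in entries[1:]:
        if dom == domid:
            return mode in "wb"
    return default in "wb"

def audit(listing):
    """Return (domid, path, perms) for watched keys the guest itself can write."""
    findings = []
    for line in listing.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        parts = m["path"].split("/")  # ['', 'local', 'domain', '<domid>', ...]
        if len(parts) < 5 or parts[1:3] != ["local", "domain"] or not parts[3].isdigit():
            continue
        domid = int(parts[3])
        if domid != 0 and parts[4] in WATCHED and guest_can_write(m["perms"], domid):
            findings.append((domid, m["path"], m["perms"]))
    return findings

if __name__ == "__main__":
    for domid, path, perms in audit(SAMPLE):
        print(f"dom{domid} can write {path} ({perms})")
```

On a host, feed it the captured output of `xenstore-ls -f -p` instead of `SAMPLE`.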

IMPACT

A malicious guest administrator can read and write any files in the host filesystem which are accessible to the user id running the xenconsole client binary. This may be the user id of a host administrator who connects to the guest’s console or the user id of any self service mechanism provided to guest administrators by the host provider.
As well as reading and writing files, an attacker with access to an HVM guest can cause any PV or serial consoles to be connected to a variety of network resources (sockets, UDP connections) or other end points (FIFOs, pipes) in the host filesystem according to the privileges granted to the qemu device model for that guest.
A malicious guest administrator can also redirect the VNC console port of the guest to another port on the host. This may expose the VNC port of other guests or of other firewalled services to an attack.

VULNERABLE SYSTEMS

All systems which use libxl as part of the toolstack are vulnerable.
libxl is present in Xen versions 4.0 onwards.
The major consumer of libxl functionality is the xl toolstack which became the default in Xen 4.2.
In addition to this libvirt can optionally make use of libxl. This can be queried with
    # virsh version
which will report “xenlight” if libxl is in use. libvirt currently prefers the xend backend if xend is running.
The xend and xapi toolstacks do not currently use libxl.
