-----BEGIN PGP SIGNED MESSAGE-----
Xen Security Advisory CVE-2018-14007 / XSA-271
XAPI HTTP directory traversal
UPDATES IN VERSION 2
XAPI has an unauthenticated HTTP endpoint update/ which exports the
contents of /var/update for other hosts to use.
However, the resolution of . and .. in paths is performed before url
unquoting is performed. This allows an attacker to traverse out of the
An unauthenticated user with access to the management network can read
arbitrary files from the dom0 filesystem. This includes the pool secret
/etc/xensource/ptoken which grants the attacker full administrator
All versions of XAPI since v1.13.0 are vulnerable.
If the directory /var/update doesn't exist, the vulnerability is not
In the recommended configuration, the management network is isolated and
isn't reachable from untrusted hosts, or by general network traffic.
This issue was discovered by Ronald Volgers of Computest
Applying the appropriate attached patch resolves this issue.
$ sha256sum xsa271*
REGENERATION OF POOL SECRET
There are no known exploits in the wild. If there is a risk that
credentials could have been stolen, they should be reset.
Most credentials can be reset via normal administrative means, but the
pool secret doesn't have any mechanism to reset. The following
instructions should be used:
1) On all pool members, stop Xapi:
# service xapi stop
2) On the pool master:
# rm /etc/xensource/ptoken
# /opt/xensource/libexec/genptoken -f -o /etc/xensource/ptoken
3) Copy /etc/xensource/ptoken to all pool slaves
4) On the pool master, restart the toolstack:
5) On all pool slaves, restart the toolstack:
Once the pool secret has been regenerated, the root password can be
# xe user-password-change
Furthermore, consideration should be given to other credentials, such as
(but not limited to) SSL keys, Storage SAN/iSCSI/NFS details, as well as
secrets contained within VMs disks/snapshots/etc.
DEPLOYMENT DURING EMBARGO
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
Xen-announce mailing list
xsa271-xapi.patch (1K) Download Attachment
|Free forum by Nabble||Edit this page|