SVG:Advisory-SVG-2015-CVE-2015-7835


Advisory-SVG-2015-CVE-2015-7835



** WHITE information - Unlimited distribution allowed                       **  

** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI SVG ADVISORY [EGI-SVG-Xen-CVE-2015-7835]
 
Title:       EGI SVG Advisory 'Critical' Risk 'Breakout' vulnerability for sites running 
             Xen where users have root inside their Virtual Machines -- CVE-2015-7835. 

Date:        2015-11-03
Updated:     

URL:         https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2015-CVE-2015-7835

Introduction
============

Xen is an open source Virtualization platform [R 1] and is used primarily for Cloud virtualization, 
including by some EGI Cloud Resource Providers. 

Xen issued several advisories on 29th October 2015. [R 2]

SVG considers one of these, CVE-2015-7835 [R 3], to be serious.

If a user inside a Virtual Machine has 'root' access to that Virtual Machine, this vulnerability allows 
that user to 'break out' of the Virtual Machine.  In EGI this is mainly relevant to EGI Federated Cloud 
sites that use Xen as their virtualization technology, since users there generally do have root access 
inside the Virtual Machine.


Details
=======

This is serious as it allows a user with root access to a VM to escape from the VM to the 'dom0' and 
get root there, and so easily affect all VMs running on that system.  The access complexity is also 
stated as 'Low', which SVG takes into account during risk assessment.

Sites should see [R 3], [R 4], and [R 5].  

Details of the bug itself are at [R 6] where it is also described as a 'Critical' bug.


Risk category
=============

This issue has been assessed as 'Critical' risk by the EGI SVG Risk Assessment Team.


Affected software
=================

Xen, where users are allowed root inside the Virtual Machine.

Generally applicable to the EGI Federated Cloud if Xen is used as the virtualization technology. 


Mitigation
==========

See the Xen Advisory [R 3].


Component installation information
==================================

See the Xen Advisory [R 3].


Recommendations
===============

All running resources deploying Xen MUST be either patched or have mitigation in place 
by 2015-11-10T21:00+01:00.

Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk 
site suspension. 


Credit
======

EGI SVG was alerted to these advisories by Alvaro Lopez Garcia.


References
==========

[R 1] http://www.xenproject.org/

[R 2] http://xenbits.xen.org/xsa/

[R 3] http://xenbits.xen.org/xsa/advisory-148.html 

[R 4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7835

[R 5] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7835

[R 6] https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-022-2015.txt


Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

We are currently revising the vulnerability issue handling procedure so suggestions and 
comments are welcome. 


Timeline  
========
Yyyy-mm-dd

2015-10-29 Advisories issued by Xen
2015-10-29 SVG alerted to these advisories by Alvaro Lopez Garcia.  
2015-11-02 EGI Software Vulnerability Group assessed one of these vulnerabilities as 'Critical'
2015-11-03 Advisory drafted and sent to sites