From 4e5a7c9297f589c155c7991b7202880fbb98e750 Mon Sep 17 00:00:00 2001 From: Xen Project Security Team Date: Tue, 16 Jul 2024 12:45:11 +0000 Subject: [PATCH] XSA-459 CVE-2024-31144 Xensec source data: xsa.git#xsa-459-v2 Xensec source infra: xsa.git#359ea0d50c606f843cd69bb82ed1a4b78e0f7013 --- 2024/31xxx/CVE-2024-31144.json | 120 ++++++++++++++++++++++++++++----- 1 file changed, 105 insertions(+), 15 deletions(-) diff --git a/2024/31xxx/CVE-2024-31144.json b/2024/31xxx/CVE-2024-31144.json index cc8968e1f999..75de1dd4f1eb 100644 --- a/2024/31xxx/CVE-2024-31144.json +++ b/2024/31xxx/CVE-2024-31144.json @@ -1,18 +1,108 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", - "CVE_data_meta": { - "ID": "CVE-2024-31144", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" - }, - "description": { - "description_data": [ + "CVE_data_meta" : { + "ASSIGNER" : "security@xenproject.org", + "ID" : "CVE-2024-31144" + }, + "affects" : { + "vendor" : { + "vendor_data" : [ { - "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "product" : { + "product_data" : [ + { + "product_name" : "", + "version" : { + "version_data" : [ + { + "version_affected" : "?", + "version_value" : "consult Xen advisory XSA-459" + } + ] + } + } + ] + }, + "vendor_name" : "" } - ] - } -} \ No newline at end of file + ] + } + }, + "configuration" : { + "configuration_data" : { + "description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "Systems running Xapi v1.249.x are affected.\n\nSystems running Xapi v24.x are potentially affected. However it is\nbelieved that the only supported products using this version of Xapi\nhave not shipped the metadata backup/restore functionality.\n\nTo leverage the vulnerability, an attacker would likely need insider\ninformation to construct a plausible-looking metadata backup, and would\nhave to persuade a real administrator to perform a data-recovery action." + } + ] + } + } + }, + "credit" : { + "credit_data" : { + "description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "This issue was discovered by XenServer." + } + ] + } + } + }, + "data_format" : "MITRE", + "data_type" : "CVE", + "data_version" : "4.0", + "description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "Xapi: Metadata injection attack against backup/restore functionality\n\nFor a brief summary of Xapi terminology, see:\n\n https://xapi-project.github.io/xen-api/overview.html#object-model-overview\n\nXapi contains functionality to backup and restore metadata about Virtual\nMachines and Storage Repositories (SRs).\n\nThe metadata itself is stored in a Virtual Disk Image (VDI) inside an\nSR. This is used for two purposes; a general backup of metadata\n(e.g. to recover from a host failure if the filer is still good), and\nPortable SRs (e.g. using an external hard drive to move VMs to another\nhost).\n\nMetadata is only restored as an explicit administrator action, but\noccurs in cases where the host has no information about the SR, and must\nlocate the metadata VDI in order to retrieve the metadata.\n\nThe metadata VDI is located by searching (in UUID alphanumeric order)\neach VDI, mounting it, and seeing if there is a suitable metadata file\npresent. The first matching VDI is deemed to be the metadata VDI, and\nis restored from.\n\nIn the general case, the content of VDIs are controlled by the VM owner,\nand should not be trusted by the host administrator.\n\nA malicious guest can manipulate its disk to appear to be a metadata\nbackup.\n\nA guest cannot choose the UUIDs of its VDIs, but a guest with one disk\nhas a 50% chance of sorting ahead of the legitimate metadata backup. A\nguest with two disks has a 75% chance, etc." + } + ] + }, + "impact" : { + "impact_data" : { + "description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "If a fraudulent metadata backup has been written into an SR which also\ncontains a legitimate metadata backup, and an administrator explicitly\nchooses to restore from backup, the fraudulent metadata might be\nconsumed instead of the legitimate metadata.\n\nControl over meta data includes: which VMs are created, disk assignment,\nvCPU/RAM requirements, GPU allocation, etc." + } + ] + } + } + }, + "problemtype" : { + "problemtype_data" : [ + { + "description" : [ + { + "lang" : "eng", + "value" : "unknown" + } + ] + } + ] + }, + "references" : { + "reference_data" : [ + { + "url" : "https://xenbits.xenproject.org/xsa/advisory-459.txt" + } + ] + }, + "workaround" : { + "workaround_data" : { + "description" : { + "description_data" : [ + { + "lang" : "eng", + "value" : "Not using the metadata restore functionality avoids the vulnerability." + } + ] + } + } + } +}