Xen Xapi
cpe:2.3:o:xen:xapi:*:*:*:*:*:*:*
- ~1.249
- ~24
A metadata injection vulnerability has been identified in Xapi versions 1.249.x that allows a malicious virtual machine (VM) to make its disk appear to be a legitimate metadata backup. The vulnerability lies in the backup and restore functionality for Virtual Machine and Storage Repository (SR) metadata. The restore process, which is an explicit action taken by an administrator, searches through VDIs (Virtual Disk Images) in alphanumeric UUID order to locate the metadata. If a fraudulent backup is restored instead of a legitimate one, it could lead to unauthorized control over VM metadata, including VM creation, disk assignments, resource allocations, and GPU assignments.
Exploiting this vulnerability could result in the restoration of fraudulent metadata backups, allowing attackers to manipulate VM configurations and resource allocations on the host.
To reproduce this vulnerability, a malicious guest must create a fraudulent metadata backup within an SR that also contains a legitimate backup. The guest can then manipulate the UUID sorting of the VDIs to increase the chances of the fraudulent backup being selected during the restoration process. This exploitation would require persuading an administrator to perform the metadata restore action.
Users can apply the provided patches to Xapi v1.249.x releases. After updating Xapi, a new metadata backup should be taken to create a VDI with a deterministic UUID. The xsa459-xsconsole.patch is also needed to maintain the existing menu options and to confirm if restoring from a prior backup is necessary.
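The following added example (not Xapi code or part of the patches) models the UUID-ordered search described above next to a lookup pinned to one expected UUID, and audits an SR inventory before a restore. The `Vdi` fields, the UUID values and the `expected_uuid` parameter are assumptions made for illustration; the page does not say how the deterministic UUID is derived.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vdi:                     # hypothetical record, not Xapi's data model
    uuid: str
    guest_writable: bool       # disk content is controlled by a VM
    parses_as_backup: bool     # content has the layout of a metadata backup

def select_by_uuid_order(vdis):
    """Search as the advisory describes it: first match in alphanumeric UUID order."""
    ordered = sorted(vdis, key=lambda v: v.uuid)
    return next((v for v in ordered if v.parses_as_backup), None)

def select_by_expected_uuid(vdis, expected_uuid):
    """Pinned lookup: only the VDI with the known, deterministic UUID is eligible."""
    return next((v for v in vdis
                 if v.uuid == expected_uuid and v.parses_as_backup), None)

def audit_sr(vdis, expected_uuid):
    """Return findings an administrator should review before restoring metadata."""
    candidates = [v for v in vdis if v.parses_as_backup]
    findings = []
    if len(candidates) > 1:
        findings.append("multiple VDIs present as metadata backups")
    if any(v.guest_writable for v in candidates):
        findings.append("a backup candidate is a guest-writable disk")
    if not any(v.uuid == expected_uuid for v in candidates):
        # Matches the advice to take a new backup after updating Xapi.
        findings.append("no backup at the expected UUID; take a new backup")
    picked = select_by_uuid_order(vdis)
    if picked is not None and picked.uuid != expected_uuid:
        findings.append("UUID-ordered search would pick VDI " + picked.uuid)
    return findings

# Constructed sample SR: one legitimate backup and one guest disk imitating it.
EXPECTED = "deadbeef-0000-4000-8000-000000000001"   # placeholder value
SAMPLE_SR = [
    Vdi(EXPECTED, guest_writable=False, parses_as_backup=True),
    Vdi("0a1b2c3d-0000-4000-8000-000000000002", True, True),
    Vdi("7f7f7f7f-0000-4000-8000-000000000003", True, False),
]

if __name__ == "__main__":
    for finding in audit_sr(SAMPLE_SR, EXPECTED):
        print("FINDING:", finding)
```

On the sample inventory the ordered search returns the guest-writable disk, while the pinned lookup returns the legitimate backup.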