一、漏洞描述
QEMU Guest Agent(qga)类似于vmware中的 vmtools,相关安全报告显示它的Windows版本安装程序存在本地提权高危漏洞(CVE-2023-0664),攻击者可利用该漏洞进行本地权限提升,获得SYSTEM特权运行的交互式命令行界面,可能对各类云主机产品产生一定影响,漏洞详细信息请见附件。它在windows中已qemu-ga服务和QEMU Guest Agent VSS Provider存在。
QEMU Guest Agent是一种QEMU虚拟机中的通用API,它提供了从主机到客户机的一系列工具和服务,包括安全的虚拟机控制、信息传递和虚拟硬件监控,为客户机提供更好的集成体验。详见:bug声明。
The custom action uses cmd.exe to run VSS Service installation
and removal which causes an interactive command shell to spawn.
This shell can be used to execute any commands as a SYSTEM user.
Even if call qemu-ga.exe directly the interactive command shell
will be spawned as qemu-ga.exe is a console application and used
by users from the console as well as a service.
As VSS Service runs from DLL which contains the installer and
uninstaller code, it can be run directly by rundll32.exe without
any interactive command shell.
Add specific entry points for rundll which is just a wrapper
for COMRegister/COMUnregister functions with proper arguments.
漏洞影响:所有FedoraOS,windows 虚拟机2023年3月之前的qga版本;
相关链接:rockylinux
二、修复处理
1)官方修复说明
参见:QGA installer fixes; qemu-kvm 8.0.0-rc0中已经得到修复,如下所示:
qga/win32: Remove change action from MSI installer
qga/win32: Use rundll for VSS installation
qga/installer/qemu-ga.wxs | 11 +++++±----
qga/vss-win32/install.cpp | 9 +++++++++
qga/vss-win32/qga-vss.def | 2 ++
3 files changed,
安装过程:
- 获取软件
- 安装驱动 virto serial driver
- 更新 balloon 驱动 (需要区分 2012, win7 版本的使用方法)
- 安装 qemu-ga
- 注册并重启 balloon 服务
- 测试可用性
注意事项:
1 balloon 服务只能够运行在 administrator 用户下
2 假如你只属于 administrators 组, 那么请你切换成 administrator 用户
3 假如 administrator 用户被隐藏, 那么需要管理员身份运行 cmd , 输入下面命令, 再切换用户:net user administrator /active:yes
2) 软件获取
wget https://fedorapeople.org/groups/virt/virtio-win/virtio-win.repo -O /etc/yum.repos.d/virtio-win.repo
yum install virtio-win
#iso 软件存放在
ls /usr/share/virtio-win/virtio-win.iso
#或者
wget https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/latest-virtio/virtio-win.iso
//或直接下载: 2023-09-19 06:30 9.7M
wget https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/archive-qemu-ga/qemu-ga-win-106.0.1-1.el9/qemu-ga-x86_64.msi
wget https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/archive-virtio/virtio-win-0.1.240-1/virtio-win-gt-x64.msi
#
3)安装
#windows server 2012挂载 virtio-win.iso
#双击virtio-win.iso打开,其下有三个重要目录:
1)guest-agent (含安装的二进制文件 (qemu-ga-x64.msi, qemu-ga-x86.msi)
2)vioserial ( virto-serail driver )
3)balloon (用于注册 balloon 服务):只能超级管理员运行
1)如上图所示,先更新 VIRTO-SERAIL DRIVER
即设备管理界面,更新 pci 简单通讯控制器 (使用 vioserail 目录中的驱动):
2)安装 BALLOON PCI 驱动 (WINDOWS 2012)
完成后重启云主机;
3) 双击安装qemu-ga-x86.msi 或 qemu-ga-x64.msi后,启动qemu guest agent 服务
4)启动 BALLOON 服务 (WIN2012)
复制光盘中 balloon 目录到 c:\Program Files,然后注册 balloon 服务后 重启,执行:
mkdir "c:\Program Files\balloon\2k12\amd64"
copy d:\balloon\2k12\amd64\* "c:\Program Files\balloon\2k12\amd64\."
cd c:\Program Files\balloon\2k12\amd64
blnsvr.exe -i
net stop balloonservice
net start balloonservice
5)建议找你的云厂商来协助升级,不建议自行升级qga版本
3、附录
3.1 redhat和Fedora的关系
1)在centos8之前:
Fedora ==》RedHat ==》CentOS
简单理解:Fedora 是RedHat的“试验场”,很多新功能和特性先加入Fedora 稳定后再加入RedHat(收费),然后从RedHat再拉出CentOS(免费,培养用户和生态)
2)在centos8这之后
Fedora ==》CentOS stream ==》 RedHat
上面是IBM(收购了redhat)取消CentOS,改为在Fedora 和 RedHat 之间滚动发布CentOS stream,这就使得Centos不再像之前那样可靠稳定,适合生产环境了。