QEMU escape mitigations

S

simal

New Member
Oct 20, 2021
2
1
3
46
Hi all,

AFAIK latest Proxmox VE includes fixes for all known QEMU escapes out there, however I am interested in mitigations that can be implemented to prevent an attacker who would find and exploit a new QEMU vulnerability to attack other guests, or the host.

In this youtube video, an QEMU developer mentions 3 mitigations:
- run QEMU as an unprivileged user
- run QEMU with seccomp
- run QEMU with Mandatory Access Control (either SELinux or Apparmor)

But it looks like Proxmox VE runs QEMU as root, and does not use seccomp nor Apparmor for virtual machines. An attacker who manages to exploit and escape from QEMU would get root access on the host. Furthermore in a Proxmox cluster SSH keys are distributed across all servers, an attacker who gets root access on one server can SSH as root to all servers in the cluster.

I did not find configuration options in Proxmox VE documentation related to the 3 mitigations above, is there any way to tighten Proxmox VE cluster security?

All best
 
  • Like
Reactions: leesteken
Hi,
simal said:
- run QEMU as an unprivileged user
Click to expand...
This is the most sensible one, and we planned to look into it more closely and implemented in the future, albeit it may need some accustoming from users and may be opt-in, as it basically mostly relevant if you allow untrusted users onto a system (e.g., for hosting companies), for others it often only adds a lot of pain to manage while not providing that much benefit (an attacker would only require an extra step, with enough time that may happen too).

simal said:
- run QEMU with seccomp
- run QEMU with Mandatory Access Control (either SELinux or Apparmor)
Click to expand...
Those can help a bit, but for QEMU it's somewhat moot, if you do not trust the KVM in kernel why trust the MAC?
But we'll definitively look at those things and enable sensible and actual effective measurements in the future.

simal said:
I did not find configuration options in Proxmox VE documentation related to the 3 mitigations above, is there any way to tighten Proxmox VE cluster security?
Click to expand...
Update frequently, we patch the actual source of the issue, i.e., issues in the kernel or QEMU fast and deploy updates regularly.
Note that guest to host root break-outs are rather rare and often need a very specific configuration.
 
Last edited:
Hi Thomas, thanks for your answers!

Re MAC the rationale would be the following: indeed a vulnerability in the KVM kernel module is severe and MAC won't be any help. However historically most of the KVM/QEMU VM escapes exploited vulnerabilities in userspace QEMU. QEMU does most of the virtual devices emulation and has a larger attack surface than the KVM kernel modules.

Mitigations won't stop an attacker from gaining control to the QEMU process, but it would prevent them from attacking other guests or the host itself.
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom