May 16, 2013 · 9:41 pm
OpenSCAP is a project that lets you scan physical machines looking for known vulnerabilities or configuration problems (like public-writable directories).
Obviously it would be good to use this to scan guests, especially in a cloud scenario where you want to help naive users not to deploy guests that are just going to get pwned the minute they go online.
New upstream in OpenSCAP is the ability to scan chroots. You can use this to scan containers, or using guestmount, scan offline guests.
Usage with guestmount is described here or here.
(Thanks Daniel Kopecek and Peter Vrabec)
December 22, 2011 · 8:18 pm
Paolo Bonzini discovered that you can issue SCSI ioctls to virtio devices which are passed down to the host.
The very unfortunate part about this is it easily allows guests to read and write parts of host devices that they are not supposed to. For example, if a guest was confined to host device
/dev/sda3, it could read or write other partitions or the boot sector on
In your guest, try this command which reads the host boot sector:
sg_dd if=/dev/vda blk_sgio=1 bs=512 count=1 of=output
of arguments around to exploit the host.
Here’s Paolo’s write-up on LKML.
Here is the libguestfs mitigation patch. The libvirt mitigation patch.