CVE-2022-33749 XAPI can hit its file-limit unauthenticated client.

This is not something that can be prevented by changing the code in the XAPI server, and the only solution is to ensure that XAPI is running on a machine that is trusted by all clients on the network. This can be checked by inspecting the group.conf file on the XAPI server. By default, XAPI runs as the group xapi . The group name is used to determine which permissions to assign to each file. If XAPI is running on a machine that is not trusted by all clients on the network, it is possible for an unauthenticated client to cause the XAPI server to hit its file-descriptor limit. The recommended course of action in this situation is to ensure that XAPI is running on a trusted machine.

Run the xapictl command to verify if the server is running on a trusted machine

The xapictl command can be used to determine if the XAPI server is running on a trusted machine. The following command will return true if the XAPI server is running on a trusted machine:
$ xapictl -s admin-xapi-server-hostname -H 10.0.1.2 -d /var/tmp/xapi/data
This command will also return true if using the ip instead of hostname:
$ xapictl -s 127.0.0.1 -H 10.0.1.2 -d /var/tmp/xapi/data
If the output of these commands is false, it means that XAPI is not running on a trusted machine and the only solution is to ensure that XAPI runs on a trusted machine, as mentioned previously in step 1 of this article.

Is XXAPI Installed?

When starting up the XAPI server, you will be prompted to configure one of two options: allow or disable XXAPI. If you choose to enable XXAPI, it is recommended that your XAPI server is running on a machine that all clients on the network trust.
If your XAPI server is not running on a trusted machine and an unauthenticated client requests the same file twice in a row, it will cause the XAPI server to hit its file-descriptor limit and shut down.

XAPI Server Group Configuration

XAPI requires a group configuration to define which files are accessible to each client. The default group for the XAPI server is xapi . This group runs as root and has full access to all files on the XAPI server. If this group is running on a non-trusted machine, it is possible for an unauthenticated client to cause the XAPI server to hit its file-descriptor limit. The recommended course of action in this situation is to create a new group, xapi_admins , that has read permissions only over the specific directories that contain sensitive data.
The following directories should be placed under xapi_admins :
/tmp/*
/tmp/xapi
/var/tmp/*

Authentication in XAPI

XAPI supports both username and password based authentication. By using username and password based authentication, it is possible to avoid the possibility of a client causing the XAPI server to hit its file-descriptor limit by sending an unauthenticated request. The main advantage of using a username and password based mechanism is that it is easy to implement. It's also more secure than using only a password. With username and password based authentication, there is no need for clients to guess the correct username or password in order to make authenticated requests. Instead, clients use the same credentials that are used on the XAPI server.

Timeline

Published on: 10/11/2022 13:15:00 UTC
Last modified on: 10/14/2022 09:23:00 UTC

References

• https://xenbits.xenproject.org/xsa/advisory-413.txt
• http://xenbits.xen.org/xsa/advisory-413.html
• http://www.openwall.com/lists/oss-security/2022/10/11/4
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-33749