From a6df21c465012e6e1a7da4ac2be668a63fd50a07 Mon Sep 17 00:00:00 2001
From: Tu Dinh
Date: Mon, 7 Apr 2025 09:34:46 +0000
Subject: Restrict access to Xeniface WMI classes

The default security descriptor provided to WMI GUIDs allows xenstore access to LocalService and NetworkService accounts, which are supposed to have minimum privileges on the local system. Assign a security descriptor in xeniface.inf to restrict all WMI GUIDs. This is part of XSA-468 / CVE-2025-27463.

Signed-off-by: Tu Dinh
Reviewed-by: Owen Smith
---
 src/xeniface.inf | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/xeniface.inf b/src/xeniface.inf
index b5433920e987..07e2a91efa38 100644
--- a/src/xeniface.inf
+++ b/src/xeniface.inf
@@ -72,6 +72,16 @@ xenagent_@MAJOR_VERSION@_@MINOR_VERSION@_@MICRO_VERSION@_@BUILD_NUMBER@.dll,xena
 CopyFiles=XenIface_CopyFiles
 CopyFiles=XenAgent_CopyFiles
+[XenIface_Inst.WMI]
+WMIInterface={1D80EB99-A1D6-4492-B62F-8B4549FF0B5E},,XenIface_Inst.WMI.Security
+WMIInterface={12138A69-97B2-49DD-B9DE-54749AABC789},,XenIface_Inst.WMI.Security
+WMIInterface={AB8136BF-8EA7-420D-ADAD-89C83E587925},,XenIface_Inst.WMI.Security
+
+[XenIface_Inst.WMI.Security]
+; owned by BUILTIN\Administrators
+; grant GENERIC_ALL access to BUILTIN\Administrators and NT AUTHORITY\SYSTEM
+Security="O:BAG:BAD:(A;;GA;;;BA)(A;;GA;;;SY)"
+
 [XenIface_Inst.HW]
 AddReg=XenIface_Inst.HW.AddReg
-- 
2.47.1
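Review bot: The new [XenIface_Inst.WMI] section lists exactly three WMIInterface GUIDs, while the commit message says the descriptor restricts all WMI GUIDs; any GUID the driver registers that is absent from this list keeps the permissive default, so the list should be checked against every class (including event classes) declared in the driver's MOF before this is treated as a complete fix. The DACL `D:(A;;GA;;;BA)(A;;GA;;;SY)` denies LocalService and NetworkService only by omission, which is the intended effect but is easy to misread as incomplete; a comment such as `; principals without an ACE (e.g. LocalService, NetworkService) are denied` next to the existing two would make the intent explicit. Whether the new descriptor reaches an already-installed device depends on the DDInstall.WMI section being processed again on upgrade, which is not visible here and should be confirmed. The install section that owns the leading CopyFiles context lines begins before the hunk.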