|
Message-Id: <E1mzHNS-0001sS-ET@xenbits.xenproject.org> Date: Mon, 20 Dec 2021 12:02:50 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security-team-members@....org> Subject: Xen Security Advisory 391 v3 (CVE-2021-28711,CVE-2021-28712,CVE-2021-28713) - Rogue backends can cause DoS of guests via high frequency events -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2021-28711,CVE-2021-28712,CVE-2021-28713 / XSA-391 version 3 Rogue backends can cause DoS of guests via high frequency events UPDATES IN VERSION 3 ==================== Public release ISSUE DESCRIPTION ================= Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests via sending events at a high frequency leading to a Denial of Service in the guest due to trying to service interrupts for elongated amounts of time. There are three affected backends: * blkfront patch 1, CVE-2021-28711 * netfront patch 2, CVE-2021-28712 * hvc_xen (console) patch 3, CVE-2021-28713 IMPACT ====== Potentially malicious PV backends can cause guest DoS due to unhardened frontends in the guests, even though this ought to have been prevented by containing them within a driver domain. VULNERABLE SYSTEMS ================== All guests being serviced by potentially malicious backends are vulnerable, even if those backends are running in a less privileged environment. The vulnerability is not affecting the host, but the guests. MITIGATION ========== There is no known mitigation available. RESOLUTION ========== Applying the attached patches resolves this issue. xsa391-linux-1.patch Linux 5.15 xsa391-linux-2.patch Linux 5.15 xsa391-linux-3.patch Linux 5.15 $ sha256sum xsa391* e55d3f15a85ff31e62a291981de89f7b0c08da807db9b2a6a2b9cbb2e29847cd xsa391-linux-1.patch 163fc4b9966768eb74e3bc1858a0b0254eff771898bd5f4d71806beeae0ffd2a xsa391-linux-2.patch de888abe8d11d3204b4033b304cf3d66104a65956089e23f1736db682d3cedc4 xsa391-linux-3.patch $ CREDITS ======= This issue was discovered by Jürgen Groß of SUSE. DEPLOYMENT DURING EMBARGO ========================= Deployment of patches or mitigations is NOT permitted (except where all the affected systems and VMs are administered and used only by organisations which are members of the Xen Project Security Issues Predisclosure List). Specifically, deployment on public cloud systems is NOT permitted. This is because the patches need to be applied to the guests, which will be visible by the guest administrators. Deployment is permitted only AFTER the embargo ends. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmG8srwMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZz/kH/RFI60D9qJnbNmDMgtbvihwn+jeHI0ejS7en8Ojf CL9QftZ2+YdyxjMISOHCCaWgUKQQyF/n9chF5sMMOkWRfUPL2TDPPKTmEnC9XMOq MYIftwT0OoMAVVhrRU3FZUZtpvTeQstofOYhBGhElmeEibYU+DbjKiv4agTEE3+8 9M3cxDk3Zw9cO1/6tU3kYtPkbxVP3r6kZQSHnpRnKLbABXWJB3Y02cX09tU//mV7 2REisCWKViLcKoupYTUOQHPWOD+VFE48mwKB4D9H9t9aTyn5PVjH/jVhiGrqbbic ia8a0AKi5F9l8xIKha81+TGIbjCY+HCuLbaShRDnaU9/2Qc= =wKo2 -----END PGP SIGNATURE----- Download attachment "xsa391-linux-1.patch" of type "application/octet-stream" (2418 bytes) Download attachment "xsa391-linux-2.patch" of type "application/octet-stream" (8674 bytes) Download attachment "xsa391-linux-3.patch" of type "application/octet-stream" (4416 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.