Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1mzHNS-0001sS-ET@xenbits.xenproject.org>
Date: Mon, 20 Dec 2021 12:02:50 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security-team-members@....org>
Subject: Xen Security Advisory 391 v3 (CVE-2021-28711,CVE-2021-28712,CVE-2021-28713)
 - Rogue backends can cause DoS of guests via high frequency events

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

 Xen Security Advisory CVE-2021-28711,CVE-2021-28712,CVE-2021-28713 / XSA-391
                                   version 3

   Rogue backends can cause DoS of guests via high frequency events

UPDATES IN VERSION 3
====================

Public release

ISSUE DESCRIPTION
=================

Xen offers the ability to run PV backends in regular unprivileged
guests, typically referred to as "driver domains". Running PV backends
in driver domains has one primary security advantage: if a driver domain
gets compromised, it doesn't have the privileges to take over the
system.

However, a malicious driver domain could try to attack other guests via
sending events at a high frequency leading to a Denial of Service in the
guest due to trying to service interrupts for elongated amounts of time.

There are three affected backends:
 * blkfront          patch 1, CVE-2021-28711
 * netfront          patch 2, CVE-2021-28712
 * hvc_xen (console) patch 3, CVE-2021-28713

IMPACT
======

Potentially malicious PV backends can cause guest DoS due to unhardened
frontends in the guests, even though this ought to have been prevented by
containing them within a driver domain.

VULNERABLE SYSTEMS
==================

All guests being serviced by potentially malicious backends are vulnerable,
even if those backends are running in a less privileged environment. The
vulnerability is not affecting the host, but the guests.

MITIGATION
==========

There is no known mitigation available.

RESOLUTION
==========

Applying the attached patches resolves this issue.

xsa391-linux-1.patch   Linux 5.15
xsa391-linux-2.patch   Linux 5.15
xsa391-linux-3.patch   Linux 5.15

$ sha256sum xsa391*
e55d3f15a85ff31e62a291981de89f7b0c08da807db9b2a6a2b9cbb2e29847cd  xsa391-linux-1.patch
163fc4b9966768eb74e3bc1858a0b0254eff771898bd5f4d71806beeae0ffd2a  xsa391-linux-2.patch
de888abe8d11d3204b4033b304cf3d66104a65956089e23f1736db682d3cedc4  xsa391-linux-3.patch
$

CREDITS
=======

This issue was discovered by Jürgen Groß of SUSE.

DEPLOYMENT DURING EMBARGO
=========================

Deployment of patches or mitigations is NOT permitted (except where
all the affected systems and VMs are administered and used only by
organisations which are members of the Xen Project Security Issues
Predisclosure List).  Specifically, deployment on public cloud systems
is NOT permitted.

This is because the patches need to be applied to the guests, which will
be visible by the guest administrators.

Deployment is permitted only AFTER the embargo ends.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmG8srwMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZz/kH/RFI60D9qJnbNmDMgtbvihwn+jeHI0ejS7en8Ojf
CL9QftZ2+YdyxjMISOHCCaWgUKQQyF/n9chF5sMMOkWRfUPL2TDPPKTmEnC9XMOq
MYIftwT0OoMAVVhrRU3FZUZtpvTeQstofOYhBGhElmeEibYU+DbjKiv4agTEE3+8
9M3cxDk3Zw9cO1/6tU3kYtPkbxVP3r6kZQSHnpRnKLbABXWJB3Y02cX09tU//mV7
2REisCWKViLcKoupYTUOQHPWOD+VFE48mwKB4D9H9t9aTyn5PVjH/jVhiGrqbbic
ia8a0AKi5F9l8xIKha81+TGIbjCY+HCuLbaShRDnaU9/2Qc=
=wKo2
-----END PGP SIGNATURE-----

Download attachment "xsa391-linux-1.patch" of type "application/octet-stream" (2418 bytes)

Download attachment "xsa391-linux-2.patch" of type "application/octet-stream" (8674 bytes)

Download attachment "xsa391-linux-3.patch" of type "application/octet-stream" (4416 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.