Information
Files
advisory-391.txt (signed advisory file)
xsa391-linux-1.patch
xsa391-linux-2.patch
xsa391-linux-3.patch
Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Xen Security Advisory CVE-2021-28711,CVE-2021-28712,CVE-2021-28713 / XSA-391
version 3
Rogue backends can cause DoS of guests via high frequency events
UPDATES IN VERSION 3
====================
Public release
ISSUE DESCRIPTION
=================
Xen offers the ability to run PV backends in regular unprivileged
guests, typically referred to as "driver domains". Running PV backends
in driver domains has one primary security advantage: if a driver domain
gets compromised, it doesn't have the privileges to take over the
system.
However, a malicious driver domain could try to attack other guests by
sending events at a high frequency, leading to a Denial of Service in the
guest, which spends prolonged amounts of time servicing interrupts.
There are three affected backends:
* blkfront patch 1, CVE-2021-28711
* netfront patch 2, CVE-2021-28712
* hvc_xen (console) patch 3, CVE-2021-28713
IMPACT
======
Potentially malicious PV backends can cause guest DoS due to unhardened
frontends in the guests, even though this ought to have been prevented by
containing them within a driver domain.
VULNERABLE SYSTEMS
==================
All guests being serviced by potentially malicious backends are vulnerable,
even if those backends are running in a less privileged environment. The
vulnerability does not affect the host, only the guests.
MITIGATION
==========
There is no known mitigation available.
RESOLUTION
==========
Applying the attached patches resolves this issue.
xsa391-linux-1.patch Linux 5.15
xsa391-linux-2.patch Linux 5.15
xsa391-linux-3.patch Linux 5.15
$ sha256sum xsa391*
e55d3f15a85ff31e62a291981de89f7b0c08da807db9b2a6a2b9cbb2e29847cd xsa391-linux-1.patch
163fc4b9966768eb74e3bc1858a0b0254eff771898bd5f4d71806beeae0ffd2a xsa391-linux-2.patch
de888abe8d11d3204b4033b304cf3d66104a65956089e23f1736db682d3cedc4 xsa391-linux-3.patch
$
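One way to check downloaded patch files against the digests listed above before applying them to a guest kernel tree. This is an added example, not part of the advisory or of the Xen Project's tooling; the function names `xsa391_manifest` and `verify_patches` are hypothetical, and the digests are copied from the listing above.

```shell
#!/bin/sh
# Added example (not from the advisory): verify patch files against a
# "digest  filename" manifest before applying them.

# Digests copied from the "$ sha256sum xsa391*" listing in the advisory.
xsa391_manifest() {
cat <<'EOF'
e55d3f15a85ff31e62a291981de89f7b0c08da807db9b2a6a2b9cbb2e29847cd  xsa391-linux-1.patch
163fc4b9966768eb74e3bc1858a0b0254eff771898bd5f4d71806beeae0ffd2a  xsa391-linux-2.patch
de888abe8d11d3204b4033b304cf3d66104a65956089e23f1736db682d3cedc4  xsa391-linux-3.patch
EOF
}

# verify_patches DIR [MANIFEST_FILE]   (hypothetical helper name)
# Returns 0 only if every file named in the manifest exists in DIR and its
# SHA-256 matches. MANIFEST_FILE defaults to the advisory digests above.
verify_patches() {
    dir=$1
    rc=0
    if [ -n "${2:-}" ]; then
        lines=$(cat "$2") || return 2
    else
        lines=$(xsa391_manifest)
    fi
    while read -r want name; do
        [ -n "$want" ] || continue
        case $name in
            # Refuse empty names and anything that could escape DIR.
            ""|*/*) echo "BAD NAME $name" >&2; rc=1; continue ;;
        esac
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name" >&2; rc=1; continue
        fi
        got=$(sha256sum "$dir/$name" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name" >&2; rc=1
        fi
    done <<EOF
$lines
EOF
    return $rc
}
```

The digests are only as trustworthy as the copy of the advisory they were taken from, so check the signature on advisory-391.txt before relying on them.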
CREDITS
=======
This issue was discovered by Jürgen Groß of SUSE.
DEPLOYMENT DURING EMBARGO
=========================
Deployment of patches or mitigations is NOT permitted (except where
all the affected systems and VMs are administered and used only by
organisations which are members of the Xen Project Security Issues
Predisclosure List). Specifically, deployment on public cloud systems
is NOT permitted.
This is because the patches need to be applied to the guests, which will
be visible to the guest administrators.
Deployment is permitted only AFTER the embargo ends.
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Xenproject.org Security Team