[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] Xen Security Advisory 376 v1 - frontends vulnerable to backends
From:       Xen.org security team <security () xen ! org>
Date:       2021-12-20 12:04:21
Message-ID: E1mzHOv-0005Fc-RG () xenbits ! xenproject ! org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                    Xen Security Advisory XSA-376

                   frontends vulnerable to backends

ISSUE DESCRIPTION
=================

Xen offers the ability to run PV backends in regular unprivileged
guests, typically referred to as "driver domains". Running PV backends
in driver domains has one primary security advantage: if a driver domain
gets compromised, it doesn't have the privileges to take over the
system.

However, a malicious driver domain could try to attack other guests via
the PV protocol. Many PV frontends are hardened against misbehaving PV
backends, but a few of them are not and might be susceptible to Denial
of Service attacks and metadata manipulation triggered by malicious PV
backends.
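
The hardening the advisory refers to comes down to one rule: a frontend must not trust anything it reads from memory the backend can write, including the response ids and the producer index in the shared ring. The following is an added example, not Xen or Linux code; it models a frontend's response path with constructed structures (`struct shared_ring`, `struct frontend`, `frontend_drain` and the other names are assumptions made for this example), shows the trusting pattern next to a hardened one, and rejects the out-of-range, replayed and over-counted responses a malicious backend could produce.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Illustrative model of a PV frontend consuming responses from a shared ring.
 * Names and layout are constructed for this example; they are not the Xen
 * ring macros or any real frontend's code.
 */
#define RING_SIZE 32u   /* shadow slots == ring slots, as in the real rings */

struct ring_response {      /* written by the backend into shared memory */
    uint64_t id;            /* should echo the id the frontend chose */
    int16_t  status;
};

struct shared_ring {        /* the part of the ring page the backend controls */
    uint32_t rsp_prod;      /* backend's producer index (untrusted) */
    struct ring_response rsp[RING_SIZE];
};

struct frontend {
    bool     in_flight[RING_SIZE];  /* shadow table: which ids we really issued */
    uint32_t rsp_cons;              /* our private consumer index */
    uint32_t outstanding;           /* requests issued but not yet completed */
    uint32_t rejected;              /* forged or out-of-range responses seen */
};

enum rsp_result { RSP_OK = 0, RSP_BAD_ID = -1, RSP_NOT_IN_FLIGHT = -2 };

void frontend_init(struct frontend *fe) { memset(fe, 0, sizeof *fe); }

/* Issue a request: claim a free shadow slot and return its id, or -1 if full. */
int frontend_submit(struct frontend *fe)
{
    for (uint32_t i = 0; i < RING_SIZE; i++) {
        if (!fe->in_flight[i]) {
            fe->in_flight[i] = true;
            fe->outstanding++;
            return (int)i;
        }
    }
    return -1;
}

/*
 * UNHARDENED pattern: index the shadow table with a value read straight out of
 * shared memory. A malicious backend picks id >= RING_SIZE (out-of-bounds
 * write) or replays an id (outstanding underflows, completion handled twice).
 * Kept only to show the shape of the bug; never call it with hostile input.
 */
int handle_response_trusting(struct frontend *fe, const struct ring_response *rsp)
{
    fe->in_flight[rsp->id] = false;   /* no bounds check, no in-flight check */
    fe->outstanding--;                /* underflows on a duplicate completion */
    return RSP_OK;
}

/* HARDENED: validate a response that has already been copied out of the ring. */
int handle_response_hardened(struct frontend *fe, const struct ring_response *rsp)
{
    if (rsp->id >= RING_SIZE)
        return RSP_BAD_ID;
    if (!fe->in_flight[rsp->id])
        return RSP_NOT_IN_FLIGHT;     /* forged or replayed completion */
    fe->in_flight[rsp->id] = false;
    fe->outstanding--;                /* cannot underflow: slot was in flight */
    return RSP_OK;
}

/*
 * Drain the ring. Returns the number of responses accepted, or -1 when the
 * backend's producer index is impossible (more responses than ring slots);
 * a hardened frontend treats that as a protocol violation and disconnects.
 */
int frontend_drain(struct frontend *fe, const struct shared_ring *ring)
{
    uint32_t prod = ring->rsp_prod;   /* read once; the backend may change it */
    if (prod - fe->rsp_cons > RING_SIZE)
        return -1;
    int accepted = 0;
    while (fe->rsp_cons != prod) {
        /* copy first: validating in place lets the backend swap the id after the check */
        struct ring_response local = ring->rsp[fe->rsp_cons % RING_SIZE];
        fe->rsp_cons++;
        if (handle_response_hardened(fe, &local) == RSP_OK)
            accepted++;
        else
            fe->rejected++;
    }
    return accepted;
}

int main(void)
{
    struct frontend fe;
    struct shared_ring ring;
    frontend_init(&fe);
    memset(&ring, 0, sizeof ring);
    int a = frontend_submit(&fe), b = frontend_submit(&fe);   /* ids 0 and 1 */
    /* Constructed hostile batch: genuine, out-of-range, replayed, genuine. */
    ring.rsp[0].id = (uint64_t)b;
    ring.rsp[1].id = 9999;
    ring.rsp[2].id = (uint64_t)b;
    ring.rsp[3].id = (uint64_t)a;
    ring.rsp_prod = 4;
    int accepted = frontend_drain(&fe, &ring);
    printf("accepted=%d rejected=%u outstanding=%u\n", accepted, fe.rejected, fe.outstanding);
    ring.rsp_prod = fe.rsp_cons + RING_SIZE + 1;   /* backend lies about how many responses */
    printf("overflow drain -> %d\n", frontend_drain(&fe, &ring));
    return 0;
}
```

The two checks that matter are the bound on `rsp->id` before it indexes the shadow table and the bound on `rsp_prod - rsp_cons` before the loop starts; without them a backend that can write the ring page controls an array index and a loop count in the guest kernel, which is exactly the "DoS and metadata manipulation" the advisory describes.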

IMPACT
======

Potentially malicious PV backends can cause guest DoS due to unhardened
frontends in the guests, even though this ought to have been prevented by
containing them within a driver domain.

VULNERABLE SYSTEMS
==================

All guests with non-hardened frontends being serviced by potentially
malicious backends are vulnerable, even if those backends are running in a
less privileged environment. The vulnerability does not affect the host,
only the guests using non-hardened frontends.

The console, block and net frontends have been hardened in the Linux kernel
5.16, so guests running Linux with kernel 5.16 or newer are not currently
known to be vulnerable to potentially malicious console, block or net
backends.

MITIGATION
==========

Where potentially malicious backends are in use, running only hardened
frontend counterparts in the guests mitigates the problem.

NOTE REGARDING LACK OF EMBARGO
==============================

This issue was discussed in public already.

RESOLUTION
==========

The related patch is just a clarification of the security statement,
so it will NOT mitigate anything.

As there is no urgent need for this patch to go into the Xen tree it
will be posted on the xen-devel mailing list after disclosure of this
advisory.

xsa376.patch           xen-unstable

$ sha256sum xsa376*
b18551f7800d5a232bbe6953b1222ecb2c5a2058285c6fbc8d64f9b7dea2415f  xsa376.patch
$

-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmG8rFMMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZSP4H/RcD4WLHi3TuSeNspsv/+dNb906LIueHFn/3U5Pg
5Jv8EHjv16apUhzgwTfTtx0pcCCDY2aEq0rdCziGpnTKiYzEarhTuVvc5igy9U0p
jqazRTyUkU1pV6HwFIGi/kHXTUpO60amWgKoFzyM9ZMl6WKDejb2rTu6TJC5FyiE
cxpe79GC98ECw8d131EfQgRx2/TIZuVQmKZlx3vVNG1lBlMZpFX2iioR7ajCQmdu
XWt14kDYdLvmZ1UzlrOH9+jhMRIyFZ1jBZXtXEUN0zSC+aTje6nPO3WSf/gXbmNF
COUrd7JPIMEO8PvnjzM3l1PS3XltIf2wTaVr5LjmkyBoMyM=
=J4gx
-----END PGP SIGNATURE-----

["xsa376.patch" (application/octet-stream)]

From 02d3a57d6466363b316b60ffbba414a4a2cb90c5 Mon Sep 17 00:00:00 2001
From: Juergen Gross <jgross@suse.com>
Date: Thu, 25 Nov 2021 13:38:29 +0100
Subject: [PATCH] SUPPORT.md: limit support statement for Linux and Windows
 frontends

Change the support state of Linux and Windows pv frontends from
"supported" to "supported with caveats" in order to reflect that the
frontends can probably be harmed by their respective backends.

Some of the Linux frontends have been hardened already.

This is XSA-376

Signed-off-by: Juergen Gross <jgross@suse.com>
---
 SUPPORT.md | 57 +++++++++++++++++++++++++++++++++++++++++++++---------
 1 file changed, 48 insertions(+), 9 deletions(-)

diff --git a/SUPPORT.md b/SUPPORT.md
index 3a34933c89..6e3e305b01 100644
--- a/SUPPORT.md
+++ b/SUPPORT.md
@@ -411,7 +411,11 @@ Guest-side driver capable of speaking the Xen PV block protocol
     Status, FreeBSD: Supported, Security support external
     Status, NetBSD: Supported, Security support external
     Status, OpenBSD: Supported, Security support external
-    Status, Windows: Supported
+    Status, Windows: Supported, with caveats
+
+Windows frontend currently trusts the backend;
+bugs in the frontend which allow backend to cause mischief will not be
+considered security vulnerabilities.
 
 ### Netfront
 
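Review bot: the caveat paragraph added under the Windows blkfront status ("bugs in the frontend which allow backend to cause mischief") is missing an article ("allow the backend") and the same three lines are then pasted verbatim into every other section touched by this patch; define the wording once under the **Supported, with caveats** label at the end of the file and let each status line refer to it, so a later change to the policy text cannot leave some sections saying something different from others.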
@@ -421,20 +425,32 @@ Guest-side driver capable of speaking the Xen PV networking protocol
     Status, FreeBSD: Supported, Security support external
     Status, NetBSD: Supported, Security support external
     Status, OpenBSD: Supported, Security support external
-    Status, Windows: Supported
+    Status, Windows: Supported, with caveats
+
+Windows frontend currently trusts the backend;
+bugs in the frontend which allow backend to cause mischief will not be
+considered security vulnerabilities.
 
 ### PV Framebuffer (frontend)
 
 Guest-side driver capable of speaking the Xen PV Framebuffer protocol
 
-    Status, Linux (xen-fbfront): Supported
+    Status, Linux (xen-fbfront): Supported, with caveats
+
+Linux frontend currently trusts the backend;
+bugs in the frontend which allow backend to cause mischief will not be
+considered security vulnerabilities.
 
 ### PV display (frontend)
 
 Guest-side driver capable of speaking the Xen PV display protocol
 
-    Status, Linux: Supported (outside of "backend allocation" mode)
-    Status, Linux: Experimental (in "backend allocation" mode)
+    Status, Linux, outside of "backend allocation" mode: Supported, with caveats
+    Status, Linux, "backend allocation" mode: Experimental
+
+Linux frontend currently trusts the backend;
+bugs in the frontend which allow backend to cause mischief will not be
+considered security vulnerabilities.
 
 ### PV Console (frontend)
 
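Review bot: the rewritten PV display lines change the key format to `Status, Linux, outside of "backend allocation" mode:`, whereas the rest of the file qualifies a Linux entry in parentheses (`Status, Linux (xen-fbfront):` a few lines above in this same hunk). Prefer `Status, Linux (outside of "backend allocation" mode): Supported, with caveats` and `Status, Linux ("backend allocation" mode): Experimental` so that anyone grepping for `Status, Linux (` still matches these entries.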
@@ -443,7 +459,11 @@ Guest-side driver capable of speaking the Xen PV console protocol
     Status, Linux (hvc_xen): Supported
     Status, FreeBSD: Supported, Security support external
     Status, NetBSD: Supported, Security support external
-    Status, Windows: Supported
+    Status, Windows: Supported, with caveats
+
+Windows frontend currently trusts the backend;
+bugs in the frontend which allow backend to cause mischief will not be
+considered security vulnerabilities.
 
 ### PV keyboard (frontend)
 
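Review bot: `Status, Linux (hvc_xen): Supported` is left unqualified while the Windows console frontend gets the caveat, which matches the advisory's statement that the Linux console, block and net frontends were hardened in kernel 5.16, but nothing in the file records that the unqualified status only holds from that kernel onward; consider noting the minimum kernel version next to the Linux entries, since a guest on an older kernel has the same exposure the Windows caveat describes.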
@@ -451,11 +471,19 @@ Guest-side driver capable of speaking the Xen PV keyboard protocol.
 Note that the "keyboard protocol" includes mouse / pointer /
 multi-touch support as well.
 
-    Status, Linux (xen-kbdfront): Supported
+    Status, Linux (xen-kbdfront): Supported, with caveats
+
+Linux frontend currently trusts the backend;
+bugs in the frontend which allow backend to cause mischief will not be
+considered security vulnerabilities.
 
 ### PV USB (frontend)
 
-    Status, Linux: Supported
+    Status, Linux: Supported, with caveats
+
+Linux frontend currently trusts the backend;
+bugs in the frontend which allow backend to cause mischief will not be
+considered security vulnerabilities.
 
 ### PV SCSI protocol (frontend)
 
@@ -464,6 +492,10 @@ multi-touch support as well.
 NB that while the PV SCSI frontend is in Linux and tested regularly,
 there is currently no xl support.
 
+Linux frontend currently trusts the backend;
+bugs in the frontend which allow backend to cause mischief will not be
+considered security vulnerabilities.
+
 ### PV TPM (frontend)
 
 Guest-side driver capable of speaking the Xen PV TPM protocol
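Review bot: this hunk appends the caveat paragraph to the PV SCSI section without changing a `Status` line, whereas every other section in the patch switches its status to `Supported, with caveats` together with the paragraph. If the PV SCSI status line (not visible in the hunk context) still reads plain `Supported`, it should be changed the same way; otherwise the paragraph qualifies a label the section does not carry.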
@@ -486,7 +518,11 @@ Guest-side driver capable of making pv system calls
 
 Guest-side driver capable of speaking the Xen PV sound protocol
 
-    Status, Linux: Supported
+    Status, Linux: Supported, with caveats
+
+Linux frontend currently trusts the backend;
+bugs in the frontend which allow backend to cause mischief will not be
+considered security vulnerabilities.
 
 ## Virtual device support, host side
 
@@ -987,6 +1023,9 @@ are given the following labels:
 
     This feature is security supported
     by a different organization (not the XenProject).
+    The extent of support is defined by that organization.
+    It might be limited, e.g. like described in **Supported, with caveats**
+    below.
     See **External security support** below.
 
   * **Supported, with caveats**
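Review bot: "It might be limited, e.g. like described in **Supported, with caveats** below." reads awkwardly and leaves two consecutive "below" cross-references; suggest "It may be limited, e.g. as described under **Supported, with caveats** below; see also **External security support** below." as a single sentence.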
-- 
2.26.2


