Mailing List Archive

Xen Security Advisory 376 v1 - frontends vulnerable to backends
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Xen Security Advisory XSA-376

frontends vulnerable to backends

ISSUE DESCRIPTION
=================

Xen offers the ability to run PV backends in regular unprivileged
guests, typically referred to as "driver domains". Running PV backends
in driver domains has one primary security advantage: if a driver domain
gets compromised, it doesn't have the privileges to take over the
system.

However, a malicious driver domain could try to attack other guests via
the PV protocol. Many PV frontends are hardened against misbehaving PV
backends, but a few of them are not and might be susceptible to Denial
of Service attacks and metadata manipulation triggered by malicious PV
backends.

IMPACT
======

Potentially malicious PV backends can cause guest DoS due to unhardened
frontends in the guests, even though this ought to have been prevented by
containing them within a driver domain.

VULNERABLE SYSTEMS
==================

All guests with non-hardened frontends being serviced by potentially
malicious backends are vulnerable, even if those backends are running in a
less privileged environment. The vulnerability is not affecting the host,
but the guests using non-hardened frontends.

The console, block and net frontends have been hardened in the Linux kernel
5.16, so guests running Linux with kernel 5.16 or newer are not currently
known to be vulnerable to potentially malicious console, block or net
backends.

MITIGATION
==========

In case of running potentially malicious backends, using only hardened
frontend counterparts in guests will mitigate the problem.

NOTE REGARDING LACK OF EMBARGO
==============================

This issue was discussed in public already.

RESOLUTION
==========

The related patch is just a clarification of the security statement,
so it will NOT mitigate anything.

As there is no urgent need for this patch to go into the Xen tree it
will be posted on the xen-devel mailing list after disclosure of this
advisory.

xsa376.patch xen-unstable

$ sha256sum xsa376*
b18551f7800d5a232bbe6953b1222ecb2c5a2058285c6fbc8d64f9b7dea2415f xsa376.patch
$

-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmG8rFMMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZSP4H/RcD4WLHi3TuSeNspsv/+dNb906LIueHFn/3U5Pg
5Jv8EHjv16apUhzgwTfTtx0pcCCDY2aEq0rdCziGpnTKiYzEarhTuVvc5igy9U0p
jqazRTyUkU1pV6HwFIGi/kHXTUpO60amWgKoFzyM9ZMl6WKDejb2rTu6TJC5FyiE
cxpe79GC98ECw8d131EfQgRx2/TIZuVQmKZlx3vVNG1lBlMZpFX2iioR7ajCQmdu
XWt14kDYdLvmZ1UzlrOH9+jhMRIyFZ1jBZXtXEUN0zSC+aTje6nPO3WSf/gXbmNF
COUrd7JPIMEO8PvnjzM3l1PS3XltIf2wTaVr5LjmkyBoMyM=
=J4gx
-----END PGP SIGNATURE-----