Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.0372
Xen Security Advisory CVE-2022-23035
27 January 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Xen
Publisher: Xen
Operating System: Xen
Impact/Access: Denial of Service -- Unknown/Unspecified
Reduced Security -- Unknown/Unspecified
Resolution: Patch/Upgrade
CVE Names: CVE-2022-23035
Original Bulletin:
http://xenbits.xen.org/xsa/advisory-395.html
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Xen Security Advisory CVE-2022-23035 / XSA-395
version 2
Insufficient cleanup of passed-through device IRQs
UPDATES IN VERSION 2
====================
Adjust patch subject.
Public release.
ISSUE DESCRIPTION
=================
The management of IRQs associated with physical devices exposed to x86
HVM guests involves an iterative operation in particular when cleaning
up after the guest's use of the device. In the case where an interrupt
is not quiescent yet at the time this cleanup gets invoked, the cleanup
attempt may be scheduled to be retried. When multiple interrupts are
involved, this scheduling of a retry may get erroneously skipped. At
the same time pointers may get cleared (resulting in a de-reference of
NULL) and freed (resulting in a use-after-free), while other code would
continue to assume them to be valid.
IMPACT
======
The precise impact is system specific, but would typically be a Denial
of Service (DoS) affecting the entire host. Privilege escalation and
information leaks cannot be ruled out.
VULNERABLE SYSTEMS
==================
Xen versions 4.6 and later are vulnerable. Xen versions 4.5 and earlier
are not vulnerable.
Only x86 HVM guests with one or more passed-through physical devices
using (together) multiple physical interupts can leverage the
vulnerability. x86 PV guests cannot leverage the vulnerability. x86
HVM guests without passed-through devices or with a passed-through
device using just a single physical interrupt also cannot leverage the
vulnerability. Device pass-through is unsupported for x86 PVH guests
and all Arm guests.
MITIGATION
==========
There is no mitigation (other than not passing through to x86 HVM guests
PCI devices with, overall, more than a single physical interrupt).
CREDITS
=======
This issue was discovered by Julien Grall of Amazon.
RESOLUTION
==========
Applying the appropriate attached patch resolves this issue.
Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball. Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.
xsa395.patch xen-unstable - Xen 4.15.x
xsa395-4.14.patch Xen 4.14.x - Xen 4.12.x
$ sha256sum xsa395*
f460be598b936bb5cfb9276787f2f21d90b029d1fe10dabd572ae50f84a1124d xsa395.meta
295b876c52cf5efe19150757275da3d154beb72ac2d7be267e16c9262e410de3 xsa395.patch
5697f3137e0a202744f31b1c6cbcfa459d8fa9b4b68be59561b78c40fe1233c5 xsa395-4.14.patch
$
DEPLOYMENT DURING EMBARGO
=========================
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
http://www.xenproject.org/security-policy.html
- -----BEGIN PGP SIGNATURE-----
iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmHv39QMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZhowIAIZYZq4efyEAP5rB3zX4yRel2GNz+2Dpjok4PExB
uSOrPaH5dDILhNdVJNG48MckDe0dMDsn3OGr1I6lbxcV1TWR1JFrBQoxeUnwdiEf
GjeTni0hhefan3IEEd5HUDInQgf9oI7fUcgEdVAoIV87BQdlK0ofjJ3TggSrr8jl
pL5dmIh4OICD6YttR11Of1vhPY2WhZQb2xgSxzEQbDeY8k3JaRWy8mYwwxPD0HXn
+hmLK59ZhkJd5Sk8AxttRUTEsl6nKESrUz3vv/vFInV5Go+35AElL//gQNgOOTAS
nljLLtJdfHSuRy459Sw/lm4mwQ9zkfOFH6B+M6efSkHMyoE=
=Iv+w
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYfIsqONLKJtyKPYoAQhzyRAAoueNA4s1125V0AjZMV6shb4I/fEkxm9I
dMZQ2FFxZfkYCRHOU6Ju33I75FoCE1I3UtbDt3LdBlwtKwGNMCpZoZgDUTxoFVom
LN2vh6rxYjhc+qhESL9M6bL5k2DztdlUjYfB+i2xahALbQgmfc+TnVXgRixI6zWA
urzt1yfbhhSeIeA2b7n/T1zpLbUaY3Lqt2hKjogqpoqezR9XEp8ouNHG5KvDGlKa
zVjXW+Nb0fn96/SkLS36DxRqin2h2wEtopcCLvTYs1hxOSFUs9kjVD6kDEQ7ZH5r
Mp26cLwvoT2npPx1J2Osv5C1bAZhjNJhRcFOfnnvWs15Pf1I0yjedKBxpbeOsI5s
e4cmNiMXkfM5aku+HNZornhMU5Ck/RzUUKn7q0cY3/pDMIjpdxdZ2TAehFwvzJj0
tPeNA0pXpGxfs4lsvfg4oG0WhUqEPl05f0/0nrh7QOPxBJeh9NZLrM04xVylkdjn
HdFrhaH8wbB9xLWI+BoJWRpjMQbsdRVT478j3top/ZthhPOUNl8uOMoDmdjzIi8N
fuEEwOqKaFzFh5URKPMXLQU0s0/IZt1KMcIbC3W8L3HtAna9X8O4ka/Z8/CuKVg/
3fGgFneqThpZ6fHHrTL4qealOV7SXuj86S5GYxJOPAkNlQYDqESKUseX3A4K7BsI
jdFea7uapxM=
=6XM3
-----END PGP SIGNATURE-----