-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.1699
                x86 shadow plus log-dirty mode use-after-free
                               22 March 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xen
Publisher:         Xen
Operating System:  Linux variants
                   Virtualisation
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-42332

Original Bulletin:
   http://xenbits.xen.org/xsa/advisory-427.html

Comment: CVSS (Max):  7.5 CVE-2022-42332 (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)
         CVSS Source: SUSE
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2022-42332 / XSA-427
                               version 2

              x86 shadow plus log-dirty mode use-after-free

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

In environments where host assisted address translation is necessary but
Hardware Assisted Paging (HAP) is unavailable, Xen will run guests in so
called shadow mode. Shadow mode maintains a pool of memory used for both
shadow page tables as well as auxiliary data structures.

To migrate or snapshot guests, Xen additionally runs them in so called
log-dirty mode. The data structures needed by the log-dirty tracking are
part of the aforementioned auxiliary data.

In order to keep error handling efforts within reasonable bounds, for
operations which may require memory allocations shadow mode logic ensures
up front that enough memory is available for the worst case requirements.
Unfortunately, while page table memory is properly accounted for on the
code path requiring the potential establishing of new shadows, demands by
the log-dirty infrastructure were not taken into consideration.
As a result, just established shadow page tables could be freed again
immediately, while other code is still accessing them on the assumption
that they would remain allocated.

IMPACT
======

Guests running in shadow mode and being subject to migration or
snapshotting may be able to cause Denial of Service and other problems,
including escalation of privilege.

VULNERABLE SYSTEMS
==================

All Xen versions from at least 3.2 onwards are vulnerable. Earlier
versions have not been inspected.

Only x86 systems are vulnerable.

The vulnerability is limited to migration and snapshotting of guests,
and only to PV ones as well as HVM or PVH ones run with shadow paging.

MITIGATION
==========

Not migrating or snapshotting guests will avoid the vulnerability.

Running only HVM or PVH guests and only in HAP (Hardware Assisted Paging)
mode will also avoid the vulnerability.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball. Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.
xsa427.patch           xen-unstable - Xen 4.17.x
xsa427-4.16.patch      Xen 4.16.x
xsa427-4.15.patch      Xen 4.15.x
xsa427-4.14.patch      Xen 4.14.x

$ sha256sum xsa427*
5ebcdc495ba6f439e47be7e17dbb8fbdecf4de66d2fac560d460f6841bd3bef3  xsa427.meta
aa39316cbb81478c62b3d5c5aea7edfb6ade3bc5e6d0aa8c4677f9ea7bcc97a2  xsa427.patch
5ba679bc2170b0d9cd4c6ce139057e3287a6ee00434fa0e9a7a02441420030ff  xsa427-4.14.patch
410ee6be28412841ab5aba1131f7dd7b84b9983f6c93974605f196fd278562e1  xsa427-4.15.patch
76c1850eb9a274c1feb5a8645f61ecf394a0551278f4e40e123ec07ea307f101  xsa427-4.16.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
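The accounting flaw in the issue description above, as an added model (constructed for this bulletin, not Xen's code): a fixed pool serves both shadow page tables and log-dirty bookkeeping, and a reclaimer that frees live shadows when the pool runs dry has no way of knowing which shadows the running fault handler still references. The pool sizes, the reclaim policy and the names `fault_path`, `prealloc` and `alloc_logdirty_page` are assumptions of the model.

```c
/* Constructed model of the XSA-427 accounting flaw; not Xen's code.
 * The only faithful part is the invariant: worst-case reservation must
 * happen BEFORE the new shadow exists, and must cover every allocation
 * the operation can make, including the log-dirty ones. */
#include <stdbool.h>

#define POOL_PAGES 4

struct pool {
    int free;                 /* pages currently unused */
    int live[POOL_PAGES];     /* ids of live shadows, insertion order */
    int nlive;
    int last_freed;           /* id of the shadow most recently reclaimed, -1 if none */
};

static void pool_init(struct pool *p) { p->free = POOL_PAGES; p->nlive = 0; p->last_freed = -1; }

/* Reclaim one page by dropping a live shadow. Which one is policy; this
 * model drops the most recently created shadow, the victim the advisory
 * describes (a just-established shadow freed while still in use). */
static void reclaim(struct pool *p) { p->last_freed = p->live[--p->nlive]; p->free++; }

/* Up-front worst-case reservation, done before any new shadow is made. */
static void prealloc(struct pool *p, int need) { while (p->free < need) reclaim(p); }

static int alloc_shadow(struct pool *p, int id) {
    if (p->free == 0) reclaim(p);
    p->free--; p->live[p->nlive++] = id;
    return id;
}

/* Page for the log-dirty bitmap/tree, taken from the same pool. */
static void alloc_logdirty_page(struct pool *p) {
    if (p->free == 0) reclaim(p);
    p->free--;
}

/* One write fault in log-dirty mode: establish a shadow, then record the
 * dirty page, which may itself need a pool page. Returns true when the
 * shadow the handler still references survives, i.e. no UAF window. */
bool fault_path(bool account_logdirty) {
    struct pool p; pool_init(&p);
    for (int i = 0; i < POOL_PAGES; i++) alloc_shadow(&p, i);  /* pool full of old shadows */
    prealloc(&p, 1 + (account_logdirty ? 1 : 0));              /* fixed: count both demands */
    int mine = alloc_shadow(&p, 100);
    alloc_logdirty_page(&p);  /* unfixed: forces a reclaim while `mine` is in use */
    return p.last_freed != mine;
}
```

With the log-dirty demand left out of the reservation the later allocation reclaims the shadow the handler just built; with it counted, all reclaiming happens before that shadow exists.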
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:

  http://www.xenproject.org/security-policy.html

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================