Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.2887
New Xen bulletin: long running loops in grant table handling
26 August 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Xen
Publisher: Xen
Operating System: Xen
Virtualisation
Impact/Access: Denial of Service -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2021-28698
Original Bulletin:
http://xenbits.xen.org/xsa/advisory-380.txt
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Xen Security Advisory CVE-2021-28698 / XSA-380
version 2
long running loops in grant table handling
UPDATES IN VERSION 2
====================
Public release.
ISSUE DESCRIPTION
=================
In order to properly monitor resource use, Xen maintains information on
the grant mappings a domain may create to map grants offered by other
domains. In the process of carrying out certain actions, Xen would
iterate over all such entries, including ones which aren't in use
anymore and some which may have been created but never used. If the
number of entries for a given domain is large enough, this iterating of
the entire table may tie up a CPU for too long, starving other domains
or causing issues in the hypervisor itself.
Note that a domain may map its own grants, i.e. there is no need for
multiple domains to be involved here. A pair of "cooperating" guests
may, however, cause the effects to be more severe.
IMPACT
======
Malicious or buggy guest kernels may be able to mount a Denial of
Service (DoS) attack affecting the entire system.
VULNERABLE SYSTEMS
==================
All Xen versions from at least 3.2 onwards are vulnerable in principle.
Systems running with default settings are generally believed to not be
vulnerable.
MITIGATION
==========
The problem can be avoided by reducing the number of grant mappings Xen
would allow guests to establish. For example, setting
"gnttab_max_maptrack_frames=256" on the Xen command line (available
from Xen 4.5 onwards) or "max_maptrack_frames=256" in the xl domain
configurations (available from Xen 4.10 onwards) may be low enough for
all hardware Xen is able to run on. Note that except for driver
domains, guests don't normally have a need to establish grant mappings,
i.e. they may be okay to run with "max_maptrack_frames=0" in their xl
domain configurations.
- - From Xen 4.14 onwards it is also possible to alter the system wide upper
bound of the number of grant mappings Xen would allow guests to
establish by writing to the /params/gnttab_max_maptrack_frames
hypervisor file system node. Note however that changing the value this
way will only affect guests yet to be created on the respective host.
CREDITS
=======
This issue was discovered by Andrew Cooper of Citrix.
RESOLUTION
==========
Applying the appropriate pair of attached patches resolves this issue.
Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball. Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.
xsa380/xsa380-.patch xen-unstable - Xen 4.15.x
xsa380/xsa380-4.14-.patch Xen 4.14.x
xsa380/xsa380-4.13-.patch Xen 4.13.x
xsa380/xsa380-4.12-.patch Xen 4.12.x
xsa380/xsa380-4.11-.patch Xen 4.11.x
$ sha256sum xsa380* xsa380*/*
3b1938277665c195f6822a1170c50a853efa6bc3dcd6b2b0b9bbb0849a57bbf6 xsa380.meta
65411a0fd05d534ed2238b259aa2877331ac0e79f2dda80b424f34fffcce108a xsa380/xsa380-1.patch
e6cd6d345abaad38e10d6f680fe881e874e35a7295199e5430bacd209f0b7304 xsa380/xsa380-2.patch
f3b486aa99a75ab54f9e26e21a721a413f993b27dbc3e6f2fda976fe20ddbae3 xsa380/xsa380-4.11-1.patch
96a09c05ca87fe3590064ca6d269ca47b97c732401cb593ff1068ac91009f51a xsa380/xsa380-4.11-2.patch
496063cd4641258e1854a77f626cdd86c866c3ed8603bdc2ff9ab709008c84a7 xsa380/xsa380-4.12-1.patch
d850e1263e89c7a718f2cddcfb639fe4a5095a1852fc35499ed16a4075d225e5 xsa380/xsa380-4.12-2.patch
c23d34527a2ec68015ad78cd90365e4d80bce842ce01eeaa8cd2246021a55693 xsa380/xsa380-4.13-1.patch
bd40ce749d02f343c79325488ac1348e1c9e88e698bbad351bdb0a0d3995f3e0 xsa380/xsa380-4.13-2.patch
9b06085f9a4b93c465563cd76fdc682ddb9dba968c214259425b234e7053a809 xsa380/xsa380-4.14-1.patch
bf6b53880abd53b56226080d1a32839c7c8c459867104697cd76eeafc2ea382a xsa380/xsa380-4.14-2.patch
$
DEPLOYMENT DURING EMBARGO
=========================
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators. HOWEVER, care has to be taken to avoid restricting
guests too much, as them suddenly being unable to map grants they used
to be able to map may lead to re-discovery of the issue.
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
http://www.xenproject.org/security-policy.html
- -----BEGIN PGP SIGNATURE-----
iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmEmMPYMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZ73gH/2PAcHwXHW46ckOpcCfRn+Vx/zBK4Dzcq2/PciB9
0u7rrqzkOwiimK/6l1tcnG9yWE8LqBeHwXYidN3/qHc2pqDc3+vErk7bXtXghjdO
18FioW0g+25ogPoPT+lyqP0C+MV1d4jIygQVWuUepfIAa1OwOo12MDmUjt7AdnTs
T9L/ZS2D9Ho97X3Wkit62hCer2ucQ63HLtQ1Dz9N/zon5lI5HkO+nRyvjKm+l5G4
MmuUrlFM8Fwp0MjxxJtKn/6HCgnQlSfm8g+2MQ3UNbHZ8g44ipGTnCO/Q1GEmcvj
Q9IkZNZ0kBHF47R1AbcZDavv7XjNNo4j8NvT/D+yjPzI4bE=
=jE86
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYSctNeNLKJtyKPYoAQh5wA//WPkp3nXhsQgIGT/68q9orS7AuGmCLfUr
WMXV1KOBGOvwhH1iYZmLkPfg8O399TeK144QkE3Qysv2hXYWLZ7mYg1MjkaClAhx
ymjBQWGusTR4/zhebbkDcQyPEdMgLcSnnxYRk6q1anN46s42k7Y9FoVkU4TOrMdu
GFZG5Vq4jjGbdbTIbrlarNk8uQw3OrWLW8T3M+kfLrVEUTPnEYXZpqfr87JUC4dy
3B4o0Opxl0adjTawNruMaCm6cK9UExLBYD4QdnVhgCiWLgEZhHwiTbeFld2TxpGE
YZPa25ULwC8wkX57G+PLpXKMvsIhTYYQrXa3b7ADNvqU9PiF8+9IQ2TszxDf/csx
/Wf1kxr12pwvxGJl8+rzzFXUdlMU5AlevmmwtT0hgj0XA0MQkYkWowxvhdOn//5k
/rqFO0wBeHoqWzbjJk5+aUMVydwApoCrMYa41otdAzdQtw6JM+azmXGr03vdKERh
Fszi3CUdA9om9jLnSfIBGkdYvxSPBROm/wtHq30zuUUhFx0bIjk4QgV6h1a3Pfx8
ZBc5RYEIyaXADkzXR56tlwxNA1e0YO44F3ptjMKNCCLNPAyiZRlyYs+kNvyp4fQz
ldWQ4JANuvClDI4JZf4px3wxHCnLE149BUtstueR3FgQSoewaCI9SPSqoGW7QOMU
qB6dC/OSAx8=
=RZ6t
-----END PGP SIGNATURE-----