Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2021.2887 New Xen bulletin: long running loops in grant table handling 26 August 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Xen Publisher: Xen Operating System: Xen Virtualisation Impact/Access: Denial of Service -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2021-28698 Original Bulletin: http://xenbits.xen.org/xsa/advisory-380.txt - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2021-28698 / XSA-380 version 2 long running loops in grant table handling UPDATES IN VERSION 2 ==================== Public release. ISSUE DESCRIPTION ================= In order to properly monitor resource use, Xen maintains information on the grant mappings a domain may create to map grants offered by other domains. In the process of carrying out certain actions, Xen would iterate over all such entries, including ones which aren't in use anymore and some which may have been created but never used. If the number of entries for a given domain is large enough, this iterating of the entire table may tie up a CPU for too long, starving other domains or causing issues in the hypervisor itself. Note that a domain may map its own grants, i.e. there is no need for multiple domains to be involved here. A pair of "cooperating" guests may, however, cause the effects to be more severe. IMPACT ====== Malicious or buggy guest kernels may be able to mount a Denial of Service (DoS) attack affecting the entire system. VULNERABLE SYSTEMS ================== All Xen versions from at least 3.2 onwards are vulnerable in principle. Systems running with default settings are generally believed to not be vulnerable. MITIGATION ========== The problem can be avoided by reducing the number of grant mappings Xen would allow guests to establish. For example, setting "gnttab_max_maptrack_frames=256" on the Xen command line (available from Xen 4.5 onwards) or "max_maptrack_frames=256" in the xl domain configurations (available from Xen 4.10 onwards) may be low enough for all hardware Xen is able to run on. Note that except for driver domains, guests don't normally have a need to establish grant mappings, i.e. they may be okay to run with "max_maptrack_frames=0" in their xl domain configurations. - - From Xen 4.14 onwards it is also possible to alter the system wide upper bound of the number of grant mappings Xen would allow guests to establish by writing to the /params/gnttab_max_maptrack_frames hypervisor file system node. Note however that changing the value this way will only affect guests yet to be created on the respective host. CREDITS ======= This issue was discovered by Andrew Cooper of Citrix. RESOLUTION ========== Applying the appropriate pair of attached patches resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa380/xsa380-.patch xen-unstable - Xen 4.15.x xsa380/xsa380-4.14-.patch Xen 4.14.x xsa380/xsa380-4.13-.patch Xen 4.13.x xsa380/xsa380-4.12-.patch Xen 4.12.x xsa380/xsa380-4.11-.patch Xen 4.11.x $ sha256sum xsa380* xsa380*/* 3b1938277665c195f6822a1170c50a853efa6bc3dcd6b2b0b9bbb0849a57bbf6 xsa380.meta 65411a0fd05d534ed2238b259aa2877331ac0e79f2dda80b424f34fffcce108a xsa380/xsa380-1.patch e6cd6d345abaad38e10d6f680fe881e874e35a7295199e5430bacd209f0b7304 xsa380/xsa380-2.patch f3b486aa99a75ab54f9e26e21a721a413f993b27dbc3e6f2fda976fe20ddbae3 xsa380/xsa380-4.11-1.patch 96a09c05ca87fe3590064ca6d269ca47b97c732401cb593ff1068ac91009f51a xsa380/xsa380-4.11-2.patch 496063cd4641258e1854a77f626cdd86c866c3ed8603bdc2ff9ab709008c84a7 xsa380/xsa380-4.12-1.patch d850e1263e89c7a718f2cddcfb639fe4a5095a1852fc35499ed16a4075d225e5 xsa380/xsa380-4.12-2.patch c23d34527a2ec68015ad78cd90365e4d80bce842ce01eeaa8cd2246021a55693 xsa380/xsa380-4.13-1.patch bd40ce749d02f343c79325488ac1348e1c9e88e698bbad351bdb0a0d3995f3e0 xsa380/xsa380-4.13-2.patch 9b06085f9a4b93c465563cd76fdc682ddb9dba968c214259425b234e7053a809 xsa380/xsa380-4.14-1.patch bf6b53880abd53b56226080d1a32839c7c8c459867104697cd76eeafc2ea382a xsa380/xsa380-4.14-2.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. HOWEVER, care has to be taken to avoid restricting guests too much, as them suddenly being unable to map grants they used to be able to map may lead to re-discovery of the issue. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html - -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmEmMPYMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZ73gH/2PAcHwXHW46ckOpcCfRn+Vx/zBK4Dzcq2/PciB9 0u7rrqzkOwiimK/6l1tcnG9yWE8LqBeHwXYidN3/qHc2pqDc3+vErk7bXtXghjdO 18FioW0g+25ogPoPT+lyqP0C+MV1d4jIygQVWuUepfIAa1OwOo12MDmUjt7AdnTs T9L/ZS2D9Ho97X3Wkit62hCer2ucQ63HLtQ1Dz9N/zon5lI5HkO+nRyvjKm+l5G4 MmuUrlFM8Fwp0MjxxJtKn/6HCgnQlSfm8g+2MQ3UNbHZ8g44ipGTnCO/Q1GEmcvj Q9IkZNZ0kBHF47R1AbcZDavv7XjNNo4j8NvT/D+yjPzI4bE= =jE86 - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYSctNeNLKJtyKPYoAQh5wA//WPkp3nXhsQgIGT/68q9orS7AuGmCLfUr WMXV1KOBGOvwhH1iYZmLkPfg8O399TeK144QkE3Qysv2hXYWLZ7mYg1MjkaClAhx ymjBQWGusTR4/zhebbkDcQyPEdMgLcSnnxYRk6q1anN46s42k7Y9FoVkU4TOrMdu GFZG5Vq4jjGbdbTIbrlarNk8uQw3OrWLW8T3M+kfLrVEUTPnEYXZpqfr87JUC4dy 3B4o0Opxl0adjTawNruMaCm6cK9UExLBYD4QdnVhgCiWLgEZhHwiTbeFld2TxpGE YZPa25ULwC8wkX57G+PLpXKMvsIhTYYQrXa3b7ADNvqU9PiF8+9IQ2TszxDf/csx /Wf1kxr12pwvxGJl8+rzzFXUdlMU5AlevmmwtT0hgj0XA0MQkYkWowxvhdOn//5k /rqFO0wBeHoqWzbjJk5+aUMVydwApoCrMYa41otdAzdQtw6JM+azmXGr03vdKERh Fszi3CUdA9om9jLnSfIBGkdYvxSPBROm/wtHq30zuUUhFx0bIjk4QgV6h1a3Pfx8 ZBc5RYEIyaXADkzXR56tlwxNA1e0YO44F3ptjMKNCCLNPAyiZRlyYs+kNvyp4fQz ldWQ4JANuvClDI4JZf4px3wxHCnLE149BUtstueR3FgQSoewaCI9SPSqoGW7QOMU qB6dC/OSAx8= =RZ6t -----END PGP SIGNATURE-----