-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3966
        certain VT-d IOMMUs may not work in shared page table mode
                              22 November 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xen
Publisher:         Xen
Operating System:  Xen
                   Virtualisation
Impact/Access:     Increased Privileges -- Unknown/Unspecified
                   Reduced Security     -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-28710

Original Bulletin:
   http://xenbits.xen.org/xsa/advisory-390.html

- --------------------------BEGIN INCLUDED TEXT--------------------

            Xen Security Advisory CVE-2021-28710 / XSA-390

        certain VT-d IOMMUs may not work in shared page table mode

ISSUE DESCRIPTION
=================

For efficiency reasons, address translation control structures (page
tables) may (and, on suitable hardware, by default will) be shared
between CPUs, for second-level translation (EPT), and IOMMUs. These
page tables are presently set up to always be 4 levels deep. However,
an IOMMU may require the use of just 3 page table levels. In such a
configuration the top level table needs to be stripped before inserting
the root table's address into the hardware pagetable base register.
When sharing page tables, Xen erroneously skipped this stripping.
Consequently, the guest is able to write to leaf page table entries.

IMPACT
======

A malicious guest may be able to escalate its privileges to that of the
host.

VULNERABLE SYSTEMS
==================

Xen version 4.15 is vulnerable. Xen versions 4.14 and earlier are not
vulnerable.

Only x86 Intel systems with IOMMU(s) in use are affected. Arm systems,
non-Intel x86 systems, and x86 systems without IOMMU are not affected.

Only HVM guests with passed-through PCI devices and configured to share
IOMMU and EPT page tables are able to leverage the vulnerability on
affected hardware. Note that page table sharing is the default
configuration on capable hardware.

Systems are only affected if the IOMMU used for a passed-through device
requires the use of page tables less than 4 levels deep. We are informed
that this is the case for at least some Ivybridge and earlier "client"
chips; additionally it might be possible for such a situation to arise
when Xen is running nested under another hypervisor, if an (emulated)
Intel IOMMU is made available to Xen.

MITIGATION
==========

Suppressing the use of shared page tables avoids the vulnerability.
This can be achieved globally by passing "iommu=no-sharept" on the
hypervisor command line. This can also be achieved on a per-guest basis
via the "passthrough=sync_pt" xl guest configuration file option.

RESOLUTION
==========

Applying the attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball. Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa390.patch           xen-unstable - Xen 4.15.x

$ sha256sum xsa390*
34d3b59a52c79bd7f9d963ca44ee5cfee08274d49961726e81c34eeff6e6cd37  xsa390.patch
$

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

NOTE REGARDING LACK OF EMBARGO
==============================

The fix for this issue was submitted in public before its security
aspect was realized.
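As an added example (not part of the Xen advisory or the AusCERT bulletin), a small Python audit helper that checks the two mitigations above against a host's Xen command line (as reported by `xl info`) and against xl guest configuration files; the handling of the `type`/`builder`, `pci` and `passthrough` keys is a simplified assumption, not taken from the xl sources.

```python
import re


def host_shared_pt_disabled(xen_cmdline: str) -> bool:
    """True when the hypervisor command line carries iommu=no-sharept.

    The iommu= option is a comma-separated list; if it appears more than
    once, this checker assumes the later setting wins.
    """
    disabled = False
    for tok in xen_cmdline.split():
        if not tok.startswith("iommu="):
            continue
        for opt in tok[len("iommu="):].split(","):
            if opt == "no-sharept":
                disabled = True
            elif opt == "sharept":
                disabled = False
    return disabled


def parse_xl_cfg(text: str) -> dict:
    """Minimal reader for 'key = value' lines of an xl guest config."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if "=" in line:
            key, val = line.split("=", 1)
            cfg[key.strip()] = val.strip().strip("\"'")
    return cfg


# PCI BDF as written in the pci = [...] list, e.g. "01:00.0"
BDF = re.compile(r"[0-9a-f]{2}:[0-9a-f]{2}\.[0-7]", re.I)


def guest_exposure(cfg: dict, host_no_sharept: bool) -> str:
    """Classify one guest as 'not-applicable', 'mitigated' or 'exposed'.

    Only HVM guests with a passed-through PCI device matter for XSA-390.
    Whether the IOMMU really needs fewer than 4 page table levels is not
    visible from the config, so such guests are reported as exposed
    unless one of the advisory's two mitigations is in place.
    """
    guest_type = cfg.get("type", cfg.get("builder", "pv"))
    if guest_type != "hvm" or not BDF.search(cfg.get("pci", "")):
        return "not-applicable"
    if host_no_sharept or cfg.get("passthrough") == "sync_pt":
        return "mitigated"
    return "exposed"
```

Run `guest_exposure(parse_xl_cfg(open(path).read()), host_shared_pt_disabled(cmdline))` over each guest config; constructed sample inputs are used in the assertions below.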
- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================