Xen Security Advisory 465 v3 (CVE-2024-53240) - Backend can crash Linux netfront
Xen Security Advisory CVE-2024-53240 / XSA-465
version 3

Backend can crash Linux netfront

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

After a suspend/resume cycle of a Linux guest (e.g. via "virsh dompmsuspend"/
"virsh dompmwakeup") a malicious network backend can crash the guest via a
NULL-pointer dereference in the guest's xen-netfront driver.

During the resume operation the xen-netfront driver will release some data
structures used for communication with the backend, in order to reallocate
these data structures with possibly different parameters specified by the
backend. If the backend triggers a network device removal in the guest
before any network I/O has happened, the NULL-pointer dereference may occur,
causing a crash of the guest.

IMPACT
======

In setups with non-trusted network backends (e.g. when using untrusted
network driver domains) suspend/resume cycles of guests can result in those
guests being crashed by a malicious network backend.

VULNERABLE SYSTEMS
==================

Only systems with non-trusted network backends are vulnerable.

As far as is known, only Linux guests with the fix for CVE-2022-48969 applied
are vulnerable (this includes all kernel versions from 6.1 onwards).

All guest types (x86 PV, x86 PVH/HVM and Arm32/Arm64) are vulnerable.

MITIGATION
==========

Not doing guest suspend/resume cycles will avoid the vulnerability.

Using emulated NICs instead of PV ones will avoid the vulnerability.

CREDITS
=======

This issue was discovered by Marek Marczykowski-Górecki of Invisible Things
Lab.

RESOLUTION
==========

Applying the attached patch resolves this issue.
xsa465-linux.patch           Linux

$ sha256sum xsa465*
7207a22e1e70d0b00278d90e797313bee9d72a968ddd38464b90f0612667826e  xsa465-linux.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of patches or mitigations is NOT permitted (except where all the
affected systems and VMs are administered and used only by organisations
which are members of the Xen Project Security Issues Predisclosure List).
Specifically, deployment on public cloud systems is NOT permitted.

This is because the patches need to be applied to the guests and using
emulated NICs is a guest-visible configuration change.

Deployment is permitted only AFTER the embargo ends.

(Note: this during-embargo deployment notice is retained in post-embargo
publicly released Xen Project advisories, even though it is then no longer
applicable. This is to enable the community to have oversight of the Xen
Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:

http://www.xenproject.org/security-policy.html

Attachment:
xsa465-linux.patch