Xen Project XSA-219
Jun 20, 2017 - 11:58 a.m.

x86: insufficient reference counts during shadow emulation

Xen Project
xenbits.xen.org

CVSS2: 6.8 Medium
  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3: 9 High
  Attack Vector: NETWORK
  Attack Complexity: HIGH
  Privileges Required: NONE
  User Interaction: NONE
  Scope: CHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS: 0.007 Low (Percentile: 80.9%)

ISSUE DESCRIPTION

When using shadow paging, writes to guest pagetables must be trapped and emulated, so the shadows can be suitably adjusted as well.
When emulating the write, Xen maps the guest's pagetable(s) to make the final adjustment and leave the guest's view of its state consistent.
However, when mapping the frame, Xen drops the page reference before performing the write. This opens a race window during which the underlying frame can change ownership.
One possible attack scenario is for the frame to change ownership and to be inserted into a PV guest's pagetables. At that point, the emulated write becomes an unaudited modification of the PV pagetables, with a value under guest control.
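The ordering problem above can be shown with a small model of reference-counted frames. This is an added example, not Xen's shadow code: the struct, the ownership rule (a frame can only be reassigned and validated as a pagetable while no reference pins it) and the function names are assumptions chosen to make the window visible. The "buggy" path drops the reference between mapping and writing, so a concurrent reassignment to a PV domain succeeds and the guest-controlled value lands in what is now a validated PV L1 pagetable; the "fixed" path holds the reference across the write, so the reassignment is refused.

```c
/* Model of the XSA-219 reference-count window (added illustration,
 * not Xen code; names and the ownership rule are assumptions). */
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>

enum { DOM_HVM = 1, DOM_PV = 2 };
enum { PGT_NONE = 0, PGT_L1_PAGETABLE = 1 };

/* One machine frame: owner, pinning reference count, validated type,
 * and a payload of four "PTEs" for the model. */
struct page_info {
    int owner;
    int count;
    int type;
    uint64_t contents[4];
};

static bool get_page(struct page_info *pg, int dom)
{
    if (pg->owner != dom)
        return false;          /* cannot take a reference on someone else's frame */
    pg->count++;
    return true;
}

static void put_page(struct page_info *pg) { pg->count--; }

/* The other half of the race: the frame may be re-owned and validated as
 * a PV pagetable only while nothing holds a reference to it. */
static bool reassign_and_validate_l1(struct page_info *pg, int new_owner)
{
    if (pg->count != 0)
        return false;          /* pinned: reassignment must wait */
    pg->owner = new_owner;
    pg->type = PGT_L1_PAGETABLE;
    return true;
}

typedef void (*race_fn)(struct page_info *);

/* Pre-fix ordering: the reference is dropped right after mapping,
 * before the guest-controlled value is stored. */
static bool emulate_write_buggy(struct page_info *pg, int dom, unsigned idx,
                                uint64_t val, race_fn race)
{
    if (!get_page(pg, dom))
        return false;
    uint64_t *map = pg->contents;   /* "map" the frame */
    put_page(pg);                   /* reference dropped too early */
    race(pg);                       /* window: ownership can change here */
    map[idx] = val;                 /* unaudited write into whatever pg is now */
    return true;
}

/* Post-fix ordering: hold the reference for the duration of the write. */
static bool emulate_write_fixed(struct page_info *pg, int dom, unsigned idx,
                                uint64_t val, race_fn race)
{
    if (!get_page(pg, dom))
        return false;
    uint64_t *map = pg->contents;
    race(pg);                       /* reassignment refused: count != 0 */
    map[idx] = val;                 /* write lands in the HVM guest's own frame */
    put_page(pg);
    return true;
}

static void pv_steals_frame(struct page_info *pg)
{
    reassign_and_validate_l1(pg, DOM_PV);
}

/* Returns true when the emulated write ended up in a frame that is now a
 * validated PV pagetable, i.e. the exploitable outcome. */
static bool run_scenario(bool use_fixed)
{
    struct page_info pg = { .owner = DOM_HVM, .count = 0, .type = PGT_NONE };
    const uint64_t attacker_pte = 0x8000000000000063ULL;  /* constructed value */
    bool ok = use_fixed
        ? emulate_write_fixed(&pg, DOM_HVM, 0, attacker_pte, pv_steals_frame)
        : emulate_write_buggy(&pg, DOM_HVM, 0, attacker_pte, pv_steals_frame);
    return ok && pg.owner == DOM_PV && pg.type == PGT_L1_PAGETABLE
           && pg.contents[0] == attacker_pte;
}

int main(void)
{
    printf("buggy ordering: PV pagetable corrupted = %d\n", run_scenario(false));
    printf("fixed ordering: PV pagetable corrupted = %d\n", run_scenario(true));
    return 0;
}
```

The point of the model is the invariant, not the data structure: every reference taken on a frame must outlive every access made through the mapping it justified. The same check applies to any map-then-write path in a hypervisor or kernel, and reviewing for it is simply asking where the matching put sits relative to the last dereference.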

IMPACT

A malicious pair of guests may be able to elevate their privilege to that of Xen.
We have not ruled out the possibility that a single malicious HVM guest may be able to elevate its privilege to that of Xen.

VULNERABLE SYSTEMS

All versions of Xen are vulnerable.
Only x86 systems are affected. ARM systems are not vulnerable.
HVM guests using shadow mode paging can exploit this vulnerability. HVM guests using Hardware Assisted Paging (HAP) cannot exploit this vulnerability.
To discover whether your HVM guests are using HAP, or shadow page tables: request debug key `q' (from the Xen console, or with `xl debug-keys q'). This will print (to the console, and visible in `xl dmesg'), debug information for every domain, containing something like this:

(XEN) General information for domain 2:
(XEN)     refcnt=1 dying=2 pause_count=2
(XEN)     nr_pages=2 xenheap_pages=0 shared_pages=0 paged_pages=0 dirty_cpus={} max_pages=262400
(XEN)     handle=ef58ef1a-784d-4e59-8079-42bdee87f219 vm_assist=00000000
(XEN)     paging assistance: hap refcounts translate external
                             ^^^

The presence of `hap' here indicates that the host is not vulnerable to this domain. For an HVM domain the presence of `shadow' indicates that the domain can exploit the vulnerability.
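On a host with many domains, reading the `q' dump by eye is error-prone. The following added example (not part of the advisory or of the Xen tools) walks `xl dmesg' output and reports, per domain, whether the "paging assistance:" line lists "shadow" or "hap". The sample log embedded below is constructed for the demo; the record layout it parses is the one shown in the advisory.

```c
/* Classify domains from debug-key 'q' output by paging mode.
 * Added example, not Xen code; sample_log is constructed. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define MAX_DOMS 16

struct dom_paging {
    int domid;
    bool hap;
    bool shadow;
};

/* Walk the log line by line.  A "General information for domain N" line
 * opens a record; the next "paging assistance:" line is tokenised on
 * whitespace and matched exactly, so "hap" cannot match a longer word. */
static int classify_domains(const char *log, struct dom_paging *out, int max)
{
    int n = 0, cur = -1;
    const char *p = log;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';

        int id;
        const char *pa;
        if (sscanf(line, "(XEN) General information for domain %d", &id) == 1) {
            if (n < max) {
                out[n].domid = id;
                out[n].hap = out[n].shadow = false;
                cur = n++;
            } else {
                cur = -1;           /* table full: ignore further domains */
            }
        } else if (cur >= 0 && (pa = strstr(line, "paging assistance:")) != NULL) {
            char buf[256];
            strncpy(buf, pa + strlen("paging assistance:"), sizeof buf - 1);
            buf[sizeof buf - 1] = '\0';
            for (char *tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
                if (strcmp(tok, "hap") == 0) out[cur].hap = true;
                if (strcmp(tok, "shadow") == 0) out[cur].shadow = true;
            }
        }
        if (!nl) break;
        p = nl + 1;
    }
    return n;
}

/* 1 = hap, 2 = shadow, 0 = neither listed, -1 = domain not in the log. */
static int paging_mode_of(const char *log, int domid)
{
    struct dom_paging doms[MAX_DOMS];
    int n = classify_domains(log, doms, MAX_DOMS);
    for (int i = 0; i < n; i++)
        if (doms[i].domid == domid)
            return doms[i].shadow ? 2 : doms[i].hap ? 1 : 0;
    return -1;
}

/* Constructed sample: domain 1 uses HAP, domain 2 uses shadow paging. */
static const char sample_log[] =
    "(XEN) General information for domain 1:\n"
    "(XEN)     refcnt=3 dying=0 pause_count=0\n"
    "(XEN)     paging assistance: hap refcounts translate external\n"
    "(XEN) General information for domain 2:\n"
    "(XEN)     refcnt=1 dying=2 pause_count=2\n"
    "(XEN)     paging assistance: shadow refcounts translate external\n";

int main(void)
{
    struct dom_paging doms[MAX_DOMS];
    int n = classify_domains(sample_log, doms, MAX_DOMS);
    for (int i = 0; i < n; i++)
        printf("domain %d: %s\n", doms[i].domid,
               doms[i].shadow ? "shadow (can exploit XSA-219)"
               : doms[i].hap ? "hap (not exposed)" : "no hap/shadow listed");
    return 0;
}
```

To run it against a live host, feed it the output of `xl dmesg' after `xl debug-keys q' (for example by reading stdin instead of sample_log). A domain reported as "shadow" is one the advisory says can exploit the race; a PV domain will show neither flag, since the paging-assistance line describes HVM paging mode.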
Xen 4.6 and later have the option to compile-out shadow paging support. (The default is to compile with shadow paging support). If Xen is built without shadow support, it is not vulnerable.
Exploiting this race condition requires coordination between an x86 HVM guest using shadow paging, and a PV guest.
Running only HVM guests avoids the vulnerability, unless stub device models are in use (since stub device models are PV domains, each controlled by the corresponding guest).
Running only PV guests avoids the vulnerability.

CPE
  Name: xen
  Operator: eq
  Version: any
