Information

Advisory XSA-77
Public release 2013-12-10 12:00
Updated 2013-12-10 12:58
Version 3
CVE(s) none (yet) assigned
Title Disaggregated domain management security status

Files

advisory-77.txt (signed advisory file)
xsa77-unstable.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                     Xen Security Advisory XSA-77
                              version 3

              Disaggregated domain management security status

UPDATES IN VERSION 3
====================

Public release.

The included documentation patch now updates the xsm-flash.txt
documentation rather than the Xen public headers. The advisory has
been updated to reflect this.

Made the warning about the documentation patch stand out more clearly.

ISSUE DESCRIPTION
=================

Xen supports disaggregation of various support and management
functions into their own domains; this is often done for security and
robustness reasons.

In Xen 4.3 additional functionality was introduced to allow further
disaggregation: the Xen Security Modules mechanism was enhanced to
make it possible to delegate various domain control hypercalls to
particular other domains, rather than only permitting use by dom0.

However the several affected hypercall implementations were
originally written to be used only by the totally-privileged dom0, and
have not been reviewed for security when exposed to
supposedly-only-semi-privileged disaggregated management domains.  But
such management domains are (in such a design) to be seen as
potentially hostile, e.g. due to privilege escalation following
exploitation of a bug in the management domain.

As a result, the potential security benefits of toolstack
disaggregation are not always fully realised.  This constitutes a
breach of the enhanced security promises implied by the Xen APIs in
Xen in 4.3 and later.

The affected hypercalls are:
  __HYPERVISOR_domctl: The majority of the XEN_DOMCTL_* subops are
        affected. Exceptions are listed below.
  __HYPERVISOR_sysctl: All XEN_SYSCTL_* subops are affected.
  __HYPERVISOR_memory_op: A small number of XENMEM_* subops are
        affected. See below.
  __HYPERVISOR_tmem_op: All TMEMC_* sub-subops of the TMEM_CONTROL
        subop are affected.

The majority of the domctls are subject to this issue. Prior to 4.3,
only the following domctls were disaggregatable, and they are NOT
affected by these problems:
  XEN_DOMCTL_ioport_mapping   XEN_DOMCTL_bind_pt_irq
  XEN_DOMCTL_memory_mapping   XEN_DOMCTL_unbind_pt_irq
The implementations of these were written with semi-trusted callers
in mind.

Only the following memory op subops are affected:
  XENMEM_set_pod_target       XENMEM_get_pod_target
  XENMEM_claim_pages
The remainder of the memory ops were written with untrusted or
semi-trusted callers in mind.

IMPACT
======

Domains deliberately given partial management control may be able to
deny service to the entire host or even escalate their privileges.

As a result, in a system designed to enhance security by radically
disaggregating the management, the security may be reduced.  But, the
security will be no worse than a non-disaggregated design.


VULNERABLE SYSTEMS
==================

This issue is only relevant to systems which intend to increase
security through the use of advanced disaggregated management
techniques.

This does not include systems using libxl, libvirt, xm/xend,
XCP/XenServer, OpenStack or CloudStack (unless substantially modified
or supplemented, as compared to versions supplied by the respective
upstreams).

This issue is not relevant to stub device models, driver domains, or
stub xenstored.  Those disaggregation techniques do not rely on
granting the semi-privileged support domains access to the affected
interfaces, and are believed to provide the intended security
benefits.

This issue is only relevant to Xen 4.3 and xen-unstable, and not to
any earlier version.


PROCESS FOR VULNERABILITIES IN AFFECTED INTERFACES
==================================================

Until the interfaces have been properly reviewed for security against
hostile callers, the Xen.org security team intends (subject of course
to the permission of anyone disclosing to us) to handle these and
future vulnerabilities in these interfaces in public, as if they were
normal non-security-related bugs.

This applies only to bugs which do no more than reduce the security of
a radically disaggregated system to the security of a
non-disaggregated one.  Here a "radically disaggregated system" is one
which uses the XSM mechanism to delegate the affected interfaces to
other-than-fully-trusted domains.

This policy does not apply to bugs which affect stub device models,
driver domains, or stub xenstored - even if those bugs do no worse
than reduce the security of such a system to one whose device models,
backend drivers, or xenstore, run in dom0.

The list of interfaces which are subject to the above process
exception are listed in the Xen Source tree in docs/misc/xsm-flask
under the heading "Security Status of dom0 disaggregation". This
document is also available at
http://xenbits.xen.org/docs/unstable/misc/xsm-flask.txt.

We intend that currently-known problems will be publicly disclosed on
the xen-devel mailing list, as normal bug reports, at the expiry of
the XSA-77 embargo.

In the meantime the list below may be helpful.


MITIGATION
==========

The issues discussed in this advisory are themselves bugs in features
used for a security risk mitigation.

There is no further mitigation available, beyond general measures to
try to avoid parts of the system management becoming controlled by
attackers.  Those are the kind of measures which we expect any users
of radical disaggregation to have already deployed.

Switching from disaggregated to a non-disaggregated operation does NOT
mitigate these vulnerabilities.  Rather, it simply recategorises the
vulnerability to hostile management code, regarding it "as designed";
thus it merely reclassifies these issues as "not a bug".

Users and vendors of disaggregated systems should not change their
configuration.  The robustness benefits of disaggregation are
unaffected, and (depending on system design) security benefits are
likely to remain despite the vulnerabilities.


RESOLUTION
==========

We hope that the control interface attack surface can be reviewed and
improved so that disaggregation can deliver its security benefits more
fully.

Patches resulting from this process will be developed in public and
applied to the Xen trees as if they were ordinary bugfixes.

In the meantime the attached patch will be applied to the unstable
branch in order to track which interfaces are subject to this
exception.

This patch is purely documentary and DOES NOT resolve any issue.

$ sha256sum xsa77*.patch
bd9daffa8abfb05fb4a474e903dcd777352a705c1cf6e89343ea6545d545e4cb  xsa77-unstable.patch
$


CREDITS
=======

The issues which prompted this advisory were discovered by Jan
Beulich and Don Slutz.


LIST OF KNOWN VULNERABILITIES
=============================

**NOTE** that this is unlikely to be a complete list of problems.

**NOTE** that after publication of this advisory, after the embargo
ends, the advisory will no longer be updated to extend this list of
vulnerabilities.  See `Process for domctl vulnerabilities', above.

Multiple domctls can be made, by the caller, to perform excessively
long-running operations.  This can result in host-wide denial of
service and watchdog-induced crashes.

XEN_DOMCTL_gethvmcontext_partial allows access to guest state, in
particular certain pieces that are per-vCPU. If one or more of a
guest's vCPU-s are offline, the space internally allocated to store
each individual vCPU's state would not get fully used and, due to
another bug, information from the portion that didn't get initialized
may be returned back to the caller.

In the course of processing the request to set register state for
another PV guest's vCPU, the hypervisor updated the in memory copy of
the debug register values twice - first by simply copying over the
values, and in a second step through code properly verifying them.
Between the two operations there are, however, other error exit paths,
making it possible that unvalidated state could remain in place and be
loaded when the vCPU is next scheduled to run.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJSpw/NAAoJEIP+FMlX6CvZBskH/j4YsHS48A82IEez4Zn7m+m6
n2d3UjT7fAAgxvqD3YJ7gsZI0Xi4PKw4ThHmmV6ZIdE18jju9ByrcsLLA/z77sO4
eUEastK49XKQ1Him7v+XB2/zfZ2ty/grnWS9dk5r18hVQLv+KIuQoyB+/QHt3bD4
i06R6iyhE57yJiD72bTNflITioyuZybMG/MM+7Pby8OVblagNgUS3YK9Z5J246/e
fWDTUsgI6c63zWRjqwBZB0vI+omr/GfNUX0e77LMnv/f/X6jwVBdNML2RDI9HDRO
lWdfQQeYHQN/mK6OD5s13+qIonv3iq8wJjeRxvQpQKAnjynFu61VDnp/ghN6xnE=
=lQLn
-----END PGP SIGNATURE-----

Xenproject.org Security Team