-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory XSA-376 frontends vulnerable to backends ISSUE DESCRIPTION ================= Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests via the PV protocol. Many PV frontends are hardened against misbehaving PV backends, but a few of them are not and might be susceptible to Denial of Service attacks and metadata manipulation triggered by malicious PV backends. IMPACT ====== Potentially malicious PV backends can cause guest DoS due to unhardened frontends in the guests, even though this ought to have been prevented by containing them within a driver domain. VULNERABLE SYSTEMS ================== All guests with non-hardened frontends being serviced by potentially malicious backends are vulnerable, even if those backends are running in a less privileged environment. The vulnerability is not affecting the host, but the guests using non-hardened frontends. The console, block and net frontends have been hardened in the Linux kernel 5.16, so guests running Linux with kernel 5.16 or newer are not currently known to be vulnerable to potentially malicious console, block or net backends. MITIGATION ========== In case of running potentially malicious backends, using only hardened frontend counterparts in guests will mitigate the problem. NOTE REGARDING LACK OF EMBARGO ============================== This issue was discussed in public already. RESOLUTION ========== The related patch is just a clarification of the security statement, so it will NOT mitigate anything. As there is no urgent need for this patch to go into the Xen tree it will be posted on the xen-devel mailing list after disclosure of this advisory. xsa376.patch xen-unstable $ sha256sum xsa376* b18551f7800d5a232bbe6953b1222ecb2c5a2058285c6fbc8d64f9b7dea2415f xsa376.patch $ -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmG8rFMMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZSP4H/RcD4WLHi3TuSeNspsv/+dNb906LIueHFn/3U5Pg 5Jv8EHjv16apUhzgwTfTtx0pcCCDY2aEq0rdCziGpnTKiYzEarhTuVvc5igy9U0p jqazRTyUkU1pV6HwFIGi/kHXTUpO60amWgKoFzyM9ZMl6WKDejb2rTu6TJC5FyiE cxpe79GC98ECw8d131EfQgRx2/TIZuVQmKZlx3vVNG1lBlMZpFX2iioR7ajCQmdu XWt14kDYdLvmZ1UzlrOH9+jhMRIyFZ1jBZXtXEUN0zSC+aTje6nPO3WSf/gXbmNF COUrd7JPIMEO8PvnjzM3l1PS3XltIf2wTaVr5LjmkyBoMyM= =J4gx -----END PGP SIGNATURE-----