Information

Advisory XSA-468
Public release 2025-05-27 11:37
Updated 2025-05-27 11:37
Version 3
CVE(s) CVE-2025-27462 CVE-2025-27463 CVE-2025-27464
Title WinPVDrivers: Excessive permissions on user-exposed devices

Files

advisory-468.txt (signed advisory file)
xsa468/xenbus-01.patch
xsa468/xencons-01.patch
xsa468/xencons-02.patch
xsa468/xeniface-01.patch
xsa468/xeniface-02.patch
xsa468/xeniface-03.patch
xsa468/xeniface-04.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

 Xen Security Advisory CVE-2025-27462,CVE-2025-27463,CVE-2025-27464 / XSA-468
                                   version 3

      WinPVDrivers: Excessive permissions on user-exposed devices

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The Windows PV drivers expose various facilities to userspace.  Several
of these have no security descriptor, and are therefore fully accessible
to unprivileged users.  These are:

  1. XenCons,  CVE-2025-27462
  2. XenIface, CVE-2025-27463
  3. XenBus,   CVE-2025-27464

IMPACT
======

Unprivileged users inside the guest can escalate privilege to that of
the guest kernel.

VULNERABLE SYSTEMS
==================

All Windows virtual machines running the Windows PV drivers are
vulnerable.

The xencons driver was first available in the 9.0.0 release, and is
vulnerable since its introduction.

The xeniface and xenbus drivers are vulnerable in all releases.

MITIGATION
==========

A PowerShell script to mitigate the issue in the XenIface driver has been
developed.  It is a single-shot script which can either scan for the
vulnerabilities, or fix them by inserting the relevant security descriptors
into the registry and the running device objects.  See the script for full
invocation information.

Because attaching PowerShell scripts to emails causes them to be
rejected by several major service providers, the script is instead
available from:

  https://paste.vates.tech/?415ce4adb9dde353#6REZBQosbawepd8RcCWrhZ5H3euYSNXGcfHr6hrwU2om
  password: 79322bc8-94fe-42f6-8b81-8373fa9458d0
  sha256: db45e6123312cf9a3a2136f903f82826556915b76b5149b00eeefbe0a2912107

It has only been lightly reviewed by the Xen Security Team.  Feedback
welcome.
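
As an added illustration of the kind of scan the mitigation script performs
(this is an editor's example, not the Xen Security Team's script, and has not
been reviewed by them), the following PowerShell lists the present PnP devices
served by the affected drivers and reports whether a device-level security
descriptor is recorded for each.  Assumptions made here, none of which the
advisory states: the driver service names are xenbus, xeniface and xencons;
Get-PnpDeviceProperty resolves the key name DEVPKEY_Device_SecuritySDS; and the
SDDL string shown as the intended fix (SYSTEM and Administrators only) is this
editor's choice.  The example only scans and prepares the descriptor; writing
it to the registry and to the running device objects is left to the official
script or the patches.

```powershell
# Added example for XSA-468 (not the Xen Project's mitigation script).
# Scans present PnP devices bound to the affected Windows PV drivers and
# reports whether a device security descriptor (SDS) is set on each.
#Requires -Modules PnpDevice

# Assumption: these are the service names of the affected drivers.
$AffectedServices = @('xenbus', 'xeniface', 'xencons')

# Descriptor a fix would apply (editor's choice): protected DACL granting
# full access to SYSTEM and Administrators and nothing to anyone else.
$FixSddl = 'D:P(A;;GA;;;SY)(A;;GA;;;BA)'

function Get-XenPvDeviceSecurity {
    Get-PnpDevice -PresentOnly |
        Where-Object { $_.Service -and ($AffectedServices -contains $_.Service.ToLower()) } |
        ForEach-Object {
            $dev = $_
            # Assumption: the PnpDevice module resolves this DEVPKEY name.
            $prop = Get-PnpDeviceProperty -InstanceId $dev.InstanceId `
                        -KeyName 'DEVPKEY_Device_SecuritySDS' -ErrorAction SilentlyContinue
            # An unset property comes back with Type 'Empty' and no Data.
            $sddl = if ($prop -and $prop.Type -ne 'Empty') { [string]$prop.Data } else { $null }
            [pscustomobject]@{
                InstanceId   = $dev.InstanceId
                Service      = $dev.Service
                Sddl         = $sddl
                NoDescriptor = [string]::IsNullOrEmpty($sddl)
            }
        }
}

# Converts an SDDL string to the self-relative binary form that registry
# 'Security' values and kernel-object security APIs consume.
function ConvertTo-BinarySecurityDescriptor([string]$Sddl) {
    $sd    = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    $bytes = New-Object byte[] $sd.BinaryLength
    $sd.GetBinaryForm($bytes, 0)
    return $bytes
}

# Scan and report.
$report = Get-XenPvDeviceSecurity
$report | Format-Table -AutoSize

if ($report | Where-Object NoDescriptor) {
    Write-Warning 'Affected device(s) without a security descriptor found; apply the XSA-468 patches or the official mitigation script.'
    $bytes = ConvertTo-BinarySecurityDescriptor $FixSddl
    "Prepared binary descriptor for '$FixSddl': $($bytes.Length) bytes."
}
```

Run it from an unprivileged PowerShell session; reading PnP properties does not
require administrator rights, so the scan itself shows what a standard user
can learn about the devices.  A device reported with NoDescriptor is one the
advisory describes as having no security descriptor; confirm the fix with the
official script rather than by writing the descriptor yourself.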

CREDITS
=======

This issue was discovered by Tu Dinh of Vates.

RESOLUTION
==========

Applying the attached patches resolves this issue.

xsa468/xenbus-01.patch             Windows xenbus
xsa468/xencons-0?.patch            Windows xencons
xsa468/xeniface-0?.patch           Windows xeniface

Note: xeniface-03 and 04 are not being treated as security issues, but
are included for downstreams wishing to include them in the same WHQL
testing run.

$ sha256sum xsa468*/*
3c4fbc0526c2a099e0866f9483c545605ab30c7bae8cfbfc7deea7f491b34ac3  xsa468/xenbus-01.patch
7336ce0fd1df73921ec4246bf71ccd8709a8fae20c056e7aba231f34ebccefc9  xsa468/xencons-01.patch
bbacf952c8f78ec6d0ea8ae25d6b1a5e4789c651bfbe6a357adbfc681c49809f  xsa468/xencons-02.patch
0e65525d0a89d693b0b62074e593be332a431cbe245aa8f7d94db4f93a0e7c78  xsa468/xeniface-01.patch
d9193ea2f120281b3ff0886f65ab87723520577826a347db539ef8904eaffa02  xsa468/xeniface-02.patch
f5a6da368cd0114e8d462d7959590e2abff0523574091427896d7092face0e6a  xsa468/xeniface-03.patch
01fadfd4906db35a14cba6d17cc2d28020f554564741c764db876dca43205ad3  xsa468/xeniface-04.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of patches or mitigations is NOT permitted (except where
all the affected systems and VMs are administered and used only by
organisations which are members of the Xen Project Security Issues
Predisclosure List).  Specifically, deployment on public cloud systems
is NOT permitted.

This is because the fixes change in-guest behaviour.

Deployment is permitted only AFTER the embargo ends.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmg1o+EMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZB4IH+QGuIpu1qNVMNNL6rsWSHXJO764VIS8nn6sadMPI
heKoqWr9RMzPZsFDK5qWtckUR4Mfloj/3OD3VDb7a+qeeHFRHCvtpJ5L+q+JYAW6
5Fi5mGqNxTZWjCiwyKtKpJqRj7xSSb49TAi7BrshToV5jD66IyKUW44qFEeXPrs8
KTg2M3MhOO+OJrnHZHcKbhXd2IyhcYL96wg6KteVoQb35uyiDRpj1/mT4BQvp03n
3MJe3uQCavorEPiiWk+Zy/DXSBzFsGpsCSwGOYgjC7HZfWvtsmWeREQhai32LpBi
HW7yufiHwn/sC4hJT98CR1UvH/IJRbEG4kqVX4J6dxau9bw=
=QxLI
-----END PGP SIGNATURE-----


Xenproject.org Security Team