Xen and Intel microcode security updates

Security Dec 16, 2019

New security updates are available for Xen and for Intel microcode.

Security updates are available for the two supported releases of XCP-ng: 7.6 and 8.0.

To update, follow this guide. Join the discussion on our community forum.
Reboot after updating.

Related: https://support.citrix.com/article/CTX266932

XSA-308: possible guest crash

Reference: http://xenbits.xen.org/xsa/advisory-308.html

Impact

HVM/PVH guest userspace code may be able to crash the guest, resulting in a guest Denial of Service.

Vulnerable systems

Only systems supporting VMX hardware virtual extensions (Intel, Cyrix or Zhaoxin CPUs) are affected. [...] AMD systems are unaffected.

Only HVM/PVH guests are affected. PV guests cannot leverage the vulnerability.

Resolution

Apply the updates on your XCP-ng hosts and reboot.

XSA-309: possible host crash from PV guest

Reference: http://xenbits.xen.org/xsa/advisory-309.html

Impact

A malicious or buggy PV guest may cause the hypervisor to crash, resulting in a Denial of Service (DoS) affecting the entire host. Privilege escalation and information leaks cannot be excluded either.

Vulnerable systems

Only x86 PV guests can leverage the vulnerability. x86 HVM and PVH guests cannot leverage the vulnerability.

Only systems which have enabled linear pagetables are vulnerable. Systems which have disabled linear pagetables [...] by adding pv-linear-pt=false to the Xen command-line are not vulnerable.

Mitigation

If you don't have any guests which need linear pagetables, you can disable the feature by adding pv-linear-pt=false to your Xen command-line. NetBSD is known to use linear pagetables; Linux and MiniOS are known not to use linear pagetables.

Resolution

Apply the updates on your XCP-ng hosts and reboot.

XSA-310: privilege escalation from malicious PV guests

Reference: http://xenbits.xen.org/xsa/advisory-310.html

Impact

A malicious PV guest administrator may be able to escalate their privilege to that of the host.

Vulnerable systems

Only x86 PV guests can leverage the vulnerability. x86 HVM and PVH guests cannot leverage the vulnerability.

Note that these attacks require very precise timing, which may be difficult to achieve in practice.

Mitigation

If you don't have any guests which need linear pagetables, you can disable the feature by adding pv-linear-pt=false to your Xen command-line. NetBSD is known to use linear pagetables; Linux and MiniOS are known not to use linear pagetables.
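The mitigation for XSA-309 and XSA-310 above is the same: disable linear pagetables unless a guest needs them. As an added example (not code from this post or from the XCP-ng project), the POSIX shell snippet below checks whether pv-linear-pt is effectively disabled on a Xen command line, and lists the PV guests that would be affected by turning it off, since only PV guests can use linear pagetables or exploit these two issues. It assumes that Xen evaluates boolean options with last-occurrence-wins semantics and the value spellings modelled here (based on Xen's parse_bool), that `xl info` prints the running command line in its xen_commandline field, that `xe vm-list` reports an empty HVM-boot-policy for PV guests, and that /opt/xensource/libexec/xen-cmdline --set-xen is the XCP-ng helper that persists a Xen option for the next boot. The command line and VM inventory embedded in the block are constructed samples.

```shell
#!/bin/sh
# Added example for this post, not XCP-ng or Xen project code.
# Two helpers for the XSA-309/XSA-310 mitigation:
#   1. xen_bool_opt: evaluate a Xen boolean command-line option the way the
#      hypervisor does (assumed semantics, modelled on Xen's parse_bool():
#      the last occurrence wins; a bare "opt" or opt=yes/on/true/enable/1
#      enables it; "no-opt" or opt=no/off/false/disable/0 disables it).
#      Xen's built-in default for pv-linear-pt is "true".
#   2. pv_guests_from_vm_list: list the PV guests (the only ones that can use
#      linear pagetables, and the only ones that can exploit XSA-309/310)
#      from `xe vm-list params=name-label,HVM-boot-policy` output; a VM with
#      an empty HVM-boot-policy boots as PV (assumed output format).

# xen_bool_opt OPTION CMDLINE  -> prints "true" or "false"
xen_bool_opt() {
    opt=$1
    cmdline=$2
    result=true                       # value when the option is absent
    for word in $cmdline; do          # split on whitespace; last match wins
        case $word in
            "$opt"|"$opt=yes"|"$opt=on"|"$opt=true"|"$opt=enable"|"$opt=1")
                result=true ;;
            "no-$opt"|"$opt=no"|"$opt=off"|"$opt=false"|"$opt=disable"|"$opt=0")
                result=false ;;
        esac
    done
    printf '%s\n' "$result"
}

# Reads xe vm-list output on stdin; prints one PV guest name-label per line.
pv_guests_from_vm_list() {
    awk '
        function value(line) {        # text after the first ":", trimmed
            sub(/^[^:]*:[ \t]*/, "", line); sub(/[ \t]*$/, "", line); return line
        }
        $1 == "name-label"      { name = value($0) }
        $1 == "HVM-boot-policy" { if (value($0) == "") print name }
    '
}

# Constructed sample inventory (not output from a real host):
# two PV guests and one HVM guest.
SAMPLE_VM_LIST='name-label ( RW)       : netbsd-build
HVM-boot-policy ( RW):


name-label ( RW)       : win2019
HVM-boot-policy ( RW): BIOS order


name-label ( RW)       : legacy-pv
HVM-boot-policy ( RW):
'

demo_pv_guests() {
    printf '%s\n' "$SAMPLE_VM_LIST" | pv_guests_from_vm_list
}

# Live check for a dom0 shell on an XCP-ng host. xen-cmdline --set-xen is
# assumed to be the helper that persists a Xen option for the next boot.
check_host() {
    cmdline=$(xl info 2>/dev/null | sed -n 's/^xen_commandline *: *//p')
    echo "Xen command line: $cmdline"
    if [ "$(xen_bool_opt pv-linear-pt "$cmdline")" = true ]; then
        echo "pv-linear-pt is enabled: an unpatched host is exposed to XSA-309/310"
        echo "To disable: /opt/xensource/libexec/xen-cmdline --set-xen pv-linear-pt=false && reboot"
        echo "PV guests that would be affected (look for NetBSD first):"
        xe vm-list params=name-label,HVM-boot-policy | pv_guests_from_vm_list
    else
        echo "pv-linear-pt is disabled: XSA-309/310 mitigated"
    fi
}

# Stand-alone run uses the constructed data; pass --live on a host for the real check.
SAMPLE_CMDLINE='console=vga dom0_mem=4096M,max:4096M crashkernel=192M,below=4G pv-linear-pt=false'
printf 'pv-linear-pt on sample command line: %s\n' "$(xen_bool_opt pv-linear-pt "$SAMPLE_CMDLINE")"
printf 'PV guests in sample inventory:\n'
demo_pv_guests
if [ "${1:-}" = "--live" ]; then check_host; fi
```

Run it with --live from dom0 to check the running hypervisor; without arguments it only exercises the constructed sample. Because the parser takes the last occurrence, appending pv-linear-pt=false to a command line that already contains the bare option still disables the feature, which is what you want when the option is added via xen-cmdline rather than by editing the boot configuration by hand.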

Resolution

Apply the updates on your XCP-ng hosts and reboot.

XSA-311: malicious HVM guest with PCI pass-through on AMD may crash the host

Reference: http://xenbits.xen.org/xsa/advisory-311.html

Impact

A malicious guest administrator can cause Xen to access data structures while they are being modified, causing Xen to crash. Privilege escalation is thought to be very difficult but cannot be ruled out.
Additionally, there is a potential memory leak of 4kB per guest boot under memory pressure.

Vulnerable systems

Only Xen on AMD CPUs is vulnerable. Xen running on Intel CPUs is not vulnerable.

Only systems where guests are given direct access to physical devices are vulnerable. Systems which do not use PCI pass-through are not vulnerable.

Only HVM guests can exploit the vulnerability. PV and PVH guests cannot.

Resolution

Apply the updates on your XCP-ng hosts and reboot.

Intel microcode update

Impact

Due to an issue in some Intel CPU hardware, unprivileged code running within a guest VM may be able to compromise that guest VM.

Vulnerable systems

The list of vulnerable CPUs can be found at: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00317.html.

Resolution

Apply the updates on your XCP-ng hosts and reboot.

Samuel Verschelde

XCP-ng Lead Maintainer, Release Manager and Technical Product Manager. Open Source enthusiast since 2002.