June 2022 Security and Bugfix Update #1

Security Jun 13, 2022

A security update is available for the only currently supported release of XCP-ng: 8.2 LTS.

To update, follow this guide. You can also join the discussion on our community forum. Hosts need to be rebooted after this update.

Summary

Several vulnerabilities have been discovered and fixed in the Xen hypervisor.

To address them, we released updates for this component in XCP-ng.

We also released a maintenance update of the secureboot-certs script included in the uefistored RPM.

Impact

When the conditions are met, an attacker controlling a malicious PV VM may escalate privilege and take control of the whole host.

The conditions are described below for each of the two vulnerabilities (XSA-401 and XSA-402).

XSA-401

Xen Project Security Advisory: https://xenbits.xen.org/xsa/advisory-401.html

"Malicious x86 PV guest administrators may be able to escalate privilege so as to control the whole system", by exploiting a race condition.

Vulnerable systems:

To exploit the vulnerability, there needs to be an undue delay at just the wrong moment in _get_page_type(). The degree to which an x86 PV guest can practically control this race condition is unknown.

Bold casing was added by us.

XSA-402

Xen Project Security Advisory: https://xenbits.xen.org/xsa/advisory-402.html

"Malicious x86 PV guest administrators can escalate privilege so as to control the whole system."

Vulnerable systems:

Only x86 PV guests configured with access to devices (e.g. PCI Passthrough) can trigger the vulnerability.

Only CPUs which can issue non-coherent memory accesses are impacted. CPUs which enumerate the SelfSnoop feature are not impacted, except as noted in errata.  Therefore, we believe that Xen running on Intel IvyBridge or later CPUs is not impacted by the vulnerability.

Bold casing was added by us.
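A first-pass triage for the second XSA-402 condition, as an added example that is not part of this post or of the XCP-ng project's tooling: Linux exposes the SelfSnoop CPU feature (CPUID.1:EDX[27]) as the flag "ss" in the flags line of /proc/cpuinfo, so a script can tell whether the dom0's CPU enumerates it. The sample inputs below are constructed, not captured from real hosts, and the function names are ours.

```shell
#!/bin/sh
# Added example, not XCP-ng or Xen project code. Classifies a cpuinfo-style
# dump against the CPU condition of XSA-402: CPUs that enumerate SelfSnoop
# ("ss" in /proc/cpuinfo) are not impacted, except as noted in errata.
# This is triage only; the PV-guest-with-device-access condition still has
# to be checked, and the update should be installed regardless.

# has_selfsnoop FILE -> exit 0 if the first "flags" line lists "ss" as a
# whole token (so "ssse3" or "sse" never match), 1 otherwise.
has_selfsnoop() {
    grep '^flags' "$1" | head -n 1 \
        | sed 's/^flags[[:space:]]*:[[:space:]]*//' \
        | tr ' ' '\n' \
        | grep -qx 'ss'
}

# xsa402_verdict FILE -> prints exactly one of:
#   not-impacted   CPU enumerates SelfSnoop (modulo errata)
#   check-guests   no SelfSnoop; impacted only if an x86 PV guest has
#                  device access (e.g. PCI passthrough)
#   unknown        no flags line found in the input
xsa402_verdict() {
    if ! grep -q '^flags' "$1"; then
        echo unknown
    elif has_selfsnoop "$1"; then
        echo not-impacted
    else
        echo check-guests
    fi
}

# Constructed sample inputs (assumed layouts, not real host output).
SAMPLE_SS=$(mktemp)
printf 'processor\t: 0\nflags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx\n' > "$SAMPLE_SS"
SAMPLE_NOSS=$(mktemp)
printf 'processor\t: 0\nflags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ssse3 ht syscall nx\n' > "$SAMPLE_NOSS"

# On a dom0 you would run: xsa402_verdict /proc/cpuinfo
for f in "$SAMPLE_SS" "$SAMPLE_NOSS"; do
    echo "$f: $(xsa402_verdict "$f")"
done
rm -f "$SAMPLE_SS" "$SAMPLE_NOSS"
```

Two caveats when running this against /proc/cpuinfo in dom0: the flags dom0 sees are the CPUID values Xen chooses to expose to it, and the advisory's "except as noted in errata" clause means a "not-impacted" verdict is only as good as the errata for your exact CPU model. A "check-guests" verdict means you still need to find out which VMs run in PV mode with PCI or other device access before concluding anything.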

Bugfix update: uefistored

Due to changes on the Microsoft website from which the UEFI Secure Boot certificates are downloaded when you set up your pool for Guest UEFI Secure Boot, we had to update the secureboot-certs utility so that it can continue downloading from it.

Two changes:

  1. We modified the User-Agent header the utility sends when it downloads the files from microsoft.com.
  2. If this new user agent is blocked in the future, the command will print instructions telling you either to use the new --user-agent parameter or to download and install the certificates manually.


Samuel Verschelde

XCP-ng release manager: pushes the big red "Release" button. Part developer, part packager, part QA, part manager. Open Source enthusiast since 2002.