June 2022 Security and Bugfix Update #1
A security update is available for the only currently supported release of XCP-ng: 8.2 LTS.
Summary
Several vulnerabilities have been discovered and fixed in the Xen hypervisor.
To address them, we released updates for this component in XCP-ng.
We also released a maintenance update of the secureboot-certs script included in the uefistored RPM.
Impact
When the conditions are met, an attacker controlling a malicious x86 PV VM may escalate privilege and take control of the whole host.
The conditions are described below for each of the two vulnerabilities (XSA-401 and XSA-402).
XSA-401
Xen Project Security Advisory: https://xenbits.xen.org/xsa/advisory-401.html
"Malicious x86 PV guest administrators may be able to escalate privilege so as to control the whole system", by exploiting a race condition.
Vulnerable systems:
To exploit the vulnerability, there needs to be an undue delay at just the wrong moment in _get_page_type(). The degree to which an x86 PV guest can practically control this race condition is unknown.
Emphasis in the quoted text was added by us.
XSA-402
Xen Project Security Advisory: https://xenbits.xen.org/xsa/advisory-402.html
"Malicious x86 PV guest administrators can escalate privilege so as to control the whole system."
Vulnerable systems:
Only x86 PV guests configured with access to devices (e.g. PCI Passthrough) can trigger the vulnerability.
Only CPUs which can issue non-coherent memory accesses are impacted. CPUs which enumerate the SelfSnoop feature are not impacted, except as noted in errata. Therefore, we believe that Xen running on Intel IvyBridge or later CPUs is not impacted by the vulnerability.
Emphasis in the quoted text was added by us.
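A quick way to check a host against the two XSA-402 conditions quoted above (an x86 PV guest with device access, on a CPU that does not enumerate SelfSnoop). This is an added example, not XCP-ng or Xen project code. It assumes that the `ss` flag in /proc/cpuinfo is the Linux name for the CPUID SelfSnoop bit, that /proc/cpuinfo in the XCP-ng dom0 reflects the CPUID values Xen exposes to dom0, that an empty `HVM-boot-policy` in `xe vm-list` output denotes a PV guest, and that a `pci:` entry in a VM's `other-config` is how PCI passthrough is recorded; the cpuinfo and `xe` output below are constructed samples.

```python
import re
import subprocess
import sys

# Constructed sample of the first CPU block of /proc/cpuinfo (flags shortened; 'ss' present).
SAMPLE_CPUINFO_SELFSNOOP = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Intel(R) Xeon(R) CPU E5-2650 v2 @ 2.60GHz
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx lm
"""

# Constructed sample for a CPU that does not enumerate SelfSnoop.
SAMPLE_CPUINFO_NO_SELFSNOOP = """\
processor\t: 0
vendor_id\t: AuthenticAMD
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm
"""

# Constructed sample of `xe vm-list is-control-domain=false params=uuid,name-label,HVM-boot-policy,other-config`:
# one record per VM, records separated by blank lines (assumed format).
SAMPLE_XE_VM_LIST = """\
uuid ( RO)           : 11111111-1111-1111-1111-111111111111
name-label ( RW)     : legacy-pv-with-nic
HVM-boot-policy ( RW):
other-config (MRW)   : pci: 0/0000:04:00.0; base_template_name: Other install media


uuid ( RO)           : 22222222-2222-2222-2222-222222222222
name-label ( RW)     : hvm-with-gpu
HVM-boot-policy ( RW): BIOS order
other-config (MRW)   : pci: 0/0000:03:00.0


uuid ( RO)           : 33333333-3333-3333-3333-333333333333
name-label ( RW)     : plain-pv
HVM-boot-policy ( RW):
other-config (MRW)   : base_template_name: Debian Jessie 8.0
"""

# "<param> ( RO): <value>" lines; the value may be empty.
XE_LINE = re.compile(r"^\s*([\w-]+)\s*\(\s*\w+\s*\)\s*:\s*(.*?)\s*$")


def parse_xe_records(text):
    """Split blank-line separated `xe` output into a list of {param: value} dicts."""
    records, current = [], {}
    for line in text.splitlines():
        m = XE_LINE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
        elif not line.strip() and current:
            records.append(current)
            current = {}
    if current:
        records.append(current)
    return records


def pv_guests_with_passthrough(xe_text):
    """Names of VMs that are PV (empty HVM-boot-policy) and carry a PCI passthrough entry."""
    return [r.get("name-label", r.get("uuid", "?"))
            for r in parse_xe_records(xe_text)
            if r.get("HVM-boot-policy", "") == "" and "pci:" in r.get("other-config", "")]


def cpu_flags(cpuinfo_text):
    """Flags of the first CPU listed in /proc/cpuinfo."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return set(line.split(":", 1)[1].split())
    return set()


def has_self_snoop(cpuinfo_text):
    # Assumption: 'ss' is the kernel's name for the CPUID SelfSnoop feature bit.
    return "ss" in cpu_flags(cpuinfo_text)


def xsa402_exposure(cpuinfo_text, xe_text):
    """Return (status, reason); both advisory conditions must hold for the host to be exposed."""
    guests = pv_guests_with_passthrough(xe_text)
    if not guests:
        return ("not_exposed", "no x86 PV guest has device access")
    if has_self_snoop(cpuinfo_text):
        return ("likely_not_exposed",
                "CPU enumerates SelfSnoop; PV guests with passthrough: " + ", ".join(guests)
                + " (still check the errata named in the advisory)")
    return ("exposed", "CPU lacks SelfSnoop and PV guests have device access: " + ", ".join(guests))


if __name__ == "__main__":
    try:
        with open("/proc/cpuinfo") as f:
            cpuinfo = f.read()
        xe_out = subprocess.run(
            ["xe", "vm-list", "is-control-domain=false",
             "params=uuid,name-label,HVM-boot-policy,other-config"],
            check=True, capture_output=True, text=True).stdout
    except (OSError, subprocess.CalledProcessError):
        print("xe or /proc/cpuinfo unavailable; using the constructed samples", file=sys.stderr)
        cpuinfo, xe_out = SAMPLE_CPUINFO_NO_SELFSNOOP, SAMPLE_XE_VM_LIST
    print(*xsa402_exposure(cpuinfo, xe_out))
```

Run it in the dom0 of the pool master; a "likely_not_exposed" result still deserves a look at the errata the advisory refers to, and the patched Xen packages should be installed regardless of the outcome.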
Bugfix update: uefistored
Due to changes on the Microsoft website from which the UEFI Secure Boot certificates are downloaded when you set up your pool for Guest UEFI Secure Boot, we had to update the secureboot-certs utility so that it can keep downloading them.
Two changes:
- We modified the user agent the utility uses when it downloads the files from microsoft.com.
- If this new user agent is blocked in the future, the command will print instructions telling you either to use the new --user-agent parameter or to download and install the certificates manually.
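The mechanism behind the two changes, as an added example that is not the secureboot-certs script itself: a download with an explicit User-Agent header, an override flag, and a refusal turned into actionable instructions instead of a bare traceback. The default user agent, the example URL, the HTTP statuses treated as "blocked" (403 and 429) and the `--user-agent` flag spelling are assumptions of this example; the offline opener is a constructed stand-in for `urllib.request.urlopen` so the code runs without network access.

```python
import argparse
import sys
import urllib.error
import urllib.request

# Placeholder values for this example, not the utility's real ones.
DEFAULT_USER_AGENT = "secureboot-certs-example/1.0"
EXAMPLE_URL = "https://www.microsoft.com/example/MicCorKEKCA2011_2011-06-24.crt"
BLOCKED_STATUSES = (403, 429)  # assumed: how a user-agent block shows up at the HTTP level


class DownloadBlocked(Exception):
    """Raised when the server refuses the request (as opposed to a transient failure)."""


def manual_instructions(url, user_agent):
    """The text a user should see when the download is refused."""
    return (
        "The download of %s was refused for User-Agent %r.\n"
        "Either retry with --user-agent '<another value>', or download the file\n"
        "in a browser and install the certificates on the pool manually." % (url, user_agent)
    )


def fetch(url, user_agent=DEFAULT_USER_AGENT, opener=urllib.request.urlopen):
    """Fetch url with an explicit User-Agent; `opener` is injectable for offline use."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener(req, timeout=30) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        if err.code in BLOCKED_STATUSES:
            raise DownloadBlocked(manual_instructions(url, user_agent)) from err
        raise


def looks_like_der_certificate(data):
    """Cheap sanity check on what was fetched: a DER X.509 certificate starts with an ASN.1 SEQUENCE (0x30)."""
    return len(data) > 2 and data[0] == 0x30


class _CannedResponse:
    """Minimal context manager mimicking the object urlopen returns."""

    def __init__(self, data):
        self._data = data

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def read(self):
        return self._data


def offline_opener(blocked):
    """Constructed stand-in for urllib.request.urlopen: either refuses with 403 or returns DER-looking bytes."""
    def _open(req, timeout=None):
        if blocked:
            raise urllib.error.HTTPError(req.full_url, 403, "Forbidden", {}, None)
        return _CannedResponse(b"\x30\x82\x05\x11" + b"\x00" * 16)
    return _open


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Download one Secure Boot certificate with a chosen User-Agent")
    ap.add_argument("--user-agent", default=DEFAULT_USER_AGENT)
    ap.add_argument("--url", default=EXAMPLE_URL)
    ap.add_argument("--offline", action="store_true", help="use the constructed opener instead of the network")
    args = ap.parse_args()
    opener = offline_opener(blocked=False) if args.offline else urllib.request.urlopen
    try:
        data = fetch(args.url, args.user_agent, opener=opener)
    except DownloadBlocked as exc:
        sys.exit(str(exc))
    print("fetched %d bytes, DER certificate: %s" % (len(data), looks_like_der_certificate(data)))
```

The DER check matters in practice: a block page served with HTTP 200 would otherwise be written to disk as a "certificate" and only fail later when the pool tries to load it.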