September 2024 Security Updates

Update Sep 27, 2024

New security updates are available for the only currently supported release of XCP-ng: 8.2 LTS.

ℹ️
These will also be available on day 1 of the 8.3 release.
📔
To update, follow this guide. You can also join the discussion on our community forum. Host reboots are necessary after this update.

📋 Summary

On the 10th of September, Intel published a microcode update in the form of an updated IPU 2024.3.

On the 24th of September, the Xen Project published a new XSA regarding the error handling in x86's APIC (Advanced Programmable Interrupt Controller).

On the 26th of September, a set of vulnerabilities was published for the CUPS project; these do not impact XCP-ng directly.

🔒 Security Updates

  • xen:
    • XSA-462 - CVE-2024-45817 - x86: Deadlock in vlapic_error(). The way x86's APIC handles errors can cause Xen to recurse into the vlapic_error() function. Although the function is protected by a lock, it was trying to take that lock recursively, leading to a DoS of the host. This can be triggered by buggy or malicious HVM and PVH guests.
  • microcode_ctl: We include the updated version of Intel's IPU 2024.3 including mitigations for the following Intel Security Advisories:

🖶 CUPS vulnerabilities

First, the cups package is not installed by default in XCP-ng, and it is not recommended to make modifications to your dom0 anyway. But the package is indeed available in our repositories. In case you did install this package, it is highly recommended to remove it quickly, or at least stop the service, or in the worst case create the appropriate firewall rules so that port 631 is reachable only from fully trusted networks.

As XCP-ng is not impacted by default, I will not dive into the details here, but to summarize: multiple vulnerabilities allowing Remote Code Execution (RCE) have been reported across the various parts of the CUPS project. At the time of this writing, 4 CVEs have been assigned, and the reporter (Simone Margaritelli, known online under the nickname evilsocket) considers that there should have been more.
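As an added example (not part of the original post or of XCP-ng's own tooling), here is a small dom0 audit script that checks whether the cups package is present, whether its service or anything on port 631 is live, and prints the remediation steps in the order given above. It assumes an XCP-ng 8.2 dom0 toolset (rpm, systemctl, ss, iptables) and that rules are persisted in /etc/sysconfig/iptables; the trusted network 192.0.2.0/24 is a placeholder value.

```bash
#!/bin/bash
# Added example: audit a dom0 for cups and emit the advisory's remediation.
# Assumption: XCP-ng 8.2 dom0 with rpm, systemctl, ss and iptables available.

# Pure classifier with no side effects, so it can be exercised offline.
#   $1: "installed" | "absent"   (from rpm -q cups)
#   $2: "active" | "inactive"    (from systemctl is-active cups)
#   $3: ss lines bound to port 631, empty if none
cups_exposure() {
  local pkg="$1" svc="$2" listen="$3"
  if [ "$pkg" != "installed" ]; then
    echo "clean"            # package absent: the default XCP-ng state
  elif [ "$svc" = "active" ] || [ -n "$listen" ]; then
    echo "exposed"          # daemon running or a socket bound to 631
  else
    echo "installed-idle"   # package present but nothing listening
  fi
}

# Print (do not run) the remediation commands, preferred option first.
# $1: trusted CIDR still allowed to reach 631 (placeholder, not a real network)
remediation_plan() {
  local trusted="${1:-192.0.2.0/24}"
  echo "systemctl disable --now cups.service cups.socket"
  echo "yum remove -y cups"
  echo "# fallback if cups must stay: only $trusted may reach 631/tcp and 631/udp"
  for proto in tcp udp; do
    echo "iptables -I INPUT -p $proto --dport 631 ! -s $trusted -j DROP"
  done
  echo "iptables-save > /etc/sysconfig/iptables   # persist across reboot (assumed path)"
}

# Live audit: gather the three facts from the host, then classify.
cups_audit() {
  local pkg=absent svc=inactive listen
  rpm -q cups >/dev/null 2>&1 && pkg=installed
  systemctl is-active --quiet cups 2>/dev/null && svc=active
  # with both -t and -u, ss prints a Netid column, so Local Address:Port is $5
  listen=$(ss -ltun 2>/dev/null | awk 'NR>1 && $5 ~ /:631$/')
  cups_exposure "$pkg" "$svc" "$listen"
}

main() {
  local state
  state=$(cups_audit)
  echo "cups exposure: $state"
  [ "$state" = "clean" ] || remediation_plan "$@"
  return 0
}

main "$@"
```

Run it as root on the dom0; the plan is printed rather than applied, so review each line before pasting it.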

If you want to know more about this, here are some useful links:


David Morel

Hypervisor & Kernel Software Engineer at Vates and XCP-ng Security Coordinator. Open Source enthusiast, using IRC for everything. Raccoons lover.