September 2024 Security Updates
New security updates are available for the only currently supported release of XCP-ng: 8.2 LTS.
Summary
On the 10th of September, Intel published a microcode update in the form of an updated IPU 2024.3.
On the 24th of September, the Xen Project published a new XSA regarding the error handling in x86's APIC (Advanced Programmable Interrupt Controller).
On the 26th of September, a set of vulnerabilities was published for the CUPS project; these do not impact XCP-ng directly.
Security Updates
- xen:
  - XSA-462 - CVE-2024-45817 - x86: Deadlock in vlapic_error(). The way x86's APIC handles errors can cause Xen to recurse in the vlapic_error() function. Although protected, the function was trying to take the lock recursively, leading to a DoS of the host. This can be caused by buggy or malicious HVM and PVH guests.
- microcode_ctl: We include the updated version of Intel's IPU 2024.3 including mitigations for the following Intel Security Advisories:
CUPS vulnerabilities
First, the cups package is not installed by default in XCP-ng, and modifying your dom0 is not recommended anyway. However, the package is available in our repositories. If you did install it, it is highly recommended to quickly remove it, stop the service, or, in the worst case, create firewall rules so that port 631 is reachable only from fully trusted networks.
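The checks implied by the paragraph above, as an added example that is not part of the original post: a read-only script that reports whether cups is installed and whether anything listens on port 631 beyond loopback. The function names, the sample `ss` output and the `--audit` switch are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the XCP-ng post): read-only check of a dom0 for
# the CUPS exposure described above. Changes nothing on the host.

# exposed_631: read `ss -ltun` output on stdin and print every listener on
# port 631 that is not bound to loopback. Returns 0 if at least one is found.
exposed_631() {
    awk '
        $5 ~ /:631$/ {
            addr = $5
            sub(/:631$/, "", addr)      # drop the port
            gsub(/\[|\]/, "", addr)     # [::1] -> ::1
            sub(/%.*$/, "", addr)       # drop an interface scope such as %lo
            if (addr ~ /^127\./ || addr == "::1") next
            print $1, $5
            found = 1
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample of `ss -ltun` output, used when no argument is given.
sample_ss() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    127.0.0.1:631      *:*
tcp   LISTEN 0      128    [::1]:631          [::]:*
udp   UNCONN 0      0      0.0.0.0:631        *:*
tcp   LISTEN 0      128    *:22               *:*
tcp   LISTEN 0      128    10.0.0.5:6310      *:*
EOF
}

# audit_cups: run the checks against the live host (dom0 uses rpm and
# systemd; the unit name "cups" is the one shipped by the cups package).
audit_cups() {
    rpm -q cups >/dev/null 2>&1 || { echo "cups: not installed"; return 0; }
    echo "cups: installed, service is $(systemctl is-active cups 2>/dev/null)"
    if ss -ltun | exposed_631; then
        echo "port 631 reachable beyond loopback: remove, stop or firewall"
        return 1
    fi
    echo "port 631: no non-loopback listener"
}

if [ "${1:-}" = "--audit" ]; then audit_cups; else sample_ss | exposed_631; fi
```

Run it with `--audit` on the host to check the live system; with no argument it only parses the constructed sample.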
As XCP-ng is not impacted by default, I will not dive into the details here. To summarize, multiple vulnerabilities allowing Remote Code Execution (RCE) have been reported across the various parts of the CUPS project. At the time of this writing, 4 CVEs have been assigned, and the reporter (Simone Margaritelli, known online under the nickname evilsocket) considers there should have been more.
If you want to know more about this, here are some useful links:
- A thread on the oss-security mailing list
- The reporter's blog post