Xen Project XSA-168
History: Jan 20, 2016 - 12:00 p.m.

VMX: intercept issue with INVLPG on non-canonical address

Published: 2016-01-20 12:00:00
Source: Xen Project (xenbits.xen.org)

CVSS3: 6.3 Medium
  Attack Vector: NETWORK
  Attack Complexity: HIGH
  Privileges Required: LOW
  User Interaction: NONE
  Scope: CHANGED
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: HIGH
  Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H

CVSS2: 4.7 Medium
  Access Vector: LOCAL
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: COMPLETE
  Vector: AV:L/AC:M/Au:N/C:N/I:N/A:C

EPSS: 0.002 Low (Percentile: 58.7%)

ISSUE DESCRIPTION

While INVLPG does not raise a General Protection Fault when used on a non-canonical address, the "individual address" variant of INVVPID, which Xen uses to back the intercepted INVLPG in certain cases, does fail for such addresses. Failure of INVVPID results in a hypervisor bug check.
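To make the failure mode concrete, here is an added model of the intercept path (illustration only, not Xen's code; all names are hypothetical). It models the individual-address INVVPID as failing on a non-canonical linear address, which the hypervisor turns into a bug check, and places a handler that passes the guest's address through unchecked beside one that tests canonicality first. The hardened handler skips the per-address flush for a non-canonical address, on the basis that no canonical translation can match it, so there is nothing to invalidate; the canonical check itself generalises to any virtual-address width (48-bit four-level paging by default).

```python
"""Model of the XSA-168 intercept path: INVLPG on a non-canonical address.

Added illustration, not Xen's code. Function names are hypothetical; the TLB is
a plain set of (vpid, page) tuples standing in for hardware state.
"""


class InvvpidFailure(Exception):
    """Stands in for the VMfail result that the hypervisor turns into a bug check."""


def is_canonical(addr: int, vaddr_bits: int = 48) -> bool:
    """True if bits [vaddr_bits-1 .. 63] of addr are all equal (sign extension).

    With 48-bit linear addresses this means bit 47 is replicated into bits 48..63.
    """
    addr &= (1 << 64) - 1
    top = addr >> (vaddr_bits - 1)          # sign bit plus every bit above it
    return top == 0 or top == (1 << (64 - vaddr_bits + 1)) - 1


def invvpid_individual_address(vpid: int, gva: int, tlb: set) -> None:
    """Simulated INVVPID "individual address" type.

    Invalidates one (vpid, page) mapping; fails when handed a non-canonical gva,
    mirroring the behaviour the advisory describes.
    """
    if not is_canonical(gva):
        raise InvvpidFailure(f"INVVPID failed for gva {gva:#x}")
    tlb.discard((vpid, gva & ~0xFFF))


def handle_invlpg_vulnerable(vpid: int, gva: int, tlb: set) -> str:
    """Unchecked path (modelled): the guest's address goes straight to INVVPID."""
    invvpid_individual_address(vpid, gva, tlb)   # non-canonical gva -> bug check
    return "invalidated"


def handle_invlpg_fixed(vpid: int, gva: int, tlb: set) -> str:
    """Hardened path: only issue the per-address invalidation for canonical addresses.

    A non-canonical address cannot match any cached translation, so the
    intercepted INVLPG is treated as a no-op instead of being forwarded.
    """
    if not is_canonical(gva):
        return "skipped"
    invvpid_individual_address(vpid, gva, tlb)
    return "invalidated"


def run_intercept(handler, vpid: int, gva: int, tlb: set) -> str:
    """Drive a handler the way the hypervisor would; an INVVPID failure becomes a bug check."""
    try:
        return handler(vpid, gva, tlb)
    except InvvpidFailure:
        return "BUG: host crashed"


if __name__ == "__main__":
    # Constructed sample: two cached translations for VPID 1.
    tlb = {(1, 0x7F0000001000), (1, 0xFFFF800000001000)}
    bad_gva = 0x0000800000001000          # bit 47 set, bits 48..63 clear: non-canonical
    for name, handler in (("vulnerable", handle_invlpg_vulnerable), ("fixed", handle_invlpg_fixed)):
        print(f"{name:10s} INVLPG {bad_gva:#x}: {run_intercept(handler, 1, bad_gva, tlb)}")
    print("fixed      INVLPG 0x7f0000001234:", run_intercept(handle_invlpg_fixed, 1, 0x7F0000001234, tlb))
    print("remaining TLB entries:", sorted(tlb))
```

The model only captures the guest-visible contract (no fault on INVLPG, failure on the backing INVVPID); it says nothing about where in Xen the check belongs, which is a detail the advisory's patch decides.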

IMPACT

A malicious guest can crash the host, leading to a Denial of Service.

VULNERABLE SYSTEMS

Xen versions from 3.3 onwards are affected.
Only systems using Intel or Cyrix CPUs are affected. ARM and AMD systems are unaffected.
Only HVM guests using shadow mode paging can expose this vulnerability. PV guests, and HVM guests using Hardware Assisted Paging (also known as EPT on affected hardware), are unaffected.
Note that while unsupported, guests with enabled nested virtualization are vulnerable even when using EPT.

CHECKING FOR VULNERABLE CONFIGURATION

To discover whether your HVM guests are using HAP, or shadow page tables: request debug key 'q' (from the Xen console, or with 'xl debug-keys q'). This will print (to the console, and visible in 'xl dmesg') debug information for every domain, containing something like this:

(XEN) General information for domain 2:
(XEN) refcnt=1 dying=2 pause_count=2
(XEN) nr_pages=2 xenheap_pages=0 shared_pages=0 paged_pages=0 dirty_cpus={} max_pages=262400
(XEN) handle=ef58ef1a-784d-4e59-8079-42bdee87f219 vm_assist=00000000
(XEN) paging assistance: hap refcounts translate external
                         ^^^

The presence of 'hap' here indicates that the host is not vulnerable to this domain. For an HVM domain the presence of 'shadow' indicates that the domain can exploit the vulnerability.

Note that 'General information' will also be printed for PV domains. For most PV domains there will be no 'paging assistance' reported. But PV guests currently being migrated will report:

(XEN) paging assistance: shadow log_dirty

Overall: a domain can exploit the vulnerability if this debug output contains a 'paging assistance' line which reports 'translate' and which does not report 'hap'.
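The rule above ("translate" present, "hap" absent) is easy to misread by eye on a host with many domains, so here is an added script that applies it to 'xl dmesg' output. It is not part of the advisory or of Xen's tooling. The sample output is constructed from the shape shown above (one PV domain with no paging line, one HAP HVM domain, one shadow HVM domain, one PV domain under migration); the handle of domain 1 is the one quoted in the advisory, the others are made up. The nested-virtualization case the advisory mentions (vulnerable even with EPT) cannot be told apart from this output and is not covered.

```python
"""Flag domains able to trigger XSA-168 from the 'q' debug-key output in 'xl dmesg'.

Added example, not part of the advisory or of Xen's tools. SAMPLE_DMESG is a
constructed excerpt following the layout the advisory shows.
"""
from __future__ import annotations

import re
import subprocess

DOMAIN_RE = re.compile(r"\(XEN\) General information for domain (\d+):")
PAGING_RE = re.compile(r"\(XEN\) paging assistance: (.*)$")

# Constructed sample: domain 0 (PV, no paging line), domain 1 (HVM, HAP),
# domain 2 (HVM, shadow), domain 3 (PV being migrated: shadow log_dirty).
SAMPLE_DMESG = """\
(XEN) General information for domain 0:
(XEN)     refcnt=3 dying=0 pause_count=0
(XEN)     nr_pages=131072 xenheap_pages=0 shared_pages=0 paged_pages=0 dirty_cpus={0-3} max_pages=4294967295
(XEN)     handle=00000000-0000-0000-0000-000000000000 vm_assist=0000002d
(XEN) General information for domain 1:
(XEN)     refcnt=1 dying=0 pause_count=0
(XEN)     nr_pages=262400 xenheap_pages=0 shared_pages=0 paged_pages=0 dirty_cpus={1} max_pages=262400
(XEN)     handle=ef58ef1a-784d-4e59-8079-42bdee87f219 vm_assist=00000000
(XEN) paging assistance: hap refcounts translate external
(XEN) General information for domain 2:
(XEN)     refcnt=1 dying=0 pause_count=0
(XEN)     nr_pages=131328 xenheap_pages=0 shared_pages=0 paged_pages=0 dirty_cpus={2} max_pages=131328
(XEN)     handle=1d3cd5fb-b3a3-4a93-b5d6-0f2a3b1c9e77 vm_assist=00000000
(XEN) paging assistance: shadow refcounts translate external
(XEN) General information for domain 3:
(XEN)     refcnt=1 dying=0 pause_count=1
(XEN)     nr_pages=65536 xenheap_pages=0 shared_pages=0 paged_pages=0 dirty_cpus={} max_pages=65536
(XEN)     handle=7a2f0c11-5b4e-4d8a-9c3f-2e6d1b0a8f44 vm_assist=0000002d
(XEN) paging assistance: shadow log_dirty
"""


def classify_domains(dmesg_text: str) -> dict[int, dict]:
    """Return {domid: {"modes": set of paging flags, "vulnerable": bool}} for each domain seen.

    If the 'q' key was pressed several times the log holds several dumps; the
    last dump for a domain wins.
    """
    result: dict[int, dict] = {}
    current: int | None = None
    for line in dmesg_text.splitlines():
        m = DOMAIN_RE.match(line)
        if m:
            current = int(m.group(1))
            result[current] = {"modes": set(), "vulnerable": False}
            continue
        m = PAGING_RE.match(line)
        if m and current is not None:
            modes = set(m.group(1).split())
            result[current]["modes"] = modes
            # Advisory rule: exploitable iff 'translate' is reported and 'hap' is not.
            result[current]["vulnerable"] = "translate" in modes and "hap" not in modes
    return result


def vulnerable_domains(dmesg_text: str) -> list[int]:
    """Sorted list of domain ids that can exploit the issue on an unpatched host."""
    return sorted(d for d, info in classify_domains(dmesg_text).items() if info["vulnerable"])


def live_dmesg() -> str:
    """Press the 'q' key and read the console log on a real host (run as root in dom0)."""
    subprocess.run(["xl", "debug-keys", "q"], check=True)
    return subprocess.run(["xl", "dmesg"], check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for domid, info in classify_domains(SAMPLE_DMESG).items():
        flags = " ".join(sorted(info["modes"])) or "(no paging assistance line)"
        print(f"domain {domid}: {flags} -> {'VULNERABLE' if info['vulnerable'] else 'not vulnerable'}")
    print("domains to migrate or switch to HAP:", vulnerable_domains(SAMPLE_DMESG))
```

Replace SAMPLE_DMESG with live_dmesg() to run it against a real host; the output is cumulative, so clear old dumps with 'xl dmesg -c' beforehand if you want only the current state.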

CPE
  Name      Operator  Version
  xen       ge        3.3
