Xen ProjectXSA-368HVM soft-reset crashes toolstack
4.9 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:N/I:N/A:C
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
0.0004 Low
EPSS
Percentile
12.6%
ISSUE DESCRIPTION
libxl requires all data structures passed across its public interface to be initialized before use and disposed of afterwards by calling a specific set of functions. Many internal data structures also require this initialize / dispose discipline, but not all of them.
When the “soft reset” feature was implemented, the libxl__domain_suspend_state structure didn’t require any initialization or disposal. At some point later, an initialization function was introduced for the structure; but the “soft reset” path wasn’t refactored to call the initialization function. When a guest nwo initiates a “soft reboot”, uninitialized data structure leads to an assert() when later code finds the structure in an unexpected state.
The effect of this is to crash the process monitoring the guest. How this affects the system depends on the structure of the toolstack.
For xl, this will have no security-relevant effect: every VM has its own independent monitoring process, which contains no state. The domain in question will hang in a crashed state, but can be destroyed by xl destroy just like any other non-cooperating domain.
For daemon-based toolstacks linked against libxl, such as libvirt, this will crash the toolstack, losing the state of any in-progress operations (localized DoS), and preventing further administrator operations unless the daemon is configured to restart automatically (system-wide DoS). If crashes “leak” resources, then repeated crashes could use up resources, also causing a system-wide DoS.
IMPACT
A malicious guest can crash the management daemon, leading to at least a localized, possibly system-wide denial-of-service.
VULNERABLE SYSTEMS
Only Xen versions 4.12 through 4.14 are affected. Earlier versions are not affected.
The issue affects only systems with a guest monitoring process, which is linked against libxl, and which is important other than simply for the functioning of one particular guest. libvirt is one common toolstack affected. Systems using the xl command-line tool should generally suffer no security-relevant effects.
The xapi toolstack does not currently link against libxl, and so is not affected.
Related
4.9 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:N/I:N/A:C
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
0.0004 Low
EPSS
Percentile
12.6%