=====================================================================
CERT-Renater Information Note No. 2022/VULN445
_____________________________________________________________________
DATE : 06/12/2022
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Xen using the Linux kernel based
network backend xen-netback; Linux based network backend with kernel
3.19 and newer.
=====================================================================

https://xenbits.xen.org/xsa/advisory-423.html
https://xenbits.xen.org/xsa/advisory-424.html
_____________________________________________________________________

            Xen Security Advisory CVE-2022-3643 / XSA-423

     Guests can trigger NIC interface reset/abort/crash via netback

ISSUE DESCRIPTION
=================

It is possible for a guest to trigger a NIC interface reset/abort/crash
in a Linux based network backend by sending certain kinds of packets.

It appears to be an (unwritten?) assumption in the rest of the Linux
network stack that packet protocol headers are all contained within the
linear section of the SKB, and some NICs behave badly if this is not
the case.

This has been reported to occur with Cisco (enic) and Broadcom NetXtrem
II BCM5780 (bnx2x), though it may be an issue with other NICs/drivers
as well.

In case the frontend is sending requests with split headers, netback
will forward those, violating the above mentioned assumption, to the
networking core, resulting in said misbehavior.

IMPACT
======

An unprivileged guest can cause network Denial of Service (DoS) of the
host by sending network packets to the backend causing the related
physical NIC to reset, abort, or crash.

Data corruption or privilege escalation seem unlikely but have not been
ruled out.

VULNERABLE SYSTEMS
==================

All systems using a Linux based network backend with kernel 3.19 and
newer are vulnerable.

Systems using other network backends are not known to be vulnerable.

Systems using Cisco (enic driver) and Broadcom NetXtrem II BCM5780
(bnx2x driver) NICs for guest network access are known to be
vulnerable. Systems using other NICs for guest network access cannot
be ruled out to be vulnerable.

MITIGATION
==========

Using another PV network backend (e.g. the qemu based "qnic" backend)
will mitigate the problem.

Using a dedicated network driver domain per guest will mitigate the
problem.

NOTE REGARDING LACK OF EMBARGO
==============================

This issue was discussed in public already.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa423-linux.patch           Linux 4.14 - 6.1-rc

$ sha256sum xsa423*
6b11934a428ca990ee870b793c700064342b8d83bd6632a4c417de05d5c95dad  xsa423-linux.patch
$
_____________________________________________________________________

      Xen Security Advisory CVE-2022-42328,CVE-2022-42329 / XSA-424

            Guests can trigger deadlock in Linux netback driver

ISSUE DESCRIPTION
=================

The patch for XSA-392 introduced another issue which might result in a
deadlock when trying to free the SKB of a packet dropped due to the
XSA-392 handling (CVE-2022-42328).

Additionally, when dropping packets for other reasons the same deadlock
could occur in case of netpoll being active for the interface the
xen-netback driver is connected to (CVE-2022-42329).

IMPACT
======

A malicious guest could cause Denial of Service (DoS) of the host via
the paravirtualized network interface.

VULNERABLE SYSTEMS
==================

All systems using the Linux kernel based network backend xen-netback
are vulnerable.

MITIGATION
==========

Using another PV network backend (e.g. the qemu based "qnic" backend)
will mitigate the problem.

Using a dedicated network driver domain per guest will mitigate the
problem.

NOTE REGARDING LACK OF EMBARGO
==============================

This issue was discussed in public already.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa424-linux.patch           Linux 6.0, 6.1-rc

$ sha256sum xsa424*
89db7cad9694f498c4ac450356932fb69fb514162e07aea0343776effa821fc8  xsa424-linux.patch
$

=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: cert@support.renater.fr +
=========================================================
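The XSA-423 description above rests on one assumption: the drivers below netback expect every protocol header to be in the linear area of the SKB, so a backend that forwards guest-supplied packets must pull the headers into that area, or drop the packet, before handing it on. The following user-space C model is an added example and is not code from the CERT-Renater note, the Xen advisory, or the Linux kernel. It uses a simplified stand-in for struct sk_buff (a linear buffer plus fragments), a constructed Ethernet/IPv4/TCP packet, and a hypothetical ensure_linear_headers() check; the real netback and SKB APIs differ.

```c
/* Added example: a user-space model of the "headers must be linear"
 * assumption behind XSA-423. None of this is kernel code; the struct
 * and function names are invented for the illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LINEAR_MAX 256
#define MAX_FRAGS 4

struct frag { const uint8_t *data; size_t len; };

/* Simplified stand-in for struct sk_buff: linear area + paged fragments. */
struct model_skb {
    uint8_t linear[LINEAR_MAX];
    size_t headlen;               /* bytes currently in the linear area */
    struct frag frags[MAX_FRAGS];
    size_t nr_frags;
};

enum { ETH_HDR_LEN = 14, ETHERTYPE_IP4 = 0x0800, PROTO_TCP = 6, PROTO_UDP = 17 };

/* Move bytes from the front of the fragments into the linear area until it
 * holds at least `want` bytes. Returns false if the packet is shorter than
 * that or the linear area is full: the caller must drop, never forward. */
static bool pull_to_linear(struct model_skb *s, size_t want)
{
    while (s->headlen < want) {
        if (s->nr_frags == 0 || s->headlen >= LINEAR_MAX)
            return false;
        struct frag *f = &s->frags[0];
        size_t n = want - s->headlen;
        if (n > f->len) n = f->len;
        if (n > LINEAR_MAX - s->headlen) n = LINEAR_MAX - s->headlen;
        memcpy(s->linear + s->headlen, f->data, n);
        s->headlen += n;
        f->data += n;
        f->len -= n;
        if (f->len == 0) {            /* fragment consumed: shift the rest down */
            memmove(&s->frags[0], &s->frags[1], (s->nr_frags - 1) * sizeof *f);
            s->nr_frags--;
        }
    }
    return true;
}

/* Pulls the Ethernet, IPv4 and TCP/UDP headers into the linear area, parsing
 * each header only after it is linear. Returns the total header length, or
 * -1 if the packet is truncated or malformed (drop it). Non-IPv4 frames only
 * need the Ethernet header in this simplified model. */
int ensure_linear_headers(struct model_skb *s)
{
    if (!pull_to_linear(s, ETH_HDR_LEN)) return -1;
    unsigned ethertype = (s->linear[12] << 8) | s->linear[13];
    if (ethertype != ETHERTYPE_IP4) return ETH_HDR_LEN;

    if (!pull_to_linear(s, ETH_HDR_LEN + 20)) return -1;
    size_t ihl = (s->linear[ETH_HDR_LEN] & 0x0f) * 4;
    if (ihl < 20 || !pull_to_linear(s, ETH_HDR_LEN + ihl)) return -1;
    size_t l4 = ETH_HDR_LEN + ihl;
    uint8_t proto = s->linear[ETH_HDR_LEN + 9];

    if (proto == PROTO_TCP) {
        if (!pull_to_linear(s, l4 + 20)) return -1;
        size_t doff = (s->linear[l4 + 12] >> 4) * 4;
        if (doff < 20 || !pull_to_linear(s, l4 + doff)) return -1;
        return (int)(l4 + doff);
    }
    if (proto == PROTO_UDP)
        return pull_to_linear(s, l4 + 8) ? (int)(l4 + 8) : -1;
    return (int)l4;
}

/* Constructed sample packet (not captured traffic): 14-byte Ethernet header,
 * 20-byte IPv4 header, 20-byte TCP header, 6 bytes of payload = 60 bytes. */
static const uint8_t PKT[] = {
    0x02,0x00,0x00,0x00,0x00,0x02, 0x02,0x00,0x00,0x00,0x00,0x01, 0x08,0x00,
    0x45,0x00,0x00,0x2e, 0x00,0x00,0x40,0x00, 0x40,0x06,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x30,0x39,0x00,0x50, 0,0,0,0, 0,0,0,0, 0x50,0x18,0xff,0xff, 0,0,0,0,
    'h','e','l','l','o','\n'
};

/* Loads the first `total` bytes of PKT into a model SKB with `split_at`
 * bytes linear and the remainder in one fragment (the "split headers" case),
 * runs the check, and returns the resulting linear length or -1 for a drop. */
int demo_split_packet(size_t split_at, size_t total)
{
    struct model_skb s = {0};
    if (total > sizeof PKT || split_at > total) return -2;  /* bad demo args */
    memcpy(s.linear, PKT, split_at);
    s.headlen = split_at;
    if (split_at < total) {
        s.frags[0].data = PKT + split_at;
        s.frags[0].len = total - split_at;
        s.nr_frags = 1;
    }
    if (ensure_linear_headers(&s) < 0) return -1;
    return (int)s.headlen;
}

int main(void)
{
    printf("split mid-IP header  -> linear bytes after pull: %d\n", demo_split_packet(24, 60));
    printf("fully linear already -> %d\n", demo_split_packet(60, 60));
    printf("truncated TCP header -> %d (dropped)\n", demo_split_packet(14, 40));
    return 0;
}
```

With the split at byte 24 (inside the IPv4 header) the check pulls the packet up to the end of the TCP header, so 54 bytes become linear; a packet already fully linear is left alone; a packet whose fragments run out before the TCP header is complete is reported as a drop rather than forwarded, which is the behaviour a backend needs to avoid handing drivers the malformed layout the advisory describes.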