Xen.org security team
2018-11-01 11:10:46 UTC
x86: Nested VT-x usable even when disabled
UPDATES IN VERSION 2
When running HVM guests, virtual extensions are enabled in hardware because
Xen is using them. As a result, a guest can blindly execute the
virtualisation instructions, and will exit to Xen for processing.
In the case that the guest hasn't followed the correct (virtual) configuration
procedure, it shouldn't be able to use the instructions, and Xen should
respond with #UD exception. When nested virtualisation is disabled for the
guest, it is not permitted to complete the configuration procedure.
Unfortunately, when nested virtualisation is intended to be disabled for the
guest, an incorrect default value leads Xen to believe that the configuration
procedure has already been completed.
Guest software which blindly plays with the VT-x instructions can cause Xen to
operate on uninitialised data. As the backing memory is zeroed, this causes
Xen to suffer a NULL pointer dereference, causing a host Denial of Service.
Other behaviours such as memory corruption or privilege escalation have not
been ruled out.
Systems running Xen 4.9 or later are vulnerable. Systems running Xen 4.8 or
earlier are not vulnerable.
Only Intel x86 systems are vulnerable. Systems from other x86 vendors, and
other hardware vendors are not vulnerable.
Only x86 HVM and PVH guests can leverage this vulnerability. x86 PV guests
cannot leverage this vulnerability.
Running only x86 PV guests will avoid the issue.
For x86 HVM guests, while enabling nested virtualisation for affected guests
does work around this particular DoS, it is not a security supported
configuration and has other know DoS and suspected privilege escalation
vulnerabilities. Therefore, it is not a mitigation.
This issue was discovered by Sergey Dyasli of Citrix.
Applying the appropriate attached patch resolves this issue.
xsa278-4.11.patch Xen 4.11, 4.10, 4.9
$ sha256sum xsa278*
NOTE CONCERNING LACK OF EMBARGO
This issue was first reported in private and was in the usual XSA process.
It was later independently reported in public with enough detail for the issue
to be considered fully public.