Xen x86 HVM Guest OS vHPET CVE-2018-10982 – Interrupt Injection

Authors:Roger Pau Monné      Risk:High

CVE:CVE-2018-10982          0day:Interrupt Injection 

0day -id:0DAY-176185         Date:2018-05-15

Description

An issue was discovered in Xen through 4.10.x allowing x86 HVM guest OS users to cause a denial of service (unexpectedly high interrupt number, array overrun, and hypervisor crash) or possibly gain hypervisor privileges by setting up an HPET timer to deliver interrupts in IO-APIC mode, aka vHPET interrupt injection.

Impact

A malicious or buggy HVM guest may cause a hypervisor crash, resulting in a Denial of Service (DoS) affecting the entire host. Privilege escalation, or information leaks, cannot be excluded.

Vulnerable system

en versions 3.4 and later are vulnerable.

Only x86 systems are vulnerable. ARM systems are not vulnerable.

Only x86 HVM guests can exploit the vulnerability. x86 PV and PVH
guests cannot exploit the vulnerability.

Only x86 HVM guests provided with hypervisor-side HPET emulation can
exploit the vulnerability. That is the default configuration. x86
HVM guests whose configuration explicitly disables this emulation (via
“hpet=0”) cannot exploit the vulnerability.

Mitigation

Running only PV or PVH guests avoids the vulnerability.

Not exposing the hypervisor based HPET emulation to HVM guests, by
adding “hpet=0” to the guest configuration, also avoids the
vulnerability.

Credit

This issue was discovered by Roger Pau Monné of Citrix.

Resolution

Applying the appropriate attached patch resolves this issue.

xsa261.patch xen-unstable, Xen 4.10.x
xsa261-4.9.patch Xen 4.9.x
xsa261-4.8.patch Xen 4.8.x
xsa261-4.7.patch Xen 4.7.x, Xen 4.6.x

Leave a Reply