Xen bends own embargo rules to unbork risky Cirrus video emulation

It's 2017 and a VGA driver can take down a cloud. Seriously

The Xen Project has bent its own rules of vulnerability disclosure for a buggy and possibly exploitable video component that needs urgent attention.

It's not a hypervisor escape yet, but as the Xen advisory notes, it could be a pathway to one.

The crashable component is a VGA driver, of all things – the default Cirrus video emulator, which can be crashed by fiddling with display settings.

The bug is triggered by changing the display geometry, while simultaneously selecting a blank screen mode. The resize doesn't happen, but “will be properly handled during the next time a non-blank mode is selected during an update.”

So far so good. The problem is that other console components (the advisory picks out VNC emulation) see the resize and try to apply it. “When the display is resized to be larger than before, this can result in a heap overflow as console components will expect the display buffer to be larger than it is currently allocated.”

For Hardware Virtual Machine (HVM) guests, the process will crash through, but should only get the privileges of their guest kernel.

The Xen Project usually slaps a two-week embargo on bugs, so that clouds that use the hypervisor can sort things out before every hacker capable of spelling "HTML" descends on the millions of VMs they run.

However, what led to this one being shipped ahead of the normal embargo cycle is that the developers couldn't rule out a more serious exploit emerging.

“But the ability of a userspace process to trigger this vulnerability via legitimate commands to the kernel driver (thus elevating its privileges to that of the guest kernel) cannot be ruled out,” the advisory says. It also offers another reason for the early public disclosure, namely "to enable the community to have oversight of the Xen Project Security Team's decision-making."

The advisory includes patches. Users can also mitigate by running HVM with a stub domain; the advisory says it can also be mitigated by using the stgvga, but warns against this until the embargo period ends:

“It is NOT permitted during the embargo to switch from Cirrus VGA to Stdvga on public-facing systems with untrusted guest users or administrators. This is because it may give a clue where the issue lies. This mitigation is only permitted AFTER the embargo ends.” ®

Sponsored: Detecting cyber attacks as a small to medium business

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER


Related

Citrix

Patch now: Published Citrix applications leave networks of 'potentially 80,000' firms at risk from attackers

Unauthorised users able to perform 'arbitrary code execution'
sleep

Still losing sleep over that awful Citrix bug? This scanner is here to help... you realize you've already been pwned

Handy FireEye tool roots out indicators of compromise
Citrix Silicon Valley HQ building

Good: IT admins scrambled to patch 80 per cent of public-facing Citrix boxes to close nightmare hijack hole

Bad: The other 20 per cent are still wide open. Also bad: Some of those patched machines may have been hacked
band_aid_648

As miscreants prey on thousands of vulnerable boxes, Citrix finally emits patches to fill in hijacking holes in Gateway and ADC

SD-WAN WANOP will have to wait a few days, though
hacker

'Friendly' hackers are seemingly fixing the Citrix server hole – and leaving a nasty present behind

Congratulations, you've won a secret backdoor
A close-up of the Windows key on a PC keyboard

Bad news: Windows security cert SNAFU exploits are all over the web now. Also bad: Citrix gateway hole mitigations don't work for older kit

Vid Good news: There is none. Well, apart from you can at least fully patch the Microsoft blunder

Microsoft takes ExpressRoute to orbit to sling Azure services at backwaters via satellite

Updated Your planet is one of those scheduled for demolition, er, we mean Redmond pals up with SES, Intelsat and Viasat
Citrix

If you haven't shored up that Citrix hole, you were probably hacked over the weekend: Exploit code now available

Roundup Plus: TikTok clocked, Honey in a sticky situation, Arm's PAN mechanisms sidestepped

Biting the hand that feeds IT © 1998–2020