together with the debug option enabled in which case the debugger will be attached to the request/response which can lead to DoS due to long response times. The last two cause the most critical issue where an attacker can create non-trivial requests which can cause huge memory consumption when executed by a malicious guest. When the malicious guest does not have the ability to run large amounts of requests (e.g. due to insufficient memory) then it can still cause large memory consumption by doing many watches and deleting many xenstore nodes at once. The last scenario can be handled by restricting the maximum allowed path length or maximum allowed size in each transaction. When limiting the path length, the maximum allowed path length should be set to a value high enough to avoid being reached in the future. When limiting the size, the maximum allowed size should be set to avoid being reached in the future. The limit can be set in the configuration file or can be changed dynamically via the --max-path-length or --max-size command line options. A script can be used to automate the setting of these limits.
Limiting the maximum allowed path length and size
When the path length limit is set to a value high enough, the malicious guest will not be able to reach the maximum allowed path length. If the size limit is set low enough however, it can still cause memory consumption by doing many watches and deleting many xenstore nodes. For this reason, we recommend not changing defaults on both limits. Instead, only change one that needs to be changed. The setting of these limits should be done via a script that uses either command line options or configuration file options.
If you need to set these limits dynamically, then use the --max-path-length or --max-size command line options. A script can be used to automate the setting of these limits and can optionally call an external daemon that keeps track of maximum allowed values for each path length and size and automatically updates them when they are changed.
Limiting the Maximum Path Length
A script can be used to automate the setting of these limits.
#!/bin/sh
while true; do for i in $(seq 1 100); do echo "Setting maximum path length to $i" export XENSTORE_OPTS="--max-path-length=$i" done echo "" done
How to detect if your host is vulnerable?
Running a simple scan for the size of xenstore files can show that your host is vulnerable. A script which is provided with this advisory shows how to detect the vulnerability in Xen.
Limiting the path length
For example, for a path length limit of 100:
xenstore-limit -L 100
This command will reduce the amount of memory consumed by xenstore for paths that are longer than 100. If you need to increase the path length limit, you can use
xenstore-limit -L unlimited
Limiting the number of watched xenstore nodes
The easiest way to limit the number of watched xenstore nodes is to use the --max-allowed-node-count command line option. Setting this option will limit the number of watched xenstore nodes that are allowed in the system. This can be set dynamically via the --max-allowed-node-count command line option, or it can be set statically in the configuration file.
Timeline
Published on: 11/01/2022 13:15:00 UTC
Last modified on: 12/12/2022 20:00:00 UTC
References
- https://xenbits.xenproject.org/xsa/advisory-326.txt
- http://xenbits.xen.org/xsa/advisory-326.html
- https://www.debian.org/security/2022/dsa-5272
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YZVXG7OOOXCX6VIPEMLFDPIPUTFAYWPE/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ/
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-42312