CVE-2022-42320 - Xenstore: Guests can get access to Xenstore nodes of deleted domains potentially leading to information leaks and other unintended consequences

The Xen project recently disclosed a new vulnerability (CVE-2022-42320) in their popular open-source hypervisor, which could potentially allow rogue guests to access Xenstore nodes originally designated for already deleted domains. These leftover nodes might have access rights containing Domain Identifiers (domid) of the removed domains, leading to unintended access by newly created domains with the same domid. This post provides a comprehensive guide about this vulnerability, its potential impact, code snippets demonstrating the issue, and useful links to original references and exploit details.

Vulnerability Details

Xenstore is a centralized storage system designed for the Xen hypervisor to store configuration data and metadata for domains, acting as a communication channel between the Domain  (dom) and other guest domains. Access permissions in Xenstore are granted based on domids, and when a domain is deleted, access rights associated with its domid might still persist in the system.

This vulnerability creates a race condition where a new domain with the same domid as the recently deleted domain can be assigned access rights to the lingering Xenstore nodes before the system corrects those access rights. This can only happen if another domain writes to the node before dom introduces the new domain to Xenstore.

The following code snippet demonstrates how this vulnerability might occur

1. Domain A (with domid 1) creates a Xenstore node with access rights:
   A: Read/Write, Domain B (with domid 2): Read
2. Domain A gets deleted, but the Xenstore node still contains access rights for domid 1.
3. Domain C gets created with the same domid (1) as the deleted Domain A.
4. Domain B writes to the Xenstore node, as it has read-write access.
5. Domain C now has access to the Xenstore node, as it shares the same domid with the previously deleted Domain A.

Exploit Details

An attacker would have to time the rogue domain creation and the writing of a Xenstore node with the node's access rights update to successfully exploit this vulnerability. While the race window is small, it still poses a risk of information leak if a rogue domain gains access to a node meant for a previously deleted domain, especially in multi-tenant environments where secure isolation is essential.

Mitigation and Patch

The Xen Project provided a patch for this vulnerability in their advisory. The patch ensures that access rights for deleted domains are cleared immediately, closing the brief race window for newly created domains to gain unintended access to lingering Xenstore nodes.

Users are encouraged to apply this patch or upgrade their Xen installation to a version containing the fix. The patch can be found in the Xen Advisory XSA-392.

Important References

- Original Advisory by Xen Project (XSA-392)
- Xen Project - Xenstore Documentation

Conclusion

CVE-2022-42320 is a notable vulnerability affecting the Xen hypervisor, specifically the Xenstore component. By successfully exploiting this issue, a rogue domain could potentially gain unintended access to leftover Xenstore nodes, which could lead to security concerns, especially in shared hosting environments. It is crucial for users of the Xen hypervisor to be aware of this vulnerability and apply the provided patch as soon as possible to ensure the security of their virtualization infrastructure.

Timeline

Published on: 11/01/2022 13:15:00 UTC
Last modified on: 11/29/2022 18:29:00 UTC