CVE-2021-28702: PCI devices with RMRRs not properly deassigned in Xen, leading to potential memory corruption and privilege escalation.


Description

Xen mishandles the deassignment of PCI devices that have Reserved Memory Regions (RMRRs). RMRRs are reported to the hypervisor by the firmware through the ACPI DMAR table and are typically used for platform tasks such as legacy USB emulation. When such a device has been passed through to a guest and that guest shuts down, the device is not fully deassigned: its IOMMU configuration is left pointing at data structures that have already been freed, including the IO page tables. Any later DMA or interrupt from the device therefore has unpredictable effects, ranging from IOMMU faults to hypervisor memory corruption, and the impact noted in XSA-386 ranges from a hypervisor crash (denial of service) to privilege escalation. Because RMRRs are an Intel VT-d construct, only x86 hosts with an Intel IOMMU are affected.

Overview

CVE-2021-28702 affects Xen's deassignment of passed-through PCI devices that are covered by a Reserved Memory Region (RMRR), as reported by the firmware's ACPI DMAR table. When a guest holding such a device shuts down, the hypervisor does not complete the deassignment, so the device's IOMMU context keeps referencing IO page tables that have been freed; in effect the IOMMU operates on freed memory, a use-after-free at the hardware/hypervisor boundary. The entry is classified as CWE-269 (Improper Privilege Management) because the resulting memory corruption can let a guest escalate privileges. The problem is confined to hosts that use PCI passthrough with RMRR-covered devices, which are commonly used for platform tasks such as legacy USB emulation; AMD and Arm systems do not use RMRRs and are not affected.

Remediation

To address this vulnerability, system administrators should:

  1. Update to a Xen release or stable-branch build that includes the XSA-386 fix for CVE-2021-28702.
  2. Apply your distribution's security update where one exists (Debian, Fedora and Gentoo have all issued advisories for this CVE; see References).
  3. If immediate patching is not possible, do not pass through devices that have RMRRs to guests; this is the workaround given in XSA-386. With `iommu=verbose` on the Xen command line, the hypervisor log (`xl dmesg`) lists the RMRRs found at boot and the devices they cover, which tells you which devices to exclude.
  4. A hypervisor update only takes effect once the host has been rebooted into the new Xen (or, where your distribution ships one, a livepatch has been applied with `xen-livepatch`); updating the package alone is not enough.
  5. Watch the hypervisor log (`xl dmesg`) rather than only dom0's syslog for IOMMU fault messages, since these are reported by Xen itself; unexpected VT-d faults after a passthrough guest has shut down are the symptom this bug produces.
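
Acting on the workaround in step 3 requires knowing which devices the firmware has tied to an RMRR. The following is an added example written for this page, not Xen code and not from the advisory: it parses the raw ACPI DMAR table (on a Linux dom0 it is exposed at /sys/firmware/acpi/tables/DMAR, readable by root), extracts the device scopes of every RMRR structure, and intersects them with a caller-supplied map of passed-through devices that you would fill from `xl pci-list <domain>`. The structure layouts follow the Intel VT-d specification's DMAR definitions. The sample table and the assignment map inside the block are constructed, not captured from real hardware. Device-scope paths with more than one hop are reported as a path suffix, because resolving them needs the bridge's secondary bus number from PCI config space, which the table does not contain.

```python
"""Added example for this page: list PCI devices covered by an RMRR in the ACPI DMAR table."""
import struct
from pathlib import Path

ACPI_HEADER_LEN = 36                    # standard ACPI SDT header
DMAR_FIXED_LEN = ACPI_HEADER_LEN + 12   # + host address width(1), flags(1), reserved(10)
DMAR_TYPE_DRHD = 0
DMAR_TYPE_RMRR = 1
SCOPE_PCI_ENDPOINT = 1
SCOPE_PCI_SUBHIERARCHY = 2
DMAR_TABLE_PATH = Path("/sys/firmware/acpi/tables/DMAR")   # Linux sysfs location


def parse_device_scopes(blob, off, end, segment):
    """Return BDF strings for the device-scope entries in blob[off:end].

    Entry layout: type(1) length(1) reserved(2) enumeration id(1) start bus(1),
    then (device, function) byte pairs. The first pair sits on the start bus;
    further pairs are behind a bridge and are appended as a "/dd.f" path suffix.
    """
    devices = []
    while off + 6 <= end:
        stype, length, _rsvd, _enum_id, start_bus = struct.unpack_from("<BBHBB", blob, off)
        if length < 6 or (length - 6) % 2 or off + length > end:
            raise ValueError("malformed device scope entry at offset %d" % off)
        path = [struct.unpack_from("<BB", blob, p) for p in range(off + 6, off + length, 2)]
        if stype in (SCOPE_PCI_ENDPOINT, SCOPE_PCI_SUBHIERARCHY) and path:
            dev, fn = path[0]
            bdf = f"{segment:04x}:{start_bus:02x}:{dev:02x}.{fn:d}"
            bdf += "".join(f"/{d:02x}.{f:d}" for d, f in path[1:])
            devices.append(bdf)
        off += length
    return devices


def parse_rmrrs(blob):
    """Return one dict per RMRR structure: segment, base, limit, devices."""
    if len(blob) < DMAR_FIXED_LEN or blob[:4] != b"DMAR":
        raise ValueError("not a DMAR table")
    total = struct.unpack_from("<I", blob, 4)[0]
    if total > len(blob):
        raise ValueError("truncated DMAR table")
    if sum(blob[:total]) & 0xFF:
        raise ValueError("bad ACPI checksum")
    rmrrs, off = [], DMAR_FIXED_LEN
    while off + 4 <= total:                      # remapping structures: type(2) length(2) ...
        stype, length = struct.unpack_from("<HH", blob, off)
        if length < 4 or off + length > total:
            raise ValueError("malformed remapping structure at offset %d" % off)
        if stype == DMAR_TYPE_RMRR:              # reserved(2) segment(2) base(8) limit(8) scopes[]
            _rsvd, segment, base, limit = struct.unpack_from("<HHQQ", blob, off + 4)
            rmrrs.append({"segment": segment, "base": base, "limit": limit,
                          "devices": parse_device_scopes(blob, off + 24, off + length, segment)})
        off += length
    return rmrrs


def rmrr_devices(blob):
    """Map each RMRR-covered device to the (base, limit) ranges reserved for it."""
    covered = {}
    for r in parse_rmrrs(blob):
        for bdf in r["devices"]:
            covered.setdefault(bdf, []).append((r["base"], r["limit"]))
    return covered


def risky_assignments(blob, assigned):
    """Given {domain: [bdf, ...]} (as from `xl pci-list`), return the assignments of RMRR devices."""
    covered = rmrr_devices(blob)
    return {dom: [d for d in devs if d in covered]
            for dom, devs in assigned.items() if any(d in covered for d in devs)}


def build_sample_dmar():
    """Constructed sample DMAR (one DRHD, two RMRRs); synthetic, not from real firmware."""
    def scope(stype, start_bus, *path):
        return struct.pack("<BBHBB", stype, 6 + 2 * len(path), 0, 0, start_bus) + \
            b"".join(struct.pack("<BB", d, f) for d, f in path)

    def structure(stype, fixed, scopes=b""):
        return struct.pack("<HH", stype, 4 + len(fixed) + len(scopes)) + fixed + scopes

    drhd = structure(DMAR_TYPE_DRHD, struct.pack("<BBHQ", 1, 0, 0, 0xFED90000))  # INCLUDE_PCI_ALL
    # RMRR 1: legacy USB emulation buffer for the xHCI controller at 0000:00:14.0
    rmrr1 = structure(DMAR_TYPE_RMRR, struct.pack("<HHQQ", 0, 0, 0x7A000000, 0x7A1FFFFF),
                      scope(SCOPE_PCI_ENDPOINT, 0x00, (0x14, 0)))
    # RMRR 2: shared by 0000:00:02.0 and a device one hop behind the bridge at 00:1c.0
    rmrr2 = structure(DMAR_TYPE_RMRR, struct.pack("<HHQQ", 0, 0, 0x7B000000, 0x7F7FFFFF),
                      scope(SCOPE_PCI_ENDPOINT, 0x00, (0x02, 0)) +
                      scope(SCOPE_PCI_ENDPOINT, 0x00, (0x1C, 0), (0x00, 0)))
    body = struct.pack("<BB10x", 38, 0) + drhd + rmrr1 + rmrr2     # 38-bit host address width
    header = struct.pack("<4sIBB6s8sI4sI", b"DMAR", ACPI_HEADER_LEN + len(body), 1, 0,
                         b"SAMPLE", b"XSA386  ", 1, b"EXMP", 1)
    table = bytearray(header + body)
    table[9] = (-sum(table)) & 0xFF   # ACPI checksum byte: whole table sums to 0 mod 256
    return bytes(table)


def main():
    try:
        blob = DMAR_TABLE_PATH.read_bytes()
    except OSError:                    # missing (no VT-d / not Linux) or not root: use the sample
        blob = build_sample_dmar()
    for bdf, ranges in sorted(rmrr_devices(blob).items()):
        for base, limit in ranges:
            print(f"{bdf}  RMRR {base:#x}-{limit:#x}")
    # Constructed stand-in for the output of `xl pci-list` on two guests.
    assigned = {"guest1": ["0000:00:14.0", "0000:01:00.0"], "guest2": ["0000:03:00.0"]}
    print("assignments involving RMRR devices:", risky_assignments(blob, assigned))


if __name__ == "__main__":
    main()
```

Run it as root on the host; any device it lists should not be passed through to a guest until the fixed hypervisor is running. The checksum and length checks are there because a truncated or mangled table read must fail loudly rather than silently report "no RMRRs".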

References

  1. Xen Security Advisory 386: https://xenbits.xenproject.org/xsa/advisory-386.txt
  2. Openwall Security Announcement: http://www.openwall.com/lists/oss-security/2021/10/07/2
  3. Debian Security Advisory (DSA-5017): https://www.debian.org/security/2021/dsa-5017
  4. Gentoo Linux Security Advisory (GLSA-202208-23): https://security.gentoo.org/glsa/202208-23
  5. Fedora Security Updates:
    • FEDORA-2021-829f5f2f43: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2OIHEJ3R3EH5DYI2I5UMD2ULJ2ELA3EX/
    • FEDORA-2021-0b7a484688: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FDPRMOBBLS74ONYP3IXZZXSTLKR7GRQB/
    • FEDORA-2021-80bbe7def0: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TRAWV6PO2KUGVZTESERECOBUBZ6X45I7/

Industry Exposure (most to least)

This section illustrates the prevalence of this CVE across industries based on customer reports, ranked from most to least affected. It is intended to help organizations in these sectors compare their relative exposure with their peers and prioritize patching, resource allocation and remediation accordingly.

  1. Health Care & Social Assistance: Low
  2. Manufacturing: Low
  3. Utilities: Low
  4. Accommodation & Food Services: Low
  5. Administrative, Support, Waste Management & Remediation Services: Low
  6. Agriculture, Forestry, Fishing & Hunting: Low
  7. Arts, Entertainment & Recreation: Low
  8. Construction: Low
  9. Educational Services: Low
  10. Finance and Insurance: Low
  11. Information: Low
  12. Management of Companies & Enterprises: Low
  13. Mining: Low
  14. Other Services (except Public Administration): Low
  15. Professional, Scientific, & Technical Services: Low
  16. Public Administration: Low
  17. Real Estate Rental & Leasing: Low
  18. Retail Trade: Low
  19. Transportation & Warehousing: Low
  20. Wholesale Trade: Low

Armis Vulnerability Intelligence Database