together with the debug option enabled, in which case the debugger is attached to each request/response, which can lead to a DoS through long response times. The last two cause the most critical issue: an attacker can craft non-trivial requests that cause huge memory consumption in xenstored when they are executed on behalf of a malicious guest. Even when the malicious guest cannot issue a large number of requests (e.g. because its own memory is limited), it can still drive memory consumption up by registering many watches and deleting many xenstore nodes at once. This last scenario can be handled by restricting the maximum allowed path length or the maximum allowed size of each transaction. Whichever limit is used, it should be set high enough that legitimate guests never reach it, while still bounding what a malicious guest can consume. The limit can be set in the configuration file or changed at runtime via the --max-path-length or --max-size command line options, and setting these limits can be scripted.

Protecting against persistent XENMEM bug

The bug was first identified in 2003 and the fix has been backported to other kernel versions.
The bug was likely introduced by a compiler optimization.
The kernel can only be protected against the bug by disabling that optimization or by recompiling the kernel with a sufficiently recent version of gcc.
It may be possible to make an unprivileged guest more resilient to the bug, but no method for doing so is known. The mitigation strategy for the vulnerability is therefore to prevent malicious guests from making persistent requests that consume a lot of memory. The following strategies are suggested:
- limit the maximum allowed path length, so malicious guests cannot create excessively long paths,
- limit the maximum allowed size of each transaction, so malicious guests cannot create large transactions that cause huge memory consumption when executed,
- restrict watch operations, which have a high probability of causing long responses, and
- restrict delete operations, which have a high probability of causing long responses.

Limitation of max allowed path length

By default the path length is unlimited, but a maximum allowed path length can be configured so that overly long paths are rejected before they consume memory.

Xend limiting the number of watches

The Xend server limits, by default, the number of watches it will execute for each node; the limit can be configured in the xf_server.conf file.
For example, the default setting limits the number of watches to 256, and once this is exceeded all new requests are rejected.
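The quotas recommended above (a maximum path length, a maximum amount of data per transaction, and a maximum number of watches per domain) come down to a few bounded counters that are checked before a request is accepted. The following is an added example written for this page, not code from Xen or xenstored: the names (quota_check_path, quota_txn_write, quota_watch_add), the limits and the error codes are assumptions chosen for illustration, and the real xenstored options and defaults should be taken from the documentation of the Xen version in use.

```c
/*
 * Added example, not Xen's own code: a minimal per-domain quota checker
 * modelled on the mitigations listed on this page. All names, limits and
 * error codes are assumptions for illustration only.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical defaults; a real deployment tunes these per workload. */
#define QUOTA_PATH_MAX        64      /* max bytes in a node path */
#define QUOTA_TXN_BYTES_MAX   256     /* max payload bytes staged in one transaction */
#define QUOTA_WATCH_MAX       4       /* max outstanding watches per domain */

struct domain_quota {
    size_t txn_bytes;     /* bytes staged in the currently open transaction */
    unsigned watches;     /* watches currently registered by this domain */
};

/* Reject a NULL or empty path, or one longer than maxlen bytes.
 * Scanning stops at maxlen + 1 so an oversize path is never walked fully. */
int quota_check_path(const char *path, size_t maxlen)
{
    if (path == NULL)
        return -EINVAL;
    size_t n = 0;
    while (n <= maxlen && path[n] != '\0')
        n++;
    if (n == 0)
        return -EINVAL;
    if (n > maxlen)
        return -ENAMETOOLONG;
    return 0;
}

/* Stage a write of datalen bytes to path inside the domain's transaction. */
int quota_txn_write(struct domain_quota *q, const char *path, size_t datalen)
{
    int rc = quota_check_path(path, QUOTA_PATH_MAX);
    if (rc)
        return rc;
    /* Compare against the remaining room rather than the sum, so the
     * check cannot be bypassed by an addition that wraps around. */
    if (datalen > (size_t)QUOTA_TXN_BYTES_MAX - q->txn_bytes)
        return -ENOSPC;
    q->txn_bytes += datalen;
    return 0;
}

/* Committing or aborting the transaction releases the bytes it staged. */
void quota_txn_end(struct domain_quota *q)
{
    q->txn_bytes = 0;
}

/* Register a watch; refuse once the per-domain watch quota is used up. */
int quota_watch_add(struct domain_quota *q, const char *path)
{
    int rc = quota_check_path(path, QUOTA_PATH_MAX);
    if (rc)
        return rc;
    if (q->watches >= QUOTA_WATCH_MAX)
        return -ENOMEM;
    q->watches++;
    return 0;
}

void quota_watch_remove(struct domain_quota *q)
{
    if (q->watches)
        q->watches--;
}

/* Runs a constructed sequence of guest requests and returns how many
 * of them the quotas rejected (expected: 3). */
int quota_demo(void)
{
    struct domain_quota q = {0};
    char longpath[QUOTA_PATH_MAX + 8];          /* constructed over-long path */
    int rejected = 0;

    memset(longpath, 'a', sizeof longpath - 1);
    longpath[sizeof longpath - 1] = '\0';

    rejected += quota_txn_write(&q, "/local/domain/1/data", 100) != 0; /* accepted */
    rejected += quota_txn_write(&q, "/local/domain/1/data", 200) != 0; /* over txn quota */
    rejected += quota_txn_write(&q, longpath, 1) != 0;                 /* path too long */
    quota_txn_end(&q);                                                 /* frees staged bytes */
    rejected += quota_txn_write(&q, "/local/domain/1/data", 200) != 0; /* accepted again */
    for (int i = 0; i < QUOTA_WATCH_MAX; i++)
        rejected += quota_watch_add(&q, "/local/domain/1/data") != 0;  /* all accepted */
    rejected += quota_watch_add(&q, "/local/domain/1/x") != 0;         /* over watch quota */
    return rejected;
}

int main(void)
{
    printf("requests rejected by quota: %d\n", quota_demo());
    return 0;
}
```

The point of the demo sequence is the accounting, not the numbers: staged transaction bytes are released when the transaction ends, watches are released only when the guest removes them, and the path check runs before any allocation so an over-long path costs the daemon nothing beyond a bounded scan.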

CVE-2023-42319

The CVE-2023-42319 issue is caused by an excessive number of watches on xenstore nodes. It can be fixed by reducing the number of watches that are allowed on a xenstore node.

Timeline

Published on: 11/01/2022 13:15:00 UTC
Last modified on: 11/03/2022 13:55:00 UTC

References