Options to address CVE-2017-5753 on XEN platforms
Environment
- Red Hat Enterprise Linux 5 (Xen host and guest)
- Red Hat Enterprise Linux 6 (Xen guest)
Issue
- I’m concerned about the recent security vulnerability incidents. What can be done for my Xen-hosted systems?
- Can CVE-2017-5753 be fixed for Xen machines?
Resolution
Three CVEs were recently made public (CVE-2017-5754, CVE-2017-5753 and CVE-2017-5715) that allow a local attacker to access unauthorized data. CVE-2017-5753 documents the variant of this attack that allows virtualized guests to interact with the host and with other guests on the same physical system.
Red Hat’s currently supported virtualization platforms, which are based on the KVM hypervisor, will have published errata correcting the issue. Red Hat’s older virtualization platform codebase (Xen) has technical limitations that prevent these three vulnerabilities from being fully addressed, particularly CVE-2017-5715. Some level of risk will remain for hypervisors and guests that use Xen paravirtualization (PV guests).
More recent versions of upstream Xen do allow a more complete solution, but it is not feasible to apply that solution to the version of Xen shipped with Red Hat Enterprise Linux 5. Cloud providers that use the Xen hypervisor, however, do have an option to secure the paravirtualized guests running on their servers.
Xen also supports running guests under hardware virtualization (HVM guests). HVM guests do not share the limitations of PV guests, and a fix for all three vulnerabilities could be prepared for Red Hat Enterprise Linux 5; however, most customers running Xen rely on it for its paravirtualized guest support. Therefore, Red Hat is currently not providing errata to correct the issue for HVM guests either.
Customers are advised to take a risk-based approach to mitigating this issue. Systems running within Xen that require a high degree of security and trust should be addressed first, and should be physically isolated from untrusted systems.
| Type of system | Recommended approach |
|---|---|
| Red Hat Enterprise Linux running as Xen server | Xen PV is not fixable for the above CVEs, and Red Hat is currently not providing errata to correct the issue for HVM either. Red Hat recommends that subscribers migrate to more modern virtualization platforms that can be fixed. See the article "Converting a Xen Linux virtual machine to KVM" for migration guidance. |
| Red Hat Enterprise Linux running as a guest of a cloud provider | Contact the Xen provider for the options available. |
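Applying the table requires knowing which row a given machine falls into (Xen host, PV guest, HVM guest, or not under Xen at all). The POSIX shell helper below is an added example, not part of Red Hat's solution; it classifies a system from /proc/xen/capabilities (dom0 advertises `control_d`), /sys/hypervisor/type and /sys/hypervisor/guest_type, and the DMI product name (Xen HVM guests report "HVM domU"). The DMI-based fallback for kernels that lack guest_type, and the optional ROOT argument that points the checks at an alternative directory tree for testing, are my assumptions.

```shell
#!/bin/sh
# Classify a system by its Xen role so it can be matched to the table above.
# ROOT (optional first argument) prefixes every path read; it is empty on a real
# system and points at a constructed directory tree when testing (assumption).

# Print the first line of a file, or nothing if it is absent; never fail,
# so callers can run under "set -e".
read_first() {
    if [ -r "$1" ]; then head -n 1 "$1"; fi
    return 0
}

xen_role() {
    root="${1:-}"
    hv="$(read_first "$root/sys/hypervisor/type")"
    caps="$(read_first "$root/proc/xen/capabilities")"
    guest="$(read_first "$root/sys/hypervisor/guest_type")"
    dmi="$(read_first "$root/sys/class/dmi/id/product_name")"

    # No Xen indicators at all: this article does not apply to the machine.
    if [ "$hv" != "xen" ] && [ -z "$caps" ] && ! echo "$dmi" | grep -q 'HVM domU'; then
        echo "not-xen"; return 0
    fi
    # dom0 (the Xen host) is the only domain with the control capability.
    case "$caps" in *control_d*) echo "xen-host"; return 0 ;; esac
    # Newer kernels state the guest type directly.
    case "$guest" in
        PV)  echo "xen-pv-guest";  return 0 ;;
        HVM) echo "xen-hvm-guest"; return 0 ;;
    esac
    # Older kernels (assumption: no guest_type file): HVM guests see Xen's
    # emulated DMI tables, while PV guests have no DMI product name at all.
    if echo "$dmi" | grep -q 'HVM domU'; then
        echo "xen-hvm-guest"
    else
        echo "xen-pv-guest"
    fi
}

xen_role "$@"
```

Run it on each RHEL 5/6 machine in scope; "xen-host" and "xen-pv-guest" results map to the first row of the table, "xen-hvm-guest" to whichever row matches who operates the host.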