Discover the impact and mitigation strategies for CVE-2021-28695, a vulnerability in Xen related to IOMMU page mapping issues on x86. Learn about affected systems and versions.
This article provides insights into CVE-2021-28695, a vulnerability related to IOMMU page mapping issues on x86 found in Xen.
Understanding CVE-2021-28695
CVE-2021-28695 is a security vulnerability discovered by Jan Beulich of SUSE in Xen, affecting various versions of the software.
What is CVE-2021-28695?
The vulnerability arises from IOMMU page mapping issues on x86 systems, specifically on AMD hardware, causing identity mappings to be left in place after de-assignment of a physical device.
The Impact of CVE-2021-28695
The impact is system-specific but can lead to privilege escalation, denial of service, or information leaks on affected systems.
Technical Details of CVE-2021-28695
The vulnerability can only be exploited by guests granted access to physical devices, such as via PCI passthrough. All versions of Xen are affected, but only on x86 systems with IOMMUs and with firmware specifying memory regions to be identity mapped.
Vulnerability Description
On systems whose firmware specifies memory regions to be identity mapped, Xen fails to prevent guests from undoing or replacing those memory mappings, leading to continued access to unauthorized memory ranges.
Affected Systems and Versions
This vulnerability impacts multiple versions of Xen, including 4.11.x, 4.12.x, 4.13.x, 4.14.x, 4.15.x, and xen-unstable.
Exploitation Mechanism
Guests granted access to physical devices can exploit the vulnerability and retain access to memory ranges after the device has been de-assigned.
Mitigation and Prevention
To address CVE-2021-28695, immediate steps should be taken alongside long-term security practices.
Immediate Steps to Take
Avoid granting untrusted guests access to physical devices to mitigate the vulnerability.
Long-Term Security Practices
Do not give untrusted guests access to devices for which the firmware-provided ACPI tables declare identity mappings.
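An added example, not part of the original page or of the Xen project: on AMD systems the firmware declares such regions as IVMD blocks in the ACPI IVRS table, so parsing a dump of that table shows which devices carry identity mappings. The table layout follows the AMD IOMMU specification; the function names and the constructed sample table are assumptions of this example.

```python
import struct

IVRS_HEADER_LEN = 48  # ACPI table header (36) + IVinfo (4) + reserved (8)
IVMD_SCOPE = {0x20: "all devices", 0x21: "single device", 0x22: "device range"}
UNITY, IR, IW = 0x01, 0x02, 0x04  # IVMD flag bits: identity map, read, write

def bdf(devid):
    """Format a 16-bit PCI device ID as bus:device.function."""
    return f"{devid >> 8:02x}:{(devid >> 3) & 0x1f:02x}.{devid & 7}"

def unity_regions(table):
    """Return the IVMD blocks of a raw IVRS table that request identity mapping."""
    if table[:4] != b"IVRS":
        raise ValueError("not an IVRS table")
    total = struct.unpack_from("<I", table, 4)[0]
    if total > len(table):
        raise ValueError("table shorter than its declared length")
    found, off = [], IVRS_HEADER_LEN
    while off + 4 <= total:
        btype, flags, blen = struct.unpack_from("<BBH", table, off)
        if blen < 4 or off + blen > total:
            raise ValueError(f"bad block length at offset {off}")
        if btype in IVMD_SCOPE and blen >= 32 and flags & UNITY:
            devid, aux, _, start, length = struct.unpack_from("<HHQQQ", table, off + 4)
            dev = {0x20: "*", 0x21: bdf(devid), 0x22: f"{bdf(devid)}-{bdf(aux)}"}[btype]
            found.append({"scope": IVMD_SCOPE[btype], "device": dev,
                          "start": start, "length": length,
                          "read": bool(flags & IR), "write": bool(flags & IW)})
        off += blen  # IVHD and other block types are skipped by their length field
    return found

def sample_ivrs():
    """Constructed table: one IVHD block, one unity IVMD, one exclusion-only IVMD."""
    ivhd = struct.pack("<BBH", 0x10, 0, 24) + bytes(20)
    unity = struct.pack("<BBHHHQQQ", 0x21, 0x07, 32, 0x0300, 0, 0, 0xBF000000, 0x10000)
    excl = struct.pack("<BBHHHQQQ", 0x20, 0x08, 32, 0, 0, 0, 0xC0000000, 0x1000)
    body = ivhd + unity + excl
    return b"IVRS" + struct.pack("<I", IVRS_HEADER_LEN + len(body)) + bytes(40) + body

if __name__ == "__main__":
    # Assumption: for a real host, replace sample_ivrs() with the bytes of an
    # IVRS dump (for example one produced by acpidump).
    for r in unity_regions(sample_ivrs()):
        end = r["start"] + r["length"] - 1
        print(f'{r["device"]} ({r["scope"]}): {r["start"]:#x}-{end:#x} '
              f'read={r["read"]} write={r["write"]}')
```

Devices listed by this check are the ones to keep away from untrusted guests until a patched Xen is running.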
Patching and Updates
Regularly update Xen to patched versions that address CVE-2021-28695.