Message-Id: <E1uJt5c-007iTv-2W@xenbits.xenproject.org>
Date: Tue, 27 May 2025 12:07:28 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security-team-members@....org>
Subject: Xen Security Advisory 468 v3 (CVE-2025-27462,CVE-2025-27463,CVE-2025-27464) - WinPVDrivers: Excessive permissions on user-exposed devices

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

     Xen Security Advisory CVE-2025-27462,CVE-2025-27463,CVE-2025-27464 / XSA-468
                                   version 3

       WinPVDrivers: Excessive permissions on user-exposed devices

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The Windows PV drivers expose various facilities to userspace.  Several
of these have no security descriptor, and are therefore fully accessible
to unprivileged users.  These are:

 1. XenCons, CVE-2025-27462
 2. XenIface, CVE-2025-27463
 3. XenBus, CVE-2025-27464

IMPACT
======

Unprivileged users inside the guest can escalate privilege to that of the
guest kernel.

VULNERABLE SYSTEMS
==================

All Windows virtual machines running the Windows PV drivers are
vulnerable.

The xencons driver was first available in the 9.0.0 release, and is
vulnerable since its introduction.  The xeniface and xenbus drivers are
vulnerable in all releases.

MITIGATION
==========

A PowerShell script to mitigate the issue in the XenIface driver has been
developed.  It is a single-shot script which can either scan for the
vulnerabilities, or fix them by inserting the relevant security
descriptors into the registry and the running device objects.  See the
script for full invocation information.
Because attaching PowerShell scripts to emails causes them to be rejected
by several major service providers, the script is instead available from:

  https://paste.vates.tech/?415ce4adb9dde353#6REZBQosbawepd8RcCWrhZ5H3euYSNXGcfHr6hrwU2om
  password: 79322bc8-94fe-42f6-8b81-8373fa9458d0
  sha256:   db45e6123312cf9a3a2136f903f82826556915b76b5149b00eeefbe0a2912107

It has only been lightly reviewed by the Xen Security Team.  Feedback
welcome.

CREDITS
=======

This issue was discovered by Tu Dinh of Vates.

RESOLUTION
==========

Applying the attached patches resolves this issue.

xsa468/xenbus-01.patch      Windows xenbus
xsa468/xencons-0?.patch     Windows xencons
xsa468/xeniface-0?.patch    Windows xeniface

Note: xeniface-03 and 04 are not being treated as security issues, but
are included for downstreams wishing to include them in the same WHQL
testing run.

$ sha256sum xsa468*/*
3c4fbc0526c2a099e0866f9483c545605ab30c7bae8cfbfc7deea7f491b34ac3  xsa468/xenbus-01.patch
7336ce0fd1df73921ec4246bf71ccd8709a8fae20c056e7aba231f34ebccefc9  xsa468/xencons-01.patch
bbacf952c8f78ec6d0ea8ae25d6b1a5e4789c651bfbe6a357adbfc681c49809f  xsa468/xencons-02.patch
0e65525d0a89d693b0b62074e593be332a431cbe245aa8f7d94db4f93a0e7c78  xsa468/xeniface-01.patch
d9193ea2f120281b3ff0886f65ab87723520577826a347db539ef8904eaffa02  xsa468/xeniface-02.patch
f5a6da368cd0114e8d462d7959590e2abff0523574091427896d7092face0e6a  xsa468/xeniface-03.patch
01fadfd4906db35a14cba6d17cc2d28020f554564741c764db876dca43205ad3  xsa468/xeniface-04.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of patches or mitigations is NOT permitted (except where all
the affected systems and VMs are administered and used only by
organisations which are members of the Xen Project Security Issues
Predisclosure List).  Specifically, deployment on public cloud systems
is NOT permitted.

This is because the fixes change in-guest behaviour.

Deployment is permitted only AFTER the embargo ends.
(Note: this during-embargo deployment notice is retained in post-embargo
publicly released Xen Project advisories, even though it is then no
longer applicable.  This is to enable the community to have oversight of
the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:

  http://www.xenproject.org/security-policy.html

-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmg1o+EMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZB4IH+QGuIpu1qNVMNNL6rsWSHXJO764VIS8nn6sadMPI
heKoqWr9RMzPZsFDK5qWtckUR4Mfloj/3OD3VDb7a+qeeHFRHCvtpJ5L+q+JYAW6
5Fi5mGqNxTZWjCiwyKtKpJqRj7xSSb49TAi7BrshToV5jD66IyKUW44qFEeXPrs8
KTg2M3MhOO+OJrnHZHcKbhXd2IyhcYL96wg6KteVoQb35uyiDRpj1/mT4BQvp03n
3MJe3uQCavorEPiiWk+Zy/DXSBzFsGpsCSwGOYgjC7HZfWvtsmWeREQhai32LpBi
HW7yufiHwn/sC4hJT98CR1UvH/IJRbEG4kqVX4J6dxau9bw=
=QxLI
-----END PGP SIGNATURE-----

Attachments (as listed by the archive):
  xsa468/xenbus-01.patch    application/octet-stream, 2829 bytes
  xsa468/xencons-01.patch   application/octet-stream, 3048 bytes
  xsa468/xencons-02.patch   application/octet-stream, 4603 bytes
  xsa468/xeniface-01.patch  application/octet-stream, 3637 bytes
  xsa468/xeniface-02.patch  application/octet-stream, 1494 bytes
  xsa468/xeniface-03.patch  application/octet-stream, 2180 bytes
  xsa468/xeniface-04.patch  application/octet-stream, 784 bytes
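The MITIGATION section above describes a scan-or-fix PowerShell script but does not reproduce it. The read-only audit below is an added example, not the Xen Security Team's script and not code from the WinPV drivers project. It enumerates the present PnP device nodes whose driver service is one of the three named in the advisory and reports which of them carry no stored security descriptor, a NULL DACL, or an allow ACE that grants write or full access to Everyone, Authenticated Users, BUILTIN\Users or Anonymous. It assumes the drivers register services named XENBUS, XENIFACE and XENCONS (an assumption; adjust the list if your installation differs), the PnpDevice module (Windows 10 / Server 2016 and later) and that the PnP-stored descriptor is exposed through the DEVPKEY_Device_SecuritySDS property. An empty property is reported for review rather than as a confirmed finding, because a driver may also assign a descriptor in code rather than through PnP.

```powershell
# Added audit example for XSA-468 (not the advisory's mitigation script).
# Read-only: it changes nothing. Run from an elevated PowerShell prompt.

# Assumption: service names used by the Windows PV drivers.
$DriverServices = @('XENBUS', 'XENIFACE', 'XENCONS')

# Principals that stand for "any unprivileged user" in a device DACL.
$BroadPrincipals = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-7'      = 'Anonymous'
}

# Access bits that matter on a device object: GENERIC_ALL, GENERIC_WRITE
# and FILE_WRITE_DATA. Any of them for a broad principal is reported.
$WriteMask = 0x10000000 -bor 0x40000000 -bor 0x2

function New-Finding([string]$InstanceId, [string]$Finding, [string]$Detail) {
    [pscustomobject]@{ InstanceId = $InstanceId; Finding = $Finding; Detail = $Detail }
}

function Test-DeviceSecurityDescriptor {
    param([Parameter(Mandatory)] [string] $InstanceId)

    # DEVPKEY_Device_SecuritySDS holds the PnP-stored descriptor as SDDL,
    # or carries no data when nothing was ever assigned through PnP.
    $prop = Get-PnpDeviceProperty -InstanceId $InstanceId `
        -KeyName 'DEVPKEY_Device_SecuritySDS' -ErrorAction SilentlyContinue
    if (-not $prop -or [string]::IsNullOrEmpty([string]$prop.Data)) {
        return New-Finding $InstanceId 'NO_PNP_SECURITY_DESCRIPTOR' `
            'no SD stored via PnP; verify what the driver assigns in code'
    }

    $sddl = [string]$prop.Data
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($sddl)

    # A NULL DACL grants everyone full access.
    if ($null -eq $sd.DiscretionaryAcl) {
        return New-Finding $InstanceId 'NULL_DACL' $sddl
    }

    # Collect allow ACEs that hand write/full access to a broad principal.
    $hits = foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $sid = $ace.SecurityIdentifier.Value
        if ($BroadPrincipals.ContainsKey($sid) -and (($ace.AccessMask -band $WriteMask) -ne 0)) {
            '{0} (mask 0x{1:X8})' -f $BroadPrincipals[$sid], $ace.AccessMask
        }
    }
    if ($hits) {
        return New-Finding $InstanceId 'BROAD_ACCESS' ($hits -join '; ')
    }
    return New-Finding $InstanceId 'OK' $sddl
}

function Invoke-XenDeviceAudit {
    foreach ($svc in $DriverServices) {
        # Win32_PnPEntity.Service names the driver service backing the node.
        $devices = Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
            Where-Object { $_.Service -eq $svc }
        if (-not $devices) {
            New-Finding "($svc)" 'NOT_PRESENT' 'no present device node for this service'
            continue
        }
        foreach ($d in $devices) {
            Test-DeviceSecurityDescriptor -InstanceId $d.InstanceId
        }
    }
}

Invoke-XenDeviceAudit | Format-Table -AutoSize -Wrap
```

Treat NULL_DACL and BROAD_ACCESS rows as confirmed exposure on that node; NO_PNP_SECURITY_DESCRIPTOR rows need a second look at the installed driver version, since the patched drivers may apply their descriptor from code rather than through the PnP property this script reads. The script deliberately only reports; applying descriptors is what the advisory's own script and the listed patches are for.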