CVE-2021-28697
📋 TL;DR
A flaw in the Xen hypervisor's handling of grant table v2 status pages. Xen lets a guest map certain Xen-owned pages into its own address space; the status pages used by grant table v2 are freed when the guest switches back from v2 to v1. Xen tracks only one guest-space mapping of each such page, but racing mapping requests from the guest can leave the same page mapped at several guest addresses, and the switch back to v1 then frees a page the guest can still reach. Once Xen reuses that page, a malicious guest can read or corrupt memory that no longer belongs to it, which can lead to information disclosure, host or guest crashes, or privilege escalation to the host. Affects hosts running Xen that permit guests to use grant table v2.
💻 Affected Systems
- Xen Hypervisor
📦 What is this software?
Fedora by Fedoraproject
Xen by Xen
⚠️ Risk & Real-World Impact
Worst Case
A malicious guest writes to a freed status page after Xen has reused it for hypervisor data or for another guest's memory, corrupting that data and escalating its privileges to those of the host.
Likely Case
The guest reads a freed status page after Xen has reused it and obtains memory belonging to the hypervisor or to another guest: an information leak, with a host or guest crash possible if the guest's stale writes land on live data.
If Mitigated
If guests are not permitted to use grant table v2 (or the host runs a patched hypervisor), the v2-to-v1 switch that frees the status pages never happens and the flaw is unreachable.
🎯 Exploit Status
Exploitation requires control of a guest kernel (the relevant hypercalls are issued from guest ring 0) on a host that permits grant table v2, and the attacker must win a race between their own mapping requests so that a status page ends up mapped more than once before the switch back to v1. The race makes reliable exploitation harder, but the guest controls every operation involved and can simply retry.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Xen 4.15.1 and later, backported to earlier versions
Vendor Advisory: https://xenbits.xenproject.org/xsa/advisory-379.txt
Restart Required: Yes
Instructions:
1. Update the Xen hypervisor packages to a version carrying the XSA-379 fix.
2. Reboot the host so the patched hypervisor is actually running; updating the package alone leaves the old hypervisor in memory (a Xen live patch, where your distribution provides one for XSA-379, is the only way to avoid the reboot).
3. Confirm the running hypervisor: xl info should report the fixed version, or, for distribution builds that keep the old version number, the package changelog should list XSA-379 / CVE-2021-28697.
🔧 Temporary Workarounds
Disable grant table v2
Deny guests grant table v2 so the v2-to-v1 switch that frees the status pages can never happen. The gnttab option is a hypervisor boot parameter (the Xen command line in the bootloader entry), not a runtime setting, so the host must be rebooted for it to take effect:
gnttab=max-ver:1
Newer xl releases also accept a per-domain max_grant_version=1 in the domain configuration; check xl.cfg(5) for the release in use. Most guest kernels operate with v1, but verify any guest that explicitly requires v2 before enforcing this.
🧯 If You Can't Patch
- Isolate affected Xen hosts from sensitive networks
- Monitor for unusual guest behavior or memory access patterns
🔍 How to Verify
Check if Vulnerable:
Run xl info on the host. xen_version reports the running hypervisor version, and xen_commandline shows the Xen boot options: unless it contains gnttab=max-ver:1, the hypervisor default allows guests to use grant table v2. (xm info is the equivalent on the long-deprecated xend toolstack.) An unpatched hypervisor that allows v2 is vulnerable; treat every guest as able to switch versions unless the boot option forbids it.
Check Version:
xl info | grep -E 'xen_version|xen_commandline'
Verify Fix Applied:
The running hypervisor reports 4.15.1 or later in xl info, or your distribution's package changelog lists XSA-379 / CVE-2021-28697 (backported builds keep the old xen_version, so the version string alone is not proof of either state). Also confirm the host was rebooted after the update, since the fix only takes effect in the booted hypervisor.
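As an added example covering both the workaround above and this verification step (it is not from the advisory, this page, or Xen's own tooling), the following POSIX shell script audits one host from the text that xl info prints. It assumes grant table v2 is disabled via the documented gnttab=max-ver:1 boot option and takes 4.15.1 from this page as the first fixed upstream release; the embedded xl info excerpts are constructed samples, not captures from real hosts.

```shell
#!/bin/sh
# Added example, not taken from the XSA-379 advisory or from Xen's own tooling:
# audit one Xen host for CVE-2021-28697 exposure from the text `xl info` prints.
#
# Assumptions (not stated on the page): grant table v2 is disabled by booting
# the hypervisor with the documented option "gnttab=max-ver:1"; "4.15.1" is
# the first upstream release the page names as fixed. Distributions backport
# the fix without raising xen_version, so a verdict of "check-package" means
# "look at the package changelog for XSA-379", not "vulnerable".

FIXED_UPSTREAM="4.15.1"

# Print the value of one "key : value" line of `xl info` text ($2) for key $1.
# Splits on the first colon only, because values such as "gnttab=max-ver:1"
# contain colons themselves.
xlinfo_field() {
    printf '%s\n' "$2" | awk -v key="$1" '
        $0 ~ ("^" key "[ \t]*:") {
            sub(/^[^:]*:[ \t]*/, "")
            print
            exit
        }'
}

# Return 0 when dotted version $1 is greater than or equal to $2.
# Non-numeric suffixes such as "-pre" are dropped by awk's numeric coercion.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0
            bi = (i <= nb) ? y[i] + 0 : 0
            if (ai != bi) exit ((ai > bi) ? 0 : 1)
        }
        exit 0
    }'
}

# Return 0 when the hypervisor command line caps guests at grant table v1.
# "gnttab=" takes a comma-separated list, e.g. "gnttab=max-ver:1,transitive=0".
gnttab_v2_disabled() {
    xlinfo_field xen_commandline "$1" |
        grep -Eq '(^|[[:space:]])gnttab=([^[:space:]]*,)?max-ver:1(,|[[:space:]]|$)'
}

# Print one word: "patched" (upstream version already carries the fix),
# "mitigated" (v2 disabled at boot) or "check-package" (neither is visible).
# Returns 1 only for "check-package".
xsa379_verdict() {
    ver=$(xlinfo_field xen_version "$1")
    if [ -n "$ver" ] && version_ge "$ver" "$FIXED_UPSTREAM"; then
        echo patched
    elif gnttab_v2_disabled "$1"; then
        echo mitigated
    else
        echo check-package
        return 1
    fi
}

# Constructed sample `xl info` excerpts (not captured from real hosts).
SAMPLE_MITIGATED='host                   : xen-a
xen_major              : 4
xen_minor              : 13
xen_extra              : .3
xen_version            : 4.13.3
xen_commandline        : placeholder dom0_mem=4096M gnttab=max-ver:1 iommu=on'

SAMPLE_UNMITIGATED='host                   : xen-b
xen_version            : 4.13.3
xen_commandline        : placeholder dom0_mem=4096M iommu=on'

SAMPLE_PATCHED='host                   : xen-c
xen_version            : 4.15.1
xen_commandline        : placeholder dom0_mem=4096M'

# Usage on a live host:   xl info | sh audit-xsa379.sh --audit
# Without --audit the script only evaluates the constructed samples.
if [ "${1:-}" = "--audit" ]; then
    xsa379_verdict "$(cat)"
else
    for s in "$SAMPLE_MITIGATED" "$SAMPLE_UNMITIGATED" "$SAMPLE_PATCHED"; do
        printf '%s: %s\n' "$(xlinfo_field host "$s")" "$(xsa379_verdict "$s" || true)"
    done
fi
```

The version comparison is deliberately only a positive signal: a host reporting 4.13.3 with a backported fix lands in check-package, and the script never claims "vulnerable", because xen_version cannot distinguish a backported build from an unpatched one. Feed the real xl info output through --audit and treat check-package as a prompt to read the package changelog, not as a verdict.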
📡 Detection & Monitoring
Log Indicators:
- Xen does not normally log grant table version switches or guest mapping requests, so there is no direct hypervisor log signature for an exploitation attempt
- Unexplained hypervisor crashes, or crashes and memory corruption in other guests on an unpatched host, are the nearest available signal
Network Indicators:
- Unusual outbound traffic from the Xen host or dom0, a generic post-compromise signal rather than anything specific to this flaw
SIEM Query:
source="xen" AND ("grant table" OR "XSA-379")
This query surfaces log lines that mention the advisory (for example package update records), which helps track patch rollout; it does not detect exploitation.
🔗 References
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2VQCFAPBNGBBAOMJZG6QBREOG5IIDZID/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FZCNPSRPGFCQRYE2BI4D4Q4SCE56ANV2/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LPRVHW4J4ZCPPOHZEWP5MOJT7XDGFFPJ/
- https://security.gentoo.org/glsa/202208-23
- https://www.debian.org/security/2021/dsa-4977
- https://xenbits.xenproject.org/xsa/advisory-379.txt