CVE-2021-28702

7.6 HIGH

📋 TL;DR

Xen fails to fully deassign a PCI device that has a Reserved Memory Region (reported by the firmware via RMRR) when the guest it was passed through to is shut down. The IOMMU configuration for such a device is left pointing at freed data structures, including the IO page tables, so any DMA or interrupts the device issues afterwards behave unpredictably, ranging from IOMMU faults to host memory corruption. Only hosts that pass RMRR-covered devices through to guests are exposed.

💻 Affected Systems

Products:
  • Xen Hypervisor
Versions: Xen versions prior to 4.14.2, 4.13.4, 4.12.5, and 4.11.6
Operating Systems: Linux distributions with Xen virtualization
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when a PCI device covered by an RMRR is passed through to a guest. Platform firmware typically declares RMRRs for tasks such as legacy USB emulation, so USB controllers are the usual candidates. RMRRs are part of the VT-d DMAR table, so a host without an IOMMU in use has nothing to trigger.

📦 What is this software?

Xen is an open-source type-1 hypervisor. A privileged control domain (dom0) manages guests through the xl toolstack, and PCI passthrough hands a physical device to a guest by programming the IOMMU so the device's DMA is confined to that guest's memory.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Host memory corruption from device DMA into freed hypervisor structures, leading to hypervisor crashes, data loss, or potential privilege escalation.

🟠

Likely Case

IOMMU faults causing system instability, guest crashes, or denial of service.

🟢

If Mitigated

No impact if PCI passthrough with RMRR devices is not used or proper patches are applied.

🌐 Internet-Facing: LOW - Requires local access to virtualization infrastructure.
🏢 Internal Only: MEDIUM - Affects virtualization hosts with PCI passthrough configurations.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

No deliberate attacker action is needed: the faulty deassignment happens whenever the host administrator shuts down or destroys a guest that has an RMRR device assigned. What the device does afterwards depends on how it was last programmed, which a guest that owned the device controls. Setting up the exposed configuration requires administrative access to the host.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Xen 4.14.2, 4.13.4, 4.12.5, or 4.11.6

Vendor Advisory: http://www.openwall.com/lists/oss-security/2021/10/07/2

Restart Required: Yes

Instructions:

1. Install the patched Xen package or build for your branch (distributions often backport the XSA-386 fix without changing the upstream version number; check the distribution's advisory).
2. Before rebooting, note which running guests have PCI devices assigned ('xl pci-list <domain>'). Their teardown on the still-unpatched hypervisor is the trigger, so expect possible IOMMU faults during that shutdown.
3. Reboot the host so the new hypervisor is running; a hypervisor update cannot take effect without a reboot.

🔧 Temporary Workarounds

Do not pass RMRR-covered devices through to guests

Identify the devices the firmware covers with an RMRR and keep them in dom0. The authoritative source is the ACPI DMAR table; Xen also logs RMRR-related messages at IOMMU initialisation, although at the default log level these may be limited to warnings (boot with 'loglvl=all' for the full list). 'xl pci-assignable-list' prints only the BDFs prepared for passthrough and carries no RMRR information, so it cannot identify RMRR devices on its own; use it to see what is prepared for passthrough and return any RMRR device to dom0 with 'xl pci-assignable-remove':

xl dmesg | grep -i rmrr
xl pci-assignable-list
xl pci-assignable-remove <BDF>

'xl pci-assignable-remove' only applies to devices that are not currently assigned to a running guest; a device already assigned must first be detached or the guest shut down, which on an unpatched hypervisor is itself the trigger.

🧯 If You Can't Patch

  • Avoid PCI passthrough for devices with RMRRs. 'xl pci-assignable-list' shows what is prepared for passthrough and 'xl pci-list <domain>' what is assigned; which of those devices have RMRRs must come from the DMAR table or the Xen boot log ('xl dmesg')
  • Isolate virtualization hosts from untrusted networks and limit administrative access
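The workaround and the "If You Can't Patch" list both need the set of PCI devices the firmware covers with an RMRR, which no xl command reports directly. The script below is an added example written for this page, not Xen project code: it parses the ACPI DMAR table that Linux exposes in dom0 at /sys/firmware/acpi/tables/DMAR (root required), lists every RMRR with the PCI devices in its scope, and cross-checks them against the output of xl pci-assignable-list (assumed to be one BDF per line). The sample table used for offline testing is constructed, not dumped from real firmware; the bridged endpoint in it is hypothetical and only there to show how a multi-hop device scope is reported.

```python
"""List PCI devices covered by an RMRR, parsed from the ACPI DMAR table.

Run in a Xen dom0 as root:  python3 rmrr_devices.py            (reads the live table)
                      or:   python3 rmrr_devices.py dmar.bin   (a dumped table)
Added example for CVE-2021-28702 / XSA-386; not part of the Xen project.
"""
import struct
import subprocess
import sys

DMAR_STRUCTS_OFFSET = 48   # 36-byte ACPI header + host addr width(1) + flags(1) + 10 reserved
DMAR_TYPE_RMRR = 1         # remapping structure type: Reserved Memory Region Reporting
PCI_SCOPE_TYPES = {1, 2}   # device scope types: PCI endpoint, PCI sub-hierarchy


def _scope_to_bdf(segment, start_bus, path):
    """Render a device-scope path as seg:bus:dev.fn. Later hops of a multi-hop
    path sit behind PCI bridges whose secondary bus numbers are only known from
    config space, so they are appended as '->dev.fn' for manual resolution."""
    dev, fn = path[0]
    bdf = f"{segment:04x}:{start_bus:02x}:{dev:02x}.{fn}"
    return bdf + "".join(f"->{d:02x}.{f}" for d, f in path[1:])


def _parse_scopes(blob, off, end, segment):
    """Parse the device-scope array that follows an RMRR structure."""
    devices = []
    while off + 6 <= end:
        stype, slen, _resv, _enum_id, start_bus = struct.unpack_from("<BBHBB", blob, off)
        if slen < 8 or (slen - 6) % 2 or off + slen > end:
            raise ValueError(f"bad device scope entry at offset {off}")
        path = [struct.unpack_from("<BB", blob, p) for p in range(off + 6, off + slen, 2)]
        if stype in PCI_SCOPE_TYPES:            # IOAPIC/HPET/ACPI scopes are not PCI devices
            devices.append(_scope_to_bdf(segment, start_bus, path))
        off += slen
    return devices


def parse_rmrrs(blob):
    """Return [{'segment', 'base', 'limit', 'devices'}] for every RMRR in a DMAR table."""
    if blob[:4] != b"DMAR":
        raise ValueError("not a DMAR table")
    total = struct.unpack_from("<I", blob, 4)[0]
    if total > len(blob) or total < DMAR_STRUCTS_OFFSET:
        raise ValueError("truncated DMAR table")
    rmrrs, off = [], DMAR_STRUCTS_OFFSET
    while off + 4 <= total:
        rtype, rlen = struct.unpack_from("<HH", blob, off)
        if rlen < 4 or off + rlen > total:
            raise ValueError(f"bad remapping structure at offset {off}")
        if rtype == DMAR_TYPE_RMRR:
            _resv, segment, base, limit = struct.unpack_from("<HHQQ", blob, off + 4)
            rmrrs.append({"segment": segment, "base": base, "limit": limit,
                          "devices": _parse_scopes(blob, off + 24, off + rlen, segment)})
        off += rlen   # DRHD/ATSR/RHSA/ANDD/SATC structures are skipped by length
    return rmrrs


def rmrr_devices_assignable(rmrrs, assignable_list_output):
    """Intersect RMRR-scoped BDFs with the lines printed by `xl pci-assignable-list`."""
    assignable = {ln.strip() for ln in assignable_list_output.splitlines() if ln.strip()}
    covered = {d for r in rmrrs for d in r["devices"]}
    return sorted(covered & assignable)


def build_sample_dmar():
    """Constructed test table (not from real firmware): one DRHD plus one RMRR at
    0x7b800000-0x7bffffff scoped to 00:1d.0 and 00:1a.0 (USB controllers, the usual
    legacy-USB-emulation targets) and to a hypothetical endpoint behind bridge 00:1c.0."""
    def scope(start_bus, *path):
        body = b"".join(bytes([d, f]) for d, f in path)
        return struct.pack("<BBHBB", 1, 6 + len(body), 0, 0, start_bus) + body
    rmrr_body = (struct.pack("<HHQQ", 0, 0, 0x7b800000, 0x7bffffff)
                 + scope(0, (0x1d, 0)) + scope(0, (0x1a, 0)) + scope(0, (0x1c, 0), (0x00, 0)))
    drhd_body = struct.pack("<BBHQ", 1, 0, 0, 0xfed90000)   # INCLUDE_PCI_ALL, resv, seg 0, reg base
    structs = (struct.pack("<HH", 0, 4 + len(drhd_body)) + drhd_body
               + struct.pack("<HH", DMAR_TYPE_RMRR, 4 + len(rmrr_body)) + rmrr_body)
    header = (b"DMAR" + struct.pack("<IBB6s8sI4sI", DMAR_STRUCTS_OFFSET + len(structs),
                                     1, 0, b"SAMPLE", b"CONSTRUC", 1, b"TEST", 1)
              + struct.pack("<BB10s", 38, 1, b"\0" * 10))  # HAW 39 bits, INTR_REMAP; checksum left 0
    return header + structs


def main(argv):
    path = argv[1] if len(argv) > 1 else "/sys/firmware/acpi/tables/DMAR"
    with open(path, "rb") as f:
        rmrrs = parse_rmrrs(f.read())
    for r in rmrrs:
        print(f"RMRR {r['base']:#x}-{r['limit']:#x} (segment {r['segment']:04x}): "
              + ", ".join(r["devices"]))
    try:
        out = subprocess.run(["xl", "pci-assignable-list"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return   # not a Xen dom0, or xl unavailable: the RMRR list above is still useful
    for bdf in rmrr_devices_assignable(rmrrs, out):
        print(f"WARNING: {bdf} has an RMRR and is prepared for passthrough")


if __name__ == "__main__":
    main(sys.argv)
```

A device that shows up in the WARNING lines should be returned to dom0 with xl pci-assignable-remove; one that is already assigned to a running guest ('xl pci-list <domain>') is the case the advisory describes, and its guest's shutdown should wait for the patched hypervisor where possible.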

🔍 How to Verify

Check if Vulnerable:

Check the Xen version with 'xl info | grep xen_version' and compare it against the vulnerable ranges; distributions that backport the XSA-386 fix may keep the old version number, in which case 'xl info | grep xen_extraversion' and the distribution's package changelog are the better indicators. Then check whether any guest has a PCI device assigned: 'xl pci-list <domain>' for each running domain, and 'xl pci-assignable-list' for devices prepared for passthrough.

Check Version:

xl info | grep xen_version

Verify Fix Applied:

Confirm the Xen version is 4.14.2, 4.13.4, 4.12.5, or 4.11.6 or newer ('xl info | grep xen_version'), or that the distribution package changelog records the XSA-386 / CVE-2021-28702 backport, and that the host has been rebooted since the package was installed.

📡 Detection & Monitoring

Log Indicators:

  • VT-d DMA fault messages in the hypervisor log ('xl dmesg' or the serial console, not the dom0 kernel dmesg) naming a device that has an RMRR, especially shortly after the guest that owned it was shut down or destroyed
  • Xen hypervisor crash logs
  • Host or dom0 instability following the teardown of a guest with a passed-through PCI device

Network Indicators:

  • None specific: the trigger is a local guest teardown and produces no network traffic of its own

SIEM Query:

source="xen" AND ("IOMMU" OR "RMRR" OR "deassign" OR "DMAR")

The hypervisor log is not in dom0's syslog by default; forward 'xl dmesg' output or the serial console to the SIEM for this query to see anything.
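To turn the log indicators above into something that runs, here is an added example (written for this page, not Xen project code) that scans hypervisor log lines for VT-d DMA faults and rates each faulting device: a fault from a device that has an RMRR, at an address inside its reserved region, is the strongest sign that the device kept using a mapping the hypervisor had torn down. The fault-line wording follows Xen's VT-d fault report ("DMAR:[DMA Read] Request device [BDF] fault addr X"); that is an assumption about your Xen version, so adjust FAULT_RE if the wording differs. The RMRR_TABLE constant is a constructed stand-in for what the DMAR table declares, and the sample log lines are constructed too.

```python
"""Rate VT-d DMA faults in Xen log lines (`xl dmesg`) by whether the faulting
device has an RMRR. Added example for CVE-2021-28702 / XSA-386; not Xen code.

Usage:  xl dmesg | python3 xen_rmrr_faults.py -      (read lines from stdin)
        python3 xen_rmrr_faults.py                   (run on the constructed sample)
"""
import re
import sys

# Constructed stand-in for the DMAR table's RMRR entries (real values come from firmware).
RMRR_TABLE = [{"segment": 0, "base": 0x7b800000, "limit": 0x7bffffff,
               "devices": ["0000:00:1d.0", "0000:00:1a.0"]}]

# Assumed wording of Xen's VT-d DMA fault report; the trailing fields vary by version.
FAULT_RE = re.compile(
    r"DMAR:\[(?P<kind>DMA Read|DMA Write)\] Request device "
    r"\[(?P<bdf>[0-9a-f]{4}:[0-9a-f]{2}:[0-9a-f]{2}\.[0-7])\] fault addr (?P<addr>[0-9a-f]+)",
    re.IGNORECASE)

SEVERITY_ORDER = ["other", "rmrr-device", "rmrr-device+in-region"]


def classify_fault(line, rmrrs):
    """Return None for a line that is not a DMA fault, else a dict with the device,
    the faulting address and a severity:
      'rmrr-device+in-region'  device has an RMRR and faulted inside that region
      'rmrr-device'            device has an RMRR, fault elsewhere
      'other'                  device has no RMRR (ordinary passthrough fault)"""
    m = FAULT_RE.search(line)
    if not m:
        return None
    bdf, addr = m["bdf"].lower(), int(m["addr"], 16)
    severity = "other"
    for r in rmrrs:
        if bdf in r["devices"]:
            severity = "rmrr-device"
            if r["base"] <= addr <= r["limit"]:
                severity = "rmrr-device+in-region"
                break
    return {"bdf": bdf, "addr": addr, "kind": m["kind"], "severity": severity}


def scan(lines, rmrrs):
    """Summarise faults per device as {bdf: {'count': n, 'severity': worst_seen}}."""
    summary = {}
    for line in lines:
        fault = classify_fault(line, rmrrs)
        if fault is None:
            continue
        entry = summary.setdefault(fault["bdf"], {"count": 0, "severity": "other"})
        entry["count"] += 1
        if SEVERITY_ORDER.index(fault["severity"]) > SEVERITY_ORDER.index(entry["severity"]):
            entry["severity"] = fault["severity"]
    return summary


# Constructed sample log: two in-region faults from a USB controller with an RMRR,
# one fault from an RMRR device outside its region, one from a device without an RMRR.
SAMPLE_LOG = """\
(XEN) [VT-D]DMAR:[DMA Read] Request device [0000:00:1d.0] fault addr 7b8a0000
(XEN) [VT-D]DMAR:[fault reason 06h] PTE Read access is not set
(XEN) [VT-D]DMAR:[DMA Write] Request device [0000:03:00.0] fault addr 12345000
(XEN) [VT-D]DMAR:[DMA Read] Request device [0000:00:1d.0] fault addr 7b8a1000
(XEN) [VT-D]DMAR:[DMA Write] Request device [0000:00:1a.0] fault addr 1000000
"""

if __name__ == "__main__":
    text = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_LOG
    for bdf, info in sorted(scan(text.splitlines(), RMRR_TABLE).items()):
        print(f"{bdf}: {info['count']} fault(s), {info['severity']}")
```

An 'rmrr-device+in-region' hit right after a guest owning that device was destroyed is the pattern to alert on; 'other' hits are the ordinary passthrough misconfigurations that this CVE does not cover.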
