CVE-2021-28708

8.8 HIGH

📋 TL;DR

This vulnerability in Xen hypervisor allows x86 HVM and PVH guests to crash the host system through misaligned page operations in populate-on-demand mode. Specifically, XENMEM_decrease_reservation hypercalls with invalid page orders can trigger a host crash. Affects systems running Xen with HVM or PVH guests using PoD memory management.

💻 Affected Systems

Products:
  • Xen Hypervisor
Versions: All versions before the fix (specific versions in vendor advisories)
Operating Systems: Linux distributions with Xen packages (Fedora, Debian, Gentoo, etc.)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects x86 HVM and PVH guests using populate-on-demand memory mode. PV guests are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete host system crash leading to denial of service for all virtual machines running on the affected hypervisor.

🟠 Likely Case: Host crash causing downtime for all VMs on the affected hypervisor instance.

🟢 If Mitigated: No impact if patches are applied or vulnerable configurations are avoided.

🌐 Internet-Facing: MEDIUM - Requires guest VM access, which could be obtained through compromised internet-facing services.
🏢 Internal Only: HIGH - Malicious or compromised internal VMs can exploit this to crash the hypervisor.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Requires guest VM access but uses documented hypercalls.

Exploitation requires guest VM privileges to make specific hypercalls. The vulnerability is in hypervisor handling of these calls.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patches available through Xen security advisory XSA-388

Vendor Advisory: https://xenbits.xenproject.org/xsa/advisory-388.txt

Restart Required: Yes

Instructions:

1. Apply Xen security patches from your distribution (Fedora, Debian, Gentoo updates).
2. Update Xen packages to fixed versions.
3. Reboot the hypervisor host to load the patched Xen kernel.

🔧 Temporary Workarounds

Disable PoD for HVM/PVH guests

Avoid using populate-on-demand memory mode for x86 HVM and PVH guests: configure Xen so that no vulnerable guest type is started in PoD mode.

🧯 If You Can't Patch

  • Isolate vulnerable hypervisors from untrusted VMs
  • Monitor for suspicious hypercall patterns from guest VMs

🔍 How to Verify

Check if Vulnerable:

Check Xen version and if running HVM/PVH guests with PoD enabled

Check Version:

xl info | grep xen_version

or

xl --version

Verify Fix Applied:

Verify Xen package version matches patched versions from distribution security advisories

📡 Detection & Monitoring

Log Indicators:

  • Hypervisor crash logs
  • Unexpected host reboots
  • Xen error messages related to PoD operations

Network Indicators:

  • Sudden loss of connectivity to all VMs on a hypervisor

SIEM Query:

Search for: 'Xen crash', 'hypervisor panic', or unexpected host reboots in system logs
