High severity 8.8 · NVD Advisory · Published Oct 18, 2017 · Updated May 13, 2026

CVE-2017-15594

Description

An issue was discovered in Xen through 4.9.x allowing x86 SVM PV guest OS users to cause a denial of service (hypervisor crash) or gain privileges because IDT settings are mishandled during CPU hotplugging.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Xen versions 3.2 through 4.9.x on AMD SVM systems mishandle IDT settings during CPU hotplug, allowing a PV guest to escalate privileges or crash the hypervisor.

Vulnerability

An issue in Xen versions 3.2 through 4.9.x on x86 systems using AMD SVM extensions allows incorrect handling of Interrupt Descriptor Table (IDT) settings during CPU hotplugging [1]. When a new CPU is brought online, its IDT is copied from CPU0, and if CPU0 is in HVM guest context at that moment, the selector fields for Interrupt Stack Table (IST) entries are incorrectly installed on the new CPU [1]. The flaw is exploitable only by PV guests, and only when an HVM guest is present on CPU0 during the hotplug [1].

Exploitation

An attacker with control of a PV guest can exploit this vulnerability when a CPU is hotplugged while CPU0 is running an HVM guest [1]. The PV guest must be the first vCPU scheduled on the newly hotplugged CPU [1]. No additional authentication or network access is required beyond guest-level privileges. The incorrect IDT settings allow the PV guest to manipulate interrupt handling to escalate privileges or crash the hypervisor [1].

Impact

A malicious or buggy x86 PV guest can escalate its privileges to the hypervisor level or cause a denial of service (hypervisor crash) [1]. The impact is severe because it allows a guest to compromise the entire host system.

Mitigation

Xen released patches for this issue (XSA-244) on 2017-10-12 [1]. Affected users should apply the corresponding patch for their Xen version (4.5, 4.6, 4.7, or 4.9) [1]. For Gentoo systems, upgrading to app-emulation/xen-4.9.1-r1 and app-emulation/xen-tools-4.9.1-r1 mitigates the vulnerability [2]. As a workaround, avoid hotplugging CPUs while any HVM guest is running [1]. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 13

References: 6