|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-users] Clarification on security advisory
On Fri, Jan 12, 2018 at 7:30 PM, <who.are.you@xxxxxxxxx> wrote:
>
>>
>> IMPACT
>> ======
>>
>> Xen guests may be able to infer the contents of arbitrary host memory,
>> including memory assigned to other guests.
>>
>
> So an exploit utilised within one Dom-U can then go on to exploit another
> Dom-U. This is easy to read.
>
>
>>
>> Additionally, in general, attacks within a guest (from guest user to
>> guest kernel) will be the same as on real hardware. Consult your
>> operating system provider for more information.
>>
>
> I really don't understand the meaning of this.
> Does this mean that a Dom-U exploit can then go on to exploit the Dom-0 too?
> A Dom-U exploit == a baremetal exploit?
No. If you're running Linux in an HVM guest, and your Linux kernel
doesn't have the KPTI patches, then a userspace process ("guest user")
can use Meltdown to attack the kernel ("guest kernel").
In other words, to protect your systems from Meltdown, you need to do
two things:
1. Move your PV Linux guests to HVM or PVH
2. Install the Linux KPTI patches / Windows Meltdown hotfixes.
-George
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-users
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |