Linux Kernel Xen Privcmd Driver Secure Boot Bypass Vulnerability in Unprivileged DomU

Vulnerability

A vulnerability in the Linux kernel's Xen privcmd driver allows unprivileged user processes in certain guest domains to issue arbitrary hypercalls. This could lead to modifications of kernel memory, potentially disrupting secure boot processes. The issue arises when the privcmd driver is used in an unprivileged domU that acts as a device model for another guest: hypercalls issued through privcmd can then target and affect that other guest. Although the privcmd driver can be restricted to a specific target domain, this lockdown is currently applied only by the userland process that holds the privcmd file descriptor, not enforced by the kernel, so a process that has not applied it retains full hypercall access.

Impact

Exploitation of this vulnerability could break the secure boot feature by allowing unauthorized modifications to kernel memory from unprivileged user processes in a domU.

Reproduction

To reproduce this vulnerability, boot a Xen guest with secure boot enabled. Then, in an unprivileged domU, use a root user process to interact with the privcmd driver. This will enable the process to issue hypercalls that can modify the kernel memory of the guest, thereby disrupting the secure boot integrity.

Remediation

The privcmd driver can be configured to restrict hypercalls to a specific target domain, but this must be done from userland by the process that opens the driver. Ensure that the privcmd driver is locked down to the appropriate target domain before any hypercalls are made.

Added: Mar 25, 2026, 11:31 AM
Updated: Mar 25, 2026, 11:31 AM

Vulnerability Rating

Custom Algorithm

spread          9.0
impact          7.5
exploitability  3.4
remediation     8.3
relevance       4.7
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.