In-depth

Why the Xen flaw NDA represents good responsible disclosure

Many have criticised AWS, Rackspace and IBM for not going public straightaway with Xen flaw details, but Davey Winder thinks they're wrong

When Amazon Web Services, Rackspace and IBM all reboot their clouds, or at least some of the virtualised servers within it, in the space of a few days then you know the collective global IT security eyebrow will raise.

Initially, that eyebrow arched to form a point that was clearly indicating the direction of the Bash/Shellshock revelations. However, we now know it was prompted by a vulnerability within the Xen hypervisor, which is extensively used within the cloud sphere.

A patch was quickly rolled out to customers on a 'predisclosure list,' which effectively requires them to be party to a Non-Disclosure Agreement regarding the nature of the vulnerability.

The 'XSA-108' vulnerability, to give the flaw its cool and snazzy official name (irony alert, irony alert), was caused by a bug in the emulation code used when running HVM guests on x86 processors.

The bug lets an attacker with elevated guest OS privileges crash the host or to read up to three KiB of random memory that might not be assigned to the guest, according to the official advisory, which added "the memory could contain confidential information if it is assigned to a different guest or the hypervisor."

So far, so meh. I mean who really cares? It's just yet another vulnerability that has been caught and patched, something that sadly happens all the time. It's part of the software development circle of life, and as long as those bugs are spotted and squished efficiently and responsibly then all is well. Right?

Well, you'd think so, but here's the thing: responsible disclosure is a bitch. Off all the things that need to be done right when working with IT security, disclosure sits right at the top of a very shaky tree that threatens to topple over at the smallest gust of bad press and crush the reputation of whoever sits beneath it.

In the case of the Xen hypervisor problem, a patch was pretty quickly rolled out but only to those customers on a 'predisclosure list,' which effectively requires them to be party to a Non-Disclosure Agreement regarding the nature of the vulnerability.

In my view, this perfectly meets both the efficient and responsible requirements of disclosure. The patch itself was developed and made available as quickly as possible, and steps were taken to mitigate the window of opportunity opening that might allow the bad guys to exploit the vulnerability before that patch was applied. Yet still I hear complaints this was a case of private disclosure, and only by operating in public with 100 per cent transparency can the world be a safer place. What hogwash!

I understand there is some disquiet, shall we say, concerning the fact IBM SoftLayer took a few days longer than Amazon Web Services or Rackspace to apply the patch and reboot. This despite all being on the same Xen pre-disclosure list. The argument being if the vulnerability was publicly disclosed immediately then users of those services could have demanded an equally immediate response. Once again, hogwash!

If a vendor or supplier delays informing customers of the need to patch, then that's not a good thing and I'm not defending it. I am, however, defending Xen in this case as I think it did act responsibly by not disclosing the vulnerability until a patch was rolled out and deployed.

I am a huge transparency evangelist, but it has to be tempered by some real-world conditions that prevent the bad guys from being able to exploit vulnerabilities before a patch can be deployed.

The Xen security response document highlights this in some detail when dealing with a vulnerability that is not already in the public domain. Oh, and don't start rounding on me for being hypocritical here.

Regular readers of my output across the Dennis stable know I am very much in favour of responsible disclosure, and have argued for zero-day disclosure models to be adopted on more than one occasion.

However, the zero-day disclosure argument applies to breaches where customers need to be informed immediately to mitigate further knock-on data damage. What I'm talking about here is specifically vulnerability disclosure, and this comes with a need to heed the warning against speed as the only metric of responsibility.

Featured Resources

How to scale your organisation in the cloud

How to overcome common scaling challenges and choose the right scalable cloud service

Download now

The people factor: A critical ingredient for intelligent communications

How to improve communication within your business

Download now

Future of video conferencing

Optimising video conferencing features to achieve business goals

Download now

Improving cyber security for remote working

13 recommendations for security from any location

Download now

Recommended

Microsoft Exchange targeted by China-linked hackers
zero-day exploit

Microsoft Exchange targeted by China-linked hackers

3 Mar 2021
Malicious ‘dependency confusion’ packages are stealing password files
hacking

Malicious ‘dependency confusion’ packages are stealing password files

2 Mar 2021
What is the Computer Misuse Act?
Policy & legislation

What is the Computer Misuse Act?

2 Mar 2021
What is cloud-to-cloud backup?
cloud backup

What is cloud-to-cloud backup?

1 Mar 2021

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

26 Feb 2021
How to connect one, two or more monitors to your laptop
Laptops

How to connect one, two or more monitors to your laptop

25 Feb 2021
Ransomware operators are exploiting VMware ESXi flaws
ransomware

Ransomware operators are exploiting VMware ESXi flaws

1 Mar 2021