Why the Xen flaw NDA represents good responsible disclosure

Many have criticised AWS, Rackspace and IBM for not going public straightaway with Xen flaw details, but Davey Winder thinks they're wrong

When Amazon Web Services, Rackspace and IBM all reboot their clouds, or at least some of the virtualised servers within it, in the space of a few days then you know the collective global IT security eyebrow will raise.

Initially, that eyebrow arched to form a point that was clearly indicating the direction of the Bash/Shellshock revelations. However, we now know it was prompted by a vulnerability within the Xen hypervisor, which is extensively used within the cloud sphere.

Advertisement - Article continues below

A patch was quickly rolled out to customers on a 'predisclosure list,' which effectively requires them to be party to a Non-Disclosure Agreement regarding the nature of the vulnerability.

The 'XSA-108' vulnerability, to give the flaw its cool and snazzy official name (irony alert, irony alert), was caused by a bug in the emulation code used when running HVM guests on x86 processors.

The bug lets an attacker with elevated guest OS privileges crash the host or to read up to three KiB of random memory that might not be assigned to the guest, according to the official advisory, which added "the memory could contain confidential information if it is assigned to a different guest or the hypervisor."

So far, so meh. I mean who really cares? It's just yet another vulnerability that has been caught and patched, something that sadly happens all the time. It's part of the software development circle of life, and as long as those bugs are spotted and squished efficiently and responsibly then all is well. Right?

Advertisement - Article continues below
Advertisement - Article continues below

Well, you'd think so, but here's the thing: responsible disclosure is a bitch. Off all the things that need to be done right when working with IT security, disclosure sits right at the top of a very shaky tree that threatens to topple over at the smallest gust of bad press and crush the reputation of whoever sits beneath it.

In the case of the Xen hypervisor problem, a patch was pretty quickly rolled out but only to those customers on a 'predisclosure list,' which effectively requires them to be party to a Non-Disclosure Agreement regarding the nature of the vulnerability.

In my view, this perfectly meets both the efficient and responsible requirements of disclosure. The patch itself was developed and made available as quickly as possible, and steps were taken to mitigate the window of opportunity opening that might allow the bad guys to exploit the vulnerability before that patch was applied. Yet still I hear complaints this was a case of private disclosure, and only by operating in public with 100 per cent transparency can the world be a safer place. What hogwash!

Advertisement - Article continues below

I understand there is some disquiet, shall we say, concerning the fact IBM SoftLayer took a few days longer than Amazon Web Services or Rackspace to apply the patch and reboot. This despite all being on the same Xen pre-disclosure list. The argument being if the vulnerability was publicly disclosed immediately then users of those services could have demanded an equally immediate response. Once again, hogwash!

If a vendor or supplier delays informing customers of the need to patch, then that's not a good thing and I'm not defending it. I am, however, defending Xen in this case as I think it did act responsibly by not disclosing the vulnerability until a patch was rolled out and deployed.

I am a huge transparency evangelist, but it has to be tempered by some real-world conditions that prevent the bad guys from being able to exploit vulnerabilities before a patch can be deployed.

Advertisement - Article continues below

The Xen security response document highlights this in some detail when dealing with a vulnerability that is not already in the public domain. Oh, and don't start rounding on me for being hypocritical here.

Regular readers of my output across the Dennis stable know I am very much in favour of responsible disclosure, and have argued for zero-day disclosure models to be adopted on more than one occasion.

However, the zero-day disclosure argument applies to breaches where customers need to be informed immediately to mitigate further knock-on data damage. What I'm talking about here is specifically vulnerability disclosure, and this comes with a need to heed the warning against speed as the only metric of responsibility.

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now



K2View innovates in data management with new encryption patent

28 May 2020
video conferencing

Zoom 5.0 adds 256-bit encryption to address security concerns

23 Apr 2020

WhatsApp flaw leaves users open to 'shoulder surfing' attacks

21 Apr 2020
cyber security

Microsoft AI can detect security flaws with 99% accuracy

20 Apr 2020

Most Popular

Microsoft Windows

Microsoft warns users not to install Windows 10's May update

28 May 2020
Server & storage

Dell EMC PowerEdge R7525 review: An EPYC core density to make Intel weep

26 May 2020
Network & Internet

Intel releases Wi-Fi and Bluetooth driver updates for Windows 10

26 May 2020