In-depth

Why the Xen flaw NDA represents good responsible disclosure

Many have criticised AWS, Rackspace and IBM for not going public straightaway with Xen flaw details, but Davey Winder thinks they're wrong

When Amazon Web Services, Rackspace and IBM all reboot their clouds, or at least some of the virtualised servers within them, in the space of a few days, you know the collective global IT security eyebrow will raise.

Initially, that eyebrow arched to point in the direction of the Bash/Shellshock revelations. However, we now know it was prompted by a vulnerability in the Xen hypervisor, which is extensively used in the cloud sphere.


The 'XSA-108' vulnerability, to give the flaw its cool and snazzy official name (irony alert, irony alert), was caused by a bug in the emulation code used when running HVM guests on x86 processors.


The bug lets an attacker with elevated guest OS privileges crash the host or read up to 3 KiB of random memory that might not be assigned to the guest, according to the official advisory, which adds: "the memory could contain confidential information if it is assigned to a different guest or the hypervisor."

So far, so meh. I mean who really cares? It's just yet another vulnerability that has been caught and patched, something that sadly happens all the time. It's part of the software development circle of life, and as long as those bugs are spotted and squished efficiently and responsibly then all is well. Right?

Well, you'd think so, but here's the thing: responsible disclosure is a bitch. Of all the things that need to be done right when working with IT security, disclosure sits right at the top of a very shaky tree that threatens to topple over at the smallest gust of bad press and crush the reputation of whoever sits beneath it.

In the case of the Xen hypervisor problem, a patch was pretty quickly rolled out but only to those customers on a 'predisclosure list,' which effectively requires them to be party to a Non-Disclosure Agreement regarding the nature of the vulnerability.

In my view, this perfectly meets both the efficient and responsible requirements of disclosure. The patch itself was developed and made available as quickly as possible, and steps were taken to mitigate the window of opportunity opening that might allow the bad guys to exploit the vulnerability before that patch was applied. Yet still I hear complaints this was a case of private disclosure, and only by operating in public with 100 per cent transparency can the world be a safer place. What hogwash!

I understand there is some disquiet, shall we say, concerning the fact IBM SoftLayer took a few days longer than Amazon Web Services or Rackspace to apply the patch and reboot. This was despite all three being on the same Xen predisclosure list. The argument is that if the vulnerability had been publicly disclosed immediately, users of those services could have demanded an equally immediate response. Once again, hogwash!


If a vendor or supplier delays informing customers of the need to patch, then that's not a good thing and I'm not defending it. I am, however, defending Xen in this case as I think it did act responsibly by not disclosing the vulnerability until a patch was rolled out and deployed.

I am a huge transparency evangelist, but it has to be tempered by some real-world conditions that prevent the bad guys from being able to exploit vulnerabilities before a patch can be deployed.

The Xen security response document highlights this in some detail when dealing with a vulnerability that is not already in the public domain. Oh, and don't start rounding on me for being hypocritical here.

Regular readers of my output across the Dennis stable know I am very much in favour of responsible disclosure, and have argued for zero-day disclosure models to be adopted on more than one occasion.

However, the zero-day disclosure argument applies to breaches where customers need to be informed immediately to mitigate further knock-on data damage. What I'm talking about here is specifically vulnerability disclosure, and this comes with a need to heed the warning against speed as the only metric of responsibility.
