In-depth

Why the Xen flaw NDA represents good responsible disclosure

Many have criticised AWS, Rackspace and IBM for not going public straightaway with Xen flaw details, but Davey Winder thinks they're wrong

When Amazon Web Services, Rackspace and IBM all reboot their clouds, or at least some of the virtualised servers within it, in the space of a few days then you know the collective global IT security eyebrow will raise.

Initially, that eyebrow arched to form a point that was clearly indicating the direction of the Bash/Shellshock revelations. However, we now know it was prompted by a vulnerability within the Xen hypervisor, which is extensively used within the cloud sphere.

A patch was quickly rolled out to customers on a 'predisclosure list,' which effectively requires them to be party to a Non-Disclosure Agreement regarding the nature of the vulnerability.

The 'XSA-108' vulnerability, to give the flaw its cool and snazzy official name (irony alert, irony alert), was caused by a bug in the emulation code used when running HVM guests on x86 processors.

The bug lets an attacker with elevated guest OS privileges crash the host or to read up to three KiB of random memory that might not be assigned to the guest, according to the official advisory, which added "the memory could contain confidential information if it is assigned to a different guest or the hypervisor."

So far, so meh. I mean who really cares? It's just yet another vulnerability that has been caught and patched, something that sadly happens all the time. It's part of the software development circle of life, and as long as those bugs are spotted and squished efficiently and responsibly then all is well. Right?

Well, you'd think so, but here's the thing: responsible disclosure is a bitch. Off all the things that need to be done right when working with IT security, disclosure sits right at the top of a very shaky tree that threatens to topple over at the smallest gust of bad press and crush the reputation of whoever sits beneath it.

In the case of the Xen hypervisor problem, a patch was pretty quickly rolled out but only to those customers on a 'predisclosure list,' which effectively requires them to be party to a Non-Disclosure Agreement regarding the nature of the vulnerability.

In my view, this perfectly meets both the efficient and responsible requirements of disclosure. The patch itself was developed and made available as quickly as possible, and steps were taken to mitigate the window of opportunity opening that might allow the bad guys to exploit the vulnerability before that patch was applied. Yet still I hear complaints this was a case of private disclosure, and only by operating in public with 100 per cent transparency can the world be a safer place. What hogwash!

I understand there is some disquiet, shall we say, concerning the fact IBM SoftLayer took a few days longer than Amazon Web Services or Rackspace to apply the patch and reboot. This despite all being on the same Xen pre-disclosure list. The argument being if the vulnerability was publicly disclosed immediately then users of those services could have demanded an equally immediate response. Once again, hogwash!

If a vendor or supplier delays informing customers of the need to patch, then that's not a good thing and I'm not defending it. I am, however, defending Xen in this case as I think it did act responsibly by not disclosing the vulnerability until a patch was rolled out and deployed.

I am a huge transparency evangelist, but it has to be tempered by some real-world conditions that prevent the bad guys from being able to exploit vulnerabilities before a patch can be deployed.

The Xen security response document highlights this in some detail when dealing with a vulnerability that is not already in the public domain. Oh, and don't start rounding on me for being hypocritical here.

Regular readers of my output across the Dennis stable know I am very much in favour of responsible disclosure, and have argued for zero-day disclosure models to be adopted on more than one occasion.

However, the zero-day disclosure argument applies to breaches where customers need to be informed immediately to mitigate further knock-on data damage. What I'm talking about here is specifically vulnerability disclosure, and this comes with a need to heed the warning against speed as the only metric of responsibility.

Featured Resources

Unleashing the power of AI initiatives with the right infrastructure

What key infrastructure requirements are needed to implement AI effectively?

Download now

Achieve today. Plan tomorrow. Making the hybrid multi-cloud journey

A Veritas webinar on implementing a hybrid multi-cloud strategy

Download now

A buyer’s guide for cloud-based phone solutions

Finding the right phone system for your modern business

Download now

The workers' experience report

How technology can spark motivation, enhance productivity and strengthen security

Download now

Recommended

McAfee’s MVISION XDR takes security beyond the endpoint
cloud security

McAfee’s MVISION XDR takes security beyond the endpoint

28 Jan 2021
What is e-safety?
e safety

What is e-safety?

27 Jan 2021
Your essential guide to internet security
Security

Your essential guide to internet security

27 Jan 2021
Mimecast links breach to SolarWinds hackers
Security

Mimecast links breach to SolarWinds hackers

27 Jan 2021

Most Popular

How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

21 Jan 2021
Hackers are actively exploiting three Apple iOS flaws
exploits

Hackers are actively exploiting three Apple iOS flaws

27 Jan 2021
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

26 Jan 2021