CVE-2021-28705: 
NixOS vulnerability analysis and mitigation

CVE-2021-28705 is a vulnerability discovered in Xen hypervisor versions from 3.4 onwards, disclosed in November 2021. The issue affects x86 HVM and PVH guests started in populate-on-demand (PoD) mode, where error handling in certain PoD cases was insufficient, particularly regarding partial success of page removal operations (Xen Advisory).

The vulnerability occurs when guests control P2M (physical-to-machine) aspects of individual pages via hypercalls. These hypercalls can act on ranges of pages specified via page orders, resulting in power-of-2 number of pages. The hypervisor sometimes splits these requests into smaller chunks, but error handling in certain PoD cases was insufficient, specifically in accounting for partial success of operations. The vulnerability has a CVSS v3.1 base score of 7.8 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

Malicious or buggy guest kernels can potentially mount a Denial of Service (DoS) attack affecting the entire system. Additionally, privilege escalation and information leaks cannot be ruled out. The vulnerability specifically affects systems where guests are started in populate-on-demand mode, which is activated when the guest's xl configuration file specifies a 'maxmem' value larger than the 'memory' value (Xen Advisory).

The primary mitigation is to not start x86 HVM or PVH guests in populate-on-demand mode. For a permanent fix, system administrators should apply the security patches provided for their specific Xen version. Various distributions have released security updates addressing this vulnerability, including Debian (version 4.14.3+32-g9de3671772-1~deb11u1), Fedora (versions 4.15.1-4.fc35 and 4.14.3-3.fc34), and Gentoo (version >= 4.16.6_pre1) (Debian Advisory, Fedora Update, Gentoo Advisory).