-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1138
               Xen Security Advisory CVE-2013-3495 / XSA-59
                              21 August 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xen
Publisher:         Xen.org security team
Operating System:  Xen
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Mitigation
CVE Names:         CVE-2013-3495

Comment: While there is currently no patch to correct this vulnerability,
         the following mitigation has been provided by the Xen.org security
         team: "This issue can be avoided by not assigning PCI devices to
         untrusted guests."

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2013-3495 / XSA-59
                              version 4

   Intel VT-d Interrupt Remapping engines can be evaded by native NMI
                              interrupts

UPDATES IN VERSION 4
====================

Public release.

Extensive changes to Description, Vulnerable Systems and Mitigation.
Additional technical information has been supplied by the vendor, Intel.

ISSUE DESCRIPTION
=================

Message Signaled Interrupts (MSI) interrupts on Intel platforms are
defined as DWORD writes to a special address location (0xFEE?????).
MSIs on Intel Platforms supporting VT-d have two defined formats -
Remappable format interrupts, and Compatibility (not remappable) format
interrupts, based on the format of their data payload. Remappable
interrupts are subject to interrupt-remapping protection checks, while
compatibility format interrupts are not. For protection reasons, host
software disables compatibility format interrupts (causing them to be
blocked by interrupt translation hardware) and manages the remappable
interrupts through programming of interrupt-remapping table entries.
Malformed MSIs are transactions to the special (0xFEE?????) address
range that do not have proper attributes of MSI requests (e.g., size of
request is invalid). Such malformed transactions are detected and
aborted by the platform, before they are subject to further interrupt
remapping/processing.

For RAS purposes, some platforms may be configured to support System
Error Reporting (SERR) capability. These platforms raise a PCI system
error (SERR#) due to Unsupported Request, which is typically delivered
as a Non-Maskable Interrupt (NMI), to report such errors to software.
Depending on hypervisor and Dom0 kernel configuration, such an NMI may
be handled by the hypervisor/Dom0 or can result in a host software halt
("panic").

On platforms with SERR enabled, such malformed MSI requests can be
generated by a guest OS with an assigned device, causing the
hypervisor/Dom0 to receive an NMI despite using VT-d and interrupt
remapping for device assignment.

IMPACT
======

A malicious domain, given access to a device which is bus mastering
capable, can mount a denial of service attack affecting the whole
system.

VULNERABLE SYSTEMS
==================

Xen version 3.3 onwards is vulnerable.

Only systems using Intel VT-d for PCI passthrough are vulnerable, where
system firmware (BIOS) may enable SERR in the Host Bridge device. In
order to verify whether SERR is enabled, one can read the SERR Enable
(SERRE) bit (bit 8) in the PCICMD register (offset 0x4) in PCI
configuration space of the Host Bridge device (BDF 00:00.0). A value of
1 in PCICMD[SERRE] indicates SERR logic is enabled.

It is currently not known whether all or just some chipsets supporting
VT-d are affected.

Any domain which is given access to a PCI device that is bus mastering
capable can take advantage of this vulnerability.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices to untrusted
guests.
There are possible workarounds, but none of these have been implemented
at the current time:

A possible workaround is for the hypervisor or Dom0 to disable SERR in
the Host Bridge device by clearing the SERRE bit in the PCICMD register
in PCI configuration space of the Host Bridge device (BDF 00:00.0),
which will block all system error messages generated by the Host
Bridge. This is applicable to all chipsets.

Alternatively the hypervisor or Dom0 can block SERR error signaling due
to the Unsupported Request error resulting from malformed MSI requests
by setting bit 20 ("Unsupported Request Error Mask") in the memory
configuration register at offset 0x1C8 (DMIUEMSK) in the Root Complex
Register Range. The base address of the Root Complex Register Range is
defined by the DMIBAR register (offset 0x68) in PCI configuration space
of the Host Bridge (BDF 00:00.0). For this alternative, less intrusive
workaround it has so far not been determined whether it is applicable
to all or just some Intel chipsets.

CREDITS
=======

This vulnerability was discovered by Gábor Pék (from CrySyS Lab).

RESOLUTION
==========

There is currently no resolution to this issue.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
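The SERRE check described under VULNERABLE SYSTEMS, and the DMIUEMSK bit-20 test from the alternative workaround, as an added example that is not part of the advisory or of Xen's own tooling. It assumes a Linux Dom0 exposing the Host Bridge config space at the usual sysfs path, and that the admin supplies the passthrough status and (optionally) a DMIUEMSK value read by other means; the sample dumps in the test are constructed.

```python
"""Classify a Xen host against the XSA-59 preconditions (added example)."""
from pathlib import Path
from typing import Optional

# Register layout as stated in XSA-59: PCICMD at config offset 0x4 with
# SERRE at bit 8; DMIUEMSK (offset 0x1C8 in the Root Complex range) masks
# Unsupported Request errors with bit 20.
PCICMD_OFFSET = 0x4
SERRE_BIT = 8
DMIUEMSK_UR_MASK_BIT = 20
# Assumed sysfs location of the Host Bridge (BDF 00:00.0) on a Linux Dom0.
HOST_BRIDGE_CONFIG = Path("/sys/bus/pci/devices/0000:00:00.0/config")


def pcicmd(config: bytes) -> int:
    """Return the 16-bit little-endian PCICMD register from a config dump."""
    if len(config) < PCICMD_OFFSET + 2:
        raise ValueError("config dump too short to contain PCICMD")
    return int.from_bytes(config[PCICMD_OFFSET:PCICMD_OFFSET + 2], "little")


def serr_enabled(config: bytes) -> bool:
    """PCICMD[SERRE] set: the Host Bridge may raise SERR# (delivered as NMI)."""
    return bool((pcicmd(config) >> SERRE_BIT) & 1)


def unsupported_request_masked(dmiuemsk: int) -> bool:
    """DMIUEMSK bit 20 set: UR errors from malformed MSIs are masked."""
    return bool((dmiuemsk >> DMIUEMSK_UR_MASK_BIT) & 1)


def assess(config: bytes, vtd_passthrough: bool,
           dmiuemsk: Optional[int] = None) -> str:
    """'exposed' only when passthrough is in use, SERR is enabled and the
    UR error is not masked; otherwise name which condition blocks the path."""
    if not vtd_passthrough:
        return "not-exposed: no VT-d PCI passthrough"
    if not serr_enabled(config):
        return "not-exposed: PCICMD[SERRE] clear"
    if dmiuemsk is not None and unsupported_request_masked(dmiuemsk):
        return "not-exposed: DMIUEMSK masks Unsupported Request"
    return "exposed: SERR enabled on Host Bridge with passthrough in use"


def read_host_bridge_config(path: Path = HOST_BRIDGE_CONFIG) -> bytes:
    """Read the raw config space the kernel exposes for 00:00.0 (needs root)."""
    return path.read_bytes()


if __name__ == "__main__":
    # Whether any guest has an assigned PCI device is known to the admin.
    print(assess(read_host_bridge_config(), vtd_passthrough=True))
```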
If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information
or advice contained in this security bulletin is the responsibility of
each user or organisation, and should be considered in accordance with
your organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved
from:

    http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.