===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1375
          Xen Security Advisory CVE-2013-4355 / XSA-63 version 3
                              2 October 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xen
Publisher:         Xen
Operating System:  Xen
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Modify Arbitrary Files   -- Existing Account
                   Denial of Service        -- Existing Account
                   Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-4361 CVE-2013-4356 CVE-2013-4355

Original Bulletin: 
   http://xenbits.xen.org/xsa/advisory-63.txt
   http://xenbits.xen.org/xsa/advisory-64.txt
   http://xenbits.xen.org/xsa/advisory-66.txt

Comment: This bulletin contains three (3) Xen security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

              Xen Security Advisory CVE-2013-4355 / XSA-63
                             version 3

         Information leaks through I/O instruction emulation

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

Insufficient or missing error handling in certain routines dealing
with guest memory reads can lead to uninitialized data on the
hypervisor stack (potentially containing sensitive data from prior
work the hypervisor performed) being copied to guest visible storage.

This allows a malicious HVM guest to craft certain operations (namely,
but not limited to, port or memory mapped I/O writes) involving
physical or virtual addresses that have no actual memory associated
with them, so that hypervisor stack contents are copied into the
destination of the operation, thus becoming visible to the guest.
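A constructed C model of the bug class described above (added illustration, not Xen's code): guest_read() stands in for a hypervisor routine that reads guest memory and fails when no RAM backs the address, and a marker byte stands in for stale hypervisor stack contents so the leak is observable deterministically. The buggy emulator ignores the failed read and forwards its untouched stack buffer; the fixed one checks the return value and copies nothing on failure.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed guest "RAM": only the first GUEST_RAM_SIZE bytes of the
 * guest physical address space are backed by memory. */
#define GUEST_RAM_SIZE 64
uint8_t guest_ram[GUEST_RAM_SIZE] = { 1, 2, 3, 4 };

/* Marker standing in for leftover hypervisor stack data. */
#define STALE 0xAB

/* Hypothetical guest-memory read: fails when the range has no RAM. */
static int guest_read(uint64_t gpa, void *dst, size_t len)
{
    if (len > GUEST_RAM_SIZE || gpa > GUEST_RAM_SIZE - len)
        return -1;                       /* nothing backs this address */
    memcpy(dst, guest_ram + gpa, len);
    return 0;
}

/* Buggy pattern: the read's failure is ignored, so whatever was in the
 * stack buffer is copied into guest-visible storage. */
int emulate_write_buggy(uint64_t src_gpa, uint8_t *dst, size_t len)
{
    uint8_t buf[16];
    if (len > sizeof buf)
        return -1;
    memset(buf, STALE, sizeof buf);      /* simulate stale stack contents */
    guest_read(src_gpa, buf, len);       /* return value ignored */
    memcpy(dst, buf, len);               /* stale bytes leak to the guest */
    return 0;
}

/* Fixed pattern: zero the buffer, check the read, forward nothing on error. */
int emulate_write_fixed(uint64_t src_gpa, uint8_t *dst, size_t len)
{
    uint8_t buf[16] = { 0 };
    if (len > sizeof buf)
        return -1;
    if (guest_read(src_gpa, buf, len) != 0)
        return -1;                       /* fault the operation instead */
    memcpy(dst, buf, len);
    return 0;
}

/* Count bytes of a buffer carrying the stale marker (for checks). */
size_t stale_bytes(const uint8_t *p, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        n += (p[i] == STALE);
    return n;
}
```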

IMPACT
======

A malicious HVM guest might be able to read sensitive data relating
to other guests.

VULNERABLE SYSTEMS
==================

Xen 3.2.x and later are vulnerable.
Xen 3.1.x and earlier have not been inspected.

Only HVM guests can take advantage of this vulnerability.

MITIGATION
==========

Running only PV guests will avoid this issue.

CREDITS
=======

This issue was discovered by Coverity Scan and diagnosed by Andrew
Cooper & Tim Deegan.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa63.patch        Xen 4.2.x, 4.3.x, and unstable

$ sha256sum xsa63*.patch
32fa93d8ebdfbe85931c52010bf9e561fdae8846462c5b1f2fbc217ca36f3005  xsa63.patch
$

              Xen Security Advisory CVE-2013-4356 / XSA-64
                             version 3

      Memory accessible by 64-bit PV guests under live migration

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

On some hardware, during live migration of 64-bit PV guests, some
parts of the guest's shadow pagetables are mistakenly filled in with
hypervisor mappings.  This causes Xen to crash when those mappings are
later cleared.  Before the crash, a malicious guest could use
hypercalls to cause Xen to read and write the parts of memory pointed
to by the stray mappings.

IMPACT
======

A malicious 64-bit PV guest, on a vulnerable host system, that can
arrange for itself to be live-migrated, could read or write memory at
high physical addresses on the host.

Note that once such a guest begins live migration the host is likely
to eventually crash, either when the live migration completes or on an
earlier page fault.  This crash could be avoided if the malicious
guest uses its improperly escalated privilege to prevent it.

VULNERABLE SYSTEMS
==================

Xen 4.3.x and xen-unstable are vulnerable.
Xen 4.2.x and earlier releases are not vulnerable.

In addition, only hosts with RAM extending past 5TB are affected.

On any host that is affected (and has not yet been successfully
attacked), live migration of a 64-bit PV guest will deterministically
crash the host.  If you can migrate a 64-bit PV guest from host A
to host B, without crashing host A, then host A is not affected by
this bug.

MITIGATION
==========

Running only HVM and 32-bit PV guests or preventing live migration of
64-bit PV guests will avoid this issue.

CREDITS
=======

Andrew Cooper found the issue as a bug, which on examination by the
Xenproject.org Security Team turned out to be a security problem.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa64.patch        xen-unstable, xen-4.3

$ sha256sum xsa64.patch
061396916de992c43b8637909d315581589e5fc28f238aca6822947b45445a47  xsa64.patch
$

              Xen Security Advisory CVE-2013-4361 / XSA-66
                              version 3

           Information leak through fbld instruction emulation

UPDATES IN VERSION 3
====================

Public Release.

ISSUE DESCRIPTION
=================

The emulation of the fbld instruction (which is used during I/O
emulation) uses the wrong variable for the source effective address.
As a result, the actual address used is an uninitialised bit pattern
from the stack.

A malicious guest might be able to find out information about the
contents of the hypervisor stack, by observing which values are
actually being used by fbld and inferring what the address must have
been.  Depending on the actual values on the stack this attack might
be very difficult to carry out.

IMPACT
======

A malicious guest might conceivably gain access to sensitive data
relating to other guests.

VULNERABLE SYSTEMS
==================

Xen 3.3.x and later are vulnerable.

Only HVM guests can take advantage of this vulnerability.

MITIGATION
==========

Running only PV guests will avoid this issue.

There is no mitigation available for HVM guests.  We believe this
vulnerability would require significant research to exploit.

CREDITS
=======

Jan Beulich discovered this issue.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa66.patch             Xen 4.2.x, Xen 4.3.x, xen-unstable
$ sha256sum xsa66.patch
3a9b6bf114eb19d708b68dd5973763ac83b57840bc0f6fbd1fe487797eaffed4  xsa66.patch
$

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================