Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2013.1375 Xen Security Advisory CVE-2013-4355 / XSA-63 version 3 2 October 2013 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Xen Publisher: Xen Operating System: Xen UNIX variants (UNIX, Linux, OSX) Impact/Access: Modify Arbitrary Files -- Existing Account Denial of Service -- Existing Account Access Confidential Data -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2013-4361 CVE-2013-4356 CVE-2013-4355 Original Bulletin: http://xenbits.xen.org/xsa/advisory-63.txt http://xenbits.xen.org/xsa/advisory-64.txt http://xenbits.xen.org/xsa/advisory-66.txt Comment: This bulletin contains three (3) Xen security advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2013-4355 / XSA-63 version 3 Information leaks through I/O instruction emulation UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= Insufficient or missing error handling in certain routines dealing with guest memory reads can lead to uninitialized data on the hypervisor stack (potentially containing sensitive data from prior work the hypervisor performed) being copied to guest visible storage. This allows a malicious HVM guest to craft certain operations (namely, but not limited to, port or memory mapped I/O writes) involving physical or virtual addresses that have no actual memory associated with them, so that hypervisor stack contents are copied into the destination of the operation, thus becoming visible to the guest. IMPACT ====== A malicious HVM guest might be able to read sensitive data relating to other guests. VULNERABLE SYSTEMS ================== Xen 3.2.x and later are vulnerable. Xen 3.1.x and earlier have not been inspected. Only HVM guests can take advantage of this vulnerability. MITIGATION ========== Running only PV guests will avoid this issue. CREDITS ======= This issue was discovered by Coverity Scan and diagnosed by Andrew Cooper & Tim Deegan. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa63.patch Xen 4.2.x, 4.3.x, and unstable $ sha256sum xsa63*.patch 32fa93d8ebdfbe85931c52010bf9e561fdae8846462c5b1f2fbc217ca36f3005 xsa63.patch $ - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJSSUhEAAoJEIP+FMlX6CvZGUsH/13jBs/EU8H/mqXCO7gQXIrm tPp/gsjxxxhVrwOjmmJZShQ8CWU8T3zL0RKaaGBJzAd+imnXQdb+il1vkNYT8edH zSB9WN3o/WNu7bzlhm3ro67WlwhXSY2yea7Bj/9bg2//T5RgoXsewX+LbCAJ3Z44 fflCQsCuvpl77oIcftIe5rcJAtHR4Jb5/4Ps+MzxI52oS3m2BGXv/qOTpDfy7qsp 7j/219hChnGVoZ1u/2m0i1789/9tYWM7jFbvqVYH6yHTEgk1ds8Cnn/uHQ8zXjKI CW8E5HGKOHOpTtJjDF0h3OqcK8vG7qKgHULDziXV//QWPP3uH/dAQCjQO9uS8r4= =RilU - -----END PGP SIGNATURE----- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2013-4356 / XSA-64 version 3 Memory accessible by 64-bit PV guests under live migration UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= On some hardware, during live migration of 64-bit PV guests, some parts of the guest's shadow pagetables are mistakenly filled in with hypervisor mappings. This causes Xen to crash when those mappings are later cleared. Before the crash, a malicious guest could use hypercalls to cause Xen to read and write the parts of memory pointed to by the stray mappings. IMPACT ====== A malicious 64-bit PV guest, on a vulnerable host system, that can arrange for itself to be live-migrated, could read or write memory at high physical addresses on the host. Note that once such a guest begins live migration the host is likely to eventually crash, either when the live migration completes or on an earlier page fault. This crash could be avoided if the malicious guest uses its improperly escalated privilege to prevent it. VULNERABLE SYSTEMS ================== Xen 4.3.x and xen-unstable are vulnerable. Xen 4.2.x and earlier releases are not vulnerable. In addition, only hosts with RAM extending past 5TB are affected. On any host that is affected (and has not yet been successfully attacked), live migration of a 64-bit PV guest will deterministically crash the host. If you can migrate a 64-bit PV guest from from host A to host B, without crashing host A, then host A is not affected by this bug. MITIGATION ========== Running only HVM and 32-bit PV guests or preventing live migration of 64-bit PV guests will avoid this issue. CREDITS ======= Andrew Cooper found the issue as a bug, which on examination by the Xenproject.org Security Team turned out to be a security problem. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa64.patch xen-unstable, xen-4.3 $ sha256sum xsa64.patch 061396916de992c43b8637909d315581589e5fc28f238aca6822947b45445a47 xsa64.patch $ - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJSSUynAAoJEIP+FMlX6CvZbVsH/i4Lqqfrx+cKZJwVWEqc9Ufz YT9nJzy0nyHPmS8SB4CluhE6Uiy8xi0MwNZLRVTrpuchoFbnWETOpplaKbKasMs3 OtHtmYKxdZWWYGl5kNydx5d8pJ4OCftJ/zJbSQRBG2buORF8by1MTzq2sVzJRca6 PcJqruGXlscsPo9B9OxAg4zH5rQo+E3jg0JuuG2qNDYzSDB/tx4WO0uOjkhwxyR6 eL/sHIzNqUcTLxGUhS4xjfnbjfLJ+WaHUvTJOC3Hu6tmcIBke9p99sRZV8dgToxp OB4i02D8z3Rskjda8KgddWGbaOZPM75N47TCgGxh2r0Z46Eg5Pjye/2+VFHpW9U= =7bGU - -----END PGP SIGNATURE----- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2013-4361 / XSA-66 version 3 Information leak through fbld instruction emulation UPDATES IN VERSION 3 ==================== Public Release. ISSUE DESCRIPTION ================= The emulation of the fbld instruction (which is used during I/O emulation) uses the wrong variable for the source effective address. As a result, the actual address used is an uninitialised bit pattern from the stack. A malicious guest might be able to find out information about the contents of the hypervisor stack, by observing which values are actually being used by fbld and inferring what the address must have been. Depending on the actual values on the stack this attack might be very difficult to carry out. IMPACT ====== A malicious guest might conceivably gain access to sensitive data relating to other guests. VULNERABLE SYSTEMS ================== Xen 3.3.x and later are vulnerable. Only HVM guests can take advantage of this vulnerability. MITIGATION ========== Running only PV guests will avoid this issue. There is no mitigation available for HVM guests. We believe this vulnerability would require significant research to exploit. CREDITS ======= Jan Beulich discovered this issue. RESOLUTION ========== Applying the attached patch resolves this issue. xsa66.patch Xen 4.2.x, Xen 4.3.x, xen-unstable $ sha256sum xsa66.patch 3a9b6bf114eb19d708b68dd5973763ac83b57840bc0f6fbd1fe487797eaffed4 xsa66.patch $ - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJSSUhOAAoJEIP+FMlX6CvZdTsIAISzxoVv5PVKcT3RlikuDPdS AN4b5d/AJHGUcVg0K8CAd5UpvP0y5UfVhMFc+LCNDoeTE6a+4PsS/2V49HX259tT oX1HDZUxzfDbNTgZL5/hS3RUNZvTlWxVS0E5SMRW5jDrScPFUOqliD9hNj2cyvlq Ne362V5VFFb9AcZsMPnl2V4FerUyyuTCncxcvsvDshFIhBaqBY8G/LBqIHE7CKZF qCK9688RIMlwgNag7fbSloCLOifC7Jrfp9k+wfhAUdLj6R6l2SuyItYa7KufTAof /bWddQVFxhxcapYMDiNExZNxbHoM51rAeSkC3eYn6BGWKjqfIetA4X+uzfP3LNc= =PSEF - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBUktz5BLndAQH1ShLAQK1eA/9HC8aa+eJTBt8N6KONqW5eoBmsRYpRTOx kT58sisbO4ZhytM+UFqkXbTaMQgfUpgzN7DKZa9jkYSBSjlelvOjukGo8EhxoySk BeAIj9b899N0LZwcnX605cnJr5+dGhK+Uhlh5OEQJFVJRjyUerid1b9hy8RTp7eI wCE7ZFYV8A1A/rGdVWieJcXItxSDoQrD1yOn6TThze7jfvXjFB3tI3Q/ejyyQm16 +ibPMIAhClaedPX0OBiRVKCpBVbA0VeAdZGr8mXB9Zd9v9WX2GL4IFmHz/hzVsKC ehoyfrsc+PY8Bt/kceoXbjEfS4BkD/9PsUTk0/ouk36r3PHH6qXShpWPPiYArQTX 6tuhgmVx+Z1wJxgNMZr65Sb94vX/nJzD7nQE3jJrx5Ih5GTWqa7xv6WyfjYWnTgc /aC9a6Vot2L4xGBqhdkULC/ixCf8sA25YFkeWmcCr7ogGaxZqhTEGy5WoP5AEqhk pO55gNWELgsrnkc7PH5ygE8sWuZZSY8w8DIoC1+pALbU5K83qvSW39MW7KdXdZju wR+B9XVqq7JnI2qN9/wuiKUbWun0kOw5cKt5W3C8lmaScFAwP4qSde0f+D82ZKPH QsjK8YlNjse9Y7naHusN2ayUqlo9jXs4+ngWBR8d37vXQv/vyRLhsLxKCWheVOPJ rF4gV0c/5M0= =5yyE -----END PGP SIGNATURE-----