Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2013.1440
Xen Security Advisory XSA-67, XSA-68, XSA-69, XSA-70 & XSA-71
11 October 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Xen
Publisher: Xen
Operating System: Xen
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Execute Arbitrary Code/Commands -- Existing Account
Denial of Service -- Existing Account
Access Confidential Data -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2013-4375 CVE-2013-4371 CVE-2013-4370
CVE-2013-4369 CVE-2013-4368
Original Bulletin:
http://xenbits.xen.org/xsa/advisory-67.html
http://xenbits.xen.org/xsa/advisory-68.html
http://xenbits.xen.org/xsa/advisory-69.html
http://xenbits.xen.org/xsa/advisory-70.html
http://xenbits.xen.org/xsa/advisory-71.html
Comment: This bulletin contains five (5) Xen security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Xen Security Advisory CVE-2013-4368 / XSA-67
version 2
Information leak through outs instruction emulation
UPDATES IN VERSION 2
====================
Public release.
ISSUE DESCRIPTION
=================
The emulation of the outs instruction for 64-bit PV guests uses an
uninitialized variable as the segment base for the source data if an FS: or
GS: segment override is used, and if the segment descriptor the respective
non-null selector in the corresponding selector register points to cannot be
read by the emulation code (this is possible if the segment register was
loaded before a more recent GDT or LDT update, i.e. the segment register
contains stale data).
A malicious guest might be able to get hold of contents of the hypervisor
stack, through the fault address passed to the page fault handler if the outs
raises such a fault (which is mostly under guest control). Other methods for
indirectly deducing information also exist.
IMPACT
======
A malicious 64-bit PV guest might conceivably gain access to sensitive data
relating to other guests.
VULNERABLE SYSTEMS
==================
Xen 3.1.x and later are vulnerable.
Only 64-bit PV guests can take advantage of this vulnerability.
MITIGATION
==========
Running only HVM or 32-bit PV guests will avoid this issue.
CREDITS
=======
This issue was discovered by Coverity Scan and Matthew Daley.
RESOLUTION
==========
Applying the attached patch resolves this issue.
xsa67.patch Xen 4.2.x, Xen 4.3.x, xen-unstable
$ sha256sum xsa67*.patch
7de3ac9baa6cd9fead46e68912dfa0189e900095317645d0e33d85346fc8a028 xsa67.patch
$
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQEcBAEBAgAGBQJSVpv2AAoJEIP+FMlX6CvZBl4H/RAC7wtn0iA5AGj8197NJC0q
kZDOT0h9QAgecWtYLaZ249MIWeFRGDLjw5IQKxQG+0c/BJyTZzyvLqbfAA/rjjX2
FVSi9+6qtr23WTIgoMKDuSvO/MaC55Y2hkZ/9+j8c+jUD9OyOdbGpjYMF+n3ARB7
GYJkDomxTD/5N8D25wCciaR3fKepM4eaBayXrjIVP2S/k6aQ8QQCjSLP+ito8EG8
RD+MaRlYyBYrO3Q9hZdNju6AREKphpS0WEHqlChmql8Ij8+88ZFYXVHHmhw70G6D
1d6OSm1kFikmroWby9AD97qDwX+estTA4kwKnXYxmcrgyWvkE7O9/uVQJbGGNwg=
=thOF
- -----END PGP SIGNATURE-----
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Xen Security Advisory CVE-2013-4369 / XSA-68
version 2
possible null dereference when parsing vif ratelimiting info
UPDATES IN VERSION 2
====================
Public release.
ISSUE DESCRIPTION
=================
The libxlu library function xlu_vif_parse_rate does not properly
handle inputs which consist solely of the '@' character, leading to a
NULL pointer dereference.
IMPACT
======
A toolstack which allows untrusted users to specify an arbitrary
configuration for the VIF rate can be subjected to a DOS.
The only known user of this library is the xl toolstack which does not
have a central long running daemon and therefore the impact is limited
to crashing the process which is creating the domain, which exists
only to service a single domain.
VULNERABLE SYSTEMS
==================
The vulnerable code is present from Xen 4.2 onwards.
MITIGATION
==========
Disallowing untrusted users from specifying arbitrary VIF rate limits
will avoid this issue.
CREDITS
=======
This issue was discovered by Coverity Scan and Matthew Daley.
RESOLUTION
==========
Applying the attached patch resolves this issue in all branches
xsa68.patch xen-unstable, Xen 4.3.x, Xen 4.2.x
$ sha256sum xsa68*.patch
64716cb49696298e0bbd9556fe9d6f559a4e2785081e28d50607317b6e27ba32 xsa68.patch
$
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQEcBAEBAgAGBQJSVpv6AAoJEIP+FMlX6CvZh5AH/3eMQvmLfgXNbr/vBFKwwJFc
FXd/5N76S17ZI5jTPLoXc1GiXOI9MhPNazKo6e/RLYkVrxgK4Cq8jowBJBgg8Q4R
egOlTinu87uT3ik6DP1ZQVQXEC2Wot0lJwjkN5B/72Tx/ldnS7i/Wi7P5QW7kzcJ
3FWSoCP/degKK/pBbPbt6keUjsUgkIXR3S0Vx/5+NXWeGMfjBFMqV6O1TQ1COkjw
GrvYzXBPAnhmw0fUSYdh87Ed2MH0nZqBGuP/b4wlXqoYWBZN/1xs8M+txnfGLyRm
+vvoM5shs+IiC0cVUcOPF+o7xZRiF6ZNdEMZdMV0NPHNeVEKtdXd6zlc/7VWuvM=
=9/V5
- -----END PGP SIGNATURE-----
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Xen Security Advisory CVE-2013-4370 / XSA-69
version 2
misplaced free in ocaml xc_vcpu_getaffinity stub
UPDATES IN VERSION 2
====================
Public release.
ISSUE DESCRIPTION
=================
The ocaml binding for the xc_vcpu_getaffinity function incorrectly
frees a pointer before using it and subsequently freeing it again
afterwards. The code therefore contains a use-after-free and
double-free flaws.
IMPACT
======
An attacker may be able to cause a multithreaded toolstack written in
ocaml and using this function to race against itself leading to heap
corruption and a potential DoS.
Depending on the malloc implementation code execution cannot be ruled
out.
VULNERABLE SYSTEMS
==================
The flaw is present in Xen 4.2 onwards.
Systems using an ocaml based toolstack (e.g. xapi) are vulnerable.
MITIGATION
==========
Not calling the vcpu_getaffinity function will avoid this issue.
Not allowing untrusted users access to toolstack functionality will
avoid this issue.
CREDITS
=======
This issue was discovered by Coverity Scan and Matthew Daley.
RESOLUTION
==========
Applying the attached patch resolves this issue.
xsa69.patch Xen 4.3.x, Xen 4.2.x, xen-unstable
$ sha256sum xsa69*.patch
d3beb662aacf628b6a25ff6cfcd9526ab689aa43a56cf25e792a001f89b4edbc xsa69.patch
$
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQEcBAEBAgAGBQJSVpv9AAoJEIP+FMlX6CvZDDsIALyFWH1+Ox87+kncvYUHu6UJ
m4r85Jqp7pD97hAWP0mbVu/RxZgIE2mUaLDruuRvyaA940HtmsYxYRd010uqxUGQ
ouFdaChJpfyGAgKn15INEQnj7giX5Kd6tPFyza5N4TBm8HbK1N83rpGHDT8+unzA
MTAPk5KXCiIJ0LBU23Ce5ryXwXIkDjwPP+hJ+G0Axv1UpBTn6BhxE135m7cTOemU
oWHSrYbrM4zBpVPQHl1NX8YGtjbBILwDZOmtfJD/EDI2i7iqiIbVAAEoY6xFIHmL
nk0ZSN/rLSBXV+FH+sdJJunQzj4MOXg+nTx6ptO2T1pzTssEVsz6JOgUcCEMIy8=
=4eSf
- -----END PGP SIGNATURE-----
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Xen Security Advisory CVE-2013-4371 / XSA-70
version 2
use-after-free in libxl_list_cpupool under memory pressure
UPDATES IN VERSION 2
====================
Public release.
ISSUE DESCRIPTION
=================
If realloc(3) fails then libxl_list_cpupool will incorrectly return
the now-free original pointer.
IMPACT
======
An attacker may be able to cause a multithreaded toolstack using this
function to race against itself leading to heap corruption and a
potential DoS.
Depending on the malloc implementation code execution cannot be ruled
out.
VULNERABLE SYSTEMS
==================
The flaw is present in Xen 4.2 onwards.
Systems using the libxl toolstack library are vulnerable.
MITIGATION
==========
Not calling the libxl_list_cpupool function will avoid this issue.
Not allowing untrusted users access to toolstack functionality will
avoid this issue.
CREDITS
=======
This issue was discovered by Coverity Scan and Matthew Daley.
RESOLUTION
==========
Applying the attached patch resolves this issue.
xsa70.patch Xen 4.3.x, Xen 4.2.x, xen-unstable
$ sha256sum xsa70*.patch
2582d3d545903af475436145f7e459414ad9d9c61d5720992eeeec42de8dde56 xsa70.patch
$
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQEcBAEBAgAGBQJSVpwCAAoJEIP+FMlX6CvZRskH/1fMuZLw8xSFT0L6piYvTudo
BYqm+xxOR9dFMVKWMb0Pqk9nhLlYXXAn6pZV0KsoUIaA81Qx+fTkRpafVG9FGoD6
AG2TWijVmG3kyQdEcjxBPKLont2COupTwKUU4wusvLq3adYu7s4CaxUrVLZrhbCf
q8EfmBA9rf1sLw2SiNXPT1o0XZjXJgiRbf5T4ggjJKUsb5+QMb0qXVFPHIqaAcZ5
Jf0HGRi+irH5thRx7hY3mprcGNx5WAWTiKOrzvQH6eDJjAlcAeS5YrDpBn1Z8lA2
ep2c758y6+ZcMfOffU9kHA9wybnZLq+yGIIgS2vcnbpiYHp29JFVEJ6ZIXp/4+4=
=5x/x
- -----END PGP SIGNATURE-----
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Xen Security Advisory CVE-2013-4375 / XSA-71
version 2
qemu disk backend (qdisk) resource leak
UPDATES IN VERSION 2
====================
Public release
Fix patch header corruption in xsa71-qemu-xen-unstable.patch.
ISSUE DESCRIPTION
=================
The qdisk PV disk backend in the qemu-xen flavour of qemu ("upstream
qemu") can be influenced by a malicious frontend to leak mapped grant
references.
IMPACT
======
A malicious HVM guest can cause the backend domain to run out of grant
references, leading to a DoS for any other domain which shares that
driver domain.
VULNERABLE SYSTEMS
==================
Any system which is using the qemu-xen qdisk backend for HVM guests is
vulnerable.
qemu-xen and qdisk are exposed by systems using libxl from Xen 4.2.0
onwards. In Xen 4.2.0 qemu-xen was a non-default option, from Xen
4.3.0 onwards qemu-xen is the default.
Xen 4.1.0 exposes qdisk via libxl but does not support qemu-xen and
therefore is not vulnerable.
The xend toolstack has never supported qdisk as a disk backend and
therefore such systems are not vulnerable.
Upstream qemu is vulnerable from version 1.1 onwards.
MITIGATION
==========
This vulnerability can be avoided by using a different block backend
(e.g. blkback or blktap2) or by using the qemu-xen-traditional version
of qemu.
Users of the xl toolstack, see docs/misc/xl-disk-configuration.txt for
information on forcing the use of a particular disk backend and
xl.cfg(5) for information on forcing the use of qemu-xen-traditional.
Systems which only run PV guests and/or run HVM guests without PV
drivers are not vulnerable.
CREDITS
=======
This issue was discovered by Coverity Scan and Matthew Daley.
RESOLUTION
==========
Applying the appropriate attached patch resolves this issue.
xsa71-qemu-xen-unstable.patch xen-unstable, Xen 4.3.x
xsa71-qemu-xen-4.2.patch Xen 4.2.x
$ sha256sum xsa71*.patch
a3f667e251a32fa5eff4a78eae49acd020b2f340fb203dc08a033d43841b0a2a xsa71-qemu-xen-4.2.patch
f5ec607babb01dc8f8065dfe121882af4c3d93c035bafbfed48825dea684d6d9 xsa71-qemu-xen-unstable.patch
$
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQEcBAEBAgAGBQJSVp1bAAoJEIP+FMlX6CvZ8nMH/1sMYLD38viMSIJndL3Nlfz4
cj5AaTHyPIYaX3RzLZfM08+qeRIcXcPDAcNwaYn97IOv0JJ/gppfNOeCdmHGvWhl
z88vKbzI0RaDv3pL+eKo7RiGN/T32gsh6H4ltjrNGyO0LiDI4rfbxTBjVlzE8bB8
M4weAWtgEa7/VAYeM4g7cOoCD7goE15lYLSRsrQJGn/iizLdL/I+IqSvTaGwgE+I
yKvl7wJ1fEfy9sKCTls9INZdMnJXmlC4+Pq8phmW9QoSSIxNFqRDZ13IduXHbpXe
xyeAr7U5b5GzPtGclu6XX0vyuOct2mf984xHbe06ecJF2KjsXi44spszPP2elHQ=
=hcxy
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUleZCxLndAQH1ShLAQIBJg//QQu3xrtuu9ih58oH8qM7DMO/AJ221gtL
ON7CHDwIU0K+T/dNFW2UU42SQ1l93m1MCwvQeE8slaLvtKTHFMXAqFQ2pAJrIw5n
+7yN7RwwCE/EOn4W/KDwtYId76RkivRMXMiJO/BBlda5cLahJqNO5D90p7c3VXe9
pKKpd6Lek88DGPFMqy1ID8WrQ7t6KnQeb5vuJFN8cYyhdzcATHJZHz2gtCgPVv9F
IGswFGqRGaPsEhNqbsuDXPbG6I9IU2vWVuhHaJdESgx74ezJRpIkj8yuR0ANwroN
Oo/JLt/3xO/mnNywe6WVyOEzirW20tGtbklSKBSamkpBNVJIf8jDi9sWEVqcZayU
id8iMYFAvrDL7/MDyDEF5iAaH4nJd/bt29/xIvqmdHEvq3bRahrbCA9j7szbKBiD
AWW+VEZfvtiIO6T+cX6ZMH+RkgqaQEn4jisPrBKqgNoMyiNutz8qhI+wcBunCXcu
xjuef9HpwO1QPQ8Do9cySuhEHuhr8AGue8D+/UnGEuYJpnPMa6aLrCabQO4twTL+
3H6EJ3uQE8n5APhvAFDYfJnlL/tqH98+qPbZW7beijGwFDfRVXW48gVFsMGEKtGJ
8yUZP++ttxphPQCb4dK28NVcrzJrVQUHuhaA6Q+MqemgVzd/8AWCCyLj6Tydobdx
YHnkITs3p1M=
=+ALg
-----END PGP SIGNATURE-----