===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1440
       Xen Security Advisory XSA-67, XSA-68, XSA-69, XSA-70 & XSA-71
                               11 October 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xen
Publisher:         Xen
Operating System:  Xen
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
                   Access Confidential Data        -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-4375 CVE-2013-4371 CVE-2013-4370 CVE-2013-4369
                   CVE-2013-4368

Original Bulletin:
   http://xenbits.xen.org/xsa/advisory-67.html
   http://xenbits.xen.org/xsa/advisory-68.html
   http://xenbits.xen.org/xsa/advisory-69.html
   http://xenbits.xen.org/xsa/advisory-70.html
   http://xenbits.xen.org/xsa/advisory-71.html

Comment: This bulletin contains five (5) Xen security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

            Xen Security Advisory CVE-2013-4368 / XSA-67
                              version 2

          Information leak through outs instruction emulation

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The emulation of the outs instruction for 64-bit PV guests uses an uninitialized variable as the segment base for the source data if an FS: or GS: segment override is used, and if the segment descriptor that the respective non-null selector in the corresponding selector register points to cannot be read by the emulation code (this is possible if the segment register was loaded before a more recent GDT or LDT update, i.e. the segment register contains stale data).
A malicious guest might be able to get hold of contents of the hypervisor stack, through the fault address passed to the page fault handler if the outs raises such a fault (which is mostly under guest control). Other methods for indirectly deducing information also exist.

IMPACT
======

A malicious 64-bit PV guest might conceivably gain access to sensitive data relating to other guests.

VULNERABLE SYSTEMS
==================

Xen 3.1.x and later are vulnerable.

Only 64-bit PV guests can take advantage of this vulnerability.

MITIGATION
==========

Running only HVM or 32-bit PV guests will avoid this issue.

CREDITS
=======

This issue was discovered by Coverity Scan and Matthew Daley.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa67.patch        Xen 4.2.x, Xen 4.3.x, xen-unstable

$ sha256sum xsa67*.patch
7de3ac9baa6cd9fead46e68912dfa0189e900095317645d0e33d85346fc8a028  xsa67.patch
$

            Xen Security Advisory CVE-2013-4369 / XSA-68
                              version 2

      possible null dereference when parsing vif ratelimiting info

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The libxlu library function xlu_vif_parse_rate does not properly handle inputs which consist solely of the '@' character, leading to a NULL pointer dereference.

IMPACT
======

A toolstack which allows untrusted users to specify an arbitrary configuration for the VIF rate can be subjected to a DoS.
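The parsing failure described above, as an added example that is not the libxlu code: a simplified C parser for an xl-style VIF rate string, assumed here to take the form RATE/s[@INTERVAL] (e.g. 10Mb/s@20ms) with an assumed default interval of 50ms. The point of the fix is the NULL check on the first strtok(3) token, which is what the bare "@" input produces.

```c
/* Constructed example, not the libxlu code: a simplified parser for an xl-style
 * VIF rate string "RATE/s[@INTERVAL]" (e.g. "10Mb/s@20ms") with the XSA-68 check. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* "10Mb/s" -> bytes per second.  Assumed units: G/M/K prefix, B = bytes, b = bits. */
static int parse_bytes_per_sec(const char *s, uint64_t *out)
{
    if (s == NULL || *s < '0' || *s > '9') return -EINVAL;   /* reject "", "-1", " 5" */
    char *end; uint64_t n = strtoull(s, &end, 10);
    uint64_t mult = *end == 'G' ? 1000000000ULL : *end == 'M' ? 1000000ULL : *end == 'K' ? 1000ULL : 1;
    if (mult > 1) end++;
    int bits = (*end == 'b');
    if (*end != 'B' && *end != 'b') return -EINVAL;
    end++;
    if (strcmp(end, "/s") != 0) return -EINVAL;
    *out = bits ? n * mult / 8 : n * mult;
    return 0;
}

/* "20ms" -> microseconds.  Assumed units: s, ms, us. */
static int parse_interval_usecs(const char *s, uint32_t *out)
{
    if (s == NULL || *s < '0' || *s > '9') return -EINVAL;
    char *end; uint64_t n = strtoull(s, &end, 10);
    if (strcmp(end, "s") == 0) n *= 1000000;
    else if (strcmp(end, "ms") == 0) n *= 1000;
    else if (strcmp(end, "us") != 0) return -EINVAL;
    if (n == 0 || n > UINT32_MAX) return -EINVAL;
    *out = (uint32_t)n;
    return 0;
}

/* Returns 0, or -EINVAL for malformed input such as the bare "@" of XSA-68. */
int parse_vif_rate(const char *rate, uint64_t *bytes_per_sec, uint32_t *interval_usecs)
{
    char buf[64];
    if (strlen(rate) >= sizeof buf) return -EINVAL;
    strcpy(buf, rate);
    char *ratetok = strtok(buf, "@");
    if (ratetok == NULL) return -EINVAL;            /* strtok gives NULL for "" or "@" */
    char *intervaltok = strtok(NULL, "@");
    if (strtok(NULL, "@") != NULL) return -EINVAL;  /* reject a second '@' */
    if (parse_bytes_per_sec(ratetok, bytes_per_sec)) return -EINVAL;
    *interval_usecs = 50000;                        /* assumed default: 50ms */
    if (intervaltok && parse_interval_usecs(intervaltok, interval_usecs)) return -EINVAL;
    return 0;
}
```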
The only known user of this library is the xl toolstack, which does not have a central long-running daemon; the impact is therefore limited to crashing the process which is creating the domain, which exists only to service a single domain.

VULNERABLE SYSTEMS
==================

The vulnerable code is present from Xen 4.2 onwards.

MITIGATION
==========

Disallowing untrusted users from specifying arbitrary VIF rate limits will avoid this issue.

CREDITS
=======

This issue was discovered by Coverity Scan and Matthew Daley.

RESOLUTION
==========

Applying the attached patch resolves this issue in all branches.

xsa68.patch        xen-unstable, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa68*.patch
64716cb49696298e0bbd9556fe9d6f559a4e2785081e28d50607317b6e27ba32  xsa68.patch
$

            Xen Security Advisory CVE-2013-4370 / XSA-69
                              version 2

           misplaced free in ocaml xc_vcpu_getaffinity stub

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The ocaml binding for the xc_vcpu_getaffinity function incorrectly frees a pointer before using it, and subsequently frees it again afterwards. The code therefore contains use-after-free and double-free flaws.

IMPACT
======

An attacker may be able to cause a multithreaded toolstack written in ocaml and using this function to race against itself, leading to heap corruption and a potential DoS. Depending on the malloc implementation, code execution cannot be ruled out.
VULNERABLE SYSTEMS
==================

The flaw is present in Xen 4.2 onwards.

Systems using an ocaml based toolstack (e.g. xapi) are vulnerable.

MITIGATION
==========

Not calling the vcpu_getaffinity function will avoid this issue.

Not allowing untrusted users access to toolstack functionality will avoid this issue.

CREDITS
=======

This issue was discovered by Coverity Scan and Matthew Daley.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa69.patch        Xen 4.3.x, Xen 4.2.x, xen-unstable

$ sha256sum xsa69*.patch
d3beb662aacf628b6a25ff6cfcd9526ab689aa43a56cf25e792a001f89b4edbc  xsa69.patch
$

            Xen Security Advisory CVE-2013-4371 / XSA-70
                              version 2

        use-after-free in libxl_list_cpupool under memory pressure

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

If realloc(3) fails then libxl_list_cpupool will incorrectly return the now-free original pointer.

IMPACT
======

An attacker may be able to cause a multithreaded toolstack using this function to race against itself, leading to heap corruption and a potential DoS. Depending on the malloc implementation, code execution cannot be ruled out.

VULNERABLE SYSTEMS
==================

The flaw is present in Xen 4.2 onwards.

Systems using the libxl toolstack library are vulnerable.

MITIGATION
==========

Not calling the libxl_list_cpupool function will avoid this issue.
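The realloc(3) failure path described above, as an added example that is not the libxl code: a constructed C model of a list-growing routine whose error path frees the partial list, with an assumed flag (fixed_error_path) selecting whether the routine returns the dangling pointer, as the vulnerable code did, or NULL. The allocation hook and sample pool data are constructed for this example.

```c
/* Constructed example, not the libxl code: a simplified model of the XSA-70
 * bug.  A list is grown with realloc(3); when allocation fails, the error
 * path frees the list but still returns the old, now dangling, pointer.
 * Passing fixed_error_path = 1 selects the corrected behaviour. */
#include <stdlib.h>

struct poolinfo { unsigned poolid; };

/* Allocation hook so a test can inject an out-of-memory condition on the
 * n-th realloc call (-1 means never fail). */
static int realloc_calls, fail_realloc_on_call = -1;
static void *hook_realloc(void *p, size_t n)
{
    return (realloc_calls++ == fail_realloc_on_call) ? NULL : realloc(p, n);
}

/* Stand-in for the per-pool hypervisor query; returns 0 once the list is exhausted. */
static int next_pool(int i, struct poolinfo *out)
{
    if (i >= 3) return 0;
    out->poolid = 100 + i;          /* constructed sample data */
    return 1;
}

/* Returns a malloc'd array of *nb entries, or NULL on failure (when fixed). */
struct poolinfo *list_pools(int *nb, int fixed_error_path)
{
    struct poolinfo *ptr = NULL, *tmp, info;
    int i;
    *nb = 0;
    for (i = 0; next_pool(i, &info); i++) {
        tmp = hook_realloc(ptr, sizeof(*ptr) * (i + 1));
        if (!tmp) {
            free(ptr);              /* the partial list is released here ... */
            if (fixed_error_path)
                ptr = NULL;         /* ... so the caller must get NULL, not ptr */
            goto out;               /* vulnerable path: returns the freed ptr */
        }
        ptr = tmp;
        ptr[i] = info;
    }
    *nb = i;
out:
    return ptr;
}
```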
Not allowing untrusted users access to toolstack functionality will avoid this issue.

CREDITS
=======

This issue was discovered by Coverity Scan and Matthew Daley.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa70.patch        Xen 4.3.x, Xen 4.2.x, xen-unstable

$ sha256sum xsa70*.patch
2582d3d545903af475436145f7e459414ad9d9c61d5720992eeeec42de8dde56  xsa70.patch
$

            Xen Security Advisory CVE-2013-4375 / XSA-71
                              version 2

                qemu disk backend (qdisk) resource leak

UPDATES IN VERSION 2
====================

Public release.

Fix patch header corruption in xsa71-qemu-xen-unstable.patch.

ISSUE DESCRIPTION
=================

The qdisk PV disk backend in the qemu-xen flavour of qemu ("upstream qemu") can be influenced by a malicious frontend to leak mapped grant references.

IMPACT
======

A malicious HVM guest can cause the backend domain to run out of grant references, leading to a DoS for any other domain which shares that driver domain.

VULNERABLE SYSTEMS
==================

Any system which is using the qemu-xen qdisk backend for HVM guests is vulnerable.

qemu-xen and qdisk are exposed by systems using libxl from Xen 4.2.0 onwards. In Xen 4.2.0 qemu-xen was a non-default option; from Xen 4.3.0 onwards qemu-xen is the default.

Xen 4.1.0 exposes qdisk via libxl but does not support qemu-xen and therefore is not vulnerable.

The xend toolstack has never supported qdisk as a disk backend and therefore such systems are not vulnerable.
Upstream qemu is vulnerable from version 1.1 onwards.

MITIGATION
==========

This vulnerability can be avoided by using a different block backend (e.g. blkback or blktap2) or by using the qemu-xen-traditional version of qemu. Users of the xl toolstack, see docs/misc/xl-disk-configuration.txt for information on forcing the use of a particular disk backend and xl.cfg(5) for information on forcing the use of qemu-xen-traditional.

Systems which only run PV guests and/or run HVM guests without PV drivers are not vulnerable.

CREDITS
=======

This issue was discovered by Coverity Scan and Matthew Daley.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa71-qemu-xen-unstable.patch    xen-unstable, Xen 4.3.x
xsa71-qemu-xen-4.2.patch         Xen 4.2.x

$ sha256sum xsa71*.patch
a3f667e251a32fa5eff4a78eae49acd020b2f340fb203dc08a033d43841b0a2a  xsa71-qemu-xen-4.2.patch
f5ec607babb01dc8f8065dfe121882af4c3d93c035bafbfed48825dea684d6d9  xsa71-qemu-xen-unstable.patch
$

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.
NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.