-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0179
           Multiple vulnerabilities have been identified in Xen
                             11 February 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xen
Publisher:         Xen
Operating System:  Xen
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Increased Privileges  -- Existing Account      
                   Denial of Service     -- Remote/Unauthenticated
                   Read-only Data Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-1896 CVE-2014-1895 CVE-2014-1894
                   CVE-2014-1893 CVE-2014-1892 CVE-2014-1891

Original Bulletin: 
   http://xenbits.xenproject.org/xsa/advisory-84.html
   http://xenbits.xenproject.org/xsa/advisory-85.html
   http://xenbits.xenproject.org/xsa/advisory-86.html

Comment: This bulletin contains three (3) Xen security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 Xen Security Advisory CVE-2014-1891,CVE-2014-1892,CVE-2014-1893,CVE-2014-1894 / XSA-84
                              version 3

           integer overflow in several XSM/Flask hypercalls

UPDATES IN VERSION 3
====================

CVE numbers have been assigned.

ISSUE DESCRIPTION
=================

The FLASK_{GET,SET}BOOL, FLASK_USER and FLASK_CONTEXT_TO_SID
suboperations of the flask hypercall are vulnerable to an integer
overflow on the input size. The hypercalls attempt to allocate a
buffer which is 1 larger than this size and is therefore vulnerable to
integer overflow and an attempt to allocate then access a zero byte
buffer.  (CVE-2014-1891)

Xen 3.3 through 4.1, while not affected by the above overflow, have a
different overflow issue on FLASK_{GET,SET}BOOL (CVE-2014-1893) and
expose unreasonably large memory allocation to aribitrary guests
(CVE-2014-1892).

Xen 3.2 (and presumably earlier) exhibit both problems with the
overflow issue being present for more than just the suboperations
listed above.  (CVE-2014-1894 for the subops not covered above.)

The FLASK_GETBOOL op is available to all domains.

The FLASK_SETBOOL op is only available to domains which are granted
access via the Flask policy.  However the permissions check is
performed only after running the vulnerable code and the vulnerability
via this subop is exposed to all domains.

The FLASK_USER and FLASK_CONTEXT_TO_SID ops are only available to
domains which are granted access via the Flask policy.

IMPACT
======

Attempting to access the result of a zero byte allocation results in
a processor fault leading to a denial of service.

VULNERABLE SYSTEMS
==================

All Xen versions back to at least 3.2 are vulnerable to this issue when
built with XSM/Flask support. XSM support is disabled by default and is
enabled by building with XSM_ENABLE=y.

We have not checked earlier versions of Xen, but it is likely that
they are vulnerable to this or related vulnerabilities.

All Xen versions built with XSM_ENABLE=y are vulnerable.

MITIGATION
==========

There is no useful mitigation available in installations where XSM
support is actually in use.

In other systems, compiling it out (with XSM_ENABLE=n) will avoid the
vulnerability.

CREDITS
=======

This issue was discovered by Matthew Daley.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa84-unstable-4.3.patch        xen-unstable,Xen 4.3.x
xsa84-4.2.patch                 Xen 4.2.x
xsa84-4.1.patch                 Xen 4.1.x


$ sha256sum xsa84*.patch
e33dd94499959363ad01bebefda9733683c49fd42a9641cf2d7edcd87f853d55  xsa84-4.1.patch
433f3c8a202482c51a48dc0e9e47ac8751d1c0d0759b7bcd22804e1856279a89  xsa84-4.2.patch
64ae433eb606c5446184c08e6fceb9f660ed9a9c28ec112c8cc529251b3b49fb  xsa84-unstable-4.3.patch
$
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJS+LgGAAoJEIP+FMlX6CvZH1MH/00JKMYdEyaSA3oVGRTeV3Wk
/ZgZl0dTuEBYLWTh/sE8txPGVb7jOvc4pzuhZ8Z0rvh4J10EKjqIUutSs0QR6m3U
+3H+C/eHW98oselKT1csUoIZuf+3oTkZeryVeTyUi7g04xoYHpljT/u+gku8Twuz
G8D3ckchHx5Zi40u0hQWAIOyJxwlpXD74mv2hnHa7X30anpLgGhsBxGLoghJSJwd
x+i82krxbs0Ac7zKQBeVpPhVHE7QHR5Em1BqkxxtT8c93aujeD0Lkdw2H2ki1uOc
+XOEwl/kT9TqiiHy+D+wZwY08xwijC4MZrxvVW35M6DupAG/4i9mv/ICs1GGfK8=
=GrAi
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2014-1895 / XSA-85
                              version 3

          Off-by-one error in FLASK_AVC_CACHESTAT hypercall

UPDATES IN VERSION 3
====================

CVE assigned.

ISSUE DESCRIPTION
=================

The FLASK_AVC_CACHESTAT hypercall, which provides access to per-cpu
statistics on the Flask security policy, incorrectly validates the
CPU for which statistics are being requested.

IMPACT
======

An attacker can cause the hypervisor to read past the end of an
array. This may result in either a host crash, leading to a denial of
service, or access to a small and static region of hypervisor memory,
leading to an information leak.

VULNERABLE SYSTEMS
==================

Xen version 4.2 and later are vulnerable to this issue when built with
XSM/Flask support. XSM support is disabled by default and is enabled
by building with XSM_ENABLE=y.

Only systems with the maximum supported number of physical CPUs are
vulnerable. Systems with a greater number of physical CPUs will only
make use of the maximum supported number and are therefore vulnerable.

By default the following maximums apply:
 * x86_32: 128 (only until Xen 4.2.x)
 * x86_64: 256
These defaults can be overridden at build time via max_phys_cpus=N.

The vulnerable hypercall is exposed to all domains.

MITIGATION
==========

Rebuilding Xen with more supported physical CPUs can avoid the
vulnerability; provided that the supported number is strictly greater
than the actual number of CPUs on any host on which the hypervisor is
to run.

If XSM is compiled in, but not actually in use, compiling it out (with
XSM_ENABLE=n) will avoid the vulnerability.

CREDITS
=======

This issue was discovered by Matthew Daley.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa85.patch        xen-unstable, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa85*.patch
20571024e6815eeb40d2f92a3d70ae699047cffafb5431ec74b652e0843a5315  xsa85.patch
$

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJS+LcqAAoJEIP+FMlX6CvZPk8H/iA8bLP81SKPT6IUlaw8RjzU
ZECj3ord+tLAcjvu93RmI5WVANNscwNdxhBIVQApzFOqMC5LGho5HHXgvi2WuRo4
zc3b4djT0PN6tTMAhJZU9WwZxIQx+60VSDpIJbVGyLrEjGHxS/l/liM3cOuj5FZs
ZpT3cQ47yHskkgCXGhdR4keAaXEA9qBtQ6EbraMWt/ynjXmZ2UGQyRB+md3IaG38
FOhzVIVvsGJ0ZrxhByrBrNYN04Fdnqx707dNIg5fYflqzuTJkuMiL4dLlBJBMeiP
aVEIAW1TD3ObiXNbC3/AjrXdgttA5e1JIHGJb9LV0RO1rhjuyZGLiLNp+Omx3KI=
=wpcu
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2014-1896 / XSA-86
                              version 3

           libvchan failure handling malicious ring indexes

UPDATES IN VERSION 3
====================

CVE assigned.

ISSUE DESCRIPTION
=================

libvchan (a library for inter-domain communication) does not correctly
handle unusual or malicious contents in the xenstore ring.  A
malicious guest can exploit this to cause a libvchan-using facility to
read or write past the end of the ring.

IMPACT
======

libvchan-using facilities are vulnerable to denial of service and
perhaps privilege escalation.

There are no such services provided in the upstream Xen Project
codebase.

VULNERABLE SYSTEMS
==================

All versions of libvchan are vulnerable.  Only installations which use
libvchan for communication involving untrusted domains are vulnerable.

libvirt, xapi, xend, libxl and xl do not use libvchan.  If your
installation contains other Xen-related software components it is
possible that they use libvchan and might be vulnerable.

Xen versions 4.1 and earlier do not contain libvchan.

MITIGATION
==========

Disabling libvchan-based facilities could be used to mitigate the
vulnerability.

CREDITS
=======

This issue was discovered by Marek Marczykowski-Górecki of Invisible
Things Lab.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

After the patch is applied to the Xen tree and built, any software
which is statically linked against libvchan will need to be relinked
against the new libvchan.a for the fix to take effect.

xsa86.patch        Xen 4.2.x, 4.3.x, 4.4-RC series, and xen-unstable

$ sha256sum xsa86*.patch
cd2df017e42717dd2a1b6f2fdd3ad30a38d3c0fbdd9d08b5f56ee0a01cd87b51  xsa86.patch
$
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJS+LcuAAoJEIP+FMlX6CvZBjgH/RdmdarkaX/Bravq46egUtWT
OohBLoP+tnkg3w3DSvWlD45dlnwH2ptD/PTxyoH7XMoiajX0h3WRYf8ddu63Nwtl
qghb6EDuYF+iLf9nthdYqreVLdKQOJYXCv6c3i6odHRzGadb3cWTIv1xSDZcn+Qw
djSk2huXpuRVkpJeX05PNCkBktRe0Shwy0zgTUNC0GjWItma+NIKdvRODkON1Ai9
ilRsmlQXc2BJ7RcJGmvtcHEdIgLMJ8MzRZWspFPTuqRbQ1+XUJUxxQvJBAqIYRQ3
29iS0GxqXZDSWtTlY4xwAEdwtzsqVZx8VMQioxLUSB4fqm1s4XEfQEkH5VwoBs8=
=HSDt
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUvl8UhLndAQH1ShLAQLZWw/9Gxp6pC3RkUEvHaLJ0QM/rRY0kBBW5thi
9Ky1rFNmQTd5TBskbqKvEdlfkBETzom4mX9U2FdfTVPRtTlj9rjhiMnQtPutn2gs
Wkh2+XyQIitLKKYdtH/440d4plqDWGJGLJRtHOq8l2Ph7GeZ6/EoEXuVoFKLDfyW
fjXBICDUJGT9TSRrB6VhaaRHn4hvUf5MNF7aBbOiXs2cdRhYejpjHJn4gMMiEXIb
YddGbeG1SYc4/iJjwTf//s7azRtKIedKEdpYPMEqo8e+Qx8PyacCiq1xYBftHCZL
pNnM76PyBH9r/Zlts5v3AEmDgAmw58Fj71RR5jYFlPD6mLdlnf9TtvojSx7t43dr
NadC2Hr4w8ItTsK/F6x13dRyunEFLX/Xfd32ioYsvdpMmpr96EfTZ12J9NiJC5Vc
Bfhy0yQsk2r7XjIsWEcL/+gUdbi03cSIQ8kchAvwcujYBvfXK8m8tt+hclHHLzYK
RDTq0cF88jx33+LtT11CJtjTrDBvJ/nBDjEMa939VgaaGVzjirZu5joERf/wJ3/Z
1GLOQZVUsopR165xFbX6FSNwW0Xdyl+AjFX80KSCmWEEDXA5CjNvYNhNC7jFzKfi
hImta0DzNau7MmYFdm0e57Ty7gSAh8TbZdbNWOR9mJ97PVdgMUi3ZHYKqL5rI0vs
CND2l73+kU8=
=hCPW
-----END PGP SIGNATURE-----