-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0587
                Xen Security Advisory CVE-2014-2915 / XSA-93
                                24 April 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xen
Publisher:         Xen
Operating System:  Xen
Impact/Access:     Denial of Service -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-2915

Original Bulletin:
  http://xenbits.xenproject.org/xsa/advisory-93.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2014-2915 / XSA-93
                              version 2

        Hardware features unintentionally exposed to guests on ARM

UPDATES IN VERSION 2
====================

This issue has been assigned CVE-2014-2915.

ISSUE DESCRIPTION
=================

When running on an ARM platform Xen was not correctly configuring the
hardware virtualisation platform and therefore did not prevent guests
from accessing various hardware features including cache control,
coprocessors, debug registers and various processor specific
registers.

IMPACT
======

By accessing these hardware facilities a malicious or buggy guest may
be able to cause various issues, including crashing the host, crashing
other guests (including control domains) and data corruption.

Privilege escalation is not thought to be possible but has not been
ruled out.

VULNERABLE SYSTEMS
==================

Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onwards.

x86 systems are not vulnerable.

MITIGATION
==========

None.

NOTE REGARDING LACK OF EMBARGO
==============================

This bug was publicly reported on xen-devel, before it was appreciated
that there was a security problem.
The public mailing list thread contains information strongly
suggestive of a security bug and included example code which can
crash the host.

CREDITS
=======

The initial bug was discovered by Thomas Leonard and further followup
issues were discovered by Julien Grall.

RESOLUTION
==========

Applying the attached patches resolves this issue.

xsa93-unstable-{01..06}.patch   xen-unstable
xsa93-4.4-{01..06}.patch        Xen 4.4.x

$ sha256sum xsa93*.patch
9a01ed1c7d33d2381594af3b0985df50f3aa7f13f5a9989595427407c5a5eb06  xsa93-4.4-01.patch
68ec2bdb48dd232dbabefbe7c971546b52d7001a128471226a41f36e27a806f2  xsa93-4.4-02.patch
541d2d57ee85a9603ae4bf00bb321f6f491354df9e15eb09ddb5ccba68333ecc  xsa93-4.4-03.patch
6a3736e5dea1d45df6b979f02e06e058d8dffdbcf128d2d0984db404a87ebb62  xsa93-4.4-04.patch
282e2cf82ad4345573d21351c242684cd09f384bcd76c262740f9e33f8b04c9c  xsa93-4.4-05.patch
e212ad288eaeccf6a33cab27ecc6515a889365b0c56b5010e91a603ce239a38b  xsa93-4.4-06.patch
9a01ed1c7d33d2381594af3b0985df50f3aa7f13f5a9989595427407c5a5eb06  xsa93-unstable-01.patch
9b472975087dee1d22db8e5f3e55b1589910d84de86b2cad218bfd540fbbd92e  xsa93-unstable-02.patch
f921ba7c1b216dd425035f94ac9eef9374ae5eba4af4cb5a3b7aa3f958a0a767  xsa93-unstable-03.patch
45b7e6b226a4449370c4dbe21aa71c398955e4ed2bc7cf9e4426f29583af14be  xsa93-unstable-04.patch
282e2cf82ad4345573d21351c242684cd09f384bcd76c262740f9e33f8b04c9c  xsa93-unstable-05.patch
e2668f0ecf1e79aa30928791b92a15c15821c8bce7958a5c3fee7563cf81960b  xsa93-unstable-06.patch
$

NOTE: These patches unconditionally deny access by all guests
(including control domains) to various hardware features in order to
close the vulnerability.
Specifically guests are prevented from accessing:

 * coprocessors 0..9, 12 and 13;
 * coprocessor 14 (trace registers);
 * coprocessor 15 encodings:
     CRn==c9,  opc1=={0-7}, CRm=={c0-c2, c5-c8},   opc2=={0-7}
     CRn==c10, opc1=={0-7}, CRm=={c0, c1, c4, c8}, opc2=={0-7}
     CRn==c11, opc1=={0-7}, CRm=={c0-c8, c15},     opc2=={0-7}
   (IMPLEMENTATION DEFINED cache, TCM, branch predictor, memory
   remapping, and TLB control registers);
 * cp15 c15 (IMPLEMENTATION DEFINED);
 * Debug and Performance monitor registers.

We have checked common Operating Systems which are known to run on Xen
on ARM and not found any default uses of these registers. However it is
expected that tools such as the Linux perf tool which make use of debug
and performance registers will no longer function correctly in guest
context.

In addition if your use case requires access to specific coprocessors
by one or more guest domains then additional local patches may be
required to enable this. Where feasible we hope to reenable these use
cases in the future. If this affects you then please contact the
xen-devel mailing list http://lists.xen.org/mailman/listinfo/xen-devel.

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJTV5O6AAoJEIP+FMlX6CvZt7MH+wYxthL+nxagERvLrXQdXlF6
XYctN9gb5iEGwKLI4MLuVYdMqXIa2NfTvTEHfwNyWEp6sS/+nc2V0h8qAqDdhdtO
cNuxV2zK7Ab328SkNVy17y6j0Jgyen0QrOGBwTaNb5CXUHkg3J+YppObvGlTqjDi
HoXeX7Whv4CSqOjgua189e9uNzKtBNsZZepqerli1/tIazWSuOT8KIHp92NKAbLv
hwm9HUS7gN2JmR8wU3DD3DxJp+bfTDXBCKOvGmYILxN+X0pzAtfDgK+RMOBwSD05
iJ3rcs83VR6ITRqdI+hRifesSiS6Yi7OFi3xB2vAdSm6IjsA06pARYPCIPGCQh0=
=Nnq0
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information
or advice contained in this security bulletin is the responsibility of
each user or organisation, and should be considered in accordance with
your organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved
from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIUAwUBU1hcPRLndAQH1ShLAQKsFA/4itBukYz1T/pbnGauuwR374lPgrLw4rri
Ogl8ZWAWIL8cpglrsFzEcaPXw+lBsRT0SAIW1TeXPRUPoTKgxAu447JHvvltimW6
5mnfTQOI2OxrYFB7A5H/kPWa37xoAWHqvN2kwYXhF5scxqCLRFN4lK6qqusDcfn0
WgGp5Mt1GEpKkER4UWLmsDJkjYwHXONS++fG64SubL6XGoUct7loSdORnPQ/DuI1
QFHpu1s3IuhKxVZZqfhiTrsmHoPlLS2aVVBPVL1AATq4jEkmKQJ6ot5cmoxCRLGR
vecW1X0H7EiEH4kkecaIQfm1irvskCGbZMnIVjRlQudI56e1xpJiVj9jr+8k242O
uhDgR8l8L+g1p0CRd7fbgDYMhejmRYxaZwAaXnJtZfD7uSnNi5nIcDXW5mo8om6C
qHOsj7rRBQ9M1pztWpdsKsD4hZ26b5jg2sqRXaLYn1qB9Nu0h8v/Ajq/u8gttNB4
KNtth59Sw2G1yct541/vvQ7Bmkt5CO04cPJLV0fWq6cs2crPEqfk4On811rGvJbq
umlNjjQeCi3UwJDyXEIw9rwjMu8niTGjyINw6BGYPGF6oQ4uO8B8bziBCUQ34eKD
vFhIHX6eVGy7wX4q3qwh2z5pXXBg/NoJPyvy8yazGzQpDE+x6woGFJKUvFzKIPZ2
Ba9SEM3nLQ==
=w7mB
-----END PGP SIGNATURE-----
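The sha256 digests printed under RESOLUTION in the advisory above are meant to be checked before any of the XSA-93 patches is applied to a Xen tree. The script below is an added example, not part of the Xen advisory or of AusCERT's bulletin: it copies the published file names and digests into a manifest, hashes each downloaded patch and reports OK, FAILED or MISSING per file, returning non-zero if anything is wrong. It assumes a POSIX shell with a `sha256sum` binary (GNU coreutils or busybox) on the PATH, and that the patches have already been downloaded into the directory given as its argument; `verify_manifest` is a hypothetical helper name, not a Xen or AusCERT tool.

```shell
#!/bin/sh
# Added example (not from the advisory): verify downloaded XSA-93 patches
# against the sha256 digests published in the RESOLUTION section.
# Assumes `sha256sum` (GNU coreutils or busybox) is on the PATH.

# Digests and file names copied verbatim from the advisory, in the
# "<sha256>  <file>" layout that `sha256sum` itself prints.
XSA93_SUMS='9a01ed1c7d33d2381594af3b0985df50f3aa7f13f5a9989595427407c5a5eb06  xsa93-4.4-01.patch
68ec2bdb48dd232dbabefbe7c971546b52d7001a128471226a41f36e27a806f2  xsa93-4.4-02.patch
541d2d57ee85a9603ae4bf00bb321f6f491354df9e15eb09ddb5ccba68333ecc  xsa93-4.4-03.patch
6a3736e5dea1d45df6b979f02e06e058d8dffdbcf128d2d0984db404a87ebb62  xsa93-4.4-04.patch
282e2cf82ad4345573d21351c242684cd09f384bcd76c262740f9e33f8b04c9c  xsa93-4.4-05.patch
e212ad288eaeccf6a33cab27ecc6515a889365b0c56b5010e91a603ce239a38b  xsa93-4.4-06.patch
9a01ed1c7d33d2381594af3b0985df50f3aa7f13f5a9989595427407c5a5eb06  xsa93-unstable-01.patch
9b472975087dee1d22db8e5f3e55b1589910d84de86b2cad218bfd540fbbd92e  xsa93-unstable-02.patch
f921ba7c1b216dd425035f94ac9eef9374ae5eba4af4cb5a3b7aa3f958a0a767  xsa93-unstable-03.patch
45b7e6b226a4449370c4dbe21aa71c398955e4ed2bc7cf9e4426f29583af14be  xsa93-unstable-04.patch
282e2cf82ad4345573d21351c242684cd09f384bcd76c262740f9e33f8b04c9c  xsa93-unstable-05.patch
e2668f0ecf1e79aa30928791b92a15c15821c8bce7958a5c3fee7563cf81960b  xsa93-unstable-06.patch'

# verify_manifest MANIFEST DIR  (hypothetical helper, not a Xen tool)
#   MANIFEST: lines of "<sha256>  <file>"; DIR: directory holding the files.
#   Prints one status line per file and returns 0 only when every listed
#   file exists and its digest matches. A here-document is used instead of
#   a pipe so that the loop runs in the current shell and can update rc.
verify_manifest() {
    manifest=$1
    dir=$2
    rc=0
    while read -r want name; do
        [ -n "$name" ] || continue          # skip blank lines
        if [ ! -f "$dir/$name" ]; then
            printf '%s: MISSING\n' "$name"
            rc=1
            continue
        fi
        got=$(sha256sum "$dir/$name" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            printf '%s: OK\n' "$name"
        else
            printf '%s: FAILED (expected %s, got %s)\n' "$name" "$want" "$got"
            rc=1
        fi
    done <<EOF
$manifest
EOF
    return $rc
}

# verify_xsa93 [DIR]: check every patch named in the advisory (default: cwd).
verify_xsa93() {
    verify_manifest "$XSA93_SUMS" "${1:-.}"
}

# Stand-alone use:  sh verify-xsa93.sh /path/to/downloaded/patches
if [ "$#" -gt 0 ]; then
    verify_xsa93 "$1"
fi
```

Because the manifest covers both the xen-unstable and the Xen 4.4 series, a directory holding only one series will report the other six files as MISSING; trim `XSA93_SUMS` to the series you actually apply, or treat MISSING as informational and FAILED as the blocking condition.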