Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2014.0683 Xen Security Advisory CVE-2014-3125 / XSA-91 version 3 7 May 2014 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Xen Publisher: Xen Operating System: Xen UNIX variants (UNIX, Linux, OSX) Impact/Access: Denial of Service -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2014-3125 Original Bulletin: http://xenbits.xenproject.org/xsa/advisory-91.html - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2014-3125 / XSA-91 version 3 Hardware timer context is not properly context switched on ARM UPDATES IN VERSION 3 ==================== This issue has been assigned CVE-2014-3125. ISSUE DESCRIPTION ================= When running on an ARM platform Xen was not context switching the CNTKCTL_EL1 register, which is used by the guest kernel to control access by userspace processes to the hardware timers. This meant that any guest can reconfigure these settings for the entire system. IMPACT ====== A malicious guest kernel can reconfigure CNTKCTL_EL1 to block userspace access to the timer hardware for all domains, including control domains. Depending on the other guest kernels in use this may cause an unexpected exception in those guests which may lead to a kernel crash and therefore a denial of service. 64-bit ARM Linux is known to be susceptible to crashing in this way. A malicious guest kernel can also enable userspace access to the timer control registers, which may not be expected by kernels running in other domains. This can allow user processes to reprogram timer interrupts and therefore lead to unexpected behaviour, potentially up to and including crashing the guest. Userspace processes will also be able to read the current timestamp value for the domain perhaps leaking information to those processes. VULNERABLE SYSTEMS ================== Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onwards. x86 systems are not vulnerable. MITIGATION ========== None. CREDITS ======= Chen Baozi discovered this issue as a bug which was then diagnosed by Julien Grall. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa91-unstable.patch xen-unstable xsa91-4.4.patch Xen 4.4.x $ sha256sum xsa91*.patch 8a3dc1f001274550acfe929a0a443b09f8164001f6eea76821bd87292b8732e0 xsa91-4.4.patch 327ccd88f2d9bc21daf51f3e5c81cbae2e779a6f997715d9d0d95285c509ecbd xsa91-unstable.patch $ - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJTYidcAAoJEIP+FMlX6CvZKnIH/03L/vIaj+x9AIn0FjKw/ZgH lPP5tVQT4gvBrufxwKX7elH+XPu7bU6j8rQgAkno2VRVM6Emv5/Q41DJEMItG7sm Nfqd833Jdov/2aAGj1kiLsLTv3s72G3XV1hQRviy9Uu9c2JA0Ch2BhurKvwW5K3h 6bRwPljTTaa0GmONHBso9EKHztmf2dViQar9M8WYuVDFmQ8c6fhqUX2uHkkTtdol p2YVQgyej/cnKD1ZGVX9lLmHaw2+QbToY4SyUmRs/DmmK/T13Q+YUXuS3Nt0yY+m 12kkmMNRLvI/y9YHHxNMI9zDev2GpsdhKO3ScJ0iW9y7cC1/zPejWaPF+pU1nC0= =6vG1 - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBU2nFgBLndAQH1ShLAQLjhQ//fif21wdxUFepRLQsDFV4UEN3cPijn19U +kz+HFLT71Mb+TY0CRpuFpBp1EGR51KNH1f238pJqeQTMjkHEbz7mWBddKyIgMTS LtzrmcugrT9R0dYO7pBIINcO/qh31LwoFUFqoJ54J7GkH7p0WKhDJ89drL07AmEk /HOt1EMs77LgIdRysclUyKQWWwoLNOcLtymILuylL4k4PE3igM5tNw2TWrmrcoxA crhi61h6wXpxUhQsrTFwp5e7PuU8GyQa4SSjeS9UpoXVhp8oLYexfCtx6b8JJ9ZC TyQDpId0nz4Uvvuxgk9gHfXxHilJDsxqlPQShBMauswTxg2m+BsDrDC4TomD0f9L Mj2Sv3fiQ4WtaqLUZ1K/YrTIPObN7Q4LsMmqq+Y8soQFAoKsiZOqAiEPFc06GIBJ wYGdN7nk14SsG+cxQdrd2cgZChQgkXEakTgZGAttYWO1Q51w8e/JgYRs3F7E4nUM 1YPx9tmqZs9pafC1ssx8osPXhZO2C48HdxwITt/eCV9rFQdE2nlxx6qy5pa5qrUy XD4tbB/q1jgZmAFjnQ2Rx7uEiD9sQxx9idRUxpbsq70Z42Gy4F3CbERhBzTC2WvD u0IkpghEuFaOJBCUGN9wsXrkeOpx5Xj3adaLM2b1zqf2/TqCpC3X+wp4kZxbDxtd WQLyA6BLG8Q= =0b3m -----END PGP SIGNATURE-----