===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1392
   Xen Security Advisory CVE-2014-5147 / XSA-102 version 3 & Xen Security
                 Advisory CVE-2014-5148 / XSA-103 version 3
                               14 August 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xen
Publisher:         Xen
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Xen
Impact/Access:     Denial of Service -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-5148 CVE-2014-5147

Original Bulletin:
   http://xenbits.xen.org/xsa/advisory-102.html
   http://xenbits.xen.org/xsa/advisory-103.html

--------------------------BEGIN INCLUDED TEXT--------------------

            Xen Security Advisory CVE-2014-5147 / XSA-102
                              version 3

     Flaws in handling traps from 32-bit userspace on 64-bit ARM

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

When handling a trap from guest mode on ARM, Xen asserts that the
current guest mode must match the domain address width. This
assertion is false when a guest takes a trap from a 32-bit userspace
running on a 64-bit kernel in a 64-bit domain.

IMPACT
======

Any user in a guest which is running a 64-bit kernel who is able to
spawn a 32-bit process can crash the host. I.e. an unprivileged guest
user can cause host-wide denial of service.

VULNERABLE SYSTEMS
==================

32-bit ARM systems and X86 systems are not vulnerable.

64-bit ARM systems which support 32-bit userspace are vulnerable.

Not all 64-bit ARM CPUs support 32-bit userspace in the actual CPU
hardware. Systems without that hardware support are not vulnerable.

Also, not all 64-bit ARM guest kernels have support for 32-bit userspace.
Systems without that kernel support are vulnerable to a malicious guest
administrator, but not to an unprivileged guest user.

MITIGATION
==========

On systems where the guest kernel is controlled by the host rather
than guest administrator, running only 32-bit kernels.

On systems where the guest kernel is controlled by the host rather
than guest administrator, running 64-bit kernels with support for
32-bit userspace disabled (e.g. CONFIG_COMPAT=n under Linux) will
prevent untrusted guest users from exploiting this issue. However,
untrusted guest administrators can still trigger it unless further
steps are taken to prevent them from loading code into the kernel
(e.g. by disabling loadable modules etc) or from using other
mechanisms which allow them to run code at kernel privilege.

CREDITS
=======

This issue was reported as a bug by Riku Voipio, discovered via
Linaro's LAVA testing and was diagnosed as a security issue by Ian
Campbell.

RESOLUTION
==========

Applying the appropriate attached patches resolves these security issues.

xsa102-unstable-*.patch        xen-unstable
xsa102-4.4-*.patch             Xen 4.4.x

$ sha256sum xsa102*.patch
a5beb5c552e5bffe3e115905c478d6699c35df1d8721f8d6681099c38a974091  xsa102-4.4-01.patch
9f04ecda4dd9e31360daa27d87588d6017d866a97b84566241097def0af86a63  xsa102-4.4-02.patch
a9860803ed5ed57bdc3ac94cdc924618b19e805b7f6a87bf9c1a9ea4b627281a  xsa102-4.4-03.patch
7d0b5e05e5915c6c2d83590ba9acab0acfd1eba986a65a20ba69cf2c3394e062  xsa102-unstable-01.patch
7d5cf339a3f8c98b3e06852f845a2305df3f8ce195d243ee22d6783bb6904d60  xsa102-unstable-02.patch
3ca7b0632af36cc72ba59ed1822bcaebf2363f150435348265d1ade25e21bf90  xsa102-unstable-03.patch
$

            Xen Security Advisory CVE-2014-5148 / XSA-103
                              version 3

 Flaw in handling unknown system register access from 64-bit userspace on ARM

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

When handling an unknown system register access from 64-bit userspace
Xen would incorrectly return to the second instruction of the trap
handler for faults in kernel space rather than the first instruction
of the trap handler for faults in 64-bit userspace.

Any user in a guest which is running a 64-bit kernel who is able to
spawn a 64-bit process can cause a trap to the kernel to be taken at
an unexpected (but not user controlled) exception address.

Known versions of Linux in the default configuration will Oops and
kill the offending process, and therefore avoid this vulnerability.
However, local configuration may turn such an Oops into a kernel panic,
and therefore a guest denial of service.

IMPACT
======

Depending on the guest kernel implementation, kernel crash (guest DoS) or
privilege elevation to that of the guest kernel cannot be ruled out.

This issue does not enable an attack on the host.

VULNERABLE SYSTEMS
==================

64-bit ARM systems may be vulnerable, depending on the guest kernel.

All versions of Linux released by Linux upstream to date avoid this
vulnerability. Systems based on modified versions of Linux may be
vulnerable.

32-bit ARM systems, and X86 systems, are not vulnerable.

MITIGATION
==========

There is no known mitigation for this issue.

CREDITS
=======

This issue was reported as a bug by Riku Voipio, discovered via
Linaro's LAVA testing and was diagnosed as a security issue by Ian
Campbell.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

The patch for XSA-103 (specifically, xsa102-*-02.patch) must be
applied first.

xsa103-unstable.patch        xen-unstable
xsa103-4.4.patch             Xen 4.4.x

$ sha256sum xsa103*.patch
fee2e0be91d08aa28ba44b616edd99a1bfcdec419966c3f9e843a842d649e4ea  xsa103-4.4.patch
838d059618d31b272ec10ac8cbb6613a68b634c98418aff2a33cd514ed06b55a  xsa103-unstable.patch
$

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your
organisation, so if you do not wish to continue receiving these bulletins
you should contact your local IT manager. If you do not know who that is,
please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
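
The XSA-102 MITIGATION section above, as an added example (not part of the Xen advisory or the AusCERT bulletin): a shell check that classifies a host-controlled Linux guest kernel .config by who can still reach the bug. The function names and verdict strings are hypothetical, and mapping the advisory's wording to the Kconfig symbols CONFIG_ARM64, CONFIG_COMPAT and CONFIG_MODULES is an assumption of the example.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a Linux guest kernel .config
# against the XSA-102 mitigation. Function names and verdict strings are
# hypothetical; CONFIG_ARM64, CONFIG_COMPAT and CONFIG_MODULES are the Kconfig
# symbols assumed to correspond to the advisory's wording.

# kconfig_on FILE SYMBOL: succeeds if SYMBOL is set to y or m in FILE.
# Disabled symbols appear as "# SYMBOL is not set" or are absent, so they fail.
kconfig_on() {
    grep -Eq "^$2=[ym]\$" "$1"
}

# xsa102_guest_exposure FILE: prints one verdict for the guest kernel config.
xsa102_guest_exposure() {
    cfg=$1
    if [ ! -r "$cfg" ]; then
        echo "config-unreadable"
        return 2
    fi
    if ! kconfig_on "$cfg" CONFIG_ARM64; then
        # The advisory's trigger needs a 64-bit kernel in a 64-bit domain.
        echo "not-64bit-arm-kernel"
    elif kconfig_on "$cfg" CONFIG_COMPAT; then
        # 32-bit userspace available: any guest user who can spawn a 32-bit
        # process can reach the bug (if the CPU implements 32-bit userspace).
        echo "exposed-to-guest-users"
    elif kconfig_on "$cfg" CONFIG_MODULES; then
        # Users are blocked, but a guest administrator can still load kernel code.
        echo "exposed-to-guest-admins"
    else
        # Other routes to kernel privilege are outside what a .config shows.
        echo "users-blocked-modules-off"
    fi
}

# Constructed sample: an arm64 guest config with compat off but modules on.
sample=$(mktemp)
printf '%s\n' 'CONFIG_ARM64=y' '# CONFIG_COMPAT is not set' \
    'CONFIG_MODULES=y' > "$sample"
xsa102_guest_exposure "$sample"    # prints: exposed-to-guest-admins
rm -f "$sample"
```

The verdict only describes the kernel the host supplies; where the guest administrator chooses the kernel, the advisory's mitigation does not apply and the patches are the only fix.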