12 September 2014
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2014.1554.2
                       Xen Security Advisory XSA-107
                             12 September 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xen
Publisher:         Xen
Operating System:  Xen
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-6268

Original Bulletin:
   http://xenbits.xen.org/xsa/advisory-107.html

Revision History:  September 12 2014: CVE assigned.
                   September 10 2014: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

             Xen Security Advisory CVE-2014-6268 / XSA-107
                              version 2

   Mishandling of uninitialised FIFO-based event channel control blocks

UPDATES IN VERSION 2
====================

CVE assigned.

ISSUE DESCRIPTION
=================

When using the FIFO-based event channels, there are no checks for the
existence of a control block when binding an event or moving it to a
different VCPU.  This is because events may be bound when the ABI is
in 2-level mode (e.g., by the toolstack before the domain is started).

The guest may trigger a Xen crash in evtchn_fifo_set_pending() if:

  a) the event is bound to a VCPU without a control block; or
  b) VCPU 0 does not have a control block.

In case (a), Xen will crash when looking up the current queue.  In
(b), Xen will crash when looking up the old queue (which defaults to a
queue on VCPU 0).

IMPACT
======

A buggy or malicious guest can crash the host.

VULNERABLE SYSTEMS
==================

Xen 4.4 and onward are vulnerable.

MITIGATION
==========

None.

CREDITS
=======

This issue was originally reported by Vitaly Kuznetsov at Red Hat and
diagnosed as a security issue by David Vrabel at Citrix.

NOTE REGARDING LACK OF EMBARGO
==============================

This bug was publicly reported on xen-devel, before it was appreciated
that there was a security problem.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa107-unstable.patch        xen-unstable
xsa107-4.4.patch             Xen 4.4.x

$ sha256sum xsa107*.patch
b92ba8085b6684abbc8b012ae1a580b9e7ed7c8e67071a9e70381d4c1009638b  xsa107-4.4.patch
cd954a5bd742c751f8db884a3f31bd636a8c5850acddf5f1160dd6be1f706a09  xsa107-unstable.patch
$

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
firstname.lastname@example.org and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: email@example.com
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
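
A simplified user-space model of the two crash conditions listed in the issue description, added here as an illustration; it is not Xen source code or the XSA-107 patch, and every type and function name in it is hypothetical. It shows an existence check of the kind the advisory says was missing, applied to both the current queue (case a) and the old queue that defaults to VCPU 0 (case b).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_VCPUS 4

/* Hypothetical model types; these are not Xen's data structures. */
struct control_block { unsigned int linked; };
struct vcpu_model    { struct control_block *cb; };  /* NULL until initialised */
struct event_model   { unsigned int bound_vcpu, last_vcpu; bool pending; };

enum set_result { SET_OK, SET_NO_TARGET_CB, SET_NO_OLD_CB, SET_BAD_VCPU };

/* Guarded set-pending: never dereference a control block that was not set up. */
enum set_result model_set_pending(struct vcpu_model *vcpus, struct event_model *ev)
{
    if (ev->bound_vcpu >= MAX_VCPUS || ev->last_vcpu >= MAX_VCPUS)
        return SET_BAD_VCPU;

    /* Case (a): the event is bound to a VCPU without a control block. */
    struct control_block *cur = vcpus[ev->bound_vcpu].cb;
    if (cur == NULL)
        return SET_NO_TARGET_CB;

    /* Case (b): the old queue defaults to VCPU 0, which may have none. */
    struct control_block *old = vcpus[ev->last_vcpu].cb;
    if (old == NULL)
        return SET_NO_OLD_CB;

    ev->last_vcpu = ev->bound_vcpu;  /* event now lives on its bound VCPU */
    cur->linked++;                   /* stand-in for linking into the queue */
    ev->pending = true;
    return SET_OK;
}

/* Constructed scenario: an event that has never moved (last_vcpu == 0). */
enum set_result run_case(bool vcpu0_has_cb, bool target_has_cb, unsigned int target)
{
    static struct control_block blocks[MAX_VCPUS];
    struct vcpu_model vcpus[MAX_VCPUS] = {{0}};
    struct event_model ev = { .bound_vcpu = target, .last_vcpu = 0, .pending = false };

    if (vcpu0_has_cb) vcpus[0].cb = &blocks[0];
    if (target_has_cb && target < MAX_VCPUS) vcpus[target].cb = &blocks[target];
    return model_set_pending(vcpus, &ev);
}

int main(void)
{
    printf("case a: %d, case b: %d, both initialised: %d\n",
           run_case(true, false, 1), run_case(false, true, 1), run_case(true, true, 1));
    return 0;
}
```

Without the two NULL checks, both constructed cases would dereference a null pointer, which in a hypervisor context corresponds to the host crash described under IMPACT.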