-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.2258
           Multiple vulnerabilities have been identified in Xen
                              1 December 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xen
Publisher:         Xen
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Xen
Impact/Access:     Denial of Service -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-9030 CVE-2014-8867 CVE-2014-8866

Original Bulletin: 
   http://xenbits.xen.org/xsa/advisory-111.html
   http://xenbits.xen.org/xsa/advisory-112.html
   http://xenbits.xen.org/xsa/advisory-113.html

Comment: This bulletin contains three (3) Xen security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------


            Xen Security Advisory CVE-2014-8866 / XSA-111
                              version 3

   Excessive checking in compatibility mode hypercall argument translation

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The hypercall argument translation needed for 32-bit guests running on
64-bit hypervisors performs checks on the final register state.  These
checks cover all registers potentially holding hypercall arguments,
not just the ones actually doing so for the hypercall being processed,
since the code was originally intended for use only by PV guests.

While this is not a problem for PV guests (as they can't enter 64-bit
mode and hence can't alter the high halves of any of the registers),
the subsequent reuse of the same functionality for HVM guests exposed
those checks to values (specifically, unexpected values for the high
halves of registers not holding hypercall arguments) controlled by
guest software.
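
The check-scope problem described above, reduced to a model as an added illustration (this is not Xen source code or the advisory's own text); the hypercall argument table, the register count and the sample register values are constructed for the example:

```c
/* Model of the XSA-111 bug class (hypothetical, not Xen code). A compat
 * (32-bit) hypercall carries its arguments in a fixed set of 64-bit
 * registers, but a given hypercall only uses the first N of them. A 32-bit
 * PV guest can never set the high 32 bits of any register, so checking all
 * of them is harmless there; an HVM guest can, so the same check on a
 * register the hypercall does not use becomes guest-triggerable failure. */
#include <stdbool.h>
#include <stdint.h>

#define NR_ARG_REGS 6

/* Hypothetical table: how many argument registers each hypercall uses. */
static const unsigned int hypercall_nargs[] = {
    [0] = 1,   /* a one-argument call */
    [1] = 3,   /* a three-argument call */
    [2] = 6,   /* a call using every argument register */
};
#define NR_HYPERCALLS (sizeof(hypercall_nargs) / sizeof(hypercall_nargs[0]))

/* Constructed register file: three clean arguments, junk in the high half
 * of the fourth register, which a three-argument call never reads. */
const uint64_t sample_regs[NR_ARG_REGS] = { 1, 2, 3, 0x100000000ULL, 0, 0 };

static bool high_half_clear(uint64_t reg) { return (reg >> 32) == 0; }

/* Buggy model: validates every potential argument register regardless of
 * whether the hypercall uses it. The failing branch stands in for the
 * hypervisor-side failure the advisory describes; here it is a return
 * value so the behaviour can be observed. */
bool check_compat_args_buggy(unsigned int op, const uint64_t regs[NR_ARG_REGS]) {
    if (op >= NR_HYPERCALLS) return false;
    for (unsigned int i = 0; i < NR_ARG_REGS; i++)
        if (!high_half_clear(regs[i]))
            return false;
    return true;
}

/* Fixed model: only the registers that actually carry arguments for this
 * hypercall are checked; the rest is guest state the hypervisor has no
 * reason to inspect. */
bool check_compat_args_fixed(unsigned int op, const uint64_t regs[NR_ARG_REGS]) {
    if (op >= NR_HYPERCALLS) return false;
    for (unsigned int i = 0; i < hypercall_nargs[op]; i++)
        if (!high_half_clear(regs[i]))
            return false;
    return true;
}
```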

IMPACT
======

A buggy or malicious HVM guest can crash the host.

VULNERABLE SYSTEMS
==================

Xen 3.3 and onward are vulnerable.

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

MITIGATION
==========

Running only PV guests will avoid this issue.

There is no mitigation available for HVM guests on any version of Xen
so far released by xenproject.org.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa111-unstable.patch        xen-unstable, Xen 4.4.x
xsa111-4.3.patch             Xen 4.3.x
xsa111-4.2.patch             Xen 4.2.x

$ sha256sum xsa111*.patch
f6e1bf166ebed6235802e4e42853430d2f5b456c1837908a4f7ed6d4d150e4b4  xsa111-4.2.patch
e9b03a4443a40142cc5c21848dc9589770620dde8924344c4a00028c4dace9f2  xsa111-4.3.patch
3c418f065cd452c225af34c3cccf9bdbc37efb6c6a5fc5940fd83ad8620510d3  xsa111.patch
$

            Xen Security Advisory CVE-2014-8867 / XSA-112
                              version 5

  Insufficient bounding of "REP MOVS" to MMIO emulated inside the hypervisor

UPDATES IN VERSION 5
====================

Public release.

ISSUE DESCRIPTION
=================

Acceleration support for the "REP MOVS" instruction, when the first
iteration accesses memory mapped I/O emulated internally in the
hypervisor, incorrectly assumes that the whole range accessed is
handled by the same hypervisor sub-component.
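
The bounding problem described above, reduced to a model as an added illustration (not Xen source code); the MMIO region map, the handler tags and the addresses are constructed for the example:

```c
/* Model of the XSA-112 bug class (hypothetical, not Xen code). Emulated
 * MMIO is split into regions, each owned by a different internal handler.
 * The accelerated REP MOVS path looks up the handler for the first
 * iteration's address; the buggy version then hands that handler the whole
 * rep count even when later iterations fall outside the range it owns.
 * The fix clamps the count at the region boundary so the remainder is
 * emulated separately. */
#include <stddef.h>
#include <stdint.h>

struct mmio_region {
    uint64_t base, size;   /* guest-physical range owned by this handler */
    int handler_id;        /* hypothetical tag for the owning sub-component */
};

/* Constructed sample map: two adjacent regions with different owners. */
static const struct mmio_region regions[] = {
    { 0x1000, 0x100,  1 },
    { 0x1100, 0x1000, 2 },
};
#define NR_REGIONS (sizeof(regions) / sizeof(regions[0]))

static const struct mmio_region *find_region(uint64_t gpa) {
    for (size_t i = 0; i < NR_REGIONS; i++)
        if (gpa >= regions[i].base && gpa - regions[i].base < regions[i].size)
            return &regions[i];
    return NULL;
}

/* Reps handed to the first address's handler; 0 if not emulated MMIO. */
uint64_t rep_movs_count_buggy(uint64_t gpa, uint64_t bytes_per_rep, uint64_t reps) {
    (void)bytes_per_rep;                  /* range length never considered */
    return find_region(gpa) ? reps : 0;
}

uint64_t rep_movs_count_fixed(uint64_t gpa, uint64_t bytes_per_rep, uint64_t reps) {
    const struct mmio_region *r = find_region(gpa);
    if (!r || bytes_per_rep == 0)
        return 0;
    /* Clamp so the accelerated range never crosses into another owner. */
    uint64_t avail = r->base + r->size - gpa;
    uint64_t max_reps = avail / bytes_per_rep;
    return reps < max_reps ? reps : max_reps;
}

/* Which handler actually owns the last byte of an accelerated range. */
int last_byte_handler(uint64_t gpa, uint64_t bytes_per_rep, uint64_t reps) {
    if (reps == 0 || bytes_per_rep == 0) return -1;
    const struct mmio_region *r = find_region(gpa + bytes_per_rep * reps - 1);
    return r ? r->handler_id : -1;
}
```

With the constructed map, a copy of 0x100 four-byte reps starting at 0x1080 ends in handler 2's range under the buggy count but stays in handler 1's range under the clamped one.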

IMPACT
======

A buggy or malicious HVM guest can crash the host.

VULNERABLE SYSTEMS
==================

Xen versions from at least 3.2.x onwards are vulnerable on x86 systems.
Older versions have not been inspected.  ARM systems are not vulnerable.

MITIGATION
==========

Running only PV guests will avoid this issue.

There is no mitigation available for HVM guests.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa112-unstable.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x
xsa112-4.2.patch             Xen 4.2.x

$ sha256sum xsa112*.patch
cf01a1acd258e7cbb3586e543ba3668c1ee7fb05cba19b8b5369a3e101a2288f  xsa112-4.2.patch
cc39a4cdcb52929ed36ab696807d2405aa552177a6f029d8a1a52041ca1ed519  xsa112.patch
$

We have been told that this patch is not sufficient on Xen 3.3.x and
earlier without also backporting b1b6362f (git commit id).

Note that while we are happy to share information we receive about
earlier Xen versions, the earliest Xen branch for which the Xen
Project offers security support is 4.2.x.

            Xen Security Advisory CVE-2014-9030 / XSA-113
                              version 2

  Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling

UPDATES IN VERSION 2
====================

CVE assigned.

ISSUE DESCRIPTION
=================

An error handling path in the processing of MMU_MACHPHYS_UPDATE failed
to drop a page reference which was acquired in an earlier processing
step.
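
The error-path reference leak described above, reduced to a model as an added illustration (not Xen source code); the page table, the ownership check used as the failing validation step and the domain ids are constructed for the example:

```c
/* Model of the XSA-113 bug class (hypothetical, not Xen code). Handling an
 * MMU_MACHPHYS_UPDATE first takes a reference on the page so it cannot go
 * away mid-operation, then validates the request. If a validation failure
 * returns without dropping that reference, the page's count never returns
 * to zero and the page can never be freed; repeating the failing request
 * leaks pages without bound, which is the system-wide denial of service. */
#include <stdbool.h>
#include <stdint.h>

#define NR_PAGES 4
static unsigned int refcount[NR_PAGES];                 /* hypothetical counts */
static const int page_owner[NR_PAGES] = { 1, 1, 2, 2 }; /* constructed owners */

static bool get_page(unsigned int mfn) {
    if (mfn >= NR_PAGES) return false;
    refcount[mfn]++;
    return true;
}
static void put_page(unsigned int mfn) { refcount[mfn]--; }

unsigned int page_refcount(unsigned int mfn) {
    return mfn < NR_PAGES ? refcount[mfn] : 0;
}

/* Buggy model: the validation step fails but the reference stays held. */
int machphys_update_buggy(int caller, unsigned int mfn, uint64_t gpfn) {
    (void)gpfn;
    if (!get_page(mfn))
        return -1;                 /* nothing acquired, nothing to drop */
    if (page_owner[mfn] != caller)
        return -2;                 /* BUG: reference from get_page() leaked */
    /* ... the machine-to-phys entry would be updated here ... */
    put_page(mfn);
    return 0;
}

/* Fixed model: every exit after get_page() is paired with put_page(). */
int machphys_update_fixed(int caller, unsigned int mfn, uint64_t gpfn) {
    (void)gpfn;
    int rc = 0;
    if (!get_page(mfn))
        return -1;
    if (page_owner[mfn] != caller) {
        rc = -2;
        goto out;
    }
    /* ... the machine-to-phys entry would be updated here ... */
out:
    put_page(mfn);
    return rc;
}
```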

IMPACT
======

Malicious or buggy stub domain kernels or tool stacks otherwise living
outside of Domain0 can mount a denial of service attack which, if
successful, can affect the whole system.

Only domains controlling HVM guests can exploit this vulnerability.
(This includes domains providing hardware emulation services to HVM
guests.)

VULNERABLE SYSTEMS
==================

Xen versions from at least 3.2.x onwards are vulnerable on x86 systems.
Older versions have not been inspected.  ARM systems are not vulnerable.

This vulnerability is only applicable to Xen systems using stub domains
or other forms of disaggregation of control domains for HVM guests.

MITIGATION
==========

Running only PV guests will avoid this issue.

(The security of a Xen system using stub domains is still better than
with a qemu-dm running as an unrestricted dom0 process.  Therefore
users with these configurations should not switch to an unrestricted
dom0 qemu-dm.)

NOTE REGARDING LACK OF EMBARGO
==============================

A draft of this advisory was mistakenly sent to xen-devel.  The Xen
Project Security Team apologises for this error.  We are working to
share best working practices amongst the team to reduce the risks of
recurrence.

CREDITS
=======

This issue was discovered by Andrew Cooper of Citrix.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa113.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa113*.patch
a0f2b792a6b4648151f85fe13961b0bf309a568ed03e1b1d4ea01e4eabf1b18e  xsa113.patch
$

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================