===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0538
           Multiple vulnerabilities have been identified in Xen
                               9 March 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xen
Publisher:         Xen
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Xen
Impact/Access:     Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-2045 CVE-2015-2044 

Original Bulletin: 
   http://xenbits.xenproject.org/xsa/advisory-121.html
   http://xenbits.xenproject.org/xsa/advisory-122.html

Comment: This bulletin contains two (2) Xen security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

            Xen Security Advisory CVE-2015-2044 / XSA-121
                              version 3

       Information leak via internal x86 system device emulation

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

Emulation routines in the hypervisor dealing with certain system
devices check whether the access size by the guest is a supported one.
When the access size is unsupported, these routines fail to set the
data to be returned to the guest for read accesses, so that hypervisor
stack contents are copied into the destination of the operation, thus
becoming visible to the guest.
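
The pattern described above, reduced to a small model. This is an added
example, not code from Xen or from xsa121.patch; the handler names, the
register value and the STALE_STACK marker (standing in for whatever an
uninitialized stack slot would hold) are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define STALE_STACK   0x5ec2e7d5u  /* constructed: leftover stack contents */
#define DEV_REG_VALUE 0x00000042u  /* constructed: emulated register value */

typedef int (*read_fn)(unsigned int bytes, uint32_t *val);

/* Flawed: an unsupported size is accepted without ever writing *val. */
static int dev_read_flawed(unsigned int bytes, uint32_t *val)
{
    if (bytes != 1)
        return 1;               /* reports "handled", output left unset */
    *val = DEV_REG_VALUE;
    return 1;
}

/* Hardened: every path that reports "handled" defines the output. */
static int dev_read_hardened(unsigned int bytes, uint32_t *val)
{
    *val = ~0u;                 /* fixed value for unsupported sizes */
    if (bytes == 1)
        *val = DEV_REG_VALUE;
    return 1;
}

/* Models the emulation caller: a stack local is passed to the handler
 * and then handed back to the guest as the result of its read. */
static uint32_t emulate_guest_read(read_fn handler, unsigned int bytes)
{
    uint32_t data = STALE_STACK;  /* in real code: an uninitialized local */
    if (!handler(bytes, &data))
        return 0;
    return data;                  /* what the guest observes */
}

int main(void)
{
    printf("flawed,   4-byte read: %#x\n",
           (unsigned)emulate_guest_read(dev_read_flawed, 4));
    printf("hardened, 4-byte read: %#x\n",
           (unsigned)emulate_guest_read(dev_read_hardened, 4));
    return 0;
}
```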

IMPACT
======

A malicious HVM guest might be able to read sensitive data relating
to other guests.

VULNERABLE SYSTEMS
==================

Xen 3.2.x and later are vulnerable.
Xen 3.1.x and earlier have not been inspected.

Only HVM guests can take advantage of this vulnerability.

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

MITIGATION
==========

Running only PV guests will avoid this issue.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa121.patch        xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa121*.patch
e74afb34e8059e8ee25b803019c192aa47c29208af2c19fb81aa84b0d7c0d268  xsa121.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

            Xen Security Advisory CVE-2015-2045 / XSA-122
                              version 3

         Information leak through version information hypercall

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The code handling certain sub-operations of the HYPERVISOR_xen_version
hypercall fails to fully initialize all fields of structures
subsequently copied back to guest memory. Due to this, hypervisor stack
contents are copied into the destination of the operation, thus
becoming visible to the guest.
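
A small model of the partially initialized reply described above. This is
an added example, not code from Xen or from xsa122.patch; the
version_reply layout, the string written into it and the STALE byte
(standing in for uninitialized stack contents) are constructed for
illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define STALE 0xAA  /* constructed: byte pattern for leftover stack data */

/* Hypothetical reply structure, not one of Xen's real types. */
struct version_reply {
    char extra[16];
    unsigned int flags;
};

/* Flawed: the string is written only up to its NUL terminator, so the
 * tail of 'extra' keeps whatever the stack slot held before. */
static void fill_flawed(struct version_reply *r)
{
    strcpy(r->extra, ".1-rc");
    r->flags = 0;
}

/* Hardened: clear the whole object before filling in any field. */
static void fill_hardened(struct version_reply *r)
{
    memset(r, 0, sizeof(*r));
    strcpy(r->extra, ".1-rc");
}

/* Models the sub-operation: a stack local is filled in and then copied
 * back wholesale. Returns how many stale bytes reach the guest copy. */
static size_t stale_bytes_after_copy(void (*fill)(struct version_reply *))
{
    struct version_reply r;
    unsigned char guest[sizeof(r)];
    size_t i, n = 0;

    memset(&r, STALE, sizeof(r));   /* in real code: uninitialized local */
    fill(&r);
    memcpy(guest, &r, sizeof(r));   /* stand-in for the copy to the guest */
    for (i = 0; i < sizeof(r); i++)
        n += (guest[i] == STALE);
    return n;
}

int main(void)
{
    printf("flawed:   %zu stale bytes\n", stale_bytes_after_copy(fill_flawed));
    printf("hardened: %zu stale bytes\n", stale_bytes_after_copy(fill_hardened));
    return 0;
}
```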

IMPACT
======

A malicious guest might be able to read sensitive data relating to
other guests.

VULNERABLE SYSTEMS
==================

Xen 3.2.x and later are vulnerable.
Xen 3.1.x and earlier have not been inspected.

MITIGATION
==========

There is no mitigation available for this issue.

CREDITS
=======

This issue was discovered by Aaron Adams of NCC Group.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa122.patch        xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa122*.patch
13404ef363ee347db1571ee91afaa962a68e616a7596c2441a29e26f6db9ec47  xsa122.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================