-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2015.0538
Multiple vulnerabilities have been identified in Xen
9 March 2015

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Xen
Publisher:         Xen
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Xen
Impact/Access:     Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-2045 CVE-2015-2044

Original Bulletin:
   http://xenbits.xenproject.org/xsa/advisory-121.html
   http://xenbits.xenproject.org/xsa/advisory-122.html

Comment: This bulletin contains two (2) Xen security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Xen Security Advisory CVE-2015-2044 / XSA-121
version 3

Information leak via internal x86 system device emulation

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

Emulation routines in the hypervisor dealing with certain system
devices check whether the access size by the guest is a supported one.
When the access size is unsupported these routines failed to set the
data to be returned to the guest for read accesses, so that hypervisor
stack contents are copied into the destination of the operation, thus
becoming visible to the guest.

IMPACT
======

A malicious HVM guest might be able to read sensitive data relating
to other guests.

VULNERABLE SYSTEMS
==================

Xen 3.2.x and later are vulnerable.
Xen 3.1.x and earlier have not been inspected.

Only HVM guests can take advantage of this vulnerability.

Only x86 systems are vulnerable. ARM systems are not vulnerable.

MITIGATION
==========

Running only PV guests will avoid this issue.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa121.patch        xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa121*.patch
e74afb34e8059e8ee25b803019c192aa47c29208af2c19fb81aa84b0d7c0d268  xsa121.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Xen Security Advisory CVE-2015-2045 / XSA-122
version 3

Information leak through version information hypercall

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The code handling certain sub-operations of the
HYPERVISOR_xen_version hypercall fails to fully initialize all fields
of structures subsequently copied back to guest memory. Due to this
hypervisor stack contents are copied into the destination of the
operation, thus becoming visible to the guest.

IMPACT
======

A malicious guest might be able to read sensitive data relating to
other guests.

VULNERABLE SYSTEMS
==================

Xen 3.2.x and later are vulnerable.
Xen 3.1.x and earlier have not been inspected.

MITIGATION
==========

There is no mitigation available for this issue.

CREDITS
=======

This issue was discovered by Aaron Adams of NCC Group.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa122.patch        xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa122*.patch
13404ef363ee347db1571ee91afaa962a68e616a7596c2441a29e26f6db9ec47  xsa122.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your
organisation, so if you do not wish to continue receiving these bulletins
you should contact your local IT manager. If you do not know who that is,
please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----
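
Added example, not part of the bulletin and not Xen's code: a C model of the two leak patterns the advisories describe (XSA-121: a read handler that leaves its result unset for an unsupported access size; XSA-122: a structure copied out without being fully initialized), each beside a hardened form. All function and struct names are hypothetical, the all-ones default is an assumed choice of defined value, and stale stack contents are simulated with a constructed marker byte so the result is deterministic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define STALE 0x5A /* constructed marker standing in for leftover stack bytes */
/* Hypothetical device read handlers: only 1-byte accesses are supported. */
int dev_read_vuln(unsigned size, uint32_t *val) {
    if (size == 1)
        *val = 0x42;        /* flaw: other sizes leave *val unwritten */
    return 0;
}
int dev_read_fixed(unsigned size, uint32_t *val) {
    *val = ~0u;             /* assumed default: a defined value on every path */
    if (size == 1)
        *val = 0x42;
    return 0;
}
/* Dispatcher: val is a stack local whose value is returned to the guest. */
uint32_t emulate_read(int (*handler)(unsigned, uint32_t *), unsigned size) {
    uint32_t val;
    memset(&val, STALE, sizeof(val)); /* model stale stack deterministically */
    handler(size, &val);
    return val;
}
struct version_info { char extra[16]; uint32_t major; }; /* hypothetical */
void fill_vuln(struct version_info *v) {
    strcpy(v->extra, ".1"); /* writes 3 bytes, the other 13 keep old contents */
    v->major = 4;
}
void fill_fixed(struct version_info *v) {
    memset(v, 0, sizeof(*v)); /* pre-fill the whole structure first */
    fill_vuln(v);
}
/* Count stale bytes reaching the buffer that stands in for guest memory. */
size_t leaked_bytes(void (*fill)(struct version_info *)) {
    struct version_info v;
    unsigned char guest[sizeof(v)];
    size_t i, n = 0;
    memset(&v, STALE, sizeof(v));
    fill(&v);
    memcpy(guest, &v, sizeof(v));
    for (i = 0; i < sizeof(guest); i++)
        n += (guest[i] == STALE);
    return n;
}
int main(void) {
    printf("read:   %#x vs %#x\n", emulate_read(dev_read_vuln, 4), emulate_read(dev_read_fixed, 4));
    printf("struct: %zu vs %zu stale bytes\n", leaked_bytes(fill_vuln), leaked_bytes(fill_fixed));
    return 0;
}
```

The same check works as a regression test for any handler or copy-out path: pre-fill the local with a marker, run the path, and assert that no marker bytes reach the output buffer.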