-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0839
          A number of vulnerabilities have been identified in Xen
                               2 April 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xen
Publisher:         Xen
Operating System:  Xen
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-2756 CVE-2015-2752 CVE-2015-2751

Original Bulletin: 
   http://xenbits.xenproject.org/xsa/advisory-125.html
   http://xenbits.xenproject.org/xsa/advisory-126.html
   http://xenbits.xenproject.org/xsa/advisory-127.html

Comment: This bulletin contains three (3) Xen security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2015-2752 / XSA-125
                              version 3

       Long latency MMIO mapping operations are not preemptible

UPDATES IN VERSION 3
====================

CVE assigned.

Public release.

ISSUE DESCRIPTION
=================

The XEN_DOMCTL_memory_mapping hypercall allows long running operations
without implementing preemption.

This hypercall is used by the device model as part of the emulation
associated with configuration of PCI devices passed through to HVM
guests and is therefore indirectly exposed to those guests.

This can cause a physical CPU to become busy for a significant period,
leading to a host denial of service in some cases.

If a host denial of service is not triggered then it may instead be
possible to deny service to the domain running the device model,
e.g. domain 0.

This hypercall is also exposed more generally to all toolstacks.
However, its uses in libxl-based toolstacks are not believed to open
any avenue of attack from an untrusted guest. Other toolstacks may
nevertheless be vulnerable.
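The missing ingredient described above is a bound on the work done per invocation. The following added example (not Xen's code; ERESTART_HINT, PAGES_PER_INVOCATION and the struct are hypothetical) shows the preemptible pattern: each call maps at most a fixed number of pages, then hands control back so the caller re-enters to finish.

```c
#include <stdint.h>

/* Illustration of the preemption pattern the advisory says the hypercall
 * lacked: bound the work done per invocation and tell the caller to
 * re-enter to finish. Hypothetical code, not Xen's implementation. */

#define ERESTART_HINT 1          /* hypothetical "come back for more" code */
#define PAGES_PER_INVOCATION 64  /* hypothetical per-call work budget */

struct mmio_map_op {
    uint64_t first_gfn;   /* guest frame the range starts at */
    uint64_t nr_pages;    /* total pages requested */
    uint64_t done;        /* progress kept across re-entries */
    uint64_t mapped;      /* pages the (stubbed) mapping step handled */
};

/* Stand-in for the per-page mapping work; counts instead of touching p2m. */
static void map_one_page(struct mmio_map_op *op, uint64_t gfn)
{
    (void)gfn;
    op->mapped++;
}

/* One invocation: map at most PAGES_PER_INVOCATION pages, then yield so
 * the physical CPU is not monopolised. Returns 0 when the range is done. */
int mmio_map_step(struct mmio_map_op *op)
{
    uint64_t budget = PAGES_PER_INVOCATION;

    while (op->done < op->nr_pages) {
        if (budget-- == 0)
            return ERESTART_HINT;  /* caller re-invokes with the same op */
        map_one_page(op, op->first_gfn + op->done);
        op->done++;
    }
    return 0;
}

/* Drives the operation to completion, counting how often it yielded. */
unsigned mmio_map_all(struct mmio_map_op *op)
{
    unsigned yields = 0;
    while (mmio_map_step(op) != 0)
        yields++;
    return yields;
}
```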

IMPACT
======

The vulnerability is exposed via HVM guests which have a PCI device
assigned to them. A malicious HVM guest in such a configuration can
mount a denial of service attack affecting the whole system via its
associated device model (qemu-dm).

A guest is able to trigger this hypercall via operations which it is
legitimately expected to perform, therefore running the device model
as a stub domain does not offer protection against the host denial of
service issue. However it does offer some protection against secondary
issues such as denial of service against dom0.

VULNERABLE SYSTEMS
==================

The issue is exposed via x86 HVM VMs which have been assigned a PCI
device.

x86 PV domains, x86 HVM domains without passthrough devices and ARM
domains do not expose this vulnerability.

Xen 3.2.x and later are vulnerable.
Xen 3.1.x and earlier have not been inspected.

MITIGATION
==========

Running only PV guests will avoid this issue.

This issue can be avoided by not assigning devices with large MMIO
regions to untrusted HVM guests.

CREDITS
=======

This issue was discovered by Konrad Rzeszutek Wilk of Oracle.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa125.patch                 Xen 4.5.x, xen-unstable
xsa125-4.4.patch             Xen 4.4.x
xsa125-4.3.patch             Xen 4.3.x
xsa125-4.2.patch             Xen 4.2.x

$ sha256sum xsa125*.patch
be0c7cceb1af4b7b1341f37c1e20cf804ea3ac7d3c2ca2e5599f936479d5e0de  xsa125.patch
5f081407c2955787c6e40daa847f3c4131694dff3bb0bc0ee55495f555c7bb52  xsa125-4.2.patch
3b0641ef2a23f12872267940c408097cb353e57a6e0396a64cdf13592a14f65b  xsa125-4.3.patch
2180e657b34d8628d4e0157adf2a36904bb6feaf55d53338e4457ef77d867a31  xsa125-4.4.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2015-2756 / XSA-126
                              version 3

             Unmediated PCI command register access in qemu

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

HVM guests are currently permitted to modify the memory and I/O decode
bits in the PCI command register of devices passed through to them.
Unless the device is an SR-IOV virtual function, after disabling one or
both of these bits subsequent accesses to the MMIO or I/O port ranges
would - on PCI Express devices - lead to Unsupported Request responses.
The treatment of such errors is platform specific.

Furthermore (at least) devices under control of the Linux pciback
driver in the host are handed to guests with the aforementioned bits
turned off.  This means that such accesses can similarly lead to
Unsupported Request responses until these flags are set as needed by
the guest.
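Mediating the register means keeping the guest-visible value apart from what reaches hardware. The following added example (hypothetical, not the qemu or Xen patch) sketches that: decode bits are enabled at assignment time, since pciback may hand the device over with them cleared, and a guest write on a non-VF device can never clear them.

```c
#include <stdbool.h>
#include <stdint.h>

#define PCI_COMMAND_IO      0x0001  /* I/O space decode enable */
#define PCI_COMMAND_MEMORY  0x0002  /* memory space decode enable */

/* Hypothetical mediated view of one passed-through device's command
 * register: what the guest sees is kept apart from what reaches hardware. */
struct pt_cmd_reg {
    uint16_t hw;        /* value last written to the physical device */
    uint16_t guest;     /* value the guest believes it wrote */
    bool     sriov_vf;  /* VFs do not decode via these bits (advisory) */
};

/* Assignment time: the host driver may hand over the device with decode
 * bits cleared, so enable them before the guest can touch the BARs. */
void pt_cmd_init(struct pt_cmd_reg *r, uint16_t host_val, bool sriov_vf)
{
    r->sriov_vf = sriov_vf;
    r->hw = sriov_vf ? host_val
                     : (uint16_t)(host_val | PCI_COMMAND_IO | PCI_COMMAND_MEMORY);
    r->guest = r->hw;
}

/* Guest write: record what it asked for, but never let a non-VF device
 * stop decoding, which is what would otherwise produce UR responses. */
void pt_cmd_write(struct pt_cmd_reg *r, uint16_t val)
{
    r->guest = val;
    if (r->sriov_vf)
        r->hw = val;
    else
        r->hw = (uint16_t)(val | PCI_COMMAND_IO | PCI_COMMAND_MEMORY);
}

/* Guest read: return the guest's own view, not the raw hardware value. */
uint16_t pt_cmd_read(const struct pt_cmd_reg *r)
{
    return r->guest;
}
```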

IMPACT
======

In the event that the platform surfaces aforementioned UR responses as
Non-Maskable Interrupts, and either the OS is configured to treat NMIs
as fatal or (e.g. via ACPI's APEI) the platform tells the OS to treat
these errors as fatal, the host would crash, leading to a Denial of
Service.

VULNERABLE SYSTEMS
==================

Xen versions 3.3 and onwards are vulnerable due to supporting PCI
pass-through.

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

Only HVM guests with their device model run in Dom0 can take advantage
of this vulnerability.

Any domain which is given access to a non-SR-IOV virtual function PCI
Express device can take advantage of this vulnerability.

MITIGATION
==========

This issue can be avoided by not assigning PCI Express devices other
than SR-IOV virtual functions to untrusted HVM guests.  This issue can
also be avoided by only using PV guests or HVM guests with their
device model run in a separate (stub) domain.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa126-qemuu.patch           qemu-upstream-unstable, Xen 4.5.x, Xen 4.4.x
xsa126-qemuu-4.3.patch       qemu-upstream-unstable, Xen 4.3.x
xsa126-qemut.patch           qemu-xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

For those already having the original patch in place, applying the
appropriate attached incremental patch addresses the regression.

xsa126-qemuu-incr.patch      qemu-upstream-unstable, Xen 4.5.x, Xen 4.4.x
xsa126-qemuu-4.3-incr.patch  qemu-upstream-unstable, Xen 4.3.x
xsa126-qemut-incr.patch      qemu-xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa126*.patch
bd69a0d18127793a9aa2097062ecaef76df6e6b8f729406d7d52cf66519e3b0d  xsa126-qemut-incr.patch
2a9b8f73b2a4f0cfb6b724c9a0a72dbf08cae87cd382f61f563218c32d1036a7  xsa126-qemut.patch
658bc483d1110e4e04de2d70fba1cdb20c5cecdc2f419db2d82bddc3ae1690b6  xsa126-qemuu-4.3-incr.patch
090d9262a9e9d24f0f4eca35cb0d56831d5cec6a6ba38b4c7e276d767de660c1  xsa126-qemuu-4.3.patch
3f7b6737c08ff7e119bec16c8c3b3cb832429f1410e687edf622fab57a22842e  xsa126-qemuu-incr.patch
eb5b93600267639b2cda1c5e2f937ddbecbf6c8cbd19dbb355224c39c2e40d3e  xsa126-qemuu.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2015-2751 / XSA-127
                              version 2

     Certain domctl operations may be abused to lock up the host

UPDATES IN VERSION 2
====================

CVE assigned.

Public release.

ISSUE DESCRIPTION
=================

XSA-77 placed the majority of the domctl operations on a list exempting
them from security advisories, even where their use could have
security-relevant effects. Subsequently some of them were declared
disaggregation safe, but for a small subset this was not really
correct: their (mis-)use may result in host lockups.

As a result, the potential security benefits of toolstack
disaggregation are not always fully realised.

IMPACT
======

Domains deliberately given partial management control may be able to
deny service to the entire host.

As a result, in a system designed to enhance security by radically
disaggregating the management, the security may be reduced.  But, the
security will be no worse than a non-disaggregated design.

VULNERABLE SYSTEMS
==================

Xen versions 4.3 onwards are vulnerable.
Xen versions 4.2 and earlier do not have the described disaggregation
functionality and hence are not vulnerable.

MITIGATION
==========

The issues discussed in this advisory are themselves bugs in features
used for a security risk mitigation.

There is no further mitigation available, beyond general measures to
try to avoid parts of the system management becoming controlled by
attackers.  Those are the kind of measures which we expect any users
of radical disaggregation to have already deployed.

Switching from disaggregated to a non-disaggregated operation does NOT
mitigate these vulnerabilities.  Rather, it simply recategorises the
vulnerability to hostile management code, regarding it "as designed";
thus it merely reclassifies these issues as "not a bug".

Users and vendors of disaggregated systems should not change their
configuration.  The robustness benefits of disaggregation are
unaffected, and (depending on system design) security benefits are
likely to remain despite the vulnerabilities.

CREDITS
=======

This issue was discovered by Andrew Cooper of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa127-unstable.patch        xen-unstable
xsa127-4.x.patch             Xen 4.5.x, Xen 4.4.x, Xen 4.3.x

$ sha256sum xsa127*.patch
5b98280738a205c40f56d0a7feb6ea6cd867da7ac1e0d9f4fc4620bae2c09171  xsa127.patch
e5fd3c126ae10fe45283e6eb1a4216b75057f1772d869d2b3a26398b0984c7bd  xsa127-4.x.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----