Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2015.2958 virtual PMU is unsupported 27 November 2015 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Xen Publisher: Xen Operating System: UNIX variants (UNIX, Linux, OSX) Xen Impact/Access: Reduced Security -- Existing Account Resolution: Mitigation Original Bulletin: http://xenbits.xen.org/xsa/advisory-163.html Comment: This advisory references vulnerabilities in products which run on platforms other than Xen. It is recommended that administrators running Xen check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory XSA-163 virtual PMU is unsupported ISSUE DESCRIPTION ================= The Virtual Performance Measurement Unit feature has been documented as unsupported, so far only on Intel CPUs. Further issues have been found or are suspected which would also (or exclusively) affect AMD CPUs. We believe that the functionality is mostly intended for non-production use anyway. Therefore this functionality is hereby documented as generally unsupported security-wise. IMPACT ====== Use of the feature may have unknown effects, ranging from information leaks through Denial of Service to privilege escalation. VULNERABLE SYSTEMS ================== Only systems which enable the VPMU feature are affected. That is, only systems with a `vpmu' setting on the hypervisor command line. Xen versions from 3.3 onwards are affected. Only x86 systems are affected. ARM systems do not currently implement vPMU and are therefore currently unaffected; should this functionality be added to ARM in the future it would be covered by this exclusion. In Xen versions prior to 4.6 only HVM guests can take advantage of this unsupported functionality. In Xen versions from 4.6 onwards all guest kinds can use this unsupported functionality. MITIGATION ========== Not enabling vPMU support (by omitting the "vpmu" hypervisor command line option) will avoid using and exposing the unsupported functionality. RESOLUTION ========== Applying the attached patch documents the situation. The patch does not fix any security issues. xsa163.patch xen-unstable $ sha256sum xsa163* b9185a45a41f31e7c2f85b79a669b8b1dbf00c6b40a79b00c779b344ccab45b7 xsa163.patch $ - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJWVJqRAAoJEIP+FMlX6CvZba8H/23BreIs2Gxkh+9Jty8EEMdp nk3hSpEgxIb101XsbZ4JNwMO8QqBoTi1Bt0+k4bnjdRsU1G/vImacaN9LlefmLJc jn3n4Ce9ODGQvCEp1LPwWQusduFhMUIaUK6cwB2LclYxUnxCgUpLBFReOp9QIbgZ Bv+rrw9gcNb8zUKT53FZ7bOApRoU28rSFX1XE72ELPDdGbpTVXxlvQZtKsQY7N7O Se1COml0MDhufWRf3SNxO2MmqZsg43fsjvJaJgGoXE+4gslcLBMjiwgoUDX2k9CG Pi4M5uLNLxXJZkgbo1qi8ueQB9yck6tMg+o6f3wDFz28SFfu8/D2szXGOblpE5w= =2Wqz - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBVlesqn6ZAP0PgtI9AQK28BAAxlShEnhMMB94DLvB45FD0hAlL4BowNlG b8qE0N0UPVp020F7sVlUFVn9PzTgF0qGPddmGwRKRfWBrwph+/XlM1ZUPuqRUJnj ANE4GSfCTTthFFslef/Y+QR10drOF/yoegayPsi3/jKbxhT5eDXFKND21iOzp2qi ZjNw4brO5vvJbmAV/GfG9TRqTQAGhGmqks8F3secYMShZBNsOu1IO9XF/kPZY6Ik 0TL7QZxgFmKIk98lLMl2rr5dwhEvLw8nrK8LsjMwK61ZICsmT0LUVzja7ul/vQQI OlZJZTjrKNWo5SmV9BbWv3cHQQakUV2yY3hGO/oH5vZsjduG7b3wJ0Ims/tlccHm r+qWMXSrNfxo/ZeL32zPJ8hTvCErNnAUi1AVNMWfjNDgTVbLSgiPElKGb0uKpwWt T78uppZqmgfDGdVXGzobjsw1OxNGrRO8qmh+IjAPnkzlmTtw+6vpZNO5mTC+oVtw x+IMIUdI/Xvk6UGTNZOS0uua+l8VvdTss5hrxYmmVAz2cmfrs8xS7Oh8Z0O6Uy2s f37GaqlBPwkFI9YA3bpPS6Om7gtOHsk4lpJfhrV8gSZqt+sBkxVLedfkO1w1dBCv 15nWs/w8nwN4Y4ubfaHoWQjvluiHeLQHdD/c2Bv2Oe/VM3YyzRFkTAu3GIHlJwB1 pi1vY7cTc1I= =AVtq -----END PGP SIGNATURE-----