
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.3218
                          Xen Security Advisories
                             23 December 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xen
Publisher:         Xen
Operating System:  Xen
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Root Compromise        -- Existing Account
                   Increased Privileges   -- Existing Account
                   Access Privileged Data -- Existing Account
                   Denial of Service      -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-8555 CVE-2015-8554 CVE-2015-8553
                   CVE-2015-8552 CVE-2015-8551 CVE-2015-8550

Original Bulletin: 
   http://xenbits.xen.org/xsa/advisory-155.html
   http://xenbits.xen.org/xsa/advisory-157.html
   http://xenbits.xen.org/xsa/advisory-164.html
   http://xenbits.xen.org/xsa/advisory-165.html
   http://xenbits.xen.org/xsa/advisory-166.html

Comment: This bulletin contains five (5) Xen security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------


            Xen Security Advisory CVE-2015-8550 / XSA-155
                              version 6

    paravirtualized drivers incautious about shared memory contents

UPDATES IN VERSION 6
====================

Correct CREDITS section.

ISSUE DESCRIPTION
=================

Compiler optimizations in the PV backend drivers can lead to double-fetch
vulnerabilities. Specifically, the memory shared between the frontend and
backend can be fetched twice (during which time the frontend can alter the
contents), possibly leading to arbitrary code execution in the backend.

IMPACT
======

Malicious guest administrators can cause denial of service.  If driver
domains are not in use, the impact can be a host crash, or privilege escalation.

VULNERABLE SYSTEMS
==================

Systems running PV or HVM guests are vulnerable.

ARM and x86 systems are vulnerable.

All OSes providing PV backends are susceptible; this includes Linux and
NetBSD. By default, Linux distributions compile kernels with
optimizations.

MITIGATION
==========

There is no mitigation.

CREDITS
=======

This issue was discovered by Felix Wilhelm (ERNW Research, KIT /
Operating Systems Group).

RESOLUTION
==========

Applying the appropriate attached patches should fix the problem for
PV backends.  Note that only PV backends are fixed; PV frontend
patches will be developed and released (publicly) after the embargo
date.

Please note that there is a bug in some versions of gcc,
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58145, which can cause the
construct used in RING_COPY_REQUEST() to be ineffective in some
circumstances. We have determined that this is only the case when the
structure being copied consists purely of bitfields. The Xen PV
protocols updated here do not use bitfields in this way and therefore
these patches are not subject to that bug. However, authors of third
party PV protocols should take this into consideration.
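To make the double fetch concrete, here is an added illustration (not code from the advisory or from the Xen patches) of the vulnerable check-then-reread pattern beside a copy-then-check version modelled on the RING_COPY_REQUEST() construct; the `struct req` layout, ring size, segment limit and the `racing_guest` hook are all constructed for this example. The same concern, one source-level read turning into several machine loads, is what XSA-166 further down describes for hypervisor ioreq handling.

```c
#include <stdint.h>
#include <string.h>

#define RING_SIZE 4   /* constructed: slots in the shared ring */
#define MAX_SEGS  8   /* constructed: most segments a request may carry */

/* Constructed request layout (not the real blkif/netif request).  It uses no
 * bitfields, so the volatile copy below is not affected by gcc bug 58145
 * mentioned in the advisory. */
struct req {
    uint8_t  op;
    uint8_t  nr_segs;   /* must be <= MAX_SEGS before the backend acts on it */
    uint16_t id;
    uint32_t len;
};

/* Shared ring: in Xen this page is mapped by both the guest (frontend) and
 * the backend, so the guest may rewrite any slot at any moment. */
struct ring {
    struct req reqs[RING_SIZE];
};

/* Hypothetical hook standing in for the guest writing to the shared page
 * between the backend's two reads; NULL means the guest stays quiet. */
typedef void (*frontend_hook)(struct ring *shared, unsigned idx);

/* Vulnerable pattern: check the field in shared memory, then read it again
 * when acting on it.  The volatile pointer forces both loads here; in the
 * real drivers the compiler could split one source-level read into several
 * loads on its own, which is what XSA-155 describes. */
int backend_unsafe(struct ring *shared, unsigned idx, frontend_hook guest)
{
    volatile struct req *r = &shared->reqs[idx % RING_SIZE];

    if (r->nr_segs > MAX_SEGS)      /* fetch 1: the check */
        return -1;
    if (guest)
        guest(shared, idx);         /* guest rewrites the slot */
    return r->nr_segs;              /* fetch 2: the use, possibly > MAX_SEGS */
}

/* Modelled on the RING_COPY_REQUEST() construct: copy the whole request out
 * of the shared ring through a volatile pointer in one step, then check and
 * use only the private copy. */
#define RING_COPY_REQUEST_LOCAL(_ring, _idx, _req)                             \
    do {                                                                       \
        *(_req) = *(volatile struct req *)&(_ring)->reqs[(_idx) % RING_SIZE];  \
    } while (0)

int backend_safe(struct ring *shared, unsigned idx, frontend_hook guest)
{
    struct req local;

    RING_COPY_REQUEST_LOCAL(shared, idx, &local);
    if (local.nr_segs > MAX_SEGS)
        return -1;
    if (guest)
        guest(shared, idx);         /* too late: the slot is no longer consulted */
    return local.nr_segs;           /* always the value that was validated */
}

/* Constructed misbehaving frontend: raises the segment count after the check. */
void racing_guest(struct ring *shared, unsigned idx)
{
    shared->reqs[idx % RING_SIZE].nr_segs = 200;
}

/* Places one well-formed 3-segment request in slot 0. */
void init_ring(struct ring *shared)
{
    memset(shared, 0, sizeof(*shared));
    shared->reqs[0].op = 1;
    shared->reqs[0].nr_segs = 3;
    shared->reqs[0].id = 42;
    shared->reqs[0].len = 512;
}

/* Runs one racy exchange and reports the segment count the backend would act
 * on: 200 for the unsafe path, 3 for the copy-then-check path. */
int demo(int use_safe)
{
    struct ring shared;

    init_ring(&shared);
    return use_safe ? backend_safe(&shared, 0, racing_guest)
                    : backend_unsafe(&shared, 0, racing_guest);
}
```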

Linux v4.4:
xsa155-linux-xsa155-0001-xen-Add-RING_COPY_REQUEST.patch
xsa155-linux-xsa155-0002-xen-netback-don-t-use-last-request-to-determine-mini.patch
xsa155-linux-xsa155-0003-xen-netback-use-RING_COPY_REQUEST-throughout.patch
xsa155-linux-xsa155-0004-xen-blkback-only-read-request-operation-from-shared-.patch
xsa155-linux-xsa155-0005-xen-blkback-read-from-indirect-descriptors-only-once.patch
xsa155-linux-xsa155-0006-xen-scsiback-safely-copy-requests.patch
xsa155-linux-xsa155-0007-xen-pciback-Save-xen_pci_op-commands-before-processi.patch

Linux v4.[0,1,2,3]:
All the above patches except #5 will apply; in place of #5 please use:
xsa155-linux43-0005-xen-blkback-read-from-indirect-descriptors-only-once.patch

Linux v3.19:
All the above patches except #5 and #6 will apply; in their place please use:
xsa155-linux43-0005-xen-blkback-read-from-indirect-descriptors-only-once.patch
xsa155-linux319-0006-xen-scsiback-safely-copy-requests.patch

qemu-xen:
xsa155-qemu-qdisk-double-access.patch
xsa155-qemu-xenfb.patch

qemu-traditional:
xsa155-qemut-qdisk-double-access.patch
xsa155-qemut-xenfb.patch

NetBSD 7.0:
xsa155-netbsd-xsa155-0001-netbsd-xen-Add-RING_COPY_REQUEST.patch
xsa155-netbsd-xsa155-0002-netbsd-netback-Use-RING_COPY_REQUEST-instead-of-RING.patch
xsa155-netbsd-xsa155-0003-netbsd-ring-Add-barrier-to-provide-an-compiler-barri.patch
xsa155-netbsd-xsa155-0004-netbsd-block-only-read-request-operation-from-shared.patch
xsa155-netbsd-xsa155-0005-netbsd-pciback-Operate-on-local-version-of-xen_pci_o.patch

xen:
xsa155-xen-0001-xen-Add-RING_COPY_REQUEST.patch
xsa155-xen-0002-blktap2-Use-RING_COPY_REQUEST.patch
xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch

xen 4.4:
All patches except #3 will apply, please use:
xsa155-xen44-0003-libvchan-Read-prod-cons-only-once.patch

$ sha256sum xsa155*

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html


        Xen Security Advisory CVE-2015-8551,CVE-2015-8552 / XSA-157
                                 version 3

         Linux pciback missing sanity checks leading to crash

UPDATES IN VERSION 3
====================

Removed CVE-2015-8553 from the title of this advisory.  We will issue
an update to XSA-120 which documents the assignment of CVE-2015-8553
to the XSA-120 v5+ addendum patch.

Public release.

ISSUE DESCRIPTION
=================

The Xen PCI backend driver does not perform proper sanity checks on the
device's state.

This in turn allows the generic MSI code (called by the Xen PCI backend) to
be invoked incorrectly, hitting BUG conditions or causing NULL pointer
exceptions in the MSI code.  (CVE-2015-8551)

To exploit this the guest can craft a specific sequence of XEN_PCI_OP_*
operations which will trigger this.

Furthermore, the frontend can also craft a continuous stream of
XEN_PCI_OP_enable_msi operations, which triggers a continuous stream of
WARN() messages from the MSI code, leading the logging in the initial
domain to exhaust disk space.  (CVE-2015-8552)

Lastly, there is also a missing check to verify whether the device has
memory decoding enabled at the start of the day, so that the initial
domain's "accesses to the respective MMIO or I/O port ranges would - on PCI
Express devices - [which can] lead to Unsupported Request responses.
The treatment of such errors is platform specific." (from XSA-120).
Note that if the XSA-120 'addendum' patch (re CVE-2015-8553) has been
applied this particular sub-issue is not exploitable.

IMPACT
======

Malicious guest administrators can cause denial of service.  If driver
domains are not in use, the impact is a host crash.

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

VULNERABLE SYSTEMS
==================

This bug affects systems using Linux as the driver domain, including
non-disaggregated systems using Linux as dom0.

Linux versions v3.1 and onwards are vulnerable because they include the
PCI pass-through backend driver.

PV and HVM guests which have been granted access to physical PCI devices
(`PCI passthrough') can take advantage of this vulnerability.

Furthermore, the vulnerability is only applicable when the
passed-through PCI devices are MSI- or MSI-X-capable (most modern
devices are).

MITIGATION
==========

Do not use PCI passthrough for PV and HVM guests. Note that for HVM guests
QEMU is used for PCI passthrough; however, the toolstack also sets up
the 'PV' PCI path, which the guest can utilize if it chooses to do so.

CREDITS
=======

This issue was discovered by Konrad Rzeszutek Wilk of Oracle.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Linux 4.3:
xsa157-0001-xen-pciback-Return-error-on-XEN_PCI_OP_enable_msi-wh.patch
xsa157-0002-xen-pciback-Return-error-on-XEN_PCI_OP_enable_msix-w.patch
xsa157-0003-xen-pciback-Do-not-install-an-IRQ-handler-for-MSI-in.patch
xsa157-0004-xen-pciback-For-XEN_PCI_OP_disable_msi-x-only-disabl.patch
xsa157-0005-xen-pciback-Don-t-allow-MSI-X-ops-if-PCI_COMMAND_MEM.patch

$ sha256sum xsa157*

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html


            Xen Security Advisory CVE-2015-8554 / XSA-164
                              version 3

               qemu-dm buffer overrun in MSI-X handling

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

"qemu-xen-traditional" (aka qemu-dm) tracks state for each MSI-X table
entry of a passed through device.  This is used/updated on
(intercepted) accesses to the page(s) containing the MSI-X table.

There may be space on the final page not covered by any MSI-X table
entry, but memory for state tracking is allocated only for existing
table entries.  Therefore bounds checks are required to avoid
accessing/corrupting unrelated heap memory.  Such a check is present
for the read path, but was missing for the write path.
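An added illustration of the missing check (constructed example code, not qemu-xen-traditional's own): a device with three 16-byte MSI-X table entries occupies one intercepted 4 KiB page, so offsets 48 through 4095 are intercepted but backed by no tracking record. `NR_ENTRIES`, the `words[]` layout, the canary slot and the function names are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

#define PAGE_SIZE       4096
#define MSIX_ENTRY_SIZE 16   /* every MSI-X table entry is 16 bytes (four dwords) */
#define WORDS_PER_ENTRY 4
#define NR_ENTRIES      3    /* constructed device: 3 entries, so a single page */

/* Constructed model of the device model's per-entry state: one record for
 * each of the NR_ENTRIES real entries, followed by one word standing in for
 * whatever unrelated heap memory follows the allocation. */
#define CANARY_IDX (NR_ENTRIES * WORDS_PER_ENTRY)
struct msix_state {
    uint32_t words[CANARY_IDX + 1];
};

/* Bytes covered by the intercept: the table rounded up to whole pages. */
unsigned msix_intercept_len(unsigned nr_entries)
{
    unsigned table = nr_entries * MSIX_ENTRY_SIZE;
    return (table + PAGE_SIZE - 1) / PAGE_SIZE * PAGE_SIZE;
}

/* Maps an intercepted offset to a table entry index, or -1 when the offset
 * lies in the page tail past the last real entry (or outside the range).
 * This is the check the read path had and the write path lacked. */
int msix_entry_index(unsigned offset, unsigned nr_entries)
{
    unsigned idx = offset / MSIX_ENTRY_SIZE;

    if (offset >= msix_intercept_len(nr_entries))
        return -1;
    return idx < nr_entries ? (int)idx : -1;
}

/* Vulnerable write path: assumes every intercepted offset has a record. */
void msix_write_unchecked(struct msix_state *s, unsigned offset, uint32_t val)
{
    s->words[offset / 4] = val;   /* offset 48 lands on the word past the records */
}

/* Fixed write path: refuse offsets with no backing record.  Returns 0 when
 * the write was applied and -1 when it was dropped. */
int msix_write_checked(struct msix_state *s, unsigned offset, uint32_t val)
{
    int idx = msix_entry_index(offset, NR_ENTRIES);

    if (idx < 0)
        return -1;
    s->words[idx * WORDS_PER_ENTRY + (offset % MSIX_ENTRY_SIZE) / 4] = val;
    return 0;
}

/* Writes to the first dword past the last entry (offset 48, still inside the
 * intercepted page) through either path and returns the canary: 0xDEAD if
 * the neighbouring memory was clobbered, 0xC0FFEE if it survived. */
uint32_t demo(int use_checked)
{
    struct msix_state s;
    unsigned tail = NR_ENTRIES * MSIX_ENTRY_SIZE;

    memset(&s, 0, sizeof s);
    s.words[CANARY_IDX] = 0xC0FFEE;
    if (use_checked)
        msix_write_checked(&s, tail, 0xDEAD);
    else
        msix_write_unchecked(&s, tail, 0xDEAD);
    return s.words[CANARY_IDX];
}
```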

IMPACT
======

A malicious administrator of a guest which has access to a passed
through PCI device which is MSI-X capable can exploit this
vulnerability to take over the qemu process, elevating its privilege
to that of the qemu process.

In a system not using a device model stub domain (or other techniques
for deprivileging qemu), the malicious guest administrator can thus
elevate their privilege to that of the host.

VULNERABLE SYSTEMS
==================

Xen systems running x86 HVM guests with "qemu-xen-traditional", but
without stubdomains, which have been passed through an MSI-X capable
physical PCI device are vulnerable.

The default configuration is NOT vulnerable from Xen 4.3 onwards
(because it uses a newer upstream qemu version).

Systems running only PV guests are NOT vulnerable.

Only systems using PCI passthrough are vulnerable.

Systems using "qemu-xen-traditional" stubdomain device models (for
example, by specifying "device_model_stubdomain_override=1" in xl's
domain configuration files) are NOT vulnerable.

Only the traditional "qemu-xen-traditional" device model is vulnerable.
Upstream qemu device models ("qemu-xen") are NOT vulnerable.

ARM systems are NOT vulnerable.

MITIGATION
==========

Not passing through MSI-X capable devices to HVM guests will avoid this
vulnerability.

Running HVM guests with the default upstream device model will also
avoid this vulnerability.

Enabling stubdomains will mitigate this issue, by reducing the
escalation to only those privileges accorded to the service domain.
In a usual configuration, a service domain has only the privilege of
the guest, so this eliminates the vulnerability.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa164.patch  qemu-xen-traditional: Xen unstable, 4.6.x, 4.5.x, 4.4.x, 4.3.x

$ sha256sum xsa164*
40f7327aa414c77a0e18a305a144e4a720ba8fe1b618d2f3ad9d5f605667c340  xsa164.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patch described above (or others which are
substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.

However deployment of the mitigations described above is NOT permitted
(except where all the affected systems and VMs are administered and
used only by organisations which are members of the Xen Project
Security Issues Predisclosure List).  Specifically, deployment on
public cloud systems is NOT permitted.

This is because in all cases the configuration change may be visible
to the guest which could lead to the rediscovery of the vulnerability.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html


            Xen Security Advisory CVE-2015-8555 / XSA-165
                              version 3

         information leak in legacy x86 FPU/XMM initialization

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

When XSAVE/XRSTOR are not in use by Xen to manage guest extended
register state, the initial values in the FPU stack and XMM registers
seen by the guest upon first use are those left there by the previous
user of those registers.

IMPACT
======

A malicious domain may be able to leverage this to obtain sensitive
information such as cryptographic keys from another domain.

VULNERABLE SYSTEMS
==================

All Xen versions are vulnerable.

Only x86 systems without XSAVE support or with XSAVE support disabled
are vulnerable.

ARM systems are not vulnerable.

MITIGATION
==========

On XSAVE capable systems, not turning off XSAVE support via the
"no-xsave" hypervisor command line option (or - when defaulting to
off - turning it on via the "xsave" hypervisor command line option)
will avoid the vulnerability.  To find out whether XSAVE is in use,
consult the hypervisor log (obtainable e.g. via "xl dmesg") and look
for a message of the form

"xstate_init: using cntxt_size: <number> and states: <number>"

If such a message is present then XSAVE is in use. But note that due
to log buffer size restrictions this boot time message may have
scrolled off.

There is no known mitigation on XSAVE-incapable systems.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa165.patch           xen-unstable
xsa165-4.6.patch       Xen 4.6.x
xsa165-4.5.patch       Xen 4.5.x, Xen 4.4.x
xsa165-4.3.patch       Xen 4.3.x

$ sha256sum xsa165*
6422db857dd469f5978b80be95e93d1db4bab965668430e07005b7b6369742be  xsa165.patch
bced245fb1111b7fa2db642971cceb0523e691367ba8bfbc6ff0da421f198c97  xsa165-4.3.patch
dd15e301f2757e0c7975bdccfe49ddf41c730bc124dd90166e0844d332eeedad  xsa165-4.5.patch
4bb18f2e44f49f140932c2d1e956e2e28017439cbb0e76eb16a8af617c4112ac  xsa165-4.6.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the PATCH (or others which are substantially similar) is
permitted during the embargo, even on public-facing systems with
untrusted guest users and administrators.


However deployment of the XSAVE ENABLEMENT MITIGATION is NOT permitted
(except where all the affected systems and VMs are administered and
used only by organisations which are members of the Xen Project
Security Issues Predisclosure List).  Specifically, deployment on
public cloud systems is NOT permitted.

This is because enabling xsave is visible to guests, so such
deployment could lead to the rediscovery of the vulnerability.

Deployment of the mitigation is permitted only AFTER the embargo ends.


Also: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html


                    Xen Security Advisory XSA-166
                              version 2

      ioreq handling possibly susceptible to multiple read issue

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

Single memory accesses in source code can be translated to multiple
ones in machine code by the compiler, requiring special caution when
accessing shared memory.  Such precaution was missing from the
hypervisor code inspecting the state of I/O requests sent to the device
model for assistance.

Due to the offending field being a bitfield, it is however believed
that there is no issue in practice, since compilers, at least when
optimizing (which is always the case for non-debug builds), should find
it more expensive to extract the bit field value twice than to keep the
calculated value in a register.

IMPACT
======

This vulnerability is exposed to malicious device models.  In
conventional Xen systems this means the qemu which services an HVM
domain.  On such systems this vulnerability can only be exploited if
the attacker has gained control of the device model qemu via another
vulnerability.

Privilege escalation, host crash (Denial of Service), and leaked
information all cannot be excluded.

VULNERABLE SYSTEMS
==================

All Xen versions are affected.

Only x86 variants of Xen are susceptible.  ARM variants are not
affected.

Only HVM guests expose this vulnerability.

MITIGATION
==========

Running only PV guests will avoid this issue.

CREDITS
=======

This issue was discovered by Konrad Rzeszutek Wilk of Oracle and Jan
Beulich of SUSE while investigating the issues arising from XSA-155.
XSA-155 was discovered by Felix Wilhelm of ERNW.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa166.patch           xen-unstable, Xen 4.6.x
xsa166-4.5.patch       Xen 4.5.x
xsa166-4.4.patch       Xen 4.4.x
xsa166-4.3.patch       Xen 4.3.x

$ sha256sum xsa166*
740a28a69524e966ab77f9f5e45067aa7ba2d32ea69b1d3c4b9bf0c86212ad0a  xsa166.patch
109a9eb132d712a56a7ca81214fff3952868a39206eb34f66f5b2265e680b9fc  xsa166-4.3.patch
d63261ca2d40e2723a4f3c94665cc120e0ea488200eebb08c7aa07e1c1a35d42  xsa166-4.4.patch
d5dddce37c644d35ef52ff7230f83bf0969b6b4db9b586241f5f5bd0dc631096  xsa166-4.5.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html

NOTE REGARDING SHORT EMBARGO
============================

This issue was encountered by the Security Team during investigations
of the scope and impact of XSA-155.  Accordingly XSA-166 is embargoed
and the embargo will end at the same time as that of XSA-155.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================