-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0161
                           Xen Security Advisories
                              25 January 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xen
Publisher:         Xen
Operating System:  Xen
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Root Compromise          -- Existing Account
                   Denial of Service        -- Existing Account
                   Access Confidential Data -- Existing Account
                   Reduced Security         -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-1571 CVE-2016-1570

Original Bulletin:
   http://xenbits.xen.org/xsa/advisory-167.html
   http://xenbits.xen.org/xsa/advisory-168.html

Comment: This bulletin contains two (2) Xen security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2016-1570 / XSA-167
                              version 4

           PV superpage functionality missing sanity checks

UPDATES IN VERSION 4
====================

Public release.

ISSUE DESCRIPTION
=================

The PV superpage functionality lacks certain validity checks on data
being passed to the hypervisor by guests.  This is the case for the
page identifier (MFN) passed to MMUEXT_MARK_SUPER and
MMUEXT_UNMARK_SUPER sub-ops of the HYPERVISOR_mmuext_op hypercall as
well as for various forms of page table updates.

IMPACT
======

Use of the feature, which is disabled by default, may have unknown
effects, ranging from information leaks through Denial of Service to
privilege escalation.

VULNERABLE SYSTEMS
==================

Only systems which enable the PV superpage feature are affected.  That
is, only systems with an `allowsuperpage' setting on the hypervisor
command line.  Note that in Xen 4.0.x and 3.4.x the option is named
`allowhugepage'.

Xen versions 3.4.0, 3.4.1, and from 4.1 onwards are affected.
Only x86 systems are affected.

Only PV guests can exploit the vulnerability.

MITIGATION
==========

Running only HVM guests will avoid this issue.

Not enabling PV superpage support (by omitting the `allowsuperpage' or
`allowhugepage' hypervisor command line options) will avoid exposing
the issue.

CREDITS
=======

This issue was discovered by Qinghao Tang of 360 Marvel Team.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa167.patch        xen-unstable
xsa167-4.6.patch    Xen 4.6.x, 4.5.x
xsa167-4.4.patch    Xen 4.4.x, 4.3.x

$ sha256sum xsa167*
a71f709eef59425cb2113fa48d3b44048c6bf41063200fee1c847f6e0ed45a09  xsa167.patch
194c1ce89292f4cbb9980baa703095bcbeb5849abf46d193e07a98a0d8301f78  xsa167-4.4.patch
2bd786cccfd13c6732d6db8afc9e18058465efcb1bc93f894c359e3a820d5403  xsa167-4.6.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

However deployment of the SUPERPAGE DISABLEMENT MITIGATION is NOT
permitted (except where all the affected systems and VMs are
administered and used only by organisations which are members of the
Xen Project Security Issues Predisclosure List).  Specifically,
deployment on public cloud systems is NOT permitted.

This is because disabling PV superpage support is visible to guests,
so such deployment could lead to the rediscovery of the vulnerability.

Deployment of the mitigation is permitted only AFTER the embargo ends.

Also: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:

  http://www.xenproject.org/security-policy.html
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJWn3jEAAoJEIP+FMlX6CvZTOsH/2ReFJ0Yhp5da69XKvFEJR/s
0yEFxjvqiSyBPsWjyiaAdOp/1A2sltEeDDnMy7xEoXHmon0p6IV0IR4L+fMCLjl2
1ZI4tKpkn3zUE+IOjfu/GJ53f87XWSq/u9Ri7yZQdxFpgd3AXcLegGm8i4L/58iY
vdwAAuczACztEN/NbWFedlGUEd5PKqKwb4wOg1uhLIMwzvjxgtejVAyZD83HgP6i
LeWMO7EfeU8ND38Otiw9lNlKD/Ia7vpRG+BXuADLx18hbR1TU9AJ0RO1zb9JnAAj
snYdgB6s1wzRD4/HOc+s1uaIttPPODs0IhZunylI7UVhdWKp5Qkszw/QUcmufnk=
=5acB
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2016-1571 / XSA-168
                              version 3

       VMX: intercept issue with INVLPG on non-canonical address

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

While INVLPG does not cause a General Protection Fault when used on a
non-canonical address, INVVPID in its "individual address" variant,
which is used to back the intercepted INVLPG in certain cases, fails
in such cases.  Failure of INVVPID results in a hypervisor bug check.

IMPACT
======

A malicious guest can crash the host, leading to a Denial of Service.

VULNERABLE SYSTEMS
==================

Xen versions from 3.3 onwards are affected.

Only systems using Intel or Cyrix CPUs are affected.  ARM and AMD
systems are unaffected.

Only HVM guests using shadow mode paging can expose this
vulnerability.  PV guests, and HVM guests using Hardware Assisted
Paging (also known as EPT on affected hardware), are unaffected.
Note that while unsupported, guests with enabled nested virtualization
are vulnerable even when using EPT.

CHECKING FOR VULNERABLE CONFIGURATION
=====================================

To discover whether your HVM guests are using HAP, or shadow page
tables: request debug key `q' (from the Xen console, or with `xl
debug-keys q').  This will print (to the console, and visible in `xl
dmesg'), debug information for every domain, containing something like
this:

  (XEN) General information for domain 2:
  (XEN)     refcnt=1 dying=2 pause_count=2
  (XEN)     nr_pages=2 xenheap_pages=0 shared_pages=0 paged_pages=0 dirty_cpus={} max_pages=262400
  (XEN)     handle=ef58ef1a-784d-4e59-8079-42bdee87f219 vm_assist=00000000
  (XEN)     paging assistance: hap refcounts translate external
                               ^^^

The presence of `hap' here indicates that the host is not vulnerable
to this domain.  For an HVM domain the presence of `shadow' indicates
that the domain can exploit the vulnerability.

Note that `General information' will also be printed for PV domains.
For most PV domains there will be no `paging assistance' reported.
But PV guests currently being migrated will report

  (XEN)     paging assistance: shadow log_dirty

Overall: a domain can exploit the vulnerability if this debug output
contains a `paging assistance' line which reports `translate' and
which does not report `hap'.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

Running HVM guests on only AMD hardware will also avoid this
vulnerability.

Running HVM guests with Hardware Assisted Paging (HAP) enabled will
also avoid this vulnerability.  This is the default mode on hardware
supporting HAP, but can be overridden by hypervisor command line
option and guest configuration setting.  Such overrides ("hap=0" in
either case, with variants like "no-hap" being possible in the
hypervisor command line case) would need to be removed to avoid this
vulnerability.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.
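The following POSIX shell script is an added worked example; it is not part of the Xen advisories or of the AusCERT bulletin. It turns two checks described above into something an operator can run against saved output: the XSA-168 rule from CHECKING FOR VULNERABLE CONFIGURATION (a domain can trigger the bug if its `paging assistance' line reports `translate' but not `hap'), and a scan of the hypervisor command line for the options the two advisories name (`allowsuperpage'/`allowhugepage' for XSA-167 exposure, `hap=0'/`no-hap' as overrides that remove the HAP mitigation for XSA-168). The sample debug output and command line embedded in the script are constructed, not captured from a real host, and the suggestion to feed it `xl dmesg' and the xen_commandline field of `xl info' is an assumption about the xl tool, not something the advisories state.

```shell
#!/bin/sh
# Added example, not part of the Xen advisories or the AusCERT bulletin.
# Two checks derived from the advisory text:
#  1. xsa168_shadow_hvm_domains: apply the XSA-168 rule to debug-key `q'
#     output: a domain can trigger the issue if its `paging assistance'
#     line reports `translate' but not `hap'.
#  2. xen_cmdline_findings: flag hypervisor command-line tokens the
#     advisories name: `allowsuperpage'/`allowhugepage' (XSA-167
#     exposure) and `hap=0'/`no-hap' (removes the HAP mitigation for
#     XSA-168).
# Both read stdin, so they work on a saved log as well as a live host.

# Constructed sample of debug-key `q' output (not from a real host):
# dom1 is a PV guest mid-migration, dom2 an HVM guest on HAP,
# dom3 an HVM guest on shadow paging.
SAMPLE_DMESG='(XEN) General information for domain 0:
(XEN)     refcnt=3 dying=0 pause_count=0
(XEN) General information for domain 1:
(XEN)     refcnt=1 dying=0 pause_count=0
(XEN)     paging assistance: shadow log_dirty
(XEN) General information for domain 2:
(XEN)     refcnt=1 dying=2 pause_count=2
(XEN)     paging assistance: hap refcounts translate external
(XEN) General information for domain 3:
(XEN)     refcnt=1 dying=0 pause_count=0
(XEN)     paging assistance: shadow refcounts translate external'

# Constructed sample hypervisor command line (not from a real host).
SAMPLE_CMDLINE='dom0_mem=1024M allowsuperpage hap=0 console=com1'

# Print, one per line, the ids of domains whose `paging assistance'
# line reports `translate' without `hap'.
xsa168_shadow_hvm_domains() {
    awk '
        /General information for domain/ {
            dom = $NF; sub(/:$/, "", dom)      # "2:" -> "2"
        }
        /paging assistance:/ {
            flags = $0; sub(/.*paging assistance:/, "", flags)
            has_translate = 0; has_hap = 0
            n = split(flags, f, " ")
            for (i = 1; i <= n; i++) {
                if (f[i] == "translate") has_translate = 1
                if (f[i] == "hap")       has_hap = 1
            }
            if (has_translate && !has_hap) print dom
        }
    '
}

# Print one finding per matching command-line token.  Tokens are split
# on whitespace; a disabled form such as "allowsuperpage=0" is not
# flagged.  The patterns cover the spellings the advisories name plus
# the common "=1"/"=true" boolean style; other spellings Xen may accept
# are not covered here (assumption, keep the list in step with your
# hypervisor version).
xen_cmdline_findings() {
    tr ' ' '\n' | awk '
        /^allow(super|huge)page(=(1|true|yes|on))?$/ {
            print "XSA-167: PV superpage enabled by " $0
        }
        /^(no-hap|hap=(0|false|no|off))$/ {
            print "XSA-168: HAP disabled globally by " $0
        }
    '
}

# Stand-alone run over the constructed samples.  On a live host the
# inputs would come from `xl dmesg' (after `xl debug-keys q') and from
# the xen_commandline field of `xl info' (assumptions about xl, not
# something the advisories state).
printf '%s\n' "$SAMPLE_DMESG" | xsa168_shadow_hvm_domains    # prints: 3
printf '%s\n' "$SAMPLE_CMDLINE" | xen_cmdline_findings
```

Domain 1 is not reported even though it is on shadow paging, because its line lacks `translate'; that matches the advisory's remark that a migrating PV guest reports "shadow log_dirty" and is not affected. A domain reported by the first function is one where the XSA-168 patch, or moving the guest to HAP, is needed.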
RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa168.patch        xen-unstable, Xen 4.6.x, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x

$ sha256sum xsa168*
c95198a66485d6e538d113ce2b84630d77c15f597113c38fadd6bf1e24e4c8ec  xsa168.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:

  http://www.xenproject.org/security-policy.html
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJWn3dEAAoJEIP+FMlX6CvZLaAH/A1FzwQebCOF0MCEMcM9V/zK
At3L0XG5oBiVZVpbXAfYULeKaLtTGLBXqhBJjzej0FypCvEYX6BLBITLsw7kMqoW
JSYHNHlg4pLH2Wnf6i3fVC7EIHx5XNuDa8Zeyt73wEFJhVpp43PcMwMzBolTUBmP
+f5WDkLYflYXv+0XiHfbBLA2fl+K+A5OdDhKgjPZJouGvdfiZxX7EChR0asmmD1i
AbSZYTLGhdlSU+fvw+w2XUYSeINS1FEhsZxMbWMVuz7jmPBmOn6u8NLrBdZatYoE
Z2Fly81pWD7KDwusVscoLBdmBmI1Wr3u975j5EkQLbsCTsqo5ayP3BpfsieijIg=
=UJX5
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your organisation,
so if you do not wish to continue receiving these bulletins you should contact
your local IT manager. If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVqVmMX6ZAP0PgtI9AQIfeA//RuE2HaUIkTbcT/JtY7AkcLxxfOVNN2f8
QBl4lCXQxDVrAzUeUMnqtxACJZctVEgj654/9ni6MfJM9joEQst9FEbP7U+Egoyj
j+U0Rdg2F+UciGok+2xiSxg5R6xcok0tPVPOgIsSXl2ZvPrpBsKgGuX40wR8HyIq
oVTft0N8X92IeqUsXh23rX80e431YZ5vDNFAHO7uYmDWYCmYEVgm9UcahQkQaudI
yRH8bCxXwEfsF3fx/+FLtSXy5/KLNKO6UV42zWxMcGjeuKpo3RNSM9Lt36eYqhwE
+sKRohFr9UuYTbONvtR4pUhEp2Xz7nM29D1/oNTVh87TWf8PlCowm52CwTkjzpnz
6PwwjGBl55ivak48357kpb2H8+0UOSFUyfzYt0z3lg5k7adQLC8uWoTqWPw3F3Tw
7l9I1av3zMdAX7ynzYAdsvElBvSRUzsGvkoM2DzKPx49f4FvhAaIOCj5MZG2Rc2v
1C3OHYoPoOusqamYwccZxkcd3gjE8/s9EglrEEacNqKEnFxTKyg+Rkg9owYeNMnc
eKrig0EXPi6qQfS+kkOLL/kjH3HXQV4/vu5RPqeVaGswFcHIBRC344XbXDO99Pfx
SsZNqNGb4CPLsuegS8gFPvKVnfPE9kRyzKrwseuyh8PNQJsOjUObtjXG/yGLxewR
mYSUJ90hNf8=
=8tVB
-----END PGP SIGNATURE-----