-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0161
                          Xen Security Advisories
                              25 January 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xen
Publisher:         Xen
Operating System:  Xen
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Root Compromise          -- Existing Account
                   Denial of Service        -- Existing Account
                   Access Confidential Data -- Existing Account
                   Reduced Security         -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-1571 CVE-2016-1570 

Original Bulletin: 
   http://xenbits.xen.org/xsa/advisory-167.html
   http://xenbits.xen.org/xsa/advisory-168.html

Comment: This bulletin contains two (2) Xen security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2016-1570 / XSA-167
                              version 4

            PV superpage functionality missing sanity checks

UPDATES IN VERSION 4
====================

Public release.

ISSUE DESCRIPTION
=================

The PV superpage functionality lacks certain validity checks on data
being passed to the hypervisor by guests.  This is the case for the
page identifier (MFN) passed to MMUEXT_MARK_SUPER and
MMUEXT_UNMARK_SUPER sub-ops of the HYPERVISOR_mmuext_op hypercall as
well as for various forms of page table updates.

IMPACT
======

Use of the feature, which is disabled by default, may have unknown
effects, ranging from information leaks through Denial of Service to
privilege escalation.

VULNERABLE SYSTEMS
==================

Only systems which enable the PV superpage feature are affected.  That
is, only systems with an `allowsuperpage' setting on the hypervisor
command line.  Note that in Xen 4.0.x and 3.4.x the option is named
`allowhugepage'.

Xen versions 3.4.0, 3.4.1, and from 4.1 onwards are affected.

Only x86 systems are affected.

Only PV guests can exploit the vulnerability.

MITIGATION
==========

Running only HVM guests will avoid this issue.

Not enabling PV superpage support (by omitting the `allowsuperpage' or
`allowhugepage' hypervisor command line options) will avoid exposing
the issue.

CREDITS
=======

This issue was discovered by Qinghao Tang of 360 Marvel Team.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa167.patch           xen-unstable
xsa167-4.6.patch       Xen 4.6.x, 4.5.x
xsa167-4.4.patch       Xen 4.4.x, 4.3.x

$ sha256sum xsa167*
a71f709eef59425cb2113fa48d3b44048c6bf41063200fee1c847f6e0ed45a09  xsa167.patch
194c1ce89292f4cbb9980baa703095bcbeb5849abf46d193e07a98a0d8301f78  xsa167-4.4.patch
2bd786cccfd13c6732d6db8afc9e18058465efcb1bc93f894c359e3a820d5403  xsa167-4.6.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.


However deployment of the SUPERPAGE DISABLEMENT MITIGATION is NOT
permitted (except where all the affected systems and VMs are
administered and used only by organisations which are members of the
Xen Project Security Issues Predisclosure List).  Specifically,
deployment on public cloud systems is NOT permitted.

This is because disabling PV superpage support is visible to guests, so
such deployment could lead to the rediscovery of the vulnerability.

Deployment of the mitigation is permitted only AFTER the embargo ends.


Also: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJWn3jEAAoJEIP+FMlX6CvZTOsH/2ReFJ0Yhp5da69XKvFEJR/s
0yEFxjvqiSyBPsWjyiaAdOp/1A2sltEeDDnMy7xEoXHmon0p6IV0IR4L+fMCLjl2
1ZI4tKpkn3zUE+IOjfu/GJ53f87XWSq/u9Ri7yZQdxFpgd3AXcLegGm8i4L/58iY
vdwAAuczACztEN/NbWFedlGUEd5PKqKwb4wOg1uhLIMwzvjxgtejVAyZD83HgP6i
LeWMO7EfeU8ND38Otiw9lNlKD/Ia7vpRG+BXuADLx18hbR1TU9AJ0RO1zb9JnAAj
snYdgB6s1wzRD4/HOc+s1uaIttPPODs0IhZunylI7UVhdWKp5Qkszw/QUcmufnk=
=5acB
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2016-1571 / XSA-168
                              version 3

       VMX: intercept issue with INVLPG on non-canonical address

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

INVLPG does not raise a General Protection Fault when given a
non-canonical address, but the "individual address" variant of INVVPID,
which the hypervisor uses to back an intercepted INVLPG in certain
cases, does fail for such an address.  Failure of INVVPID results in a
hypervisor bug check.

IMPACT
======

A malicious guest can crash the host, leading to a Denial of Service.

VULNERABLE SYSTEMS
==================

Xen versions from 3.3 onwards are affected.

Only systems using Intel or Cyrix CPUs are affected. ARM and AMD
systems are unaffected.

Only HVM guests using shadow mode paging can expose this
vulnerability.  PV guests, and HVM guests using Hardware Assisted
Paging (also known as EPT on affected hardware), are unaffected.

Note that while unsupported, guests with enabled nested virtualization
are vulnerable even when using EPT.

CHECKING FOR VULNERABLE CONFIGURATION
=====================================

To discover whether your HVM guests are using HAP or shadow page
tables, request debug key `q' (from the Xen console, or with
`xl debug-keys q').  This prints debug information for every domain to
the console (also visible in `xl dmesg'), containing something like
this:

  (XEN) General information for domain 2:
  (XEN)     refcnt=1 dying=2 pause_count=2
  (XEN)     nr_pages=2 xenheap_pages=0 shared_pages=0 paged_pages=0 dirty_cpus={} max_pages=262400
  (XEN)     handle=ef58ef1a-784d-4e59-8079-42bdee87f219 vm_assist=00000000
  (XEN)     paging assistance: hap refcounts translate external
                               ^^^
The presence of `hap' here indicates that the host is not
vulnerable to this domain.  For an HVM domain the presence of `shadow'
indicates that the domain can exploit the vulnerability.

Note that `General information' will also be printed for PV domains.
For most PV domains there will be no `paging assistance' reported.
But PV guests currently being migrated will report
  (XEN)     paging assistance: shadow log_dirty

Overall: a domain can exploit the vulnerability if this debug output
contains a `paging assistance' line which reports `translate' and
which does not report `hap'.
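The check above, scripted.  This is an added example and not part of the
Xen advisory: it reads `xl dmesg' output on stdin and prints every domain
whose `paging assistance' line reports `translate' without `hap', i.e. the
domains that can exploit this issue.  The console output embedded in the
script is constructed for the example; on a live host feed in the real
output as shown in the final comment.  The awk logic assumes the line
layout shown in the advisory (a "General information for domain N:" line
followed by that domain's "paging assistance:" line).

```shell
#!/bin/sh
# Added example (not from the Xen advisory): list domains that can
# exploit XSA-168 by parsing `xl dmesg' output after `xl debug-keys q'.

# Reads Xen console output on stdin; prints "domain N" for each domain
# whose paging-assistance modes include `translate' but not `hap'.
xsa168_vulnerable_domains() {
    awk '
        /General information for domain/ {
            dom = $NF              # "2:" on the "... for domain 2:" line
            sub(/:$/, "", dom)
        }
        /paging assistance:/ {
            modes = $0
            sub(/.*paging assistance:/, "", modes)
            modes = " " modes " "  # pad so whole-word matching is simple
            translate = index(modes, " translate ") > 0
            hap       = index(modes, " hap ") > 0
            # translate + no hap = HVM guest on shadow paging (vulnerable);
            # a PV guest under migration shows "shadow log_dirty" only and
            # is not reported, matching the advisory text.
            if (dom != "" && translate && !hap) print "domain " dom
        }
    '
}

# Constructed sample: domain 1 is HVM with HAP (safe), domain 2 is HVM
# on shadow paging (vulnerable), domain 3 is a PV guest being migrated.
SAMPLE_DMESG='(XEN) General information for domain 1:
(XEN)     refcnt=1 dying=0 pause_count=0
(XEN)     paging assistance: hap refcounts translate external
(XEN) General information for domain 2:
(XEN)     refcnt=1 dying=0 pause_count=0
(XEN)     paging assistance: shadow refcounts translate external
(XEN) General information for domain 3:
(XEN)     refcnt=1 dying=0 pause_count=0
(XEN)     paging assistance: shadow log_dirty'

# Live host:  xl debug-keys q && xl dmesg | xsa168_vulnerable_domains
printf '%s\n' "$SAMPLE_DMESG" | xsa168_vulnerable_domains
```

Run against the sample this prints only `domain 2'.  Note that `xl dmesg'
shows the whole console ring, so on a long-running host the `q' output may
appear more than once; the most recent block is the one to trust.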

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

Running HVM guests on only AMD hardware will also avoid this
vulnerability.

Running HVM guests with Hardware Assisted Paging (HAP) enabled will
also avoid this vulnerability.  This is the default mode on hardware
supporting HAP, but can be overridden by hypervisor command line
option and guest configuration setting.  Such overrides ("hap=0" in
either case, with variants like "no-hap" being possible in the
hypervisor command line case) would need to be removed to avoid this
vulnerability.
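Both advisories hinge on hypervisor command line options: XSA-167 is only
exposed when `allowsuperpage' (or `allowhugepage') is set, and XSA-168 is
exposed to every HVM guest when HAP is switched off globally with `hap=0'
or `no-hap'.  The script below, an added example and not part of either
Xen advisory, audits a Xen command line for both.  It assumes the usual
Xen boolean option spellings (`opt', `opt=1|yes|on|true', `no-opt',
`opt=0|no|off|false', last occurrence wins); the sample command line is
constructed, and on a live host the real one comes from `xl info'.

```shell
#!/bin/sh
# Added example (not from the Xen advisories): audit the hypervisor
# command line for the settings that expose XSA-167 and XSA-168.
# Assumption: Xen boolean options are spelled `opt', `opt=1|yes|on|true',
# `no-opt' or `opt=0|no|off|false', and the last occurrence wins.

# Prints on/off/absent for boolean option $2 on the command line $1.
xen_opt_state() {
    _opt=$2
    _state=absent
    for _tok in $1; do
        case "$_tok" in
            "no-$_opt"|"$_opt=0"|"$_opt=no"|"$_opt=off"|"$_opt=false")
                _state=off ;;
            "$_opt"|"$_opt=1"|"$_opt=yes"|"$_opt=on"|"$_opt=true")
                _state=on ;;
        esac
    done
    printf '%s\n' "$_state"
}

# Prints one finding per line for the command line in $1; no output
# means neither advisory's risky setting is present.
xen_cmdline_audit() {
    # XSA-167: any enabled allowsuperpage (allowhugepage on 4.0.x/3.4.x)
    # turns on the PV superpage code that lacks the sanity checks.
    for _o in allowsuperpage allowhugepage; do
        if [ "$(xen_opt_state "$1" "$_o")" = on ]; then
            echo "XSA-167: PV superpages enabled via $_o"
        fi
    done
    # XSA-168: hap=0 / no-hap forces shadow paging on every HVM guest,
    # the vulnerable configuration on Intel hardware.
    if [ "$(xen_opt_state "$1" hap)" = off ]; then
        echo "XSA-168: HAP disabled globally (hap=0 or no-hap)"
    fi
}

# Constructed sample command line.  On a live host use:
#   xen_cmdline_audit "$(xl info | sed -n 's/^xen_commandline *: *//p')"
SAMPLE_CMDLINE='placeholder dom0_mem=1024M allowsuperpage no-hap loglvl=all'

xen_cmdline_audit "$SAMPLE_CMDLINE"
```

A clean command line is necessary but not sufficient for XSA-168: the
guest configuration can still set `hap=0' per domain, so the `xl debug-keys
q' check in the previous advisory section remains the authoritative answer
for a running host.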

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa168.patch      xen-unstable, Xen 4.6.x, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x

$ sha256sum xsa168*
c95198a66485d6e538d113ce2b84630d77c15f597113c38fadd6bf1e24e4c8ec  xsa168.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJWn3dEAAoJEIP+FMlX6CvZLaAH/A1FzwQebCOF0MCEMcM9V/zK
At3L0XG5oBiVZVpbXAfYULeKaLtTGLBXqhBJjzej0FypCvEYX6BLBITLsw7kMqoW
JSYHNHlg4pLH2Wnf6i3fVC7EIHx5XNuDa8Zeyt73wEFJhVpp43PcMwMzBolTUBmP
+f5WDkLYflYXv+0XiHfbBLA2fl+K+A5OdDhKgjPZJouGvdfiZxX7EChR0asmmD1i
AbSZYTLGhdlSU+fvw+w2XUYSeINS1FEhsZxMbWMVuz7jmPBmOn6u8NLrBdZatYoE
Z2Fly81pWD7KDwusVscoLBdmBmI1Wr3u975j5EkQLbsCTsqo5ayP3BpfsieijIg=
=UJX5
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----