=====================================================================
CERT-Renater Information Note No. 2013/VULN434
_____________________________________________________________________
DATE : 01/10/2013
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Xen versions 3.3.x up to and
including Xen 4.3.x, xen-unstable.
======================================================================

http://xenbits.xen.org/xsa/advisory-62.html
http://xenbits.xen.org/xsa/advisory-64.html
http://xenbits.xen.org/xsa/advisory-66.html
______________________________________________________________________

            Xen Security Advisory CVE-2013-1442 / XSA-62
                              version 2

         Information leak on AVX and/or LWP capable CPUs

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

When a guest increases the set of extended state components for a vCPU
saved/restored via XSAVE/XRSTOR (to date this can only be the upper
halves of YMM registers, or AMD's LWP state) after already having
touched other extended registers restored via XRSTOR (e.g. floating
point or XMM ones) during its current scheduled CPU quantum, the
hypervisor would make those registers accessible without discarding the
values an earlier scheduled vCPU may have left in them.

IMPACT
======

A malicious domain may be able to leverage this to obtain sensitive
information such as cryptographic keys from another domain.

VULNERABLE SYSTEMS
==================

Xen 4.0 and onwards are vulnerable when run on systems with processors
supporting AVX and/or LWP.

Any kind of guest can exploit the vulnerability.

In Xen 4.0.2 through 4.0.4 as well as in Xen 4.1.x XSAVE support is
disabled by default; therefore systems running these versions are not
vulnerable unless support is explicitly enabled using the "xsave"
hypervisor command line option.

Systems using processors supporting neither AVX nor LWP are not
vulnerable.

Xen 3.x and earlier are not vulnerable.
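A quick exposure check for XSA-62 built from the version and CPU rules above and the "no-xsave" hypervisor option, added here as an example that is not part of the CERT-Renater bulletin or of the Xen project. It assumes a plain numeric Xen version string and, for live use only, the "xl info" field names and /proc/cpuinfo flag names noted in the comments.

```shell
#!/bin/sh
# Added example, not from the CERT-Renater bulletin or the Xen project:
# classify a host's exposure to XSA-62 (CVE-2013-1442) from its Xen
# version, hypervisor command line and CPU flags, following the
# VULNERABLE SYSTEMS rules of the advisory and its "no-xsave" mitigation.
#
# xsa62_exposure VERSION "XEN_CMDLINE" "CPU_FLAGS"
#   VERSION is assumed to be plain numeric, e.g. 4.1.5 or 4.3.0.
#   Prints one of:
#     not-vulnerable-version  Xen 3.x or earlier
#     no-cpu-support          processor supports neither AVX nor LWP
#     mitigated               "no-xsave" on the hypervisor command line
#     xsave-off-by-default    4.0.2-4.0.4 or 4.1.x without the "xsave" option
#     vulnerable              XSAVE active on an affected version
xsa62_exposure() {
  ver=$1; cmdline=$2; flags=$3
  major=${ver%%.*}; rest=${ver#*.}
  minor=${rest%%.*}; patch=${rest#*.}
  if [ "$patch" = "$rest" ]; then patch=0; fi      # "4.1" -> patch level 0
  if [ "$major" -lt 4 ]; then echo not-vulnerable-version; return 0; fi
  # Linux exposes these CPUID features as the "avx" and "lwp" cpuinfo flags.
  case " $flags " in
    *" avx "*|*" lwp "*) ;;
    *) echo no-cpu-support; return 0 ;;
  esac
  # The bare option names are matched exactly as the advisory spells them.
  case " $cmdline " in
    *" no-xsave "*) echo mitigated; return 0 ;;
  esac
  # Releases where XSAVE is off unless explicitly enabled with "xsave".
  off_by_default=0
  if [ "$major" -eq 4 ] && [ "$minor" -eq 1 ]; then off_by_default=1; fi
  if [ "$major" -eq 4 ] && [ "$minor" -eq 0 ] \
     && [ "$patch" -ge 2 ] && [ "$patch" -le 4 ]; then off_by_default=1; fi
  if [ "$off_by_default" -eq 1 ]; then
    case " $cmdline " in
      *" xsave "*) echo vulnerable ;;
      *) echo xsave-off-by-default ;;
    esac
    return 0
  fi
  echo vulnerable
}

# Live use on a dom0 (assumed "xl info" field names and /proc/cpuinfo layout):
#   xsa62_exposure "$(xl info | awk '/^xen_version/ {print $3}')" \
#     "$(xl info | sed -n 's/^xen_commandline *: *//p')" \
#     "$(grep -m1 '^flags' /proc/cpuinfo | cut -d: -f2)"
```

A "vulnerable" or "xsave-off-by-default" result still calls for applying the xsa62 patch; the classification only tells you whether the leak is reachable on the host as currently booted.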
MITIGATION
==========

Turning off XSAVE support via the "no-xsave" hypervisor command line
option will avoid the vulnerability.

CREDITS
=======

Jan Beulich discovered this issue.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa62.patch           Xen 4.2.x, 4.3.x, and unstable
xsa62-4.1.patch       Xen 4.1.x

$ sha256sum xsa62*.patch
3cec8ec26552f2142c044422f1bc0f77892e681d789d1f360ecc06e1d714b6bb  xsa62-4.1.patch
364577f317a714099c068eb1ab771643ada99b5067fdd1eb5149fa5db649b856  xsa62.patch
$
_________________________________________________________________

            Xen Security Advisory CVE-2013-4356 / XSA-64
                              version 3

     Memory accessible by 64-bit PV guests under live migration

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

On some hardware, during live migration of 64-bit PV guests, some parts
of the guest's shadow pagetables are mistakenly filled in with
hypervisor mappings. This causes Xen to crash when those mappings are
later cleared. Before the crash, a malicious guest could use hypercalls
to cause Xen to read and write the parts of memory pointed to by the
stray mappings.

IMPACT
======

A malicious 64-bit PV guest, on a vulnerable host system, that can
arrange for itself to be live-migrated, could read or write memory at
high physical addresses on the host.

Note that once such a guest begins live migration the host is likely to
eventually crash, either when the live migration completes or on an
earlier page fault. This crash could be avoided if the malicious guest
uses its improperly escalated privilege to prevent it.

VULNERABLE SYSTEMS
==================

Xen 4.3.x and xen-unstable are vulnerable. Xen 4.2.x and earlier
releases are not vulnerable.

In addition, only hosts with RAM extending past 5TB are affected.

On any host that is affected (and has not yet been successfully
attacked), live migration of a 64-bit PV guest will deterministically
crash the host.
If you can migrate a 64-bit PV guest from host A to host B, without
crashing host A, then host A is not affected by this bug.

MITIGATION
==========

Running only HVM and 32-bit PV guests or preventing live migration of
64-bit PV guests will avoid this issue.

CREDITS
=======

Andrew Cooper found the issue as a bug, which on examination by the
Xenproject.org Security Team turned out to be a security problem.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa64.patch           xen-unstable, xen-4.3

$ sha256sum xsa64.patch
061396916de992c43b8637909d315581589e5fc28f238aca6822947b45445a47  xsa64.patch
$
________________________________________________________________

            Xen Security Advisory CVE-2013-4361 / XSA-66
                              version 3

        Information leak through fbld instruction emulation

UPDATES IN VERSION 3
====================

Public Release.

ISSUE DESCRIPTION
=================

The emulation of the fbld instruction (which is used during I/O
emulation) uses the wrong variable for the source effective address. As
a result, the actual address used is an uninitialised bit pattern from
the stack.

A malicious guest might be able to find out information about the
contents of the hypervisor stack, by observing which values are
actually being used by fbld and inferring what the address must have
been. Depending on the actual values on the stack this attack might be
very difficult to carry out.

IMPACT
======

A malicious guest might conceivably gain access to sensitive data
relating to other guests.

VULNERABLE SYSTEMS
==================

Xen 3.3.x and later are vulnerable.

Only HVM guests can take advantage of this vulnerability.

MITIGATION
==========

Running only PV guests will avoid this issue. There is no mitigation
available for HVM guests.

We believe this vulnerability would require significant research to
exploit.

CREDITS
=======

Jan Beulich discovered this issue.

RESOLUTION
==========

Applying the attached patch resolves this issue.
xsa66.patch           Xen 4.2.x, Xen 4.3.x, xen-unstable

$ sha256sum xsa66.patch
3a9b6bf114eb19d708b68dd5973763ac83b57840bc0f6fbd1fe487797eaffed4  xsa66.patch
$
=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER               | tel  : 01-53-94-20-44              +
+ 23 - 25 Rue Daviel         | fax  : 01-53-94-20-41              +
+ 75013 Paris                | email: cert@support.renater.fr     +
==========================================================