=====================================================================

                           CERT-Renater

               Note d'Information No. 2013/VULN458
_____________________________________________________________________

DATE                : 10/10/2013

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S):  Systems running Xen versions 3.1.x, 4.2.x, 4.3.x,
                                                xen-unstable.

======================================================================
http://xenbits.xen.org/xsa/advisory-67.html
http://xenbits.xen.org/xsa/advisory-68.html
http://xenbits.xen.org/xsa/advisory-69.html
http://xenbits.xen.org/xsa/advisory-70.html
http://xenbits.xen.org/xsa/advisory-71.html
______________________________________________________________________

             Xen Security Advisory CVE-2013-4368 / XSA-67
                              version 2

         Information leak through outs instruction emulation

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The emulation of the outs instruction for 64-bit PV guests uses an
uninitialized variable as the segment base for the source data if an
FS: or GS: segment override is used, and if the segment descriptor the
respective non-null selector in the corresponding selector register
points to cannot be read by the emulation code (this is possible if the
segment register was loaded before a more recent GDT or LDT update,
i.e. the segment register contains stale data).

A malicious guest might be able to get hold of contents of the
hypervisor stack, through the fault address passed to the page fault
handler if the outs raises such a fault (which is mostly under guest
control).  Other methods for indirectly deducing information also exist.

IMPACT
======

A malicious 64-bit PV guest might conceivably gain access to sensitive
data relating to other guests.

VULNERABLE SYSTEMS
==================

Xen 3.1.x and later are vulnerable.

Only 64-bit PV guests can take advantage of this vulnerability.

MITIGATION
==========

Running only HVM or 32-bit PV guests will avoid this issue.

CREDITS
=======

This issue was discovered by Coverity Scan and Matthew Daley.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa67.patch             Xen 4.2.x, Xen 4.3.x, xen-unstable

$ sha256sum xsa67*.patch
7de3ac9baa6cd9fead46e68912dfa0189e900095317645d0e33d85346fc8a028
xsa67.patch
$
___________________________________________________________________

             Xen Security Advisory CVE-2013-4369 / XSA-68
                               version 2

     possible null dereference when parsing vif ratelimiting info

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The libxlu library function xlu_vif_parse_rate does not properly
handle inputs which consist solely of the '@' character, leading to a
NULL pointer dereference.

IMPACT
======

A toolstack which allows untrusted users to specify an arbitrary
configuration for the VIF rate can be subjected to a DOS.

The only known user of this library is the xl toolstack which does not
have a central long running daemon and therefore the impact is limited
to crashing the process which is creating the domain, which exists
only to service a single domain.

VULNERABLE SYSTEMS
==================

The vulnerable code is present from Xen 4.2 onwards.

MITIGATION
==========

Disallowing untrusted users from specifying arbitrary VIF rate limits
will avoid this issue.

CREDITS
=======

This issue was discovered by Coverity Scan and Matthew Daley.

RESOLUTION
==========

Applying the attached patch resolves this issue in all branches

xsa68.patch        xen-unstable, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa68*.patch
64716cb49696298e0bbd9556fe9d6f559a4e2785081e28d50607317b6e27ba32
xsa68.patch
$
___________________________________________________________________

             Xen Security Advisory CVE-2013-4370 / XSA-69
                               version 2

           misplaced free in ocaml xc_vcpu_getaffinity stub

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The ocaml binding for the xc_vcpu_getaffinity function incorrectly
frees a pointer before using it and subsequently freeing it again
afterwards. The code therefore contains a use-after-free and
double-free flaws.

IMPACT
======

An attacker may be able to cause a multithreaded toolstack written in
ocaml and using this function to race against itself leading to heap
corruption and a potential DoS.

Depending on the malloc implementation code execution cannot be ruled
out.

VULNERABLE SYSTEMS
==================

The flaw is present in Xen 4.2 onwards.

Systems using an ocaml based toolstack (e.g. xapi) are vulnerable.

MITIGATION
==========

Not calling the vcpu_getaffinity function will avoid this issue.

Not allowing untrusted users access to toolstack functionality will
avoid this issue.

CREDITS
=======

This issue was discovered by Coverity Scan and Matthew Daley.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa69.patch             Xen 4.3.x, Xen 4.2.x, xen-unstable


$ sha256sum xsa69*.patch
d3beb662aacf628b6a25ff6cfcd9526ab689aa43a56cf25e792a001f89b4edbc
xsa69.patch
$
___________________________________________________________________

             Xen Security Advisory CVE-2013-4371 / XSA-70
                               version 2

      use-after-free in libxl_list_cpupool under memory pressure

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

If realloc(3) fails then libxl_list_cpupool will incorrectly return
the now-free original pointer.

IMPACT
======

An attacker may be able to cause a multithreaded toolstack using this
function to race against itself leading to heap corruption and a
potential DoS.

Depending on the malloc implementation code execution cannot be ruled
out.

VULNERABLE SYSTEMS
==================

The flaw is present in Xen 4.2 onwards.

Systems using the libxl toolstack library are vulnerable.

MITIGATION
==========

Not calling the libxl_list_cpupool function will avoid this issue.

Not allowing untrusted users access to toolstack functionality will
avoid this issue.

CREDITS
=======

This issue was discovered by Coverity Scan and Matthew Daley.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa70.patch             Xen 4.3.x, Xen 4.2.x, xen-unstable


$ sha256sum xsa70*.patch
2582d3d545903af475436145f7e459414ad9d9c61d5720992eeeec42de8dde56
xsa70.patch
$
___________________________________________________________________

             Xen Security Advisory CVE-2013-4375 / XSA-71
                              version 2

               qemu disk backend (qdisk) resource leak

UPDATES IN VERSION 2
====================

Public release

Fix patch header corruption in xsa71-qemu-xen-unstable.patch.

ISSUE DESCRIPTION
=================

The qdisk PV disk backend in the qemu-xen flavour of qemu ("upstream
qemu") can be influenced by a malicious frontend to leak mapped grant
references.

IMPACT
======

A malicious HVM guest can cause the backend domain to run out of grant
references, leading to a DoS for any other domain which shares that
driver domain.

VULNERABLE SYSTEMS
==================

Any system which is using the qemu-xen qdisk backend for HVM guests is
vulnerable.

qemu-xen and qdisk are exposed by systems using libxl from Xen 4.2.0
onwards. In Xen 4.2.0 qemu-xen was a non-default option, from Xen
4.3.0 onwards qemu-xen is the default.

Xen 4.1.0 exposes qdisk via libxl but does not support qemu-xen and
therefore is not vulnerable.

The xend toolstack has never supported qdisk as a disk backend and
therefore such systems are not vulnerable.

Upstream qemu is vulnerable from version 1.1 onwards.

MITIGATION
==========

This vulnerability can be avoided by using a different block backend
(e.g. blkback or blktap2) or by using the qemu-xen-traditional version
of qemu.

Users of the xl toolstack, see docs/misc/xl-disk-configuration.txt for
information on forcing the use of a particular disk backend and
xl.cfg(5) for information on forcing the use of qemu-xen-traditional.

Systems which only run PV guests and/or run HVM guests without PV
drivers are not vulnerable.

CREDITS
=======

This issue was discovered by Coverity Scan and Matthew Daley.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa71-qemu-xen-unstable.patch        xen-unstable, Xen 4.3.x
xsa71-qemu-xen-4.2.patch             Xen 4.2.x


$ sha256sum xsa71*.patch
a3f667e251a32fa5eff4a78eae49acd020b2f340fb203dc08a033d43841b0a2a
xsa71-qemu-xen-4.2.patch
f5ec607babb01dc8f8065dfe121882af4c3d93c035bafbfed48825dea684d6d9
xsa71-qemu-xen-unstable.patch
$

=========================================================
Serveur de référence du CERT-Renater
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================