=====================================================================
CERT-Renater Information Note No. 2013/VULN528
_____________________________________________________________________
DATE                 : 03/12/2013
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Xen versions 3.0.3 and later.
======================================================================

http://xenbits.xen.org/xsa/advisory-78.html
http://xenbits.xen.org/xsa/advisory-74.html
http://xenbits.xen.org/xsa/advisory-76.html
______________________________________________________________________

            Xen Security Advisory CVE-2013-6375 / XSA-78
                            version 2

          Insufficient TLB flushing in VT-d (iommu) code

UPDATES IN VERSION 2
====================

This issue has been assigned CVE-2013-6375.

ISSUE DESCRIPTION
=================

An inverted boolean parameter resulted in TLB flushes not happening upon
clearing of a present translation table entry. Retaining stale TLB entries
could allow guests access to memory that ought to have been revoked, or
grant greater access than intended.

IMPACT
======

Malicious guest administrators might be able to cause host-wide denial of
service, or escalate their privilege to that of the host.

VULNERABLE SYSTEMS
==================

Xen 4.2.x and later are vulnerable.
Xen 4.1.x and earlier are not vulnerable.

Only systems using Intel VT-d for PCI passthrough are vulnerable.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices to untrusted guests
on systems supporting Intel VT-d.

NOTE REGARDING LACK OF EMBARGO
==============================

This issue was disclosed publicly on the xen-devel mailing list.

RESOLUTION
==========

Applying the attached patch resolves this issue.
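Added example, not code from the advisory or from Xen's VT-d implementation: an illustrative C model of the inverted-boolean flush defect described in the XSA-78 issue description, with the vulnerable clear beside the corrected one and a constructed single-entry table showing which physical address a device can still reach after the entry is cleared. The names flush_iotlb, iommu_model and PTE_PRESENT are assumptions of this model.

```c
#include <stdbool.h>
#include <stdint.h>

/* Illustrative model (not Xen's VT-d code): a DMA translation table whose
 * entries a device caches in an IOMMU TLB.  Clearing a present entry must
 * flush that cached translation, or the device keeps using the old one. */
#define PTE_PRESENT 1u
struct iommu_model { uint64_t pte[8]; uint64_t tlb[8]; }; /* tlb 0 = not cached */

/* The flush helper only acts when told the entry was present. */
static void flush_iotlb(struct iommu_model *m, int idx, bool was_present)
{
    if (was_present)
        m->tlb[idx] = 0;
}

/* Vulnerable clear (the XSA-78 pattern): the boolean is passed inverted,
 * so a present entry's cached translation is never flushed. */
void clear_entry_vulnerable(struct iommu_model *m, int idx)
{
    bool present = (m->pte[idx] & PTE_PRESENT) != 0;
    m->pte[idx] = 0;
    flush_iotlb(m, idx, !present);
}

/* Fixed clear: flush exactly when the entry was present. */
void clear_entry_fixed(struct iommu_model *m, int idx)
{
    bool present = (m->pte[idx] & PTE_PRESENT) != 0;
    m->pte[idx] = 0;
    flush_iotlb(m, idx, present);
}

/* Maps one constructed entry, lets the device cache it, clears it with
 * either variant and returns the physical address the device can still
 * reach through the cached copy (0 means the translation is gone). */
uint64_t reachable_after_clear(bool use_fixed)
{
    struct iommu_model m = {{0}, {0}};
    m.pte[2] = 0x10000 | PTE_PRESENT;
    m.tlb[2] = m.pte[2];                 /* device already translated it */
    if (use_fixed)
        clear_entry_fixed(&m, 2);
    else
        clear_entry_vulnerable(&m, 2);
    uint64_t e = m.tlb[2] ? m.tlb[2] : m.pte[2];
    return (e & PTE_PRESENT) ? (e & ~(uint64_t)PTE_PRESENT) : 0;
}
```

With the inverted argument the device still resolves the revoked entry to its old physical page; with the corrected call the translation is gone.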
xsa78.patch           Xen 4.2.x, Xen 4.3.x, xen-unstable

$ sha256sum xsa78*.patch
bb13b280bb456c1d7c8f468e23e336e6b2d06eb364c6823f1b426fcfe09f6ed3  xsa78.patch
$
____________________________________________________________________

            Xen Security Advisory CVE-2013-4553 / XSA-74
                            version 3

       Lock order reversal between page_alloc_lock and mm_rwlock

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The locks page_alloc_lock and mm_rwlock are not always taken in the same
order. This raises the possibility of deadlock.

The incorrect order occurs only in the implementation of the deprecated
domctl hypercall XEN_DOMCTL_getmemlist.

IMPACT
======

A malicious guest administrator may be able to deny service to the entire
host.

VULNERABLE SYSTEMS
==================

Xen 3.4.x and later are vulnerable.
Xen 3.3.x and earlier are not vulnerable.

Only systems where a privileged domain frequently or predictably uses
XEN_DOMCTL_getmemlist are vulnerable. (Its use by manually invoked
debugging and stress testing tools is not a security problem.)

We are not aware of any toolstack software which has relevant (and hence
vulnerable) uses of this hypercall. xend, libxl, xapi and libvirt are known
not to do so. We are therefore not aware of any deployed Xen-based systems
which are vulnerable.

We are issuing this advisory primarily for the benefit of any Xen-derived
systems using unusual toolstack software.

MITIGATION
==========

If you are using a toolstack (or other software) which uses
XEN_DOMCTL_getmemlist, disabling the relevant feature or functions may be
possible, and would avoid the vulnerability.

CREDITS
=======

This issue was discovered by Coverity Scan and diagnosed by Andrew Cooper.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.
xsa74-4.3-unstable.patch   Xen 4.3.x, xen-unstable
xsa74-4.1-4.2.patch        Xen 4.1.x, Xen 4.2.x

$ sha256sum xsa74*.patch
0f7d0bbfbd7f3f1b6f6005321fa45081524dad438587f691e6892cc393327f89  xsa74-4.1-4.2.patch
b505cdba662b1b1cd91d5611fac998c6b4e89e366780c6b9864b6965075afb38  xsa74-4.3-unstable.patch
$
____________________________________________________________________

            Xen Security Advisory CVE-2013-4554 / XSA-76
                            version 3

       Hypercalls exposed to privilege rings 1 and 2 of HVM guests

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The privilege check applied to hypercall attempts by an HVM guest only
refused access from ring 3; rings 1 and 2 were allowed through.

IMPACT
======

Code running in the intermediate privilege rings of HVM guest OSes may be
able to elevate its privileges inside the guest by careful hypercall use.

VULNERABLE SYSTEMS
==================

Xen 3.0.3 and later are vulnerable.
Xen 3.0.2 and earlier are not vulnerable.

MITIGATION
==========

Running only PV guests, or running HVM guests known not to make use of
protection rings 1 and 2, will avoid this issue. As far as we are aware, no
mainstream OS (Linux, Windows, BSD) makes use of these rings.

CREDITS
=======

This issue was discovered by Jan Beulich.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa76.patch           xen-unstable, Xen 4.3.x, Xen 4.2.x, Xen 4.1.x

$ sha256sum xsa76*.patch
8c4d460c71e8e8dffa32ce24f57ce872ccd8623ab72fd38be432f0a2b097e7c1  xsa76.patch
$
=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER           | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel     | fax : 01-53-94-20-41           +
+ 75013 Paris            | email: cert@support.renater.fr +
==========================================================
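Added example, not code from the advisory or from Xen: an illustrative C model of the hypercall privilege gate described in XSA-76 above, with the ring-3-only refusal beside the ring-0-only admission and a review helper that enumerates which rings each variant lets through. It assumes, as a simplification, that the guest's current privilege level is the low two bits of its CS selector; the function names are assumptions of this model.

```c
#include <stdbool.h>
#include <stdint.h>

/* Illustrative model (not Xen's code) of the privilege check a hypervisor
 * applies when an HVM guest executes a hypercall instruction.  Assumed
 * simplification: the current privilege level is the low two bits of the
 * guest's CS selector. */
static unsigned int guest_cpl(uint16_t cs_selector)
{
    return cs_selector & 3u;
}

/* Vulnerable gate, as XSA-76 describes it: only ring 3 is refused, so
 * guest code running in rings 1 and 2 reaches the hypercall dispatcher. */
bool hypercall_allowed_vulnerable(uint16_t cs_selector)
{
    return guest_cpl(cs_selector) != 3;
}

/* Hardened gate: every ring except the guest kernel's ring 0 is refused. */
bool hypercall_allowed_fixed(uint16_t cs_selector)
{
    return guest_cpl(cs_selector) == 0;
}

/* Review helper: bitmask of rings (bit r = ring r) a gate lets through,
 * probed with constructed selectors (GDT index 1, TI=0, RPL=ring). */
unsigned int rings_admitted(bool (*gate)(uint16_t))
{
    unsigned int mask = 0;
    for (unsigned int ring = 0; ring < 4; ring++) {
        uint16_t sel = (uint16_t)((1u << 3) | ring);
        if (gate(sel))
            mask |= 1u << ring;
    }
    return mask;
}
```

The vulnerable gate admits rings 0, 1 and 2 (mask 0x7); the hardened gate admits ring 0 only (mask 0x1), which is the check the mitigation text assumes mainstream guest kernels rely on.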