
=====================================================================

                           CERT-Renater

               Information Note No. 2014/VULN211
_____________________________________________________________________

DATE                : 30/09/2014

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Xen Versions 3.x, 4.x.

======================================================================
http://xenbits.xen.org/xsa/advisory-108.html
http://xenbits.xen.org/xsa/advisory-106.html
http://xenbits.xen.org/xsa/advisory-105.html
http://xenbits.xen.org/xsa/advisory-104.html
______________________________________________________________________


              Xen Security Advisory CVE-2014-7188 / XSA-108
                              version 4

              Improper MSR range used for x2APIC emulation

UPDATES IN VERSION 4
====================

Public release.

ISSUE DESCRIPTION
=================

The MSR range specified for APIC use in the x2APIC access model spans
256 MSRs. Hypervisor code emulating read and write accesses to these
MSRs erroneously covered 1024 MSRs. While the write emulation path is
written such that accesses to the extra MSRs would not have any bad
effect (they end up being no-ops), the read path would (attempt to)
access memory beyond the single page set up for APIC emulation.
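As an added illustration (not Xen's own code), the following shows how the too-wide MSR bound described above turns into a read past the single APIC page; it assumes the architectural x2APIC MSR base 0x800 and the usual mapping of MSR 0x800+n to APIC register offset n*16, and the function and macro names are chosen here for the example.

```c
/* Added illustration, not Xen's code: a too-wide MSR range bound turning
 * into an out-of-page read in x2APIC emulation (XSA-108). Assumes x2APIC
 * MSR base 0x800 and MSR 0x800+n at offset n*16 of one 4 KiB APIC page. */
#include <stdbool.h>
#include <stdint.h>

#define X2APIC_MSR_BASE 0x800u
#define APIC_PAGE_SIZE  4096u

/* Range as the advisory describes the defect: 1024 MSRs (0x800..0xBFF). */
static bool x2apic_msr_in_range_buggy(uint32_t msr)
{
    return msr >= X2APIC_MSR_BASE && msr <= X2APIC_MSR_BASE + 0x3ff;
}

/* Corrected range: the architectural 256 MSRs (0x800..0x8FF). */
static bool x2apic_msr_in_range_fixed(uint32_t msr)
{
    return msr >= X2APIC_MSR_BASE && msr <= X2APIC_MSR_BASE + 0xff;
}

/* Byte offset the emulated read would touch in the APIC page. */
static uint32_t x2apic_msr_to_offset(uint32_t msr)
{
    return (msr - X2APIC_MSR_BASE) << 4;
}

/* Emulated read under a given range check: false when the MSR is rejected
 * as non-APIC; *oob set when an accepted read would reach past the page. */
static bool emulate_x2apic_read(uint32_t msr, bool (*in_range)(uint32_t),
                                bool *oob)
{
    *oob = false;
    if (!in_range(msr))
        return false;
    *oob = x2apic_msr_to_offset(msr) + sizeof(uint32_t) > APIC_PAGE_SIZE;
    return true;
}

/* MSRs in 0x800..0xBFF that a check accepts although the read would leave
 * the page: 768 with the buggy bound, 0 with the corrected one. */
static unsigned count_out_of_page_msrs(bool (*in_range)(uint32_t))
{
    unsigned n = 0; bool oob;
    for (uint32_t msr = X2APIC_MSR_BASE; msr < X2APIC_MSR_BASE + 0x400; msr++)
        if (emulate_x2apic_read(msr, in_range, &oob) && oob)
            n++;
    return n;
}
```

The write path is not modelled because, as the advisory notes, the extra MSRs are no-ops there; only the read path reaches outside the page.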

IMPACT
======

A buggy or malicious HVM guest can crash the host or read data
relating to other guests or the hypervisor itself.

VULNERABLE SYSTEMS
==================

Xen 4.1 and onward are vulnerable.

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

CREDITS
=======

This issue was discovered by Jan Beulich at SUSE.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa108.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa108*.patch
cf7ecf4b4680c09e8b1f03980d8350a0e1e7eb03060031788f972e0d4d47203e  xsa108.patch
$
______________________________________________________________________


            Xen Security Advisory CVE-2014-7156 / XSA-106
                              version 3

    Missing privilege level checks in x86 emulation of software interrupts

UPDATES IN VERSION 3
====================

This issue has been assigned CVE-2014-7156.

ISSUE DESCRIPTION
=================

The emulation of instructions which generate software interrupts fails
to perform supervisor mode permission checks.

However, these instructions are not usually handled by the emulator.
Exceptions to this are
- when a memory operand (implicit for the affected instructions)
  lives in (emulated or passed through) memory mapped IO space,
- in the case of guests running in 32-bit PAE mode, when such an
  instruction is (in execution flow) within four instructions of one
  doing a page table update,
- when an Invalid Opcode exception gets raised by a guest
  instruction, and the guest then (likely maliciously) alters the
  instruction to become one of the affected ones,
- when the guest is in real mode (in which case there are no
  privilege checks anyway).

IMPACT
======

Malicious HVM guest user mode code may be able to crash the guest.

VULNERABLE SYSTEMS
==================

Xen versions from 3.3 onwards are vulnerable.

Only user processes in HVM guests can take advantage of this
vulnerability.

MITIGATION
==========

Running only PV guests will avoid this issue.

There is no mitigation available for HVM guests.

CREDITS
=======

This issue was discovered by Andrei Lutas at BitDefender and analyzed by
Andrew Cooper at Citrix.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa106.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa106*.patch
301060f801ab39c15ac773e1bcc250f0e6bf30d748007a96173459b83afc9270  xsa106.patch
$
______________________________________________________________________


            Xen Security Advisory CVE-2014-7155 / XSA-105
                              version 3

    Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation

UPDATES IN VERSION 3
====================

This issue has been assigned CVE-2014-7155.

ISSUE DESCRIPTION
=================

The emulation of the instructions HLT, LGDT, LIDT, and LMSW fails to
perform supervisor mode permission checks.

However, these instructions are not usually handled by the emulator.
Exceptions to this are
- when the instruction's memory operand (if any) lives in (emulated
  or passed through) memory mapped IO space,
- in the case of guests running in 32-bit PAE mode, when such an
  instruction is (in execution flow) within four instructions of one
  doing a page table update,
- when an Invalid Opcode exception gets raised by a guest
  instruction, and the guest then (likely maliciously) alters the
  instruction to become one of the affected ones.

Malicious guest user mode code may be able to leverage this to install
e.g. its own Interrupt Descriptor Table (IDT).
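As an added illustration serving both XSA-106 and XSA-105 (not Xen's emulator code), the following is the supervisor-mode check the two descriptions say was missing: in protected mode HLT, LGDT, LIDT and LMSW raise #GP(0) unless CPL is 0, and INT n raises #GP with error code vector*8+2 when the IDT gate's DPL is below the current CPL, while real mode performs no checks; the enum, struct and IDT table are constructed for the example.

```c
/* Added illustration, not Xen's emulator: the supervisor-mode check that
 * XSA-106 (software interrupts) and XSA-105 (HLT, LGDT, LIDT, LMSW)
 * describe as missing. Assumes an already decoded instruction and a
 * constructed IDT that records only each gate's DPL. */
#include <stdbool.h>
#include <stdint.h>

enum insn { INSN_HLT, INSN_LGDT, INSN_LIDT, INSN_LMSW, INSN_INT_N, INSN_OTHER };

#define EXC_NONE (-1)
#define EXC_GP   13   /* #GP, general protection fault */

struct exc { int vector; uint32_t error_code; };

/* Constructed IDT: DPL of each gate (3 = reachable from user mode). */
static uint8_t idt_gate_dpl[256];

static uint8_t idt_set_dpl(uint8_t vector, uint8_t dpl)
{
    return idt_gate_dpl[vector] = dpl & 3;
}

/* Decides whether the emulator may carry out the instruction at the
 * guest's current privilege level (cpl, 0..3). Returns the exception
 * to inject, or vector EXC_NONE when emulation may proceed. */
static struct exc privilege_check(enum insn i, unsigned cpl, uint8_t vector,
                                  bool real_mode)
{
    struct exc none = { EXC_NONE, 0 }, gp = { EXC_GP, 0 };
    if (real_mode)                 /* real mode has no privilege checks */
        return none;
    switch (i) {
    case INSN_HLT: case INSN_LGDT: case INSN_LIDT: case INSN_LMSW:
        /* Privileged instructions: #GP(0) unless executing at CPL 0. */
        return cpl == 0 ? none : gp;
    case INSN_INT_N:
        /* INT n: the gate must be callable from the current CPL, else
         * #GP with error code vector*8+2 (the IDT bit set). */
        if (cpl > idt_gate_dpl[vector]) {
            gp.error_code = (uint32_t)vector * 8 + 2;
            return gp;
        }
        return none;
    default:
        return none;
    }
}
```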

IMPACT
======

Malicious HVM guest user mode code may be able to crash the guest or
escalate its own privilege to guest kernel mode.

VULNERABLE SYSTEMS
==================

Xen versions from at least 3.2.x onwards are vulnerable.  Older
versions have not been inspected.

Only user processes in HVM guests can take advantage of this
vulnerability.

MITIGATION
==========

Running only PV guests will avoid this issue.

There is no mitigation available for HVM guests.

CREDITS
=======

This issue was discovered by Andrei Lutas at BitDefender and analyzed by
Andrew Cooper at Citrix.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa105.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa105*.patch
dfb5ede7cc5609a812a7b1239479cefd387f9f9c8c25e11e64199bc592ad7e39  xsa105.patch
$
______________________________________________________________________


            Xen Security Advisory CVE-2014-7154 / XSA-104
                              version 3

               Race condition in HVMOP_track_dirty_vram

UPDATES IN VERSION 3
====================

This issue has been assigned CVE-2014-7154.

ISSUE DESCRIPTION
=================

The routine controlling the setup of dirty video RAM tracking latches
the value of a pointer before taking the respective guarding lock, thus
making it possible for a stale pointer to be used by the time the lock
got acquired and the pointer gets dereferenced.

The hypercall providing access to the affected function is available to
the domain controlling HVM guests.

IMPACT
======

Malicious or buggy stub domain kernels or tool stacks otherwise living
outside of Domain0 can mount a denial of service attack which, if
successful, can affect the whole system.

Only domains controlling HVM guests can exploit this vulnerability.
(This includes domains providing hardware emulation services to HVM
guests.)

VULNERABLE SYSTEMS
==================

Xen versions from 4.0.0 onwards are vulnerable.

This vulnerability is only applicable to Xen systems using stub
domains or other forms of disaggregation of control domains for HVM
guests.

MITIGATION
==========

There is no mitigation available for this issue.

(The security of a Xen system using stub domains is still better than
with a qemu-dm running as an unrestricted dom0 process.  Therefore
users with these configurations should not switch to an unrestricted
dom0 qemu-dm.)

CREDITS
=======

This issue was discovered by Andrew Cooper at Citrix.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa104.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa104*.patch
fc02f6365ca79a6ef386c882b57fab8b56aa12b54fc9b05054552f0f25e32047  xsa104.patch
$

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
