===================================================================== CERT-Renater Note d'Information No. 2014/VULN278 _____________________________________________________________________ DATE : 01/12/2014 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Xen versions 3.2.x up to and including xen-unstable, Xen 4.4.x. ====================================================================== http://xenbits.xen.org/xsa/advisory-111.html http://xenbits.xen.org/xsa/advisory-112.html http://xenbits.xen.org/xsa/advisory-113.html ______________________________________________________________________ Xen Security Advisory CVE-2014-8866 / XSA-111 version 3 Excessive checking in compatibility mode hypercall argument translation UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= The hypercall argument translation needed for 32-bit guests running on 64-bit hypervisors performs checks on the final register state. These checks cover all registers potentially holding hypercall arguments, not just the ones actually doing so for the hypercall being processed, since the code was originally intended for use only by PV guests. While this is not a problem for PV guests (as they can't enter 64-bit mode and hence can't alter the high halves of any of the registers), the subsequent reuse of the same functionality for HVM guests exposed those checks to values (specifically, unexpected values for the high halves of registers not holding hypercall arguments) controlled by guest software. IMPACT ====== A buggy or malicious HVM guest can crash the host. VULNERABLE SYSTEMS ================== Xen 3.3 and onward are vulnerable. Only x86 systems are vulnerable. ARM systems are not vulnerable. MITIGATION ========== Running only PV guests will avoid this issue. There is no mitigation available for HVM guests on any version of Xen so far released by xenproject.org. CREDITS ======= This issue was discovered by Jan Beulich of SUSE. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa111-unstable.patch xen-unstable, Xen 4.4.x xsa111-4.3.patch Xen 4.3.x xsa111-4.2.patch Xen 4.2.x $ sha256sum xsa111*.patch f6e1bf166ebed6235802e4e42853430d2f5b456c1837908a4f7ed6d4d150e4b4 xsa111-4.2.patch e9b03a4443a40142cc5c21848dc9589770620dde8924344c4a00028c4dace9f2 xsa111-4.3.patch 3c418f065cd452c225af34c3cccf9bdbc37efb6c6a5fc5940fd83ad8620510d3 xsa111.patch $ ____________________________________________________________________ Xen Security Advisory CVE-2014-8867 / XSA-112 version 5 Insufficient bounding of "REP MOVS" to MMIO emulated inside the hypervisor UPDATES IN VERSION 5 ==================== Public release. ISSUE DESCRIPTION ================= Acceleration support for the "REP MOVS" instruction, when the first iteration accesses memory mapped I/O emulated internally in the hypervisor, incorrectly assumes that the whole range accessed is handled by the same hypervisor sub-component. IMPACT ====== A buggy or malicious HVM guest can crash the host. VULNERABLE SYSTEMS ================== Xen versions from at least 3.2.x onwards are vulnerable on x86 systems. Older versions have not been inspected. ARM systems are not vulnerable. MITIGATION ========== Running only PV guests will avoid this issue. There is no mitigation available for HVM guests. CREDITS ======= This issue was discovered by Jan Beulich of SUSE. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa112-unstable.patch xen-unstable, Xen 4.4.x, Xen 4.3.x xsa112-4.2.patch Xen 4.2.x $ sha256sum xsa112*.patch cf01a1acd258e7cbb3586e543ba3668c1ee7fb05cba19b8b5369a3e101a2288f xsa112-4.2.patch cc39a4cdcb52929ed36ab696807d2405aa552177a6f029d8a1a52041ca1ed519 xsa112.patch $ We have been told that this patch is not sufficient on Xen 3.3.x and earlier without also backporting b1b6362f (git commit id). Note that while we are happy to share information we receive about earlier Xen versions, the earliest Xen branch for which the Xen Project offers security support is 4.2.x. ______________________________________________________________________ Xen Security Advisory CVE-2014-9030 / XSA-113 version 2 Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling UPDATES IN VERSION 2 ==================== CVE assigned. ISSUE DESCRIPTION ================= An error handling path in the processing of MMU_MACHPHYS_UPDATE failed to drop a page reference which was acquired in an earlier processing step. IMPACT ====== Malicious or buggy stub domain kernels or tool stacks otherwise living outside of Domain0 can mount a denial of service attack which, if successful, can affect the whole system. Only domains controlling HVM guests can exploit this vulnerability. (This includes domains providing hardware emulation services to HVM guests.) VULNERABLE SYSTEMS ================== Xen versions from at least 3.2.x onwards are vulnerable on x86 systems. Older versions have not been inspected. ARM systems are not vulnerable. This vulnerability is only applicable to Xen systems using stub domains or other forms of disaggregation of control domains for HVM guests. MITIGATION ========== Running only PV guests will avoid this issue. (The security of a Xen system using stub domains is still better than with a qemu-dm running as an unrestricted dom0 process. Therefore users with these configurations should not switch to an unrestricted dom0 qemu-dm.) NOTE REGARDING LACK OF EMBARGO ============================== A draft of this advisory was mistakenly sent to xen-devel. The Xen Project Security Team apologises for this error. We are working to share best working practices amongst the team to reduce the risks of recurrance. CREDITS ======= This issue was discovered by Andrew Cooper of Citrix. RESOLUTION ========== Applying the attached patch resolves this issue. xsa113.patch xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x $ sha256sum xsa113*.patch a0f2b792a6b4648151f85fe13961b0bf309a568ed03e1b1d4ea01e4eabf1b18e xsa113.patch $ ========================================================= Serveur de référence du CERT-Renater https://services.renater.fr/ssi/ ========================================================== + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: cert@support.renater.fr + ==========================================================