=====================================================================
                            CERT-Renater

                 Information Note No. 2025/VULN410
_____________________________________________________________________

DATE                 : 03/07/2025

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Xen.

=====================================================================
https://xenbits.xen.org/xsa/advisory-470.html
_____________________________________________________________________

            Xen Security Advisory CVE-2025-27465 / XSA-470
                               version 2

       x86: Incorrect stubs exception handling for flags recovery

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

Certain instructions need intercepting and emulating by Xen. In some
cases Xen emulates the instruction by replaying it, using an executable
stub. Some instructions may raise an exception, which is supposed to be
handled gracefully. Certain replayed instructions have additional logic
to set up and recover the changes to the arithmetic flags.

For replayed instructions where the flags recovery logic is used, the
metadata for exception handling was incorrect, preventing Xen from
handling the exception gracefully, treating it as fatal instead.

IMPACT
======

An unprivileged guest can cause a hypervisor crash, causing a Denial of
Service (DoS) of the entire host.

VULNERABLE SYSTEMS
==================

Xen 4.9 and onwards are vulnerable. Xen 4.8 and older are not
vulnerable.

Only x86 systems are vulnerable. ARM systems are not vulnerable.

Only HVM or PVH guests can leverage the vulnerability. PV guests cannot
leverage the vulnerability.

MITIGATION
==========

There are no mitigations.

CREDITS
=======

This issue was discovered by Andrew Cooper of XenServer.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball. Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa470.patch           xen-unstable - Xen 4.18.x
xsa470-4.17.patch      Xen 4.17.x

$ sha256sum xsa470*
99d7fbe6acb27aa13c586acbc8d15d00b04bb040bb0cb5f8feca495f0f414a10  xsa470.patch
2c6490978bd1ba1578a4c1102a521cf4d01d99792a363708bb1e6a1b879b1f5c  xsa470-4.17.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |  email:cert@support.renater.fr  +
=========================================================
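
Added example, not part of the Xen or CERT-Renater advisory: a triage helper that applies the VULNERABLE SYSTEMS criteria above (x86, Xen 4.9 or later, HVM or PVH guests) to a host's `xl info` and `xl list -l` output. The sample inputs are constructed, the field layout (`machine`, `xen_major`, `xen_minor`, `config.c_info.type`) is an assumption about what those commands print, and the function names are hypothetical.

```python
import json

# Constructed sample inputs (not from the advisory): trimmed `xl info` text
# and `xl list -l` JSON, in the shape these commands are assumed to print.
SAMPLE_XL_INFO = """\
host                   : hv01.example
machine                : x86_64
xen_major              : 4
xen_minor              : 17
xen_extra              : .5
"""
SAMPLE_XL_LIST = json.dumps([
    {"domid": 0, "config": {"c_info": {"type": "pv", "name": "Domain-0"}}},
    {"domid": 3, "config": {"c_info": {"type": "hvm", "name": "tenant-a"}}},
    {"domid": 4, "config": {"c_info": {"type": "pv", "name": "tenant-b"}}},
    {"domid": 7, "config": {"c_info": {"type": "pvh", "name": "tenant-c"}}},
])


def parse_xl_info(text):
    """Turn 'key : value' lines into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def xsa470_exposure(xl_info_text, xl_list_json):
    """Apply the advisory's criteria: x86, Xen >= 4.9, HVM or PVH guests.

    The version alone cannot show whether the fix is applied, so 'in_scope'
    means "vulnerable unless the XSA-470 patch is in this build".
    """
    info = parse_xl_info(xl_info_text)
    version = (int(info["xen_major"]), int(info["xen_minor"]))
    is_x86 = info.get("machine", "").startswith("x86")
    in_scope = is_x86 and version >= (4, 9)
    guests = []
    if in_scope:
        for dom in json.loads(xl_list_json):
            c_info = dom.get("config", {}).get("c_info", {})
            # Dom0 is skipped: the advisory concerns unprivileged guests.
            if dom.get("domid") != 0 and c_info.get("type") in ("hvm", "pvh"):
                guests.append(c_info.get("name", str(dom.get("domid"))))
    return {"version": version, "in_scope": in_scope, "triggering_guests": guests}


if __name__ == "__main__":
    print(xsa470_exposure(SAMPLE_XL_INFO, SAMPLE_XL_LIST))
```

A host that is in scope but lists no HVM or PVH guests is still running vulnerable code; it only lacks a guest type able to reach it at the time of the check.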