Date: Thu, 18 Apr 2013 13:50:55 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security@....org> Subject: Xen Security Advisory 44 (CVE-2013-1917) - Xen PV DoS vulnerability with SYSENTER -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2013-1917 / XSA-44 version 3 Xen PV DoS vulnerability with SYSENTER UPDATES IN VERSION 3 ==================== Backported patch for 4.0 now available. ISSUE DESCRIPTION ================= The SYSENTER instruction can be used by PV guests to accelerate system call processing. This instruction, however, leaves the EFLAGS register mostly unmodified - in particular, the NT flag doesn't get cleared. If the hypervisor subsequently uses IRET to return to the guest (which it will always do if the guest is a 32-bit one), that instruction will cause a #GP fault to be raised, but the recovery code in the hypervisor will again try to use IRET without intermediately clearing the NT flag. The #GP fault raised on this second IRET is a fatal event, causing the hypervisor to crash. IMPACT ====== Malicious or buggy unprivileged user space can cause the entire host to crash. VULNERABLE SYSTEMS ================== All 64-bit Xen versions from 3.1 onwards running on Intel CPUs are vulnerable. 32-bit Xen is not affected, as it doesn't permit the use of SYSENTER by PV guests. 64-bit Xen run on AMD CPUs isn't affected since AMD CPUs don't allow the use of SYSENTER in long mode. The vulnerability is only exposed by PV guests. MITIGATION ========== Running only HVM guests, or running PV guests on only 32-bit hosts or only AMD CPUs will avoid this vulnerability. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa44-4.0.patch Xen 4.0.x xsa44-4.1.patch Xen 4.1.x xsa44-4.2.patch Xen 4.2.x xsa44-unstable.patch xen-unstable $ sha256sum xsa44*.patch 4de554d29adbae41a65d401becd9d074be27932ad9f3e0ed78ecb89de3ed35b5 xsa44-4.0.patch 3dbf47224be0f8fc66ba08d8a46b910bd9a3e672ffe864aa77c698bef0e27783 xsa44-4.1.patch c6c3afa228426d78e0484b7ac34210f642f79add35c4a04ca5ff7db5f2539e49 xsa44-4.2.patch 0e6ad83da75dc207a165411844c0985fd7f9588d92c2c95911c245485351bf36 xsa44-unstable.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJRb/oqAAoJEIP+FMlX6CvZ9EYH/2OAz/GRAX4A2Y52HoUfslN9 lZa4YNJOtPOuLITMeapu7MXBgRJYA/GPFzfBVlAoPNQTNpUD0Mfxvwz9mVGIUtNX t0Mriz/oFGDqHzvz3rksmvG9y6tMfwa++srXms/uTXd3T1CxeGIHA4hMuvCRkMAU HQHQ1pfsK6XGHV+ITeJVBGEwKh+aDxBfqIXDU1yhgTA9djpsHXWNAsu5mNRBsb0i zMVxZg+x1maHhxigLwsEm1poxneWhkq+0pvTo/hCdK2XcK9NaUXNAALMZfQn5kgK IwaC52V3FJSxErIWlZz6IW6Zq4tugzu/VJ92hrM0fubd04mfFG15+buc+NdUmvk= =qSef -----END PGP SIGNATURE----- Download attachment "xsa44-4.0.patch" of type "application/octet-stream" (3220 bytes) Download attachment "xsa44-4.1.patch" of type "application/octet-stream" (2844 bytes) Download attachment "xsa44-4.2.patch" of type "application/octet-stream" (2843 bytes) Download attachment "xsa44-unstable.patch" of type "application/octet-stream" (1670 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ