Date: Tue, 08 May 2018 17:00:19 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security-team-members@....org> Subject: Xen Security Advisory 261 - x86 vHPET interrupt injection errors -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory XSA-261 version 2 x86 vHPET interrupt injection errors UPDATES IN VERSION 2 ==================== Versions 3.1 ... 3.3 don't appear to be vulnerable. Public release. Updated .meta file ISSUE DESCRIPTION ================= The High Precision Event Timer (HPET) can be configured to deliver interrupts in one of three different modes - through legacy interrupts; through the IO-APIC; or optionally via a method similar to PCI MSI. The last mode is optional and not implemented by Xen. However, of the first two modes, only the legacy variant was properly implemented. If a guest set up an HPET timer in IO-APIC mode, Xen would still handle this using the code for the legacy mode. Unfortunately, the available IO-APIC mode interrupt numbers are higher than legacy mode interrupts. The result was array overruns. IMPACT ====== A malicious or buggy HVM guest may cause a hypervisor crash, resulting in a Denial of Service (DoS) affecting the entire host. Privilege escalation, or information leaks, cannot be excluded. VULNERABLE SYSTEMS ================== Xen versions 3.4 and later are vulnerable. Only x86 systems are vulnerable. ARM systems are not vulnerable. Only x86 HVM guests can exploit the vulnerability. x86 PV and PVH guests cannot exploit the vulnerability. Only x86 HVM guests provided with hypervisor-side HPET emulation can exploit the vulnerability. That is the default configuration. x86 HVM guests whose configuration explicitly disables this emulation (via "hpet=0") cannot exploit the vulnerability. MITIGATION ========== Running only PV or PVH guests avoids the vulnerability. Not exposing the hypervisor based HPET emulation to HVM guests, by adding "hpet=0" to the guest configuration, also avoids the vulnerability. CREDITS ======= This issue was discovered by Roger Pau Monné of Citrix. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa261.patch xen-unstable, Xen 4.10.x xsa261-4.9.patch Xen 4.9.x xsa261-4.8.patch Xen 4.8.x xsa261-4.7.patch Xen 4.7.x, Xen 4.6.x $ sha256sum xsa261* 7b7bbf0fb497491911816e522902f72d3b41355ba71455ab82ebf980160d1a1f xsa261.meta 175501977204db84d08a6fd81d9fd4b69f97f70cbf6f65e6ce0abfeab03eae95 xsa261.patch 98fb28bac871aae7c2f897a5506a2b03f340bf122a3a7f65aa65f3b3c9a525b4 xsa261-4.7.patch 503f1476813e6572dc37b5a0df65b5390567230d9cc006752bf72bf57bbd754d xsa261-4.8.patch f1aac841327d3b5b1e2007b4ebe56223de488e1eb2fa636653725d7d7cd5f82a xsa261-4.9.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches described above (or others which are substantially similar) and the PV/PVH guest mitigation are permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. HOWEVER deployment of the "hpet=0" guest config mitigation described above is NOT permitted (except where all the affected systems and VMs are administered and used only by organisations which are members of the Xen Project Security Issues Predisclosure List). Specifically, deployment on public cloud systems is NOT permitted. This is because in that case the configuration change is visible to the guest, which could lead to the rediscovery of the vulnerability. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBCAAGBQJa8dQgAAoJEIP+FMlX6CvZZ54IAIlcZ6vu0mYvjwL8I23QbbtW 8uDzgozK9S8r2tPXxn6gbqSwFACuKeS61hnhw7v3gNEClpSQip+dHlGS6ME3AUVZ m0Vtn6eDQXHiwW+9jM4/j8gxLAqgfxUUpTuR74tZxh0kMmXKShirt+ob+9ptxfB7 nu8QiEVDH87P7JnDUXn1czNBRuD3KP0cmsAW/7VaOUm5R/+1RwYX6df9rEN6TU/+ LWMrBeepU8mh8oRgA5yJ78iiCB6KUfURsz1JuPmNd49rSTVK2WGFAH5vNz7EjRyU kbVAJgjWYGGFo0BTXSt8kCi0pdlGEHRh3+KIIuvAxm+JfQtrFC0K8lpzQcpTPYY= =jUil -----END PGP SIGNATURE----- Download attachment "xsa261.meta" of type "application/octet-stream" (1712 bytes) Download attachment "xsa261.patch" of type "application/octet-stream" (9249 bytes) Download attachment "xsa261-4.7.patch" of type "application/octet-stream" (9253 bytes) Download attachment "xsa261-4.8.patch" of type "application/octet-stream" (8223 bytes) Download attachment "xsa261-4.9.patch" of type "application/octet-stream" (9046 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ