Date: Tue, 13 Nov 2012 12:56:16 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security@....org>
Subject: Xen Security Advisory 23 (CVE-2012-4538) - Unhooking empty PAE
 entries DoS vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 Xen Security Advisory CVE-2012-4538 / XSA-23
                                version 2

                Unhooking empty PAE entries DoS vulnerability

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The HVMOP_pagetable_dying hypercall does not correctly check the
caller's pagetable state, leading to a hypervisor crash.

IMPACT
======

An HVM guest running on shadow pagetables (that is, not HAP) can
cause the hypervisor to crash.

VULNERABLE SYSTEMS
==================

All Xen versions from 4.0 onwards are vulnerable, except that:
 - systems that run only PV guests are not vulnerable
 - systems that run all HVM guests using HAP (which is the default on
   hardware that supports it) are not vulnerable.

MITIGATION
==========

This issue can be avoided by running only PV guests or by running
all HVM guests using hardware-assisted paging (HAP, also called
NPT, RVI and EPT).

Xen will run guests using HAP by default on hardware that
supports it, unless it is disabled by putting 'hap=0' either on
the Xen hypervisor command-line or in the VM's configuration.

You can check whether a particular machine supports HAP by looking at
xen's boot messages.  On Xen 4.1, 4.2 and unstable, Xen will print
"HVM: Hardware Assisted Paging (HAP) detected" during boot; on xen 4.0
the message is "HVM: Hardware Assisted Paging detected".

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa23-4.0-4.1.patch         Xen 4.0.x, 4.1.x
xsa23-4.2-unstable.patch    Xen 4.2.x, xen-unstable

$ sha256sum xsa23*.patch
f696d597481595b14ac9577d1dad05fc97da68568f52db74d62f2e3dcb2c7a6e  xsa23-4.0-4.1.patch
70ffea07e58e4a747bf3ec103f656ba2cd0d8986722e6a72023c57d802c65964  xsa23-4.2-unstable.patch
$

Download attachment "xsa23-4.0-4.1.patch" of type "application/octet-stream" (1148 bytes)

Download attachment "xsa23-4.2-unstable.patch" of type "application/octet-stream" (1160 bytes)
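
The check described under MITIGATION, written as an added example (not part of the advisory or of Xen): it looks for the two boot messages quoted above and for 'hap=0', then lists the HVM guests that would run on shadow pagetables. Assumptions: the boot log carries a "Command line:" line, HVM guests are marked with builder = "hvm" in their configuration, and only the 'hap=0' spelling from the advisory is matched; the sample log and guest configurations are constructed.

```python
import re

# Boot messages quoted in the advisory (Xen 4.1/4.2/unstable first, then Xen 4.0).
HAP_MESSAGES = (
    "HVM: Hardware Assisted Paging (HAP) detected",
    "HVM: Hardware Assisted Paging detected",
)

def host_supports_hap(boot_log):
    """True if either HAP-detected message appears in the boot log."""
    return any(msg in boot_log for msg in HAP_MESSAGES)

def hap_disabled(text):
    """True if 'hap=0' is set; '#' comments are ignored, spaces and quotes tolerated."""
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if re.search(r"""(?<![\w-])hap\s*=\s*['"]?0\b""", line):
            return True
    return False

def is_hvm(cfg):
    """Assumption: an HVM guest config contains builder = "hvm"."""
    return re.search(r"""^\s*builder\s*=\s*['"]hvm['"]""", cfg, re.M) is not None

def shadow_hvm_guests(boot_log, guest_cfgs):
    """Sorted names of HVM guests that would not run with HAP."""
    # Assumption: the hypervisor command line is echoed on a "Command line:" line.
    cmdline = "\n".join(l for l in boot_log.splitlines() if "Command line:" in l)
    host_hap = host_supports_hap(boot_log) and not hap_disabled(cmdline)
    return sorted(name for name, cfg in guest_cfgs.items()
                  if is_hvm(cfg) and (not host_hap or hap_disabled(cfg)))

# Constructed sample input: a boot log excerpt and three guest configurations.
BOOT_LOG = """\
(XEN) Command line: placeholder dom0_mem=2048M
(XEN) HVM: Hardware Assisted Paging (HAP) detected
"""
GUESTS = {
    "web": 'builder = "hvm"\nmemory = 1024\n',
    "legacy": 'builder = "hvm"\nhap = 0  # forced shadow paging\n',
    "pv1": 'kernel = "/boot/vmlinuz"\nmemory = 512\n',
}

if __name__ == "__main__":
    for name in shadow_hvm_guests(BOOT_LOG, GUESTS):
        print("HVM guest on shadow pagetables:", name)
```

An empty result means every HVM guest in the input runs with HAP, which is the condition the advisory gives for not being vulnerable.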
