Date: Wed, 09 Jan 2013 13:18:24 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security@....org> Subject: Xen Security Advisory 33 (CVE-2012-5634) - VT-d interrupt remapping source validation flaw -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2012-5634 / XSA-33 version 2 VT-d interrupt remapping source validation flaw UPDATES IN VERSION 2 ==================== Public release. ISSUE DESCRIPTION ================= When passing a device which is behind a legacy PCI Bridge through to a guest Xen incorrectly configures the VT-d hardware. This could allow incorrect interrupts to be injected to other guests which also have passthrough devices. In a typical Xen system many devices are owned by domain 0 or driver domains, leaving them vulnerable to such an attack. Such a DoS is likely to have an impact on other guests running in the system. IMPACT ====== A malicious domain, given access to a device which is behind a legacy PCI bridge, can mount a denial of service attack affecting the whole system. VULNERABLE SYSTEMS ================== Xen version 4.0 onwards is vulnerable. Only systems using Intel VT-d for PCI passthrough are vulnerable. Any domain which is given access to a PCI device that is behind a legacy PCI bridge can take advantage of this vulnerability. Domains which are given access to PCIe devices only are not able to take advantage of this vulnerability. MITIGATION ========== This issue can be avoided by not assigning PCI devices which are behind a legacy PCI bridge to untrusted guests. NOTE REGARDING EMBARGO TIMELINE =============================== After discussion with the discloser we have decided to set a longer than usual embargo in order to avoid public disclosure during the holiday period. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa33-4.2-unstable.patch Xen 4.2.x, xen-unstable xsa33-4.1.patch Xen 4.1.x $ sha256sum xsa33*.patch b97ce505a4ea92d574d0b3abef7b4c600b7fdc682787dfd1e50fddd520f6a87d xsa33-4.1.patch ba05474b8e1232318ae010d63d24ff1b15ba4d83e28cdb69d6a76e8f9eb5292c xsa33-4.2-unstable.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQ7W34AAoJEIP+FMlX6CvZENoH/3baTpBwdJ/BaI+p8d9BYtIk lc78U3eX5LPX6wW5rO8m3ID0+y8jjGZftIm7VQBXCo1sRgW05feHZnRcxTJfzxvm NOoVA6yXxlULbi1gwpG5e2aPpOXywYE/SfQfesW+ooJXiUzUZyBxhM1WZWoSKgee 8VyT/uo57wcL7uqYZeDJIqwdljYDaysoxvTtFizQRo65uxOmDlOP0IjWhoMBxqSW YBrA9jcHXI+8Cx9GruLOeMqbxJKWAD0jF1QMv+wL/psl3nQ682A7TIUSjKIIuEnk guvF8+lZpkB3MER0kTisjbYdiRiE5Em/MP5r8B/Ft52Ejh15/V65Irv0kMdVnog= =+i2W -----END PGP SIGNATURE----- Download attachment "xsa33-4.1.patch" of type "application/octet-stream" (850 bytes) Download attachment "xsa33-4.2-unstable.patch" of type "application/octet-stream" (855 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.