Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 09 Jan 2013 13:18:24 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security@....org>
Subject: Xen Security Advisory 33 (CVE-2012-5634) - VT-d interrupt
 remapping source validation flaw

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2012-5634 / XSA-33
                             version 2

	   VT-d interrupt remapping source validation flaw

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

When passing a device which is behind a legacy PCI Bridge through to
a guest Xen incorrectly configures the VT-d hardware. This could allow
incorrect interrupts to be injected to other guests which also have
passthrough devices.

In a typical Xen system many devices are owned by domain 0 or driver
domains, leaving them vulnerable to such an attack. Such a DoS is
likely to have an impact on other guests running in the system.

IMPACT
======

A malicious domain, given access to a device which is behind a legacy
PCI bridge, can mount a denial of service attack affecting the whole
system.

VULNERABLE SYSTEMS
==================

Xen version 4.0 onwards is vulnerable.

Only systems using Intel VT-d for PCI passthrough are vulnerable.

Any domain which is given access to a PCI device that is behind a
legacy PCI bridge can take advantage of this vulnerability.

Domains which are given access to PCIe devices only are not able to
take advantage of this vulnerability.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices which are
behind a legacy PCI bridge to untrusted guests.

NOTE REGARDING EMBARGO TIMELINE
===============================

After discussion with the discloser we have decided to set a longer
than usual embargo in order to avoid public disclosure during the
holiday period.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa33-4.2-unstable.patch          Xen 4.2.x, xen-unstable
xsa33-4.1.patch                   Xen 4.1.x

$ sha256sum xsa33*.patch
b97ce505a4ea92d574d0b3abef7b4c600b7fdc682787dfd1e50fddd520f6a87d  xsa33-4.1.patch
ba05474b8e1232318ae010d63d24ff1b15ba4d83e28cdb69d6a76e8f9eb5292c  xsa33-4.2-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJQ7W34AAoJEIP+FMlX6CvZENoH/3baTpBwdJ/BaI+p8d9BYtIk
lc78U3eX5LPX6wW5rO8m3ID0+y8jjGZftIm7VQBXCo1sRgW05feHZnRcxTJfzxvm
NOoVA6yXxlULbi1gwpG5e2aPpOXywYE/SfQfesW+ooJXiUzUZyBxhM1WZWoSKgee
8VyT/uo57wcL7uqYZeDJIqwdljYDaysoxvTtFizQRo65uxOmDlOP0IjWhoMBxqSW
YBrA9jcHXI+8Cx9GruLOeMqbxJKWAD0jF1QMv+wL/psl3nQ682A7TIUSjKIIuEnk
guvF8+lZpkB3MER0kTisjbYdiRiE5Em/MP5r8B/Ft52Ejh15/V65Irv0kMdVnog=
=+i2W
-----END PGP SIGNATURE-----

Download attachment "xsa33-4.1.patch" of type "application/octet-stream" (850 bytes)

Download attachment "xsa33-4.2-unstable.patch" of type "application/octet-stream" (855 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.