Date: Fri, 11 Jan 2013 17:11:48 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security@....org> Subject: Xen Security Advisory 33 (CVE-2012-5634) - VT-d interrupt remapping source validation flaw -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2012-5634 / XSA-33 version 3 VT-d interrupt remapping source validation flaw UPDATES IN VERSION 3 ==================== The patch supplied for Xen 4.1 (xsa33-4.1.patch) contained a build error. A corrected patch is attached. The fix is also now available in http://xenbits.xen.org/hg/xen-4.1-testing.hg as changeset 23441:2a91623a5807 ISSUE DESCRIPTION ================= When passing a device which is behind a legacy PCI Bridge through to a guest Xen incorrectly configures the VT-d hardware. This could allow incorrect interrupts to be injected to other guests which also have passthrough devices. In a typical Xen system many devices are owned by domain 0 or driver domains, leaving them vulnerable to such an attack. Such a DoS is likely to have an impact on other guests running in the system. IMPACT ====== A malicious domain, given access to a device which is behind a legacy PCI bridge, can mount a denial of service attack affecting the whole system. VULNERABLE SYSTEMS ================== Xen version 4.0 onwards is vulnerable. Only systems using Intel VT-d for PCI passthrough are vulnerable. Any domain which is given access to a PCI device that is behind a legacy PCI bridge can take advantage of this vulnerability. Domains which are given access to PCIe devices only are not able to take advantage of this vulnerability. MITIGATION ========== This issue can be avoided by not assigning PCI devices which are behind a legacy PCI bridge to untrusted guests. NOTE REGARDING EMBARGO TIMELINE =============================== After discussion with the discloser we have decided to set a longer than usual embargo in order to avoid public disclosure during the holiday period. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa33-4.2-unstable.patch Xen 4.2.x, xen-unstable xsa33-4.1.patch Xen 4.1.x $ sha256sum xsa33*.patch cb015155e63c1ccedfe2ef01b2f2679ac14b00fa20d423bb1570199c3dd66af6 xsa33-4.1.patch ba05474b8e1232318ae010d63d24ff1b15ba4d83e28cdb69d6a76e8f9eb5292c xsa33-4.2-unstable.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQ8EdlAAoJEIP+FMlX6CvZVs0IAJJBsSxzETJbHGE16+1UEYD5 Tk3STo7nuf/qZKQUc8ORpepRd9+b34jgtwi/kdkqxyo3fza/SXuNNcAhPew1+TtT +GGeXRoNjEQIcho5KjLLEMwogW+gi7I/Y3XM3FZUfKU659sqltqsVly3HC8nstlw iwiAIKcXnuJa/ARMdcV0/IgKBu3AjAd7me3XnKVb7Kl0ZoOo+7FFQRlKxWkSthpJ ALkNoqyPXzlHN9lMfdPJF5Gyxhqprp8Xg9jdEVZnKNQx0Jzl8SsahJWEUVlgeeLo fIGAXgc12yvsL4CRS1z3uSwpon1AgOV0XT9V6xWtoeXraKhmvTQN4LCEqF8ovzg= =qMzC -----END PGP SIGNATURE----- Download attachment "xsa33-4.1.patch" of type "application/octet-stream" (850 bytes) Download attachment "xsa33-4.2-unstable.patch" of type "application/octet-stream" (855 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.