Date: Tue, 22 Jan 2013 12:02:23 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security@....org> Subject: Xen Security Advisory 34 (CVE-2013-0151) - nested virtualization on 32-bit exposes host crash -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2013-0151 / XSA-34 version 2 nested virtualization on 32-bit exposes host crash UPDATES IN VERSION 2 ==================== Public release. ISSUE DESCRIPTION ================= When performing nested virtualisation Xen would incorrectly map guest pages for extended periods using an interface which is only intended for transient mappings. In some configurations there are a limited number of slots available for these transient mappings and exhausting them leads to a host crash and therefore a Denial of Service attack. IMPACT ====== A malicious guest administrator can, by enabling nested virtualisation from within the guest, trigger the issue. Their ability to do this will depend on the number of VCPUs the domain is configured with. Domains with smaller numbers of VCPUs (e.g. less than 16) are not able to create sufficient mappings via this method to trigger the issue. VULNERABLE SYSTEMS ================== 32 bit hypervisors running HVM guests on either Intel or AMD are vulnerable. Only Xen version 4.2.x is vulnerable. Nested virtualisation was introduced as an experimental feature in Xen 4.2 and therefore versions of Xen prior to that are not vulnerable. The 32 bit hypervisor has been removed in Xen unstable and therefore is not vulnerable. MITIGATION ========== Running a 64 bit hypervisor or avoiding running HVM guests with untrusted administrators can avoid the issue. We strongly recommend running a 64 bit hypervisor on any processor which supports it. Note that this does not require running a 64 bit domain 0. Ensuring that HVM guests with untrusted administrators do not have more than 16 VCPUs will also avoid the issue. RESOLUTION ========== The attached patch avoids this issue by disabling nested HVM support when running a 32-bit hypervisor. xsa34-4.2.patch Xen 4.2.x $ sha256sum xsa34*.patch ef75cdcf934003aaced57698a2441c4ba058b968956925eec2d5a100a28db0ae xsa34-4.2.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQ/ny6AAoJEIP+FMlX6CvZU20IAKVSD/ymPr/xXxVa+QHCPCeQ MceHY8JE7mRsy1+houbsmQyzq4ASgdrxN70E3QIxUDKXJjJsUEs/0Ju5hhbgZltp OazXgg+qICgjqjEklRZOCs9iymepjjDYXWhwUccUleTO/2E9/j8znLQGoUqitHrk APycEQ26+YbmWQAUTuvXcL5ST7oByPH8Ax0bjOnMWpQFY8G2ZBbgczmw3uMnHMRN NVE8akGv45ey5qEraL+Qe3S5cauVdVPxPodavlDIV0628em9+gFbG4+P5Sgn5TeY Kv3u8LjWDWRtZEVcHGRUkIYrlgeWD2TGFkqdGCTd7vf3lKMAopNjIGrH80kNmrc= =gW3M -----END PGP SIGNATURE----- Download attachment "xsa34-4.2.patch" of type "application/octet-stream" (984 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.