Date: Mon, 03 Jun 2013 16:38:32 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security@....org> Subject: Xen Security Advisory 53 (CVE-2013-2077) - Hypervisor crash due to missing exception recovery on XRSTOR -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2013-2077 / XSA-53 version 3 Hypervisor crash due to missing exception recovery on XRSTOR UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= Processors do certain validity checks on the data passed to XRSTOR. While the hypervisor controls the placement of that memory block, it doesn't restrict the contents in any way. Thus the hypervisor exposes itself to a fault occurring on XRSTOR. Other than for FXRSTOR, which behaves similarly, there was no exception recovery code attached to XRSTOR. IMPACT ====== Malicious or buggy unprivileged user space can cause the entire host to crash. VULNERABLE SYSTEMS ================== Xen 4.0 and onwards are vulnerable when run on systems with processors supporting XSAVE. Only PV guests can exploit the vulnerability; for HVM guests only the control tools have access to the respective hypervisor functions. In Xen 4.0.2 through 4.0.4 as well as in Xen 4.1.x XSAVE support is disabled by default; therefore systems running these versions are not vulnerable unless support is explicitly enabled using the "xsave" hypervisor command line option. Systems using processors not supporting XSAVE are not vulnerable. Xen 3.x and earlier are not vulnerable. MITIGATION ========== Turning off XSAVE support via the "no-xsave" hypervisor command line option will avoid the vulnerability. RESOLUTION ========== Applying the attached patch resolves this issue. xsa53-4.1.patch Xen 4.1.x xsa53-4.2.patch Xen 4.2.x xsa53-unstable.patch xen-unstable $ sha256sum xsa53-*.patch 2deedb983ef6ffb24375e5ae33fd271e4fb94f938be143919310daf1163de182 xsa53-4.1.patch 785f7612bd229f7501f4e98e4760f307d90c64305ee14707d262b77f05fa683d xsa53-4.2.patch b9804e081afbc5e7308176841d0249e1f934f75e7fcc8f937bad6b95eb6944a5 xsa53-unstable.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJRrMHGAAoJEIP+FMlX6CvZFiwH/3LXdHi2TC8c5HP1CCmn9jw2 G44ZmfFYsEi8/SuEYnr7O4EE6lR/bU6FPu9u1Qal9KjfjkbmnGSmrJS2YTOnF42F UNKb1AlB/FbEay+5JZguqFKNkNKi2/u1GmyCLGrd01edf0c2emMvSLovR1yGo8RY u0KFpyRAMFt/OALIswQPblCYNkfEgOlAjTYAd4l06m47xRNEVeVbOQ93p0bbwnsT wkHbv+TIx6iwip0T0wWwms/tgZFvhpDa9VCgJ0I5QAQcyVYewwXjbC0UAvgQ5I/H p4CRyI3JP8FoblEk9sxtzscxLTw+cz14omNPal16wk7C6qZ7oYs8XKAoIuWMN5A= =mnra -----END PGP SIGNATURE----- Download attachment "xsa53-4.1.patch" of type "application/octet-stream" (2179 bytes) Download attachment "xsa53-4.2.patch" of type "application/octet-stream" (2273 bytes) Download attachment "xsa53-unstable.patch" of type "application/octet-stream" (2328 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.