Date: Tue, 18 Nov 2014 12:24:02 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security@....org> Subject: Xen Security Advisory 109 (CVE-2014-8594) - Insufficient restrictions on certain MMU update hypercalls -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2014-8594 / XSA-109 version 3 Insufficient restrictions on certain MMU update hypercalls UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= MMU update operations targeting page tables are intended to be used on PV guests only. The lack of a respective check made it possible for such operations to access certain function pointers which remain NULL when the target guest is using Hardware Assisted Paging (HAP). IMPACT ====== Malicious or buggy stub domain kernels or tool stacks otherwise living outside of Domain0 can mount a denial of service attack which, if successful, can affect the whole system. Only PV domains with privilege over other guests can exploit this vulnerability; and only when those other guests are HVM using HAP, or PVH. The vulnerability is therefore exposed to PV domains providing hardware emulation services to HVM guests. VULNERABLE SYSTEMS ================== Xen 4.0 and onward are vulnerable. Only x86 systems are vulnerable. ARM systems are not vulnerable. The vulnerability is only exposed to PV service domains for HVM or PVH guests which have privilege over the guest. In a usual configuration that means only device model emulators (qemu-dm). In the case of HVM guests whose device model is running in an unrestricted dom0 process, qemu-dm already has the ability to cause problems for the whole system. So in that case the vulnerability is not applicable. The situation is more subtle for an HVM guest with a stub qemu-dm. That is, where the device model runs in a separate domain (in the case of xl, as requested by "device_model_stubdomain_override=1" in the xl domain configuration file). The same applies with a qemu-dm in a dom0 process subjected to some kind kernel-based process privilege limitation (eg the chroot technique as found in some versions of XCP/XenServer). In those latter situations this issue means that the extra isolation does not provide as good a defence (against denial of service) as intended. That is the essence of this vulnerability. However, the security is still better than with a qemu-dm running as an unrestricted dom0 process. Therefore users with these configurations should not switch to an unrestricted dom0 qemu-dm. Finally, in a radically disaggregated system: where the HVM or PVH service domain software (probably, the device model domain image in the HVM case) is not always supplied by the host administrator, a malicious service domain administrator can exercise this vulnerability. MITIGATION ========== Running only PV guests or HVM guests with shadow paging enabled will avoid this issue. In a radically disaggregated system, restricting HVM service domains to software images approved by the host administrator will avoid the vulnerability. CREDITS ======= This issue was discovered by Roger Pau Monné of Citrix and Jan Beulich of SUSE. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa109.patch xen-unstable, Xen 4.4.x, Xen 4.3.x xsa109-4.2.patch Xen 4.2.x $ sha256sum xsa109*.patch 759d1b8cb8c17e53d17ad045ab89c5aaf52cb85fd93eef07e7acbe230365c56d xsa109-4.2.patch 729b87c2b9979fbda47c96e934db6fcfaeb10e07b4cfd66bb1e9f746a908576b xsa109.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJUazogAAoJEIP+FMlX6CvZ5NQH/25lTqtBGu5Xt0JwHnLenfv0 z0gVJ5o8YB6aqzV+GHWei0QV/PtCLteykm/K8LJK4my9OtDqI/WPzusyrGB6aNhD xCQUhRF5/j2c++u4UCBitibttSwKK/CCrswBMWZYqEI/1fJazVw3huyyFv56Wt+K 32geEcIUnWs6lJD+z97W8LPPNLoaF/m6uSh4I2LrT3uBnvEFq5oGgzdWNtEKkSGC fAuga2m1NhfbCsMD6JSv9/EDSKHTiByZ5Z/zicWrButHfRp4fmGO/pPMwPFkERs1 T/FX/UAfnvisS1SjgMwqufWlzIka5JDzi/Nc5Utgcvo9+9EsI1PCJDzYTJpOSa8= =yb1z -----END PGP SIGNATURE----- Download attachment "xsa109-4.2.patch" of type "application/octet-stream" (786 bytes) Download attachment "xsa109.patch" of type "application/octet-stream" (790 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.