ESB-2013.0630 - [UNIX/Linux][Virtual] Xen: Denial of service - Existing account
Date: 06 May 2013
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0630
          Xen Security Advisory CVE-2013-1918 / XSA-45 version 2
                                6 May 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xen
Publisher:         Xen.org security team
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Xen
Impact/Access:     Denial of Service -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-1918

Comment: This bulletin contains two (2) Xen.org security team security
         advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

            Xen Security Advisory CVE-2013-1918 / XSA-45
                              version 2

         Several long latency operations are not preemptible

UPDATES IN VERSION 2
====================

Patches for xen-unstable refreshed to apply on top of xen.git#staging
commit 9626d1c1.

Public release.

ISSUE DESCRIPTION
=================

Page table manipulation operations for PV guests can take significant
amounts of time, as they require all present branches to have their
type (and thus contents) verified. While the most frequently used
operations had been made preemptible in the past, some code paths
involving potentially deep page table traversal were still trying to
do their entire work in a single step.

IMPACT
======

Malicious or buggy PV guest kernels can mount a denial of service
attack affecting the whole system.

VULNERABLE SYSTEMS
==================

All Xen versions are vulnerable.

The vulnerability is only exposed by PV guests.

MITIGATION
==========

Running only HVM guests, or PV guests with trusted kernels, will avoid
this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch series resolves this issue.

xsa45-4.1-*.patch           Xen 4.1.x
xsa45-4.2-*.patch           Xen 4.2.x
xsa45-unstable-*.patch      xen-unstable

-------------------------------------------------------------------------------

            Xen Security Advisory CVE-2013-1952 / XSA-49
                              version 2

     VT-d interrupt remapping source validation flaw for bridges

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

Interrupt remapping table entries for MSI interrupts set up by bridge
devices did not get any source validation set up on them, allowing
misbehaving or malicious guests to inject interrupts into the domain
owning the bridges.

In a typical Xen system bridge devices are owned by domain 0, leaving
it vulnerable to such an attack. Such a DoS is likely to have an
impact on other guests running in the system.

IMPACT
======

A malicious domain, given access to a device which is bus mastering
capable, can mount a denial of service attack affecting the whole
system.

VULNERABLE SYSTEMS
==================

Xen version 4.0 onwards is vulnerable.

Only systems using Intel VT-d for PCI passthrough are vulnerable.

Any domain which is given access to a PCI device that is bus mastering
capable can take advantage of this vulnerability.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices to untrusted
guests.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa49-unstable.patch        Xen xen-unstable
xsa49-4.2.patch             Xen 4.2.x
xsa49-4.1.patch             Xen 4.1.x

$ sha256sum xsa49-*.patch
666aec709795163e7c19e99f71ff88cb9a4d66f3f0599ef66446310323fd8d9e  xsa49-4.1.patch
37055cbc74111cbc507af3f09d6ac2e472f24efd54cd3e08583dc635e66a539f  xsa49-4.2.patch
ba07b4ff0393084282edc24db7f03eb95b0a4bbc8d40d6ede601d0182a0fc852  xsa49-unstable.patch
$

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
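
The mitigations in the two advisories above (run only HVM guests or PV guests with trusted kernels; do not assign PCI devices to untrusted guests) can be checked against guest configuration files. The script below is an added example, not part of the AusCERT bulletin or the Xen.org advisories; it assumes xl/xm-style domain configs in which builder = "hvm" or type = "hvm" marks an HVM guest and pci = [...] lists passed-through devices, and the sample configs are constructed. It cannot tell whether a guest is trusted, whether the host uses Intel VT-d, or whether a device is bus mastering capable, so its result is a list of guests to review.

```python
import re

# Constructed sample domain configs in xl/xm syntax (not from the advisory).
SAMPLE_CONFIGS = {
    "web01.cfg": 'name = "web01"\nkernel = "/boot/vmlinuz-guest"\nmemory = 1024\n',
    "db01.cfg": 'name = "db01"\nbuilder = "hvm"\npci = [ "01:00.0" ]\n',
    "build01.cfg": 'name = "build01"\nbuilder = "hvm"\n# pci = [ "02:00.0" ]\n',
    "fw01.cfg": "name = 'fw01'\nbootloader = 'pygrub'\npci = [\n  '03:00.0',\n  '03:00.1',\n]\n",
}


def audit_domain_config(text):
    """Return the advisories whose stated mitigation this guest config does not meet."""
    # Drop comments first (assumes no '#' inside quoted values).
    body = re.sub(r"#.*", "", text)
    # A guest is HVM only if builder/type says so; the default guest type is PV.
    kind = re.search(r'^\s*(?:builder|type)\s*=\s*["\'](\w+)["\']', body, re.M)
    is_hvm = kind is not None and kind.group(1).lower() == "hvm"
    # The pci list may span several lines, hence re.S.
    pci = re.search(r'^\s*pci\s*=\s*\[(.*?)\]', body, re.M | re.S)
    devices = re.findall(r'["\']([^"\']+)["\']', pci.group(1)) if pci else []
    exposed = set()
    if not is_hvm:
        exposed.add("XSA-45")   # PV guest: avoided only if its kernel is trusted
    if devices:
        exposed.add("XSA-49")   # PCI passthrough: avoided only if the guest is trusted
    return exposed


def audit_all(configs):
    """Map each config name to the set of advisories it needs reviewing for."""
    return {name: audit_domain_config(text) for name, text in sorted(configs.items())}


if __name__ == "__main__":
    for name, exposed in audit_all(SAMPLE_CONFIGS).items():
        print(name, ", ".join(sorted(exposed)) or "no exposure visible in config")
```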
http://www.auscert.org.au/render.html?cid=1980&it=17489