ESB-2018.2534 - [SUSE] xen: Multiple vulnerabilities 2018-08-28


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2534
                          Security update for xen
                              28 August 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           xen
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Increased Privileges            -- Existing Account
                   Access Privileged Data          -- Existing Account
                   Denial of Service               -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-12893 CVE-2018-12891 CVE-2018-12617
                   CVE-2018-11806 CVE-2018-10982 CVE-2018-10981
                   CVE-2018-3665 CVE-2018-3646 CVE-2018-3639
                   CVE-2017-5754 CVE-2017-5753 CVE-2017-5715

Reference:         ASB-2018.0204
                   ASB-2018.0192
                   ASB-2018.0116
                   ASB-2018.0033
                   ESB-2018.2429
                   ASB-2018.0002.4

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2018/suse-su-20182528-1/

- --------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for xen
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:2528-1
Rating:             important
References:         #1027519 #1074562 #1079730 #1090822 #1090823
                    #1091107 #1092631 #1095242 #1096224 #1097206
                    #1097521 #1097522 #1098744
Cross-References:   CVE-2017-5715 CVE-2017-5753 CVE-2017-5754
                    CVE-2018-10981 CVE-2018-10982 CVE-2018-11806
                    CVE-2018-12617 CVE-2018-12891 CVE-2018-12893
                    CVE-2018-3639 CVE-2018-3646 CVE-2018-3665

Affected Products:
                    SUSE Linux Enterprise Server 11-SP3-LTSS
                    SUSE Linux Enterprise Point of Sale 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

   An update that solves 12 vulnerabilities and contains one erratum
   is now available.

Description:


   This update for xen fixes the following issues:

   The following security issues were fixed:

   - CVE-2018-3646: Systems with microprocessors utilizing speculative
     execution and address translations may have allowed unauthorized
     disclosure of information residing in the L1 data cache to an attacker
     with local user access with guest OS privilege via a terminal page fault
     and a side-channel analysis (bsc#1091107, bsc#1027519).
   - CVE-2018-12617: An integer overflow that could cause a segmentation
     fault in qmp_guest_file_read() with g_malloc() in qemu-guest-agent was
     fixed. (bsc#1098744)
   - CVE-2018-3665: System software utilizing Lazy FP state restore technique
     on systems using Intel Core-based microprocessors may potentially allow
     a local process to infer data from another process through a
     speculative execution side channel. (bsc#1095242)
   - CVE-2018-3639: Systems with microprocessors utilizing speculative
     execution and speculative execution of memory reads before the addresses
     of all prior memory writes are known may allow unauthorized disclosure
     of information to an attacker with local user access via a side-channel
     analysis, aka Speculative Store Bypass (SSB), Variant 4. (bsc#1092631)
   - CVE-2017-5715: Systems with microprocessors utilizing speculative
     execution and indirect branch prediction may allow unauthorized
     disclosure of information to an attacker with local user access via a
     side-channel analysis. (bsc#1074562)
   - CVE-2017-5753: Systems with microprocessors utilizing speculative
     execution and branch prediction may allow unauthorized disclosure of
     information to an attacker with local user access via a side-channel
     analysis. (bsc#1074562)
   - CVE-2017-5754: Systems with microprocessors utilizing speculative
     execution and indirect branch prediction may allow unauthorized
     disclosure of information to an attacker with local user access via a
     side-channel analysis of the data cache. (bsc#1074562)
   - CVE-2018-12891: Certain PV MMU operations may take a long time to
     process. For that reason Xen explicitly checks for the need to preempt
     the current vCPU at certain points. A few rarely taken code paths did
     bypass such checks. By suitably enforcing the conditions through its own
     page table contents, a malicious guest may cause such bypasses to be
     used for an unbounded number of iterations. A malicious or buggy PV
     guest may cause a Denial of Service (DoS) affecting the entire host.
     Specifically, it may prevent use of a physical CPU for an indeterminate
     period of time. (bsc#1097521)
   - CVE-2018-12893: One of the fixes in XSA-260 added some safety checks to
     help prevent Xen livelocking with debug exceptions. Unfortunately, due
     to an oversight, at least one of these safety checks can be triggered by
     a guest. A malicious PV guest can crash Xen, leading to a Denial of
     Service. Only x86 PV guests can exploit the vulnerability. x86 HVM and
     PVH guests cannot exploit the vulnerability. An attacker needs to be
     able to control hardware debugging facilities to exploit the
     vulnerability, but such permissions are typically available to
     unprivileged users. (bsc#1097522)
   - CVE-2018-11806: m_cat in slirp/mbuf.c in Qemu has a heap-based buffer
     overflow via incoming fragmented datagrams. (bsc#1096224)
   - CVE-2018-10982: An issue was discovered in Xen that allowed x86 HVM guest
     OS users to cause a denial of service (unexpectedly high interrupt
     number, array overrun, and hypervisor crash) or possibly gain hypervisor
     privileges by setting up an HPET timer to deliver interrupts in IO-APIC
     mode, aka vHPET interrupt injection. (bsc#1090822)
   - CVE-2018-10981: An issue was discovered in Xen that allowed x86 HVM
     guest OS users to cause a denial of service (host OS infinite loop) in
     situations where a QEMU device model attempts to make invalid
     transitions between states of a request. (bsc#1090823)

   Following bugs were fixed:

   - After updating to kernel 3.0.101-0.47.106.32-xen, the system crashes in
     check_bugs() (bsc#1097206)
   - bsc#1079730 - in xen-kmp, unplug emulated devices after migration. This
     is required since xen-4.10 and/or qemu-2.10 because the state of unplug
     is not propagated from one dom0 to another. Without this unplug, qemu's
     block-backend will be unable to open qcow2 disks on the receiving dom0.


Patch Instructions:

   To install this SUSE Security Update use the SUSE-recommended installation
   methods such as YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP3-LTSS:

      zypper in -t patch slessp3-xen-13752=1

   - SUSE Linux Enterprise Point of Sale 11-SP3:

      zypper in -t patch sleposp3-xen-13752=1

   - SUSE Linux Enterprise Debuginfo 11-SP3:

      zypper in -t patch dbgsp3-xen-13752=1



Package List:

   - SUSE Linux Enterprise Server 11-SP3-LTSS (i586 x86_64):

      xen-kmp-default-4.2.5_21_3.0.101_0.47.106.43-45.25.1
      xen-libs-4.2.5_21-45.25.1
      xen-tools-domU-4.2.5_21-45.25.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (x86_64):

      xen-4.2.5_21-45.25.1
      xen-doc-html-4.2.5_21-45.25.1
      xen-doc-pdf-4.2.5_21-45.25.1
      xen-libs-32bit-4.2.5_21-45.25.1
      xen-tools-4.2.5_21-45.25.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (i586):

      xen-kmp-pae-4.2.5_21_3.0.101_0.47.106.43-45.25.1

   - SUSE Linux Enterprise Point of Sale 11-SP3 (i586):

      xen-kmp-default-4.2.5_21_3.0.101_0.47.106.43-45.25.1
      xen-kmp-pae-4.2.5_21_3.0.101_0.47.106.43-45.25.1
      xen-libs-4.2.5_21-45.25.1
      xen-tools-domU-4.2.5_21-45.25.1

   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 x86_64):

      xen-debuginfo-4.2.5_21-45.25.1
      xen-debugsource-4.2.5_21-45.25.1
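As an added example (not part of the SUSE bulletin or AusCERT's text), the following Python check compares a host's installed xen packages against the fixed builds listed above, using a simplified form of RPM's version comparison. The installed package list is a constructed sample standing in for real `rpm -qa` output, and the older release 45.22.1 in it is an assumed value.

```python
"""Report xen packages still below the fixed builds of SUSE-SU-2018:2528-1."""
import re

# Fixed package name-version-release strings copied from the bulletin (x86_64).
FIXED = [
    "xen-4.2.5_21-45.25.1",
    "xen-libs-4.2.5_21-45.25.1",
    "xen-tools-4.2.5_21-45.25.1",
    "xen-kmp-default-4.2.5_21_3.0.101_0.47.106.43-45.25.1",
]

# Constructed stand-in for `rpm -qa 'xen*'`; release 45.22.1 is an assumed older build.
INSTALLED_SAMPLE = """xen-libs-4.2.5_21-45.25.1
xen-4.2.5_21-45.22.1
xen-kmp-default-4.2.5_21_3.0.101_0.47.106.43-45.25.1
xen-tools-4.2.5_21-45.22.1"""


def split_nvr(nvr):
    """Split 'name-version-release' at the last two hyphens (name may contain '-')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def rpmvercmp(a, b):
    """Simplified rpmvercmp: walk alphanumeric segments in order; numeric segments
    compare as integers, alpha segments lexically, a numeric segment beats an alpha
    one, and the string with more segments left wins. ('~' and '^' are not handled.)"""
    sa = re.findall(r"[0-9]+|[a-zA-Z]+", a)
    sb = re.findall(r"[0-9]+|[a-zA-Z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def is_patched(installed, fixed):
    """True when the installed version-release is at or above the fixed one."""
    _, iv, ir = split_nvr(installed)
    _, fv, fr = split_nvr(fixed)
    c = rpmvercmp(iv, fv)
    return (c if c else rpmvercmp(ir, fr)) >= 0


def unpatched(rpm_qa_output, fixed_list=FIXED):
    """Names of listed packages that are installed but older than the fixed build."""
    installed = {split_nvr(line)[0]: line for line in rpm_qa_output.splitlines() if line.strip()}
    return sorted(split_nvr(f)[0] for f in fixed_list
                  if split_nvr(f)[0] in installed and not is_patched(installed[split_nvr(f)[0]], f))
```

Packages not installed on the host are skipped, so the result lists only builds that actually need the patch applied.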


References:

   https://www.suse.com/security/cve/CVE-2017-5715.html
   https://www.suse.com/security/cve/CVE-2017-5753.html
   https://www.suse.com/security/cve/CVE-2017-5754.html
   https://www.suse.com/security/cve/CVE-2018-10981.html
   https://www.suse.com/security/cve/CVE-2018-10982.html
   https://www.suse.com/security/cve/CVE-2018-11806.html
   https://www.suse.com/security/cve/CVE-2018-12617.html
   https://www.suse.com/security/cve/CVE-2018-12891.html
   https://www.suse.com/security/cve/CVE-2018-12893.html
   https://www.suse.com/security/cve/CVE-2018-3639.html
   https://www.suse.com/security/cve/CVE-2018-3646.html
   https://www.suse.com/security/cve/CVE-2018-3665.html
   https://bugzilla.suse.com/1027519
   https://bugzilla.suse.com/1074562
   https://bugzilla.suse.com/1079730
   https://bugzilla.suse.com/1090822
   https://bugzilla.suse.com/1090823
   https://bugzilla.suse.com/1091107
   https://bugzilla.suse.com/1092631
   https://bugzilla.suse.com/1095242
   https://bugzilla.suse.com/1096224
   https://bugzilla.suse.com/1097206
   https://bugzilla.suse.com/1097521
   https://bugzilla.suse.com/1097522
   https://bugzilla.suse.com/1098744

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
