===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2014.1554.2
                       Xen Security Advisory XSA-107
                             12 September 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xen
Publisher:         Xen
Operating System:  Xen
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-6268  

Original Bulletin: 
   http://xenbits.xen.org/xsa/advisory-107.html

Revision History:  September 12 2014: CVE assigned.
                   September 10 2014: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

            Xen Security Advisory CVE-2014-6268 / XSA-107
                              version 2

    Mishandling of uninitialised FIFO-based event channel control blocks

UPDATES IN VERSION 2
====================

CVE assigned.

ISSUE DESCRIPTION
=================

When using the FIFO-based event channels, there are no checks for the
existence of a control block when binding an event or moving it to a
different VCPU.  This is because events may be bound when the ABI is
in 2-level mode (e.g., by the toolstack before the domain is started).

The guest may trigger a Xen crash in evtchn_fifo_set_pending() if:

  a) the event is bound to a VCPU without a control block; or
  b) VCPU 0 does not have a control block.

In case (a), Xen will crash when looking up the current queue.  In
(b), Xen will crash when looking up the old queue (which defaults to a
queue on VCPU 0).
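
The two crash conditions above, shown as an added C example that is not taken from the advisory, the attached patches or Xen's source: a simplified model in which both queue lookups are preceded by a control-block check. All type, function and constant names are hypothetical, and dropping the event on a failed check is this example's assumption about how to fail safely.

```c
/* Simplified model of the missing checks; NOT Xen source code.
 * All types, names and return codes here are hypothetical. */
#include <stddef.h>
#include <stdio.h>

#define NR_VCPUS 2
#define NR_PRIO  16

struct control_block { unsigned int head[NR_PRIO]; };
struct vcpu  { struct control_block *cb; };  /* NULL until the guest sets one up */
struct event { unsigned int bound_vcpu, last_vcpu, priority; int pending; };

enum { SET_OK = 0, DROP_NO_CURRENT_CB = -1, DROP_NO_OLD_CB = -2 };

/* Validate both control blocks before any queue lookup and drop the
 * event rather than dereference a NULL pointer. */
int set_pending_checked(struct vcpu *vcpus, struct event *e)
{
    struct control_block *cur = vcpus[e->bound_vcpu].cb;
    struct control_block *old = vcpus[e->last_vcpu].cb;

    if (cur == NULL)             /* case (a): bound VCPU has no control block */
        return DROP_NO_CURRENT_CB;
    if (old == NULL)             /* case (b): old queue's VCPU has none */
        return DROP_NO_OLD_CB;

    old->head[e->priority] = 0;  /* leave the old queue: lookup is now safe */
    cur->head[e->priority] = 1;  /* join the current queue */
    e->last_vcpu = e->bound_vcpu;
    e->pending = 1;
    return SET_OK;
}

/* Constructed scenario: which VCPUs have a control block, and where a
 * new event (old queue defaulting to VCPU 0) is bound. */
int scenario(int cb0, int cb1, unsigned int bound_vcpu)
{
    static struct control_block blocks[NR_VCPUS];
    struct vcpu vcpus[NR_VCPUS] = { { cb0 ? &blocks[0] : NULL },
                                    { cb1 ? &blocks[1] : NULL } };
    struct event e = { bound_vcpu, 0, 0, 0 };
    return set_pending_checked(vcpus, &e);
}

int main(void)
{
    printf("(a) bound to VCPU 1 without block: %d\n", scenario(1, 0, 1));
    printf("(b) VCPU 0 without block:          %d\n", scenario(0, 1, 1));
    printf("both blocks present:               %d\n", scenario(1, 1, 1));
    return 0;
}
```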

IMPACT
======

A buggy or malicious guest can crash the host.

VULNERABLE SYSTEMS
==================

Xen 4.4 and onward are vulnerable.

MITIGATION
==========

None.

CREDITS
=======

This issue was originally reported by Vitaly Kuznetsov at Red Hat and
diagnosed as a security issue by David Vrabel at Citrix.

NOTE REGARDING LACK OF EMBARGO
==============================

This bug was publicly reported on xen-devel, before it was appreciated
that there was a security problem.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa107-unstable.patch        xen-unstable
xsa107-4.4.patch             Xen 4.4.x

$ sha256sum xsa107*.patch
b92ba8085b6684abbc8b012ae1a580b9e7ed7c8e67071a9e70381d4c1009638b  xsa107-4.4.patch
cd954a5bd742c751f8db884a3f31bd636a8c5850acddf5f1160dd6be1f706a09  xsa107-unstable.patch
$

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================