Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2021.2042 inappropriate x86 IOMMU timeout detection / handling 9 June 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: x86 systems with IOMMU hardware Publisher: Xen Operating System: Xen Impact/Access: Increased Privileges -- Console/Physical Denial of Service -- Console/Physical Access Confidential Data -- Console/Physical Resolution: Patch/Upgrade CVE Names: CVE-2021-28692 Original Bulletin: http://xenbits.xen.org/xsa/advisory-373.html - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2021-28692 / XSA-373 version 2 inappropriate x86 IOMMU timeout detection / handling UPDATES IN VERSION 2 ==================== Public release. ISSUE DESCRIPTION ================= IOMMUs process commands issued to them in parallel with the operation of the CPU(s) issuing such commands. In the current implementation in Xen, asynchronous notification of the completion of such commands is not used. Instead, the issuing CPU spin-waits for the completion of the most recently issued command(s). Some of these waiting loops try to apply a timeout to fail overly-slow commands. The course of action upon a perceived timeout actually being detected is inappropriate: - on Intel hardware guests which did not originally cause the timeout may be marked as crashed, - on AMD hardware higher layer callers would not be notified of the issue, making them continue as if the IOMMU operation succeeded. IMPACT ====== A malicious guest may be able to elevate its privileges to that of the host, cause host or guest Denial of Service (DoS), or cause information leaks. VULNERABLE SYSTEMS ================== All Xen versions from at least 3.2 onwards are vulnerable. Earlier versions have not been inspected. Only x86 systems with in-use IOMMU hardware are vulnerable. x86 systems without any IOMMUs in use are not vulnerable. On Arm systems IOMMU / SMMU use is not security supported. Only x86 guests which have physical devices passed through to them can leverage the vulnerability. MITIGATION ========== Not passing through physical devices to untrusted guests will avoid the vulnerability. CREDITS ======= This issue was discovered by Igor Druzhinin and Andrew Cooper of Citrix, and further issues were uncovered by by Jan Beulich of SUSE while trying to fix the first issue. RESOLUTION ========== Applying the appropriate set of attached patches resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa373/xsa373-.patch xen-unstable xsa373/xsa373-4.15-.patch Xen 4.15.x xsa373/xsa373-4.14-.patch Xen 4.14.x xsa373/xsa373-4.13-.patch Xen 4.13.x xsa373/xsa373-4.12-.patch Xen 4.12.x xsa373/xsa373-4.11-.patch Xen 4.11.x $ sha256sum xsa373* xsa373*/* 2ded01092088735e0d8a0e378a41b772ec0f17ceb7afabc78228670c43407fc2 xsa373.meta f62df56cd176237521aa2ed4a22b0e893318b85bb0ce3c17bd7fca5282b6105b xsa373/xsa373-1.patch 9eed9566508e116c4da6c201b36fe7e53e98f2daf96cce8ed0a9ca192d783edc xsa373/xsa373-2.patch ffee9d17e40798c053a67707dd13d7a944e4a53de7bcfe3e146eac7871ca2608 xsa373/xsa373-3.patch c51bea462222c090ae671f14471ece00724348e6c04e5850f9b91d0b1eceaad8 xsa373/xsa373-4.11-1.patch 9a3b331e404a38c72ec154cefd78f1f67db6f25dcc1bd554b37ff50899ea42ff xsa373/xsa373-4.11-2.patch dba77bce4e6c88ec43df61e88bd5c8bee6e32c0ff681cbeddc4bceb0ee6c73dd xsa373/xsa373-4.11-3.patch b1f14e8885e3004de79c5012a1d9278d7a0c39633c5b73cbfda28679f1722c38 xsa373/xsa373-4.11-4.patch 791bccec1e7ba4429a0bafef5fd5a35a68562cee333d0962c70477172493ef3b xsa373/xsa373-4.11-5.patch cc4e1bcef148dbfc94ada92bef4408c5516cff2cf249e43c5595b1dbffbbc1e4 xsa373/xsa373-4.12-1.patch 12ffdac1526d96c4f1b572360a7f1a0371e8a177cf15228b126c1032de4e8930 xsa373/xsa373-4.12-2.patch 619425ba44f449bf7b0f519040ee579adff0d0293a95e9b0f70c943c02ae22fb xsa373/xsa373-4.12-3.patch b1f14e8885e3004de79c5012a1d9278d7a0c39633c5b73cbfda28679f1722c38 xsa373/xsa373-4.12-4.patch 96b3dd11d38ca8ca0b2dfe2dfb571045fcda78dbfe416580c9b04c5a8ce5fcef xsa373/xsa373-4.12-5.patch 4add1d05ad2780904ebc89b4d1a93a8f2757b6e9f45b075afce46392ae406b58 xsa373/xsa373-4.13-1.patch b064324db709078b8ef479df0c31ff3391a506755bfb0186d7d165592d025357 xsa373/xsa373-4.13-2.patch 6fe47fbba0c9d86f48643182d8a7c64ff70a7c8b290b0e93afe1d43d04bed480 xsa373/xsa373-4.13-3.patch b1f14e8885e3004de79c5012a1d9278d7a0c39633c5b73cbfda28679f1722c38 xsa373/xsa373-4.13-4.patch 96b3dd11d38ca8ca0b2dfe2dfb571045fcda78dbfe416580c9b04c5a8ce5fcef xsa373/xsa373-4.13-5.patch 4add1d05ad2780904ebc89b4d1a93a8f2757b6e9f45b075afce46392ae406b58 xsa373/xsa373-4.14-1.patch 8e61b7dda9ea21a830454e629fd23e3379b73fb230bd04107618e45975e117d1 xsa373/xsa373-4.14-2.patch a5aa80d8e893c268f171a5e429bfef0c553522f860e3e5132b4bd87d3a73c6b7 xsa373/xsa373-4.14-3.patch 25bfd2b821ae2cc867b8e2d480528ebd435da76cfab766e8106573cf8dc6f36c xsa373/xsa373-4.14-4.patch 162b3f14d15fe5ca2cb659efad6635f3803dde6fa97a6f0f1f7f202d3ea72d94 xsa373/xsa373-4.14-5.patch 4add1d05ad2780904ebc89b4d1a93a8f2757b6e9f45b075afce46392ae406b58 xsa373/xsa373-4.15-1.patch 9eed9566508e116c4da6c201b36fe7e53e98f2daf96cce8ed0a9ca192d783edc xsa373/xsa373-4.15-2.patch 13642541b056ed47129d8143a919bcc81a73797baedc3bd90afeb33f021e6d31 xsa373/xsa373-4.15-3.patch b2517a7e92c26a818e94ed5133d5aef6ef1d3a7a98f2f5355f1ad6f30baa3ab9 xsa373/xsa373-4.15-4.patch 3ca056796b93cb07ddb7e1dfda98410162382fc56135eb08bc5ff19137d8c427 xsa373/xsa373-4.15-5.patch b2517a7e92c26a818e94ed5133d5aef6ef1d3a7a98f2f5355f1ad6f30baa3ab9 xsa373/xsa373-4.patch 0b7bb146330f7fdc7c8c331a618307819073654a13d9fe1d0a8b83ab037ae802 xsa373/xsa373-5.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html - -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmC/oxIMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZ7oQH/39iA05B0xCxHjYxZJmwplLhtr/RwNt+3zOgsesg jaG8KMWRobWsfLWpbQdEuWKLQ5kPcK47KBGdFkadbSgNW6ZKeG6iR+HWC04/9uA6 3jjlhyqcdetfGnRUh/EO+4gLEaWxdWegWLWMBqYYp+f9b9lKDp8vyWj5yfzU1FFF +YOu4bSRnqbY21hapsy2iupbBJugJF1vCLVfMLxQjba8KOjl4bk6cIxx/WgX3FPI XIH6T+0MtLioCbv7MFaSlfeWoMNjpcimMA8/dmePS6XBtjGX02ahEYSO66lHKk7T BsrN4QLibAsb8vMb5KjcjGE8ukhrg3AH5EOE950duWF5heQ= =fAD/ - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYMBbZeNLKJtyKPYoAQhIQRAAg9vD7ggepTLyo6Oc7eMShuvO7qv9Pf3l aZghmAqIp7ZJ2ZHinS1FSdmet2Iuvh6sS6SveoSW/SCewMYmESuOOBZrCIvRmSRR 2GKFgy9syteixIthQtv0aMKUGVMETXi86/Hs3QOO7wXP2ZZ/cKmsp+5Pq93IhKyR LIR2t1O6c2kl8MsiJ1zycNsidh9KRiYTz+2NPQW5C49e9NIiYweLbrJn+2kyq6H3 8li3vkQx9wOLHztbRO6FLLBV5ZiZBn7FYgZ3e2nfmMe8IiY0EICbpADpeE8ga5k6 G6LuFMo2VauafNEw0C0NFYn392ixhM4CMHb7D7HTIV155TLpJCDjX6NEooPkdGuQ IBCI/132BoyCJM2hLrpYgFa4ywGFPQmOhR4qNnrncsIJaXECbM6IWQAr5SglBK37 SP85rWbN5pXlXdxJVOefZXD6AxKfWJmWNssE9qmuSaNBgW1XxwXZ+fuASzLF85TB HuiZ/CNxlqjojK1FoxypCdJYEohXCHVu3Da6E3Ibs1rvdRAV/gB/QrdRbSS9J/9q +9fuiMjiFWdpTzDjB7WSEiLXu+PPdTdnuOOAToEx0/D5FgtnNWbPtv2YyUw6IT52 ePE7CfpOIou86vaK5CEhjI3irv1N5Fb7xwkxrVhsLXwwXnopq9dur0WQoZAOmfto jNMs3jpGA08= =tUou -----END PGP SIGNATURE-----