Date: 20 June 2014
References: ESB-2014.1187 ESB-2014.1219
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
Xen Security Advisory CVE-2014-4021 / XSA-100 version 3
20 June 2014
AusCERT Security Bulletin Summary
Operating System: UNIX variants (UNIX, Linux, OSX)
Impact/Access: Access Confidential Data -- Existing Account
CVE Names: CVE-2014-4021
Revision History: June 20 2014: Fixed Access Vector
June 19 2014: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Xen Security Advisory CVE-2014-4021 / XSA-100
Hypervisor heap contents leaked to guests
UPDATES IN VERSION 3
Public Release. CVE assigned.
While memory pages recovered from dying guests are being cleaned to avoid
leaking sensitive information to other guests, memory pages that were in
use by the hypervisor and are eligible to be allocated to guests weren't
being properly cleaned. Such exposure of information would happen through
memory pages freshly allocated to or by the guest.
Normally the leaked data is administrative information of limited
value to an attacker. However, scenarios exist where guest CPU
register state and hypercall arguments might be leaked.
A malicious guest might be able to read data relating to other guests
or the hypervisor itself.
Data at rest in guest memory or storage (filesystems) is not affected.
However, it is possible for an attacker to obtain modest amounts of
in-flight and in-use data, which might contain passwords or
Xen 3.2.x and later are vulnerable.
Xen 3.1.x and earlier have not been inspected.
No comprehensive mitigation is available.
An attacker will find it easier obtain sensitive data from a victim
guest if the attacker is able to initiate domain management operations
and lifecycle events for that guest. This includes a situation where
the attacker can cause the victim guest to crash.
Therefore the risk from this vulnerability can be somewhat reduced by
restricting management (such as migration or resource adjustment) to
fully trusted guest or host administrators, and by eliminating any
Denial of Service vulnerabilities against potential victim guests.
This issue was discovered by Jan Beulich.
Applying the attached patch resolves this issue.
xsa100.patch xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x, Xen 4.1.x
Note that to avoid a regression on systems with AMD IOMMU, on 4.2.x and later
additionally commit 6b4d71d0 ("AMD IOMMU: don't free page table prematurely")
will be required if not already in place in the respective tree.
$ sha256sum xsa100*.patch
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to email@example.com
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----