copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

ESB-2014.1002.2 - UPDATE [UNIX/Linux][Virtual] Xen: Access confidential data - Existing account

Date: 20 June 2014
References: ESB-2014.1187  ESB-2014.1219  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2014.1002.2
          Xen Security Advisory CVE-2014-4021 / XSA-100 version 3
                               20 June 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xen
Publisher:         Xen
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Xen
Impact/Access:     Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-4021  

Original Bulletin: 
   http://xenbits.xenproject.org/xsa/advisory-100.html

Revision History:  June 20 2014: Fixed Access Vector
                   June 19 2014: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

              Xen Security Advisory CVE-2014-4021 / XSA-100
                             version 3

              Hypervisor heap contents leaked to guests

UPDATES IN VERSION 3
====================

Public Release.  CVE assigned.

ISSUE DESCRIPTION
=================

While memory pages recovered from dying guests are being cleaned to avoid
leaking sensitive information to other guests, memory pages that were in
use by the hypervisor and are eligible to be allocated to guests weren't
being properly cleaned.  Such exposure of information would happen through
memory pages freshly allocated to or by the guest.

Normally the leaked data is administrative information of limited
value to an attacker.  However, scenarios exist where guest CPU
register state and hypercall arguments might be leaked.

IMPACT
======

A malicious guest might be able to read data relating to other guests
or the hypervisor itself.

Data at rest in guest memory or storage (filesystems) is not affected.
However, it is possible for an attacker to obtain modest amounts of
in-flight and in-use data, which might contain passwords or
cryptographic keys.

VULNERABLE SYSTEMS
==================

Xen 3.2.x and later are vulnerable.
Xen 3.1.x and earlier have not been inspected.

MITIGATION
==========

No comprehensive mitigation is available.

An attacker will find it easier obtain sensitive data from a victim
guest if the attacker is able to initiate domain management operations
and lifecycle events for that guest.  This includes a situation where
the attacker can cause the victim guest to crash.

Therefore the risk from this vulnerability can be somewhat reduced by
restricting management (such as migration or resource adjustment) to
fully trusted guest or host administrators, and by eliminating any
Denial of Service vulnerabilities against potential victim guests.

CREDITS
=======

This issue was discovered by Jan Beulich.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa100.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x, Xen 4.1.x

Note that to avoid a regression on systems with AMD IOMMU, on 4.2.x and later
additionally commit 6b4d71d0 ("AMD IOMMU: don't free page table prematurely")
found at
http://xenbits.xen.org/gitweb/?p=xen.git;a=commitdiff;h=6b4d71d028f445cba7426a144751fddc8bfdd67b
will be required if not already in place in the respective tree.

$ sha256sum xsa100*.patch
2cbd3a52bb8d32d00a19e2ce48e3157034b484b4a7b7282cae0d108ffb4ddca0  xsa100.patch
$
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJToCoFAAoJEIP+FMlX6CvZ8p0H/1RPfzKOIQVvjJrAPiOH8cDr
/QR8hAhKqIs97+fxSFO5LCsfBwKga/rLz6sjveQYlvJOq9qSc2vTWxpQLNrh7M1q
NagTSVJoxcxVn+LHgHAczfRfNwK5BWFHz5/R3k1SLSjLy15aBDr5rW42H/WjKXI3
0UnLfpLkaDfocpQOYAz1a4cTAxbK07omhSlnCdcvPmWLDPvWy03BF7jZvTDYdiO1
OjU/3HUwMv7Ii6By3QvjO3Z4h9qkest/iIeaeCTwNwSJa9rW+8KLZjzdJCMJOUeu
J608R94x4vyj7wc+JVPwD59K0XkXzmsASC8q0ivohXGDTloKcdN7vdmR37g4fJ0=
=WnYZ
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBU6OqkRLndAQH1ShLAQJwVA//fF6a8VVXaoRVMxbtJRSWmO2qU9CMblJp
FzHd1lSfVlQWdCN/ctAYzjJqkvDxyRPhDgOkcMkOTygUFSngD0lqhIro/86hdg8D
MiVMHoj731X7yiJX00tq+KL6T/GH+z762CYJhbR5EZcU9KOTsm2qEn5x8u0JW3jl
9JYaIgwd+dNV2YXdsoksZ0QF7M9K4x+zNt8U2nq0bvVN5GEqxBUnQXpKlweYl3z0
ir0DIAGqn9axqcQnnu4W81G0e5RVFcQXY/6N3C9oAl+k+qQlQfoaW7UvCYMyAj3r
C7WZyuxybNyEEQcN/L75hAdiJsCxNFUfNj2yJ6cuVKcuaIylmcp986zSyPcGoPuV
zNdf+HIYXDX483r2ylkh8h7zFtHy/hCbv3CNKM9jBY2rZZKCDrKLSXEfXnqgFkG7
Fu3ShalAMVFAVuziuBJxiYth8TXpPMRpSuVPKIA+CyD6Z63/pegU9Pjtti5BJYXT
Le4Tmo4bl+h2EHlz+1qZBNFzRlI54Dkk8Xa2lcyZ7OITXYcV9jhhICCrrF8mQQ3H
SnRoerP7Y5AiFXyjDL4pMSCctxryJOi/IxT5VJhKIZwjUCsj8I9qnbwa8XF6y70s
1c62hXDHTW4FFHJwZhiOkz6Q+Zc3k+cYg257J+jcW35pamw21lUcD1wxjBcDJmDg
RdtVGcz+lAw=
=yyqR
-----END PGP SIGNATURE-----