ESB-2014.1392 - [UNIX/Linux][Virtual] Xen: Denial of service - Existing account

Date: 14 August 2014


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1392
  Xen Security Advisory CVE-2014-5147 / XSA-102 version 3 & Xen Security
                Advisory CVE-2014-5148 / XSA-103 version 3
                              14 August 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xen
Publisher:         Xen
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Xen
Impact/Access:     Denial of Service -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-5148 CVE-2014-5147 

Original Bulletin: 
   http://xenbits.xen.org/xsa/advisory-102.html
   http://xenbits.xen.org/xsa/advisory-103.html

- --------------------------BEGIN INCLUDED TEXT--------------------


              Xen Security Advisory CVE-2014-5147 / XSA-102
                              version 3

       Flaws in handling traps from 32-bit userspace on 64-bit ARM

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

When handling a trap from guest mode on ARM, Xen asserts that the
current guest mode must match the domain address width.  This
assertion is false when a guest takes a trap from a 32-bit userspace
running on a 64-bit kernel in a 64-bit domain.

IMPACT
======

Any user in a guest which is running a 64-bit kernel who is able to
spawn a 32-bit process can crash the host.  I.e. an unprivileged guest
user can cause host-wide denial of service.

VULNERABLE SYSTEMS
==================

32-bit ARM systems and X86 systems are not vulnerable.

64-bit ARM systems which support 32-bit userspace are vulnerable.

Not all 64-bit ARM CPUs support 32-bit userspace in the actual CPU
hardware.  Systems without that hardware support are not vulnerable.

Also, not all 64-bit ARM guest kernels have support for 32-bit
userspace.  Systems without that kernel support are vulnerable to a
malicious guest administrator, but not to an unprivileged guest user.

MITIGATION
==========

On systems where the guest kernel is controlled by the host rather than
the guest administrator, running only 32-bit kernels avoids this issue.

On systems where the guest kernel is controlled by the host rather than
the guest administrator, running 64-bit kernels with support for 32-bit
userspace disabled (e.g. CONFIG_COMPAT=n under Linux) will prevent untrusted
guest users from exploiting this issue. However, untrusted guest
administrators can still trigger it unless further steps are taken to
prevent them from loading code into the kernel (e.g. by disabling loadable
modules) or from using other mechanisms which allow them to run code at
kernel privilege.
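A triage script for the mitigation above, added here as an example and not part of the Xen advisory or the AusCERT bulletin: it classifies a guest kernel .config by whether CONFIG_COMPAT leaves 32-bit userspace enabled and whether the guest administrator still has a path to load kernel code. The function names are hypothetical, CONFIG_KEXEC is the script's own example of an "other mechanism" for running code at kernel privilege, and the sample configs are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): classify guest kernel configs against
# the XSA-102 mitigation. Function names are hypothetical; CONFIG_KEXEC is this
# script's own example of another way to run code at kernel privilege.

# cfg_enabled OPTION: succeed if the .config on stdin sets OPTION to y or m.
cfg_enabled() {
    grep -Eq "^$1=(y|m)\$"
}

# xsa102_guest_exposure CONFIG_FILE -- prints one of:
#   not-arm64          32-bit ARM or x86 kernel: not affected
#   unprivileged-user  64-bit kernel with CONFIG_COMPAT=y: any guest user who
#                      can spawn a 32-bit process can crash the host
#   guest-admin        CONFIG_COMPAT off, but modules/kexec let the guest admin
#                      load kernel code and so still reach the 32-bit trap path
#   mitigated          CONFIG_COMPAT off and no code-loading path this script knows of
xsa102_guest_exposure() {
    f=$1
    if ! cfg_enabled CONFIG_ARM64 < "$f"; then
        echo not-arm64
    elif cfg_enabled CONFIG_COMPAT < "$f"; then
        echo unprivileged-user
    elif cfg_enabled CONFIG_MODULES < "$f" || cfg_enabled CONFIG_KEXEC < "$f"; then
        echo guest-admin
    else
        echo mitigated
    fi
}

# write_sample_configs DIR: constructed .config fragments for a stand-alone run.
write_sample_configs() {
    d=$1
    printf '%s\n' 'CONFIG_ARM=y' 'CONFIG_MODULES=y' > "$d/arm32.config"
    printf '%s\n' 'CONFIG_ARM64=y' 'CONFIG_COMPAT=y' 'CONFIG_MODULES=y' > "$d/default.config"
    printf '%s\n' 'CONFIG_ARM64=y' '# CONFIG_COMPAT is not set' 'CONFIG_MODULES=y' > "$d/nocompat.config"
    printf '%s\n' 'CONFIG_ARM64=y' '# CONFIG_COMPAT is not set' \
        '# CONFIG_MODULES is not set' '# CONFIG_KEXEC is not set' > "$d/locked.config"
}

tmp=$(mktemp -d)
write_sample_configs "$tmp"
for c in "$tmp"/*.config; do
    printf '%s: %s\n' "$(basename "$c")" "$(xsa102_guest_exposure "$c")"
done
rm -rf "$tmp"
```

Point it at a guest's /boot/config-$(uname -r) or a decompressed /proc/config.gz; a "mitigated" result only means the two code-loading options the script checks are off, not that every mechanism the advisory alludes to is closed.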

CREDITS
=======

This issue was reported as a bug by Riku Voipio, discovered via
Linaro's LAVA testing and was diagnosed as a security issue by Ian
Campbell.

RESOLUTION
==========

Applying the appropriate attached patches resolves these security
issues.

xsa102-unstable-*.patch        xen-unstable
xsa102-4.4-*.patch             Xen 4.4.x

$ sha256sum xsa102*.patch
$


              Xen Security Advisory CVE-2014-5148 / XSA-103
                                version 3

 Flaw in handling unknown system register access from 64-bit userspace on ARM

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

When handling an unknown system register access from 64-bit userspace
Xen would incorrectly return to the second instruction of the trap
handler for faults in kernel space rather than the first instruction
of the trap handler for faults in 64-bit userspace.

Any user in a guest which is running a 64-bit kernel who is able to
spawn a 64-bit process can cause a trap to the kernel to be taken at
an unexpected (but not user controlled) exception address.

Known versions of Linux in the default configuration will Oops and kill the
offending process, and therefore avoid this vulnerability. However local
configuration may turn such an Oops into a kernel panic, and therefore a
guest denial of service.

IMPACT
======

Depending on the guest kernel implementation, kernel crash (guest DoS)
or privilege elevation to that of the guest kernel cannot be ruled
out.

This issue does not enable an attack on the host.

VULNERABLE SYSTEMS
==================

64-bit ARM systems may be vulnerable, depending on the guest kernel.

All versions of Linux released by Linux upstream to date avoid this
vulnerability.  Systems based on modified versions of Linux may be
vulnerable.

32-bit ARM systems, and X86 systems, are not vulnerable.

MITIGATION
==========

There is no known mitigation for this issue.

CREDITS
=======

This issue was reported as a bug by Riku Voipio, discovered via
Linaro's LAVA testing and was diagnosed as a security issue by Ian
Campbell.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

The patch for XSA-102 (specifically, xsa102-*-02.patch) must be
applied first.

xsa103-unstable.patch        xen-unstable
xsa103-4.4.patch             Xen 4.4.x

$ sha256sum xsa103*.patch
fee2e0be91d08aa28ba44b616edd99a1bfcdec419966c3f9e843a842d649e4ea  xsa103-4.4.patch
838d059618d31b272ec10ac8cbb6613a68b634c98418aff2a33cd514ed06b55a  xsa103-unstable.patch
$

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================