ESB-2014.2367 - [UNIX/Linux][Virtual] Xen: Denial of service - Existing account

Date: 11 December 2014

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.2367
   Xen Security Advisory CVE-2014-9065,CVE-2014-9066 / XSA-114 version 3
                             11 December 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xen
Publisher:         Xen
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Xen
Impact/Access:     Denial of Service -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-9066 CVE-2014-9065 

Original Bulletin: 
   http://xenbits.xen.org/xsa/advisory-114.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

     Xen Security Advisory CVE-2014-9065,CVE-2014-9066 / XSA-114
                              version 3

                       p2m lock starvation

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The current read/write lock implementation is read-biased, which allows
a consistent stream of readers to starve writers indefinitely.  There
are certain rwlocks where guests are capable of applying arbitrary read
pressure.

IMPACT
======

A malicious guest administrator can deny service to other tasks.  If
the NMI watchdog is active, a timeout might be triggered, resulting in
a host crash.

VULNERABLE SYSTEMS
==================

Xen 4.2 and later systems are vulnerable.

Xen 4.1 and earlier are not vulnerable in normal configurations.  4.1
and earlier are vulnerable only insofar as features are used which
have already been explicitly discounted for security support purposes
(TMEM, see XSA-15; XSM-based radical disaggregation, see XSA-77).

Only x86 systems offer avenues for attacking this vulnerability.
ARM systems do not and are therefore not vulnerable.

MITIGATION
==========

There is no mitigation available for this issue.

CREDITS
=======

This issue was discovered by Andrew Cooper of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue in
practice for most systems.  (CVE-2014-9065 refers to these fixed
cases.)

In some deployments, large guests (more than around 30-40 VCPUs) may
still be able to trigger intermittent problems; a complete fix to this
issue requires substantial structural changes and is planned for Xen
4.6.  (CVE-2014-9066 refers to these yet-to-be-fixed cases.)

xsa114.patch                 xen-unstable
xsa114-4.4.patch             Xen 4.4.x
xsa114-4.3.patch             Xen 4.3.x
xsa114-4.2.patch             Xen 4.2.x

$ sha256sum xsa114*.patch
d1c1a2d5d55bfe13ba99a9cb99b367a29389aa30f13ffacc02b465a006115b45  xsa114.patch
a7a57c49d65de7e3cd480476b0a935ddac9e9d941aa6ca65e87170411a7c1176  xsa114-4.2.patch
ae787074b857c40ab0059802846cb0152e24c937486968c769a9bfe8cbe3d10f  xsa114-4.3.patch
b35ed8710693163cc33772c36e4c17dc76e25a0b2025fff4a5aa3b46c459938a  xsa114-4.4.patch
$
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
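
Added example (not part of the Xen advisory or the AusCERT bulletin): a shell helper that applies the advisory's VULNERABLE SYSTEMS and RESOLUTION sections, selecting the listed patch for a given Xen version and architecture and checking a downloaded patch file against the published SHA-256. The function names, the argument format and the ARM architecture spellings are assumptions; patch names and hashes are copied from the advisory above.

```shell
#!/bin/sh
# Added example: XSA-114 triage and patch integrity check (hypothetical helper names).
# Patch names and SHA-256 values are copied from the advisory text.

# Print the patch the advisory lists for a Xen version, or why none applies.
# $1 = Xen version ("4.3.2", "unstable"); $2 = architecture ("x86", "arm").
xsa114_patch_for() {
    case "$2" in
        arm*|aarch64*) echo "not-vulnerable: ARM"; return 0 ;;  # assumed spellings
    esac
    case "$1" in
        unstable|xen-unstable) echo "xsa114.patch" ;;
        4.4|4.4.*) echo "xsa114-4.4.patch" ;;
        4.3|4.3.*) echo "xsa114-4.3.patch" ;;
        4.2|4.2.*) echo "xsa114-4.2.patch" ;;
        4.0|4.0.*|4.1|4.1.*|[1-3].*)
            echo "not-vulnerable: 4.1 and earlier in normal configurations" ;;
        *)  echo "no-patch-listed"; return 1 ;;  # release not covered by this advisory
    esac
}

# Print the SHA-256 the advisory publishes for a patch file name.
xsa114_expected_sha256() {
    case "$1" in
        xsa114.patch)     echo d1c1a2d5d55bfe13ba99a9cb99b367a29389aa30f13ffacc02b465a006115b45 ;;
        xsa114-4.2.patch) echo a7a57c49d65de7e3cd480476b0a935ddac9e9d941aa6ca65e87170411a7c1176 ;;
        xsa114-4.3.patch) echo ae787074b857c40ab0059802846cb0152e24c937486968c769a9bfe8cbe3d10f ;;
        xsa114-4.4.patch) echo b35ed8710693163cc33772c36e4c17dc76e25a0b2025fff4a5aa3b46c459938a ;;
        *) return 1 ;;
    esac
}

# Return 0 only if the file's SHA-256 equals the advisory's value for its name;
# return 2 for an unknown patch name or a missing file, 1 for a mismatch.
xsa114_verify() {
    want=$(xsa114_expected_sha256 "$(basename "$1")") || return 2
    [ -f "$1" ] || return 2
    got=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$got" = "$want" ]
}

# Usage: sh xsa114-check.sh <xen-version> <arch> [downloaded-patch]
if [ "$#" -ge 2 ]; then
    xsa114_patch_for "$1" "$2"
    if [ -n "${3:-}" ]; then
        xsa114_verify "$3" && echo "checksum OK" || echo "checksum MISMATCH"
    fi
fi
```

A matching checksum only shows the file is the one the advisory describes; per the RESOLUTION section, guests with more than around 30-40 VCPUs may still trigger intermittent problems after patching (CVE-2014-9066).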

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----