Xen project Mailing List

Re: [Xen-devel] [oss-security] Xen Security Advisory 75 - Host crash due to guest VMX instruction execution

To: oss-security@xxxxxxxxxxxxxxxxxx, xen-announce@xxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxx, xen-users@xxxxxxxxxxxxx

From: Kurt Seifried <kseifried@xxxxxxxxxx>

Date: Fri, 08 Nov 2013 12:25:40 -0700

Cc: "Xen.org security team" <security@xxxxxxx>

Delivery-date: Fri, 08 Nov 2013 19:59:48 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11/08/2013 09:21 AM, Xen.org security team wrote: > Xen Security Advisory XSA-75 > > Host crash due to guest VMX instruction execution > > ISSUE DESCRIPTION ================= > > Permission checks on the emulation paths (intended for guests > using nested virtualization) for VMLAUNCH and VMRESUME were > deferred too much. The hypervisor would try to use internal state > which is not set up unless nested virtualization is actually > enabled for a guest. > > IMPACT ====== > > A malicious or misbehaved HVM guest, including malicious or > misbehaved user mode code run in the guest, might be able to crash > the host. > > VULNERABLE SYSTEMS ================== > > Xen 4.2.x and later are vulnerable. Xen 4.1.x and earlier are not > vulnerable. > > Only HVM guests run on VMX capable (e.g. Intel) hardware can take > advantage of this vulnerability. > > MITIGATION ========== > > Running only PV guests, or running HVM guests on SVM capable (e.g. > AMD) hardware will avoid this issue. > > Enabling nested virtualization for a HVM guest running on VMX > capable hardware would also allow avoiding the issue. However > this functionality is still considered experimental, and is not > covered by security support from the Xen Project security team. > This approach is therefore not recommended for use in production. > > CREDITS ======= > > This issue was discovered by Jeff Zimmerman. > > NOTE REGARDING LACK OF EMBARGO ============================== > > This issue was disclosed publicly on the xen-devel mailing list. > > RESOLUTION ========== > > Applying the appropriate attached patch resolves this issue. > > xsa75-4.3-unstable.patch Xen 4.3.x, xen-unstable xsa75-4.2.patch > Xen 4.2.x > > $ sha256sum xsa75*.patch > 0b2da4ede6507713c75e313ba468b1fd7110e5696974ab72e2135f41ee393a8b > xsa75-4.2.patch > 91936421279fd2fa5321d9ed5a2b71fe76bc0e1348e67126e8b9cde0cb1d32b2 > xsa75-4.3-unstable.patch $ Please use CVE-2013-4551 for this issue. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAEBAgAGBQJSfTqzAAoJEBYNRVNeJnmT6PoP/3tI0kE5IydnZtpc3C6YQwFo 4VCCmwMNzMK4MfQ8A2bAl2sVGDNzMmwRN/DGzCvJlj4OuLppbBzwzbMCrSH7FCm9 o7AU68NjJ1Sx27OOxMNH9Zh4gRMKlRfRCtV+SEKX1YAfup/l11QlFw7v06bb6g1u 7eTNsA3pUGZbD1zMDOgfbLX2V+El+Ef3cXuH1IfsSJpJkbHq6tgGW//v9y8hoY8n cZsm9xDi3P8veJTClAlq57Yw36JXQ06YauFQqmU4pr2qn7OttRJPGagXMdwTG187 OEw8lSoX1vEU7M7vOghX3tZSUeaoEN13bL2JV08NqPO6jFWRX/PcOe2FgRpcGPJw UbuoYiYY5Q7ozrzGLxJ4cvt/fIeBtb9zChbP0jiCzz4Fsm3gKFm0M+5Gt4LlYzZi nQKslGrbZPcQ9rlqPpNKrZfz1CRJNGpNzUWFgiSV3Hw7SO3rKs/wG7a0bdliIFjg Kl62gffpoejTZR6Lbgjjs9BD681wzF094gVaxK2x0b7beWct764ee6T6EyjgOAPN 3+cNMe5bORgusyuwyTo782a1i7JIesnzQ5PZj6mlZufJzEOTQ1Lz1ahgzUQuR/oZ 5gTG2etl0vA2DxueTLFllwPjE64R6KwkpAMaEW9SPTygnV3RSHrqtR9D8I5phbml zOWkbRoOEYT/lCeSMKQf =I+wF -----END PGP SIGNATURE----- _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.