Re: Xen Security Advisory 75 - Host crash due to guest VMX instruction execution

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/08/2013 09:21 AM, Xen.org security team wrote:
> Xen Security Advisory XSA-75
>
> Host crash due to guest VMX instruction execution
>
> ISSUE DESCRIPTION =================
>
> Permission checks on the emulation paths (intended for guests
> using nested virtualization) for VMLAUNCH and VMRESUME were
> deferred too much.  The hypervisor would try to use internal state
> which is not set up unless nested virtualization is actually
> enabled for a guest.
>
> IMPACT ======
>
> A malicious or misbehaved HVM guest, including malicious or
> misbehaved user mode code run in the guest, might be able to crash
> the host.
>
> VULNERABLE SYSTEMS ==================
>
> Xen 4.2.x and later are vulnerable. Xen 4.1.x and earlier are not
> vulnerable.
>
> Only HVM guests run on VMX capable (e.g. Intel) hardware can take 
> advantage of this vulnerability.
>
> MITIGATION ==========
>
> Running only PV guests, or running HVM guests on SVM capable (e.g.
> AMD) hardware will avoid this issue.
>
> Enabling nested virtualization for a HVM guest running on VMX
> capable hardware would also allow avoiding the issue.  However
> this functionality is still considered experimental, and is not
> covered by security support from the Xen Project security team.
> This approach is therefore not recommended for use in production.
>
> CREDITS =======
>
> This issue was discovered by Jeff Zimmerman.
>
> NOTE REGARDING LACK OF EMBARGO ==============================
>
> This issue was disclosed publicly on the xen-devel mailing list.
>
> RESOLUTION ==========
>
> Applying the appropriate attached patch resolves this issue.
>
> xsa75-4.3-unstable.patch    Xen 4.3.x, xen-unstable xsa75-4.2.patch
> Xen 4.2.x
>
> $ sha256sum xsa75*.patch 
> 0b2da4ede6507713c75e313ba468b1fd7110e5696974ab72e2135f41ee393a8b
> xsa75-4.2.patch 
> 91936421279fd2fa5321d9ed5a2b71fe76bc0e1348e67126e8b9cde0cb1d32b2
> xsa75-4.3-unstable.patch $

Please use CVE-2013-4551 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBAgAGBQJSfTqzAAoJEBYNRVNeJnmT6PoP/3tI0kE5IydnZtpc3C6YQwFo
4VCCmwMNzMK4MfQ8A2bAl2sVGDNzMmwRN/DGzCvJlj4OuLppbBzwzbMCrSH7FCm9
o7AU68NjJ1Sx27OOxMNH9Zh4gRMKlRfRCtV+SEKX1YAfup/l11QlFw7v06bb6g1u
7eTNsA3pUGZbD1zMDOgfbLX2V+El+Ef3cXuH1IfsSJpJkbHq6tgGW//v9y8hoY8n
cZsm9xDi3P8veJTClAlq57Yw36JXQ06YauFQqmU4pr2qn7OttRJPGagXMdwTG187
OEw8lSoX1vEU7M7vOghX3tZSUeaoEN13bL2JV08NqPO6jFWRX/PcOe2FgRpcGPJw
UbuoYiYY5Q7ozrzGLxJ4cvt/fIeBtb9zChbP0jiCzz4Fsm3gKFm0M+5Gt4LlYzZi
nQKslGrbZPcQ9rlqPpNKrZfz1CRJNGpNzUWFgiSV3Hw7SO3rKs/wG7a0bdliIFjg
Kl62gffpoejTZR6Lbgjjs9BD681wzF094gVaxK2x0b7beWct764ee6T6EyjgOAPN
3+cNMe5bORgusyuwyTo782a1i7JIesnzQ5PZj6mlZufJzEOTQ1Lz1ahgzUQuR/oZ
5gTG2etl0vA2DxueTLFllwPjE64R6KwkpAMaEW9SPTygnV3RSHrqtR9D8I5phbml
zOWkbRoOEYT/lCeSMKQf
=I+wF
-----END PGP SIGNATURE-----