oss-sec mailing list archives
Re: Xen Security Advisory 75 - Host crash due to guest VMX instruction execution
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 08 Nov 2013 12:25:40 -0700
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11/08/2013 09:21 AM, Xen.org security team wrote:
Xen Security Advisory XSA-75 Host crash due to guest VMX instruction execution ISSUE DESCRIPTION ================= Permission checks on the emulation paths (intended for guests using nested virtualization) for VMLAUNCH and VMRESUME were deferred too much. The hypervisor would try to use internal state which is not set up unless nested virtualization is actually enabled for a guest. IMPACT ====== A malicious or misbehaved HVM guest, including malicious or misbehaved user mode code run in the guest, might be able to crash the host. VULNERABLE SYSTEMS ================== Xen 4.2.x and later are vulnerable. Xen 4.1.x and earlier are not vulnerable. Only HVM guests run on VMX capable (e.g. Intel) hardware can take advantage of this vulnerability. MITIGATION ========== Running only PV guests, or running HVM guests on SVM capable (e.g. AMD) hardware will avoid this issue. Enabling nested virtualization for a HVM guest running on VMX capable hardware would also allow avoiding the issue. However this functionality is still considered experimental, and is not covered by security support from the Xen Project security team. This approach is therefore not recommended for use in production. CREDITS ======= This issue was discovered by Jeff Zimmerman. NOTE REGARDING LACK OF EMBARGO ============================== This issue was disclosed publicly on the xen-devel mailing list. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa75-4.3-unstable.patch Xen 4.3.x, xen-unstable xsa75-4.2.patch Xen 4.2.x $ sha256sum xsa75*.patch 0b2da4ede6507713c75e313ba468b1fd7110e5696974ab72e2135f41ee393a8b xsa75-4.2.patch 91936421279fd2fa5321d9ed5a2b71fe76bc0e1348e67126e8b9cde0cb1d32b2 xsa75-4.3-unstable.patch $
Please use CVE-2013-4551 for this issue. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAEBAgAGBQJSfTqzAAoJEBYNRVNeJnmT6PoP/3tI0kE5IydnZtpc3C6YQwFo 4VCCmwMNzMK4MfQ8A2bAl2sVGDNzMmwRN/DGzCvJlj4OuLppbBzwzbMCrSH7FCm9 o7AU68NjJ1Sx27OOxMNH9Zh4gRMKlRfRCtV+SEKX1YAfup/l11QlFw7v06bb6g1u 7eTNsA3pUGZbD1zMDOgfbLX2V+El+Ef3cXuH1IfsSJpJkbHq6tgGW//v9y8hoY8n cZsm9xDi3P8veJTClAlq57Yw36JXQ06YauFQqmU4pr2qn7OttRJPGagXMdwTG187 OEw8lSoX1vEU7M7vOghX3tZSUeaoEN13bL2JV08NqPO6jFWRX/PcOe2FgRpcGPJw UbuoYiYY5Q7ozrzGLxJ4cvt/fIeBtb9zChbP0jiCzz4Fsm3gKFm0M+5Gt4LlYzZi nQKslGrbZPcQ9rlqPpNKrZfz1CRJNGpNzUWFgiSV3Hw7SO3rKs/wG7a0bdliIFjg Kl62gffpoejTZR6Lbgjjs9BD681wzF094gVaxK2x0b7beWct764ee6T6EyjgOAPN 3+cNMe5bORgusyuwyTo782a1i7JIesnzQ5PZj6mlZufJzEOTQ1Lz1ahgzUQuR/oZ 5gTG2etl0vA2DxueTLFllwPjE64R6KwkpAMaEW9SPTygnV3RSHrqtR9D8I5phbml zOWkbRoOEYT/lCeSMKQf =I+wF -----END PGP SIGNATURE-----
Current thread:
- Xen Security Advisory 75 - Host crash due to guest VMX instruction execution Xen . org security team (Nov 08)
- Re: Xen Security Advisory 75 - Host crash due to guest VMX instruction execution Kurt Seifried (Nov 08)