Bug 841766 (CVE-2013-4361) - VUL-1: CVE-2013-4361: XSA-66: xen: Information leak through fbld instruction emulation
Status: RESOLVED FIXED
Alias: CVE-2013-4361
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
Whiteboard: maint:running:54856:moderate maint:...
Reported: 2013-09-23 09:05 UTC by Matthias Weckbecker
Modified: 2015-02-19 01:32 UTC

Comment 2 Marcus Meissner 2013-10-01 07:37:32 UTC
is public now

              Xen Security Advisory CVE-2013-4361 / XSA-66
                              version 3

           Information leak through fbld instruction emulation

UPDATES IN VERSION 3
====================

Public Release.

ISSUE DESCRIPTION
=================

The emulation of the fbld instruction (which is used during I/O
emulation) uses the wrong variable for the source effective address.
As a result, the actual address used is an uninitialised bit pattern
from the stack.

A malicious guest might be able to find out information about the
contents of the hypervisor stack, by observing which values are
actually being used by fbld and inferring what the address must have
been.  Depending on the actual values on the stack this attack might
be very difficult to carry out.

IMPACT
======

A malicious guest might conceivably gain access to sensitive data
relating to other guests.

VULNERABLE SYSTEMS
==================

Xen 3.3.x and later are vulnerable.

Only HVM guests can take advantage of this vulnerability.

MITIGATION
==========

Running only PV guests will avoid this issue.

There is no mitigation available for HVM guests.  We believe this
vulnerability would require significant research to exploit.

CREDITS
=======

Jan Beulich discovered this issue.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa66.patch             Xen 4.2.x, Xen 4.3.x, xen-unstable


$ sha256sum xsa66.patch
3a9b6bf114eb19d708b68dd5973763ac83b57840bc0f6fbd1fe487797eaffed4  xsa66.patch
$
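
The flaw class the advisory describes (a handler reading through the wrong operand variable instead of the decoded effective address), as a simplified model added here for illustration. It is not Xen source code or the contents of xsa66.patch; every name in it is hypothetical, and the "stale" value is an explicit stand-in for uninitialised stack data.

```c
#include <stdint.h>
#include <string.h>

/* Simplified emulator model, NOT Xen source; all names are hypothetical. */
enum op_type { OP_NONE = 0, OP_MEM };
struct operand { enum op_type type; uint64_t off; unsigned bytes; };

#define FBLD_BYTES 10u            /* fbld loads an 80-bit packed BCD value */
static uint8_t guest_mem[64];     /* constructed guest memory */

static void init_guest_mem(void)
{
    for (unsigned i = 0; i < sizeof(guest_mem); i++)
        guest_mem[i] = (uint8_t)i;   /* byte value == its own offset */
}

/* Bounds-checked guest read, standing in for the emulator's read hook. */
static int read_guest(uint64_t off, void *buf, unsigned bytes)
{
    if (off > sizeof(guest_mem) || bytes > sizeof(guest_mem) - off)
        return -1;
    memcpy(buf, guest_mem + off, bytes);
    return 0;
}

/* Flawed: the decoder filled in 'ea', but the read goes through 'src',
 * which was never set for this instruction ('stale' models that). */
static int fbld_flawed(const struct operand *ea, uint64_t stale, uint8_t *out)
{
    struct operand src = { OP_NONE, stale, FBLD_BYTES };
    (void)ea;                     /* decoded address is ignored: the bug */
    return read_guest(src.off, out, FBLD_BYTES);
}

/* Corrected: read from the decoded effective address, and refuse any
 * operand the decoder did not mark as a 10-byte memory operand. */
static int fbld_fixed(const struct operand *ea, uint8_t *out)
{
    if (ea->type != OP_MEM || ea->bytes != FBLD_BYTES)
        return -1;
    return read_guest(ea->off, out, FBLD_BYTES);
}

int main(void)
{
    struct operand ea = { OP_MEM, 20, FBLD_BYTES };
    uint8_t out[FBLD_BYTES];
    init_guest_mem();
    return (fbld_fixed(&ea, out) == 0 && out[0] == 20) ? 0 : 1;
}
```

In the flawed variant the loaded bytes depend only on the stale value, never on the operand the guest specified, which is why the result discloses state that the handler should not expose.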
Comment 4 Swamp Workflow Management 2013-11-07 11:07:06 UTC
openSUSE-SU-2013:1636-1: An update that solves 5 vulnerabilities and has 6 fixes is now available.

Category: security (moderate)
Bug References: 828623,833251,833796,834751,839596,839600,840196,840592,841766,842511,845520
CVE References: CVE-2013-1442,CVE-2013-4355,CVE-2013-4361,CVE-2013-4368,CVE-2013-4416
Sources used:
openSUSE 12.2 (src):    xen-4.1.6_01-5.33.1
Comment 5 Swamp Workflow Management 2013-11-19 13:05:02 UTC
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-tools, xen-tools-domU
Products:
SLE-DEBUGINFO 11-SP2 (i386, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SDK 11-SP2 (i386, x86_64)
SLE-SERVER 11-SP2 (i386, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Comment 6 Marcus Meissner 2013-11-27 10:28:10 UTC
released
Comment 7 Swamp Workflow Management 2013-11-27 13:04:07 UTC
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-tools, xen-tools-domU
Products:
SLE-DEBUGINFO 11-SP3 (i386, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, x86_64)
Comment 8 Swamp Workflow Management 2013-11-29 16:05:30 UTC
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-libs, xen-tools, xen-tools-domU
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 9 Swamp Workflow Management 2014-03-25 18:48:49 UTC
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-tools, xen-tools-domU
Products:
SLE-DEBUGINFO 11-SP1 (i386, x86_64)
SLE-SERVER 11-SP1-LTSS (i386, x86_64)
Comment 10 Swamp Workflow Management 2014-03-25 22:10:24 UTC
SUSE-SU-2014:0446-1: An update that fixes 47 vulnerabilities is now available.

Category: security (important)
Bug References: 777628,777890,779212,786516,786517,786519,786520,787163,789944,789945,789948,789950,789951,794316,797031,797523,800275,805094,813673,813675,813677,816156,816159,816163,819416,820917,820919,823011,823608,826882,831120,839596,839618,840592,841766,842511,848657,849667,849668,853049,860163
CVE References: CVE-2006-1056,CVE-2007-0998,CVE-2012-3497,CVE-2012-4411,CVE-2012-4535,CVE-2012-4537,CVE-2012-4538,CVE-2012-4539,CVE-2012-4544,CVE-2012-5510,CVE-2012-5511,CVE-2012-5513,CVE-2012-5514,CVE-2012-5515,CVE-2012-5634,CVE-2012-6075,CVE-2012-6333,CVE-2013-0153,CVE-2013-0154,CVE-2013-1432,CVE-2013-1442,CVE-2013-1917,CVE-2013-1918,CVE-2013-1919,CVE-2013-1920,CVE-2013-1952,CVE-2013-1964,CVE-2013-2072,CVE-2013-2076,CVE-2013-2077,CVE-2013-2194,CVE-2013-2195,CVE-2013-2196,CVE-2013-2211,CVE-2013-2212,CVE-2013-4329,CVE-2013-4355,CVE-2013-4361,CVE-2013-4368,CVE-2013-4494,CVE-2013-4553,CVE-2013-4554,CVE-2013-6885,CVE-2014-1891,CVE-2014-1892,CVE-2014-1893,CVE-2014-1894
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    xen-4.0.3_21548_16-0.5.1