842511 – (CVE-2013-4368) VUL-0: CVE-2013-4368: XSA-67: xen: Information leak through outs instruction emulation

Bug 842511 (CVE-2013-4368) - VUL-0: CVE-2013-4368: XSA-67: xen: Information leak through outs instruction emulation

Summary: VUL-0: CVE-2013-4368: XSA-67: xen: Information leak through outs instruction ...

Status:	RESOLVED FIXED

Alias:	CVE-2013-4368

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:	maint:running:54856:moderate maint:...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2013-09-26 11:28 UTC by Alexander Bergmann
Modified:	2015-02-19 01:32 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Comment 2 Swamp Workflow Management 2013-09-26 22:00:09 UTC

bugbot adjusting priority

Comment 3 Marcus Meissner 2013-10-10 13:08:25 UTC

public now

             Xen Security Advisory CVE-2013-4368 / XSA-67
                              version 2

         Information leak through outs instruction emulation

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The emulation of the outs instruction for 64-bit PV guests uses an
uninitialized variable as the segment base for the source data if an FS: or
GS: segment override is used, and if the segment descriptor the respective
non-null selector in the corresponding selector register points to cannot be
read by the emulation code (this is possible if the segment register was
loaded before a more recent GDT or LDT update, i.e. the segment register
contains stale data).

A malicious guest might be able to get hold of contents of the hypervisor
stack, through the fault address passed to the page fault handler if the outs
raises such a fault (which is mostly under guest control).  Other methods for
indirectly deducing information also exist.

IMPACT
======

A malicious 64-bit PV guest might conceivably gain access to sensitive data
relating to other guests.

VULNERABLE SYSTEMS
==================

Xen 3.1.x and later are vulnerable.

Only 64-bit PV guests can take advantage of this vulnerability.

MITIGATION
==========

Running only HVM or 32-bit PV guests will avoid this issue.

CREDITS
=======

This issue was discovered by Coverity Scan and Matthew Daley.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa67.patch             Xen 4.2.x, Xen 4.3.x, xen-unstable

$ sha256sum xsa67*.patch
7de3ac9baa6cd9fead46e68912dfa0189e900095317645d0e33d85346fc8a028  xsa67.patch

Comment 5 Swamp Workflow Management 2013-11-07 11:07:17 UTC

openSUSE-SU-2013:1636-1: An update that solves 5 vulnerabilities and has 6 fixes is now available.

Category: security (moderate)
Bug References: 828623,833251,833796,834751,839596,839600,840196,840592,841766,842511,845520
CVE References: CVE-2013-1442,CVE-2013-4355,CVE-2013-4361,CVE-2013-4368,CVE-2013-4416
Sources used:
openSUSE 12.2 (src):    xen-4.1.6_01-5.33.1

Comment 6 Swamp Workflow Management 2013-11-19 13:05:15 UTC

Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-tools, xen-tools-domU
Products:
SLE-DEBUGINFO 11-SP2 (i386, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SDK 11-SP2 (i386, x86_64)
SLE-SERVER 11-SP2 (i386, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)

Comment 7 Marcus Meissner 2013-11-27 10:28:18 UTC

released

Comment 8 Swamp Workflow Management 2013-11-27 13:03:46 UTC

Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-tools, xen-tools-domU
Products:
SLE-DEBUGINFO 11-SP3 (i386, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, x86_64)

Comment 9 Swamp Workflow Management 2013-11-29 15:04:36 UTC

Update released for: xen, xen-debuginfo, xen-devel, xen-doc-html, xen-doc-pdf, xen-doc-ps, xen-kmp-debug, xen-kmp-default, xen-kmp-kdump, xen-kmp-pae, xen-kmp-smp, xen-kmp-trace, xen-libs, xen-libs-32bit, xen-tools, xen-tools-domU, xen-tools-ioemu
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)

Comment 10 Swamp Workflow Management 2013-11-29 16:05:33 UTC

Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-libs, xen-tools, xen-tools-domU
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)

Comment 11 Swamp Workflow Management 2013-12-25 17:07:37 UTC

openSUSE-SU-2013:1953-1: An update that solves 9 vulnerabilities and has 9 fixes is now available.

Category: security (moderate)
Bug References: 828623,833251,833483,833796,834751,835896,836239,839596,839600,840196,840592,841766,842511,842512,842513,842514,842515,845520
CVE References: CVE-2013-1442,CVE-2013-4355,CVE-2013-4361,CVE-2013-4368,CVE-2013-4369,CVE-2013-4370,CVE-2013-4371,CVE-2013-4375,CVE-2013-4416
Sources used:
openSUSE 12.3 (src):    xen-4.2.3_01-1.22.4

Comment 12 Swamp Workflow Management 2014-03-20 08:47:55 UTC

Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-doc-ps, xen-kmp-bigsmp, xen-kmp-debug, xen-kmp-default, xen-kmp-kdump, xen-kmp-kdumppae, xen-kmp-pae, xen-kmp-smp, xen-kmp-trace, xen-kmp-vmi, xen-kmp-vmipae, xen-libs, xen-libs-32bit, xen-libs-x86, xen-tools, xen-tools-domU, xen-tools-ioemu
Products:
SLE-DEBUGINFO 10-SP4 (i386, x86_64)
SLE-SERVER 10-SP4-LTSS (i386, x86_64)

Comment 13 Swamp Workflow Management 2014-03-20 12:05:18 UTC

SUSE-SU-2014:0411-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 787163,813673,813677,823011,840592,842511,848657,849668,853049
CVE References: CVE-2012-4544,CVE-2013-1917,CVE-2013-1920,CVE-2013-2194,CVE-2013-2195,CVE-2013-2196,CVE-2013-4355,CVE-2013-4368,CVE-2013-4494,CVE-2013-4554,CVE-2013-6885
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    xen-3.2.3_17040_46-0.7.1

Comment 14 Swamp Workflow Management 2014-03-25 18:49:04 UTC

Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-tools, xen-tools-domU
Products:
SLE-DEBUGINFO 11-SP1 (i386, x86_64)
SLE-SERVER 11-SP1-LTSS (i386, x86_64)

Comment 15 Swamp Workflow Management 2014-03-25 22:10:34 UTC

SUSE-SU-2014:0446-1: An update that fixes 47 vulnerabilities is now available.

Category: security (important)
Bug References: 777628,777890,779212,786516,786517,786519,786520,787163,789944,789945,789948,789950,789951,794316,797031,797523,800275,805094,813673,813675,813677,816156,816159,816163,819416,820917,820919,823011,823608,826882,831120,839596,839618,840592,841766,842511,848657,849667,849668,853049,860163
CVE References: CVE-2006-1056,CVE-2007-0998,CVE-2012-3497,CVE-2012-4411,CVE-2012-4535,CVE-2012-4537,CVE-2012-4538,CVE-2012-4539,CVE-2012-4544,CVE-2012-5510,CVE-2012-5511,CVE-2012-5513,CVE-2012-5514,CVE-2012-5515,CVE-2012-5634,CVE-2012-6075,CVE-2012-6333,CVE-2013-0153,CVE-2013-0154,CVE-2013-1432,CVE-2013-1442,CVE-2013-1917,CVE-2013-1918,CVE-2013-1919,CVE-2013-1920,CVE-2013-1952,CVE-2013-1964,CVE-2013-2072,CVE-2013-2076,CVE-2013-2077,CVE-2013-2194,CVE-2013-2195,CVE-2013-2196,CVE-2013-2211,CVE-2013-2212,CVE-2013-4329,CVE-2013-4355,CVE-2013-4361,CVE-2013-4368,CVE-2013-4494,CVE-2013-4553,CVE-2013-4554,CVE-2013-6885,CVE-2014-1891,CVE-2014-1892,CVE-2014-1893,CVE-2014-1894
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    xen-4.0.3_21548_16-0.5.1

Comment 16 Swamp Workflow Management 2014-04-01 14:55:29 UTC

Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-doc-ps, xen-kmp-bigsmp, xen-kmp-debug, xen-kmp-default, xen-kmp-kdump, xen-kmp-kdumppae, xen-kmp-pae, xen-kmp-smp, xen-kmp-trace, xen-kmp-vmi, xen-kmp-vmipae, xen-libs, xen-libs-32bit, xen-libs-x86, xen-tools, xen-tools-domU, xen-tools-ioemu
Products:
SLE-DEBUGINFO 10-SP3 (i386, x86_64)
SLE-SERVER 10-SP3-LTSS (i386, x86_64)

Comment 17 Swamp Workflow Management 2014-04-01 18:06:12 UTC

SUSE-SU-2014:0470-1: An update that fixes 15 vulnerabilities is now available.

Category: security (important)
Bug References: 786516,786517,787163,789950,789951,813673,813677,823011,840592,842511,848657,849668,853049
CVE References: CVE-2012-4535,CVE-2012-4537,CVE-2012-4544,CVE-2012-5513,CVE-2012-5515,CVE-2013-1917,CVE-2013-1920,CVE-2013-2194,CVE-2013-2195,CVE-2013-2196,CVE-2013-4355,CVE-2013-4368,CVE-2013-4494,CVE-2013-4554,CVE-2013-6885
Sources used:
SUSE Linux Enterprise Server 10 SP3 LTSS (src):    xen-3.2.3_17040_28-0.6.21.3