Bugzilla – Bug 849668
VUL-0: CVE-2013-4554: xen: XSA-76: Hypercalls exposed to privilege rings 1 and 2 of HVM guests
Last modified: 2015-02-19 01:34:16 UTC
embargoed, via security@

Xen Security Advisory XSA-76

Hypercalls exposed to privilege rings 1 and 2 of HVM guests

*** EMBARGOED UNTIL 2013-11-26 1200 UTC ***

ISSUE DESCRIPTION
=================

The privilege check applied to hypercall attempts by a HVM guest only refused access from ring 3; rings 1 and 2 were allowed through.

IMPACT
======

Code running in the intermediate privilege rings of HVM guest OSes may be able to elevate its privileges inside the guest by careful hypercall use.

VULNERABLE SYSTEMS
==================

Xen 3.0.3 and later are vulnerable.
Xen 3.0.2 and earlier are not vulnerable.

MITIGATION
==========

Running only PV guests, or running HVM guests known to not make use of protection rings 1 and 2 will avoid this issue. As far as we are aware no mainstream OS (Linux, Windows, BSD) make use of these rings.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa76.patch        xen-unstable, Xen 4.3.x, Xen 4.2.x, Xen 4.1.x

$ sha256sum xsa76*.patch
d54e893aaa2925615c3261634d82d3c84022ac82b4c6b199224e1951478eff1e  xsa76.patch
$
Created attachment 566736
xsa76.patch

xsa 76 patch attached
bugbot adjusting priority
Xen Security Advisory CVE-2013-4554 / XSA-76
version 3

Hypercalls exposed to privilege rings 1 and 2 of HVM guests

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The privilege check applied to hypercall attempts by a HVM guest only refused access from ring 3; rings 1 and 2 were allowed through.

IMPACT
======

Code running in the intermediate privilege rings of HVM guest OSes may be able to elevate its privileges inside the guest by careful hypercall use.

VULNERABLE SYSTEMS
==================

Xen 3.0.3 and later are vulnerable.
Xen 3.0.2 and earlier are not vulnerable.

MITIGATION
==========

Running only PV guests, or running HVM guests known to not make use of protection rings 1 and 2 will avoid this issue. As far as we are aware no mainstream OS (Linux, Windows, BSD) make use of these rings.

CREDITS
=======

This issue was discovered by Jan Beulich.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa76.patch        xen-unstable, Xen 4.3.x, Xen 4.2.x, Xen 4.1.x

$ sha256sum xsa76*.patch
8c4d460c71e8e8dffa32ce24f57ce872ccd8623ab72fd38be432f0a2b097e7c1  xsa76.patch
$
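The difference between the check the advisory above describes and a check that admits only ring 0, as an added C model that is not Xen's code and not the attached xsa76.patch. The `guest_ctx` structure, the function names, and reading the guest's privilege level from the SS descriptor's DPL are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model: the guest's current privilege level is taken to be
 * the DPL of its SS segment, a 2-bit value in the range 0..3. */
struct guest_ctx { uint8_t ss_dpl; };

#define GATE_OK    0
#define GATE_EPERM (-1)

/* The check as the advisory describes it before the fix:
 * only ring 3 is refused, so rings 1 and 2 pass. */
static int gate_before_fix(const struct guest_ctx *g)
{
    return ((g->ss_dpl & 3) == 3) ? GATE_EPERM : GATE_OK;
}

/* Corrected form: every ring other than 0 is refused. */
static int gate_after_fix(const struct guest_ctx *g)
{
    return ((g->ss_dpl & 3) != 0) ? GATE_EPERM : GATE_OK;
}

/* Regression-style sweep over all four rings.
 * Returns a bitmask in which bit n is set when ring n is admitted. */
static unsigned admitted_rings(int (*gate)(const struct guest_ctx *))
{
    unsigned mask = 0;
    for (uint8_t ring = 0; ring < 4; ring++) {
        struct guest_ctx g = { .ss_dpl = ring };
        if (gate(&g) == GATE_OK)
            mask |= 1u << ring;
    }
    return mask;
}

int main(void)
{
    unsigned before = admitted_rings(gate_before_fix);
    unsigned after  = admitted_rings(gate_after_fix);
    printf("admitted before fix: 0x%x, after fix: 0x%x\n", before, after);
    printf("rings exposed only by the weak check: 0x%x\n", before & ~after);
    return 0;
}
```

A test that exercises only ring 0 and ring 3 passes against both gates, which is why the sweep covers all four levels.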
openSUSE-SU-2013:1876-1: An update that solves 5 vulnerabilities and has two fixes is now available.
Category: security (moderate)
Bug References: 845520,848657,849665,849667,849668,851386,851749
CVE References: CVE-2013-4416,CVE-2013-4494,CVE-2013-4551,CVE-2013-4553,CVE-2013-4554
Sources used:
openSUSE 13.1 (src): xen-4.3.1_02-4.4
done
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-tools, xen-tools-domU
Products:
SLE-DEBUGINFO 11-SP3 (i386, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, x86_64)
SUSE-SU-2013:1923-1: An update that solves 8 vulnerabilities and has two fixes is now available.
Category: security (moderate)
Bug References: 833483,840997,842417,846849,848014,848657,849665,849667,849668,851386
CVE References: CVE-2013-1922,CVE-2013-2007,CVE-2013-4375,CVE-2013-4416,CVE-2013-4494,CVE-2013-4551,CVE-2013-4553,CVE-2013-4554
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): xen-4.2.3_08-0.7.1
SUSE Linux Enterprise Server 11 SP3 (src): xen-4.2.3_08-0.7.1
SUSE Linux Enterprise Desktop 11 SP3 (src): xen-4.2.3_08-0.7.1
potentially missing in xen sles11 sp2
Here is a list of the fixed bugs since the last SLE11 SP2 maintenance released in November.
- bnc#853049 - VUL-0: CVE-2013-6885: xen: XSA-82: Guest triggerable AMD CPU erratum may cause host hang
- bnc#849668 - VUL-0: CVE-2013-4554: xen: XSA-76: Hypercalls exposed to privilege rings 1 and 2 of HVM guests
- bnc#849667 - VUL-0: CVE-2013-4553: xen: XSA-74: Lock order reversal between page_alloc_lock and mm_rwlock
- bnc#848014 - [HP HPS] Xen hypervisor panics on 8-blades nPar with 46-bit memory addressing
- bnc#833483 - Boot Failure with xen kernel in UEFI mode with error "No memory for trampoline"
- bnc#842417 - In HP's UEFI x86_64 platform and sles11sp3 with xen environment, dom0 will soft lockup on multiple blades nPar.
- bnc#846849 - Soft lockup with PCI passthrough and many VCPUs
I'm not sure these are urgent enough to push out now but I'm ready to if needed.
Xen package submitted for this bug with the following requests:
SUSE:SLE-11-SP2:Update:Test: SR#33409
SUSE:SLE-11-SP1:Update:Teradata:Test: SR#33410
SUSE:SLE-10-SP4:Update:Test: SR#33423
SUSE:SLE-10-SP3:Update:Teradata:Test: SR#33412
openSUSE:12.3:Update: MR#223847
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-libs-x86, xen-tools, xen-tools-domU
Products:
SLE-DEBUGINFO 11-SP2 (i386, x86_64)
SLE-SERVER 11-SP2-LTSS (i386, x86_64)
SUSE-SU-2014:0372-1: An update that solves 10 vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 831120,833483,842417,846849,848014,849667,849668,853049,860163,860302,861256
CVE References: CVE-2013-2212,CVE-2013-4553,CVE-2013-4554,CVE-2013-6885,CVE-2014-1666,CVE-2014-1891,CVE-2014-1892,CVE-2014-1893,CVE-2014-1894,CVE-2014-1950
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src): xen-4.1.6_06-0.5.1
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-doc-ps, xen-kmp-bigsmp, xen-kmp-debug, xen-kmp-default, xen-kmp-kdump, xen-kmp-kdumppae, xen-kmp-pae, xen-kmp-smp, xen-kmp-trace, xen-kmp-vmi, xen-kmp-vmipae, xen-libs, xen-libs-32bit, xen-libs-x86, xen-tools, xen-tools-domU, xen-tools-ioemu
Products:
SLE-DEBUGINFO 10-SP4 (i386, x86_64)
SLE-SERVER 10-SP4-LTSS (i386, x86_64)
SUSE-SU-2014:0411-1: An update that fixes 11 vulnerabilities is now available.
Category: security (important)
Bug References: 787163,813673,813677,823011,840592,842511,848657,849668,853049
CVE References: CVE-2012-4544,CVE-2013-1917,CVE-2013-1920,CVE-2013-2194,CVE-2013-2195,CVE-2013-2196,CVE-2013-4355,CVE-2013-4368,CVE-2013-4494,CVE-2013-4554,CVE-2013-6885
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src): xen-3.2.3_17040_46-0.7.1
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-libs, xen-tools, xen-tools-domU
Products:
SLE-DEBUGINFO 11-SP1-TERADATA (x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-tools, xen-tools-domU
Products:
SLE-DEBUGINFO 11-SP1 (i386, x86_64)
SLE-SERVER 11-SP1-LTSS (i386, x86_64)
SUSE-SU-2014:0446-1: An update that fixes 47 vulnerabilities is now available.
Category: security (important)
Bug References: 777628,777890,779212,786516,786517,786519,786520,787163,789944,789945,789948,789950,789951,794316,797031,797523,800275,805094,813673,813675,813677,816156,816159,816163,819416,820917,820919,823011,823608,826882,831120,839596,839618,840592,841766,842511,848657,849667,849668,853049,860163
CVE References: CVE-2006-1056,CVE-2007-0998,CVE-2012-3497,CVE-2012-4411,CVE-2012-4535,CVE-2012-4537,CVE-2012-4538,CVE-2012-4539,CVE-2012-4544,CVE-2012-5510,CVE-2012-5511,CVE-2012-5513,CVE-2012-5514,CVE-2012-5515,CVE-2012-5634,CVE-2012-6075,CVE-2012-6333,CVE-2013-0153,CVE-2013-0154,CVE-2013-1432,CVE-2013-1442,CVE-2013-1917,CVE-2013-1918,CVE-2013-1919,CVE-2013-1920,CVE-2013-1952,CVE-2013-1964,CVE-2013-2072,CVE-2013-2076,CVE-2013-2077,CVE-2013-2194,CVE-2013-2195,CVE-2013-2196,CVE-2013-2211,CVE-2013-2212,CVE-2013-4329,CVE-2013-4355,CVE-2013-4361,CVE-2013-4368,CVE-2013-4494,CVE-2013-4553,CVE-2013-4554,CVE-2013-6885,CVE-2014-1891,CVE-2014-1892,CVE-2014-1893,CVE-2014-1894
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src): xen-4.0.3_21548_16-0.5.1
Fixed and released. Closing Bug.
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-doc-ps, xen-kmp-debug, xen-kmp-default, xen-kmp-kdump, xen-kmp-pae, xen-kmp-smp, xen-kmp-trace, xen-libs, xen-tools, xen-tools-domU, xen-tools-ioemu
Products:
SLE-DEBUGINFO 10-SP3-TERADATA (x86_64)
SLE-SERVER 10-SP3-TERADATA (x86_64)
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-doc-ps, xen-kmp-bigsmp, xen-kmp-debug, xen-kmp-default, xen-kmp-kdump, xen-kmp-kdumppae, xen-kmp-pae, xen-kmp-smp, xen-kmp-trace, xen-kmp-vmi, xen-kmp-vmipae, xen-libs, xen-libs-32bit, xen-libs-x86, xen-tools, xen-tools-domU, xen-tools-ioemu
Products:
SLE-DEBUGINFO 10-SP3 (i386, x86_64)
SLE-SERVER 10-SP3-LTSS (i386, x86_64)
SUSE-SU-2014:0470-1: An update that fixes 15 vulnerabilities is now available.
Category: security (important)
Bug References: 786516,786517,787163,789950,789951,813673,813677,823011,840592,842511,848657,849668,853049
CVE References: CVE-2012-4535,CVE-2012-4537,CVE-2012-4544,CVE-2012-5513,CVE-2012-5515,CVE-2013-1917,CVE-2013-1920,CVE-2013-2194,CVE-2013-2195,CVE-2013-2196,CVE-2013-4355,CVE-2013-4368,CVE-2013-4494,CVE-2013-4554,CVE-2013-6885
Sources used:
SUSE Linux Enterprise Server 10 SP3 LTSS (src): xen-3.2.3_17040_28-0.6.21.3
openSUSE-SU-2014:0483-1: An update that solves 16 vulnerabilities and has 5 fixes is now available.
Category: security (moderate)
Bug References: 831120,833251,833483,840997,842417,846849,848014,848657,849665,849667,849668,853048,853049,858311,858496,860163,860165,860300,860302,861256,863297
CVE References: CVE-2013-2212,CVE-2013-4494,CVE-2013-4551,CVE-2013-4553,CVE-2013-4554,CVE-2013-6400,CVE-2013-6885,CVE-2014-1642,CVE-2014-1666,CVE-2014-1891,CVE-2014-1892,CVE-2014-1893,CVE-2014-1894,CVE-2014-1895,CVE-2014-1896,CVE-2014-1950
Sources used:
openSUSE 12.3 (src): xen-4.2.4_02-1.26.2