Bugzilla – Bug 860302
VUL-0: CVE-2014-1666: xen: XSA-87: PHYSDEVOP_{prepare,release}_msix exposed to unprivileged guests
Last modified: 2015-02-19 01:47:11 UTC
Xen Security Advisory XSA-87 PHYSDEVOP_{prepare,release}_msix exposed to unprivileged guests ISSUE DESCRIPTION ================= The PHYSDEVOP_{prepare,release}_msix operations are supposed to be available to privileged guests (domain 0 in non-disaggregated setups) only, but the necessary privilege check was missing. IMPACT ====== Malicious or misbehaving unprivileged guests can cause the host or other guests to malfunction. This can result in host-wide denial of service. Privilege escalation, while seeming to be unlikely, cannot be excluded. VULNERABLE SYSTEMS ================== Xen 4.1.5 and 4.1.6.1 as well as 4.2.2 and later are vulnerable. Xen 4.2.1 and 4.2.0 as well as 4.1.4 and earlier are not vulnerable. Only PV guests can take advantage of this vulnerability. MITIGATION ========== Running only HVM guests will avoid this issue. There is no mitigation available for PV guests. NOTE REGARDING LACK OF EMBARGO ============================== This issue was disclosed publicly on the xen-devel mailing list. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa87-unstable-4.3.patch xen-unstable, Xen 4.3.x xsa87-4.2.patch Xen 4.2.x xsa87-4.1.patch Xen 4.1.x $ sha256sum xsa87*.patch 45e5cc892626293067cc088a671a6bbdc18b018f54ff09b6a1cbb1fabbdf114d xsa87-4.1.patch df9c1507d7bb0e5266a2fadd992d1e6ed0f7bf5be7466b8a93ed3bd8e3ab8e8d xsa87-4.2.patch a13ce270b177d33537d627b85471abaa01215cd458541f4c6524914d7c81eb38 xsa87-unstable-4.3.patch $
Created attachment 575720 [details] Xen 4.1.x
Created attachment 575721 [details] Xen 4.2.x
Created attachment 575722 [details] xen-unstable, Xen 4.3.x
bugbot adjusting priority
"Xen 4.1.5 and 4.1.6.1 as well as 4.2.2 and later are vulnerable. Xen 4.2.1 and 4.2.0 as well as 4.1.4 and earlier are not vulnerable." This effects SLE11-SP2, SLE11-SP3, openSUSE:12.3 and openSUSE:13.1.
Xen package submitted for this bug with the following requests: SUSE:SLE-11-SP3:Update:Test: SR#33408 SUSE:SLE-11-SP2:Update:Test: SR#33409 openSUSE:13.1:Update: MR#223835 openSUSE:12.3:Update: MR#223847
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-libs-x86, xen-tools, xen-tools-domU Products: SLE-DEBUGINFO 11-SP2 (i386, x86_64) SLE-SERVER 11-SP2-LTSS (i386, x86_64)
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-libs-x86, xen-tools, xen-tools-domU Products: SLE-DEBUGINFO 11-SP3 (i386, x86_64) SLE-DESKTOP 11-SP3 (i386, x86_64) SLE-SDK 11-SP3 (i386, x86_64) SLE-SERVER 11-SP3 (i386, x86_64)
SUSE-SU-2014:0372-1: An update that solves 10 vulnerabilities and has one errata is now available. Category: security (important) Bug References: 831120,833483,842417,846849,848014,849667,849668,853049,860163,860302,861256 CVE References: CVE-2013-2212,CVE-2013-4553,CVE-2013-4554,CVE-2013-6885,CVE-2014-1666,CVE-2014-1891,CVE-2014-1892,CVE-2014-1893,CVE-2014-1894,CVE-2014-1950 Sources used: SUSE Linux Enterprise Server 11 SP2 LTSS (src): xen-4.1.6_06-0.5.1
SUSE-SU-2014:0373-1: An update that solves 12 vulnerabilities and has one errata is now available. Category: security (important) Bug References: 831120,833251,848014,853048,853049,858311,860092,860163,860165,860300,860302,861256,863297 CVE References: CVE-2013-2212,CVE-2013-6400,CVE-2013-6885,CVE-2014-1642,CVE-2014-1666,CVE-2014-1891,CVE-2014-1892,CVE-2014-1893,CVE-2014-1894,CVE-2014-1895,CVE-2014-1896,CVE-2014-1950 Sources used: SUSE Linux Enterprise Software Development Kit 11 SP3 (src): xen-4.2.4_02-0.7.1 SUSE Linux Enterprise Server 11 SP3 (src): xen-4.2.4_02-0.7.1 SUSE Linux Enterprise Desktop 11 SP3 (src): xen-4.2.4_02-0.7.1
Fixed and released. Closing Bug.
openSUSE-SU-2014:0483-1: An update that solves 16 vulnerabilities and has 5 fixes is now available. Category: security (moderate) Bug References: 831120,833251,833483,840997,842417,846849,848014,848657,849665,849667,849668,853048,853049,858311,858496,860163,860165,860300,860302,861256,863297 CVE References: CVE-2013-2212,CVE-2013-4494,CVE-2013-4551,CVE-2013-4553,CVE-2013-4554,CVE-2013-6400,CVE-2013-6885,CVE-2014-1642,CVE-2014-1666,CVE-2014-1891,CVE-2014-1892,CVE-2014-1893,CVE-2014-1894,CVE-2014-1895,CVE-2014-1896,CVE-2014-1950 Sources used: openSUSE 12.3 (src): xen-4.2.4_02-1.26.2