Bugzilla – Bug 867910
VUL-0: CVE-2014-2599: xen: XSA-89: HVMOP_set_mem_access is not preemptible
Last modified: 2014-12-30 16:38:09 UTC
Xen Security Advisory XSA-89

HVMOP_set_mem_access is not preemptible

*** EMBARGOED UNTIL 2014-03-25 12:00 UTC ***

ISSUE DESCRIPTION
=================

Processing of the HVMOP_set_mem_access HVM control operations does not check the size of its input and can tie up a physical CPU for extended periods of time.

IMPACT
======

In a configuration where device models run with limited privilege (for example, stubdom device models), a guest attacker who successfully finds and exploits an unfixed security flaw in qemu-dm could leverage the other flaw into a Denial of Service affecting the whole host.

In the more general case, in more abstract terms: a malicious administrator of a domain privileged with regard to an HVM guest can cause Xen to become unresponsive leading to a Denial of Service.

VULNERABLE SYSTEMS
==================

All Xen versions from 4.1 onwards are vulnerable. In 4.2 only 64-bit versions of the hypervisor are vulnerable (HVMOP_set_mem_access is not available in 32-bit hypervisors).

The vulnerability is only exposed to service domains for HVM guests which have privilege over the guest. In a usual configuration that means only device model emulators (qemu-dm).

In the case of HVM guests whose device model is running in an unrestricted dom0 process, qemu-dm already has the ability to cause problems for the whole system. So in that case the vulnerability is not applicable.

The situation is more subtle for an HVM guest with a stub qemu-dm. That is, where the device model runs in a separate domain (in the case of xl, as requested by "device_model_stubdomain_override=1" in the xl domain configuration file). The same applies with a qemu-dm in a dom0 process subjected to some kind of kernel-based process privilege limitation (eg the chroot technique as found in some versions of XCP/XenServer).

In those latter situations this issue means that the extra isolation does not provide as good a defence (against denial of service) as intended. That is the essence of this vulnerability. However, the security is still better than with a qemu-dm running as an unrestricted dom0 process. Therefore users with these configurations should not switch to an unrestricted dom0 qemu-dm.

Finally, in a radically disaggregated system: where the HVM service domain software (probably, the device model domain image) is not always supplied by the host administrator, a malicious service domain administrator can exercise this vulnerability.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

In a radically disaggregated system, restricting HVM service domains to software images approved by the host administrator will avoid the vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa89.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x
xsa89-4.1.patch    Xen 4.1.x

$ sha256sum xsa89*.patch
741c8fbbfa8e425d8debba17135d4c2e1e962d15717769bc93d68a65b5dc5ea6  xsa89.patch
7d965e9bf1894b7d909bfaddbc6b7bdcee0ba91b86942ce85e0ae80464f2463e  xsa89-4.1.patch
$
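The class of bug the advisory describes is a control operation that accepts an unchecked range size and walks the whole range in one uninterruptible pass on the calling CPU. The following toy model, added here as an illustration and not taken from the Xen patches or the Xen source, contrasts that unbounded shape with the usual defensive pattern: validate the range against the table it indexes (overflow-safely), bound the work done per invocation, and report progress so the caller re-issues the request for the remainder, which is how a hypercall continuation keeps the hypervisor responsive. Every name, constant and table below (`P2M_PAGES`, `BATCH_LIMIT`, `p2m_access`, the function names) is a constructed assumption.

```c
#include <stdint.h>
#include <stddef.h>
#include <errno.h>

/* Constructed toy model: a per-page access table for a guest with
 * P2M_PAGES pages.  None of these names or sizes are from Xen. */
#define P2M_PAGES   4096u   /* hypothetical guest p2m size */
#define BATCH_LIMIT  256u   /* max pages handled before yielding back */

enum mem_access { ACCESS_RWX = 0, ACCESS_R = 1, ACCESS_RW = 2, ACCESS_NONE = 3 };

static uint8_t p2m_access[P2M_PAGES];   /* constructed per-page access table */

/* Unbounded variant (the shape the advisory warns about): nr is never
 * validated against the table and the entire range is walked in one pass,
 * so a huge nr monopolises the calling CPU for as long as the loop runs. */
int set_mem_access_unbounded(uint64_t start_pfn, uint64_t nr, enum mem_access a)
{
    for (uint64_t i = 0; i < nr; i++) {
        uint64_t pfn = start_pfn + i;
        if (pfn < P2M_PAGES)            /* out-of-range pfns silently skipped */
            p2m_access[pfn] = (uint8_t)a;
    }
    return 0;
}

/* Bounded, preemptible variant: the request must fit the table, and at most
 * BATCH_LIMIT pages are processed per call.  *done reports progress so the
 * caller re-issues the call for the remainder (a continuation).  Returns
 * -EINVAL for a bad request, -EAGAIN when work remains, 0 when finished. */
int set_mem_access_preemptible(uint64_t start_pfn, uint64_t nr,
                               enum mem_access a, uint64_t *done)
{
    if (a > ACCESS_NONE)
        return -EINVAL;
    /* Overflow-safe range check: start_pfn + nr must not exceed the table,
     * written as a subtraction so a huge nr cannot wrap the addition. */
    if (start_pfn >= P2M_PAGES || nr > P2M_PAGES - start_pfn)
        return -EINVAL;

    uint64_t todo = nr < BATCH_LIMIT ? nr : BATCH_LIMIT;
    for (uint64_t i = 0; i < todo; i++)
        p2m_access[start_pfn + i] = (uint8_t)a;

    *done = todo;
    return todo < nr ? -EAGAIN : 0;
}

/* Driver loop as the caller (or the hypercall continuation machinery) would
 * run it.  Returns the number of continuations taken, or -1 on a rejected
 * request.  Between iterations other work could be scheduled on this CPU. */
int apply_access_range(uint64_t start_pfn, uint64_t nr, enum mem_access a)
{
    int continuations = 0;
    while (nr > 0) {
        uint64_t done = 0;
        int rc = set_mem_access_preemptible(start_pfn, nr, a, &done);
        if (rc == -EINVAL)
            return -1;
        start_pfn += done;
        nr -= done;
        if (rc == -EAGAIN)
            continuations++;
    }
    return continuations;
}
```

The detection angle for a defender is the same as the mitigation: an operation whose cost is proportional to an attacker-supplied count needs an upper bound on the count and a yield point inside the loop; the unbounded function above has neither, which is why a privileged service domain can pin a physical CPU with a single request.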
Affected packages:
SLE-11-SP3: xen
SLE-10-SP3-TERADATA: xen
SLE-11-SP1-TERADATA: xen
SLE-11-SP2: xen
bugbot adjusting priority
is public now can you clarify affectedness
Without stub domains (which we don't use) there's no real harm, since qemu-dm running in Dom0 already has other ways to do bad things to the overall system.
CVE-2014-2599 was assigned.
So we don't have to follow up on this issue, right? If so, feel free to close as WONTFIX.
Doing just so then (we'll pull in the fix anyway, but just as a normal bug fix).
openSUSE-SU-2014:1279-1: An update that solves 10 vulnerabilities and has 8 fixes is now available.
Category: security (important)
Bug References: 798770,820873,833483,842006,858178,862608,864801,865682,867910,878841,880751,881900,891539,895798,895799,895802,896023,897657
CVE References: CVE-2013-4344,CVE-2013-4540,CVE-2014-2599,CVE-2014-3967,CVE-2014-3968,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188
Sources used:
openSUSE 12.3 (src): xen-4.2.4_04-1.32.1
SUSE-SU-2014:1318-1: An update that solves 10 vulnerabilities and has 7 fixes is now available.
Category: security (moderate)
Bug References: 798770,833483,842006,858178,862608,864801,865682,867910,878841,880751,881900,882092,891539,895798,895799,895802,897657
CVE References: CVE-2013-4344,CVE-2013-4540,CVE-2014-2599,CVE-2014-3967,CVE-2014-3968,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): xen-4.2.4_04-0.9.1
SUSE Linux Enterprise Server 11 SP3 (src): xen-4.2.4_04-0.9.1
SUSE Linux Enterprise Desktop 11 SP3 (src): xen-4.2.4_04-0.9.1
SUSE-SU-2014:1710-1: An update that solves 13 vulnerabilities and has two fixes is now available.
Category: security (moderate)
Bug References: 826717,867910,875668,880751,895798,895799,895802,897657,901317,903850,903967,903970,905465,905467,906439
CVE References: CVE-2013-3495,CVE-2014-2599,CVE-2014-3124,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188,CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src): xen-4.1.6_08-0.5.1