Xen.org security team
2012-Sep-05 09:38 UTC
Xen Security Advisory 12 (CVE-2012-3494) - hypercall set_debugreg vulnerability
Xen Security Advisory CVE-2012-3494 / XSA-12
version 3
hypercall set_debugreg vulnerability
UPDATES IN VERSION 3
===================
Public release.
ISSUE DESCRIPTION
================
set_debugreg allows writes to reserved bits of the DR7 debug control
register on x86-64.
IMPACT
=====
A malicious guest can cause the host to crash, leading to a DoS.
If the vulnerable hypervisor is run on future hardware, the impact of
the vulnerability might be widened depending on the future assignment
of the currently-reserved debug register bits.
VULNERABLE SYSTEMS
=================
All systems running 64-bit paravirtualised guests.
The vulnerability dates back to at least Xen 4.0. 4.0, 4.1, the 4.2
RCs, and xen-unstable.hg are all vulnerable.
MITIGATION
=========
This issue can be mitigated by ensuring (inside the guest) that the
kernel is trustworthy, or by running only 32-bit or HVM guests.
RESOLUTION
=========
Applying the appropriate attached patch will resolve the issue.
PATCH INFORMATION
================
The attached patch resolves this issue:
 Xen unstable, 4.1 and 4.0    xsa12-all.patch
$ sha256sum xsa12-all.patch
2415ee133e28b1c848c5ae3ce766cc2a67009bad8d026879030a6511b85dbc13  xsa12-all.patch
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
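As an added illustration of the issue described in the advisory above (not code from xsa12-all.patch or from the Xen tree): validating a guest-supplied 64-bit DR7 value with an allow-list rejects every reserved bit, including bits 32-63, which a deny-list naming only the low-word reserved bits lets through. The mask values and all macro and function names are assumptions of this example, based on the architectural DR7 layout; the sample values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* DR7 layout per the x86 architecture manuals (assumed for this example):
 *   0-9    L0/G0..L3/G3, LE, GE       defined
 *   10     reserved, always reads as 1
 *   11-12  reserved, must be written as 0
 *   13     GD                         defined
 *   14-15  reserved, must be written as 0
 *   16-31  R/W and LEN fields         defined
 *   32-63  reserved on x86-64, must be written as 0 */
#define DR7_FIXED_ONE     UINT64_C(0x0000000000000400)
#define DR7_DEFINED       UINT64_C(0x00000000ffff23ff)
/* Hypothetical deny-list that names only the low-word reserved bits. */
#define DR7_LOW_RESERVED  UINT64_C(0x000000000000d800)

/* Weak form: bits 32-63 pass because the deny-list never mentions them. */
static bool dr7_ok_denylist(uint64_t v)
{
    return (v & DR7_LOW_RESERVED) == 0;
}

/* Strict form: allow-list. Returns the offending bits, 0 if none. */
static uint64_t dr7_reserved_bits(uint64_t v)
{
    return v & ~(DR7_DEFINED | DR7_FIXED_ONE);
}

static bool dr7_ok_allowlist(uint64_t v)
{
    return dr7_reserved_bits(v) == 0;
}

int main(void)
{
    /* Constructed sample values, not taken from any real guest. */
    const uint64_t samples[] = {
        UINT64_C(0x0000000000000401),   /* L0 enable, bit 10 set */
        UINT64_C(0x0000000000000800),   /* bit 11, low-word reserved */
        UINT64_C(0x0000000100000401),   /* bit 32, high-word reserved */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%#018llx denylist=%d allowlist=%d\n",
               (unsigned long long)samples[i],
               dr7_ok_denylist(samples[i]), dr7_ok_allowlist(samples[i]));
    return 0;
}
```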
Jonathan Tripathy
2012-Sep-05 09:49 UTC
Re: Xen Security Advisory 12 (CVE-2012-3494) - hypercall set_debugreg vulnerability
Is Xen 3.4.x vulnerable?

Thanks
Andrew Cooper
2012-Sep-05 09:52 UTC
Re: Xen Security Advisory 12 (CVE-2012-3494) - hypercall set_debugreg vulnerability
On 05/09/12 10:49, Jonathan Tripathy wrote:
> Is Xen 3.4.x vulnerable?
>
> Thanks

Yes - Vulnerable (tested and fixed) all the way back as far as Xen-3.2 (which is the earliest version that XenServer still creates security fixes for)

~Andrew

--
Andrew Cooper - Dom0 Kernel Engineer, Citrix XenServer
T: +44 (0)1223 225 900, http://www.citrix.com
Jan Beulich
2012-Sep-05 09:57 UTC
Re: Xen Security Advisory 12 (CVE-2012-3494) - hypercall set_debugreg vulnerability
>>> On 05.09.12 at 11:49, Jonathan Tripathy <jonnyt@abpni.co.uk> wrote:
> Is Xen 3.4.x vulnerable?

All versions supporting x86-64 are vulnerable afaict (checked back to 3.2.x, but I suppose even 3.0.x would be affected).

Jan