Xen.org security team
2013-Apr-18 13:36 UTC
Xen Security Advisory 44 (CVE-2013-1917) - Xen PV DoS vulnerability with SYSENTER
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Xen Security Advisory CVE-2013-1917 / XSA-44
version 2
Xen PV DoS vulnerability with SYSENTER
UPDATES IN VERSION 2
===================
Public release.
ISSUE DESCRIPTION
================
The SYSENTER instruction can be used by PV guests to accelerate system
call processing. This instruction, however, leaves the EFLAGS register
mostly unmodified - in particular, the NT flag doesn''t get cleared. If
the hypervisor subsequently uses IRET to return to the guest (which it
will always do if the guest is a 32-bit one), that instruction will
cause a #GP fault to be raised, but the recovery code in the
hypervisor will again try to use IRET without intermediately clearing
the NT flag. The #GP fault raised on this second IRET is a fatal
event, causing the hypervisor to crash.
IMPACT
=====
Malicious or buggy unprivileged user space can cause the entire host to crash.
VULNERABLE SYSTEMS
=================
All 64-bit Xen versions from 3.1 onwards running on Intel CPUs are
vulnerable. 32-bit Xen is not affected, as it doesn''t permit the use
of SYSENTER by PV guests. 64-bit Xen run on AMD CPUs isn''t affected
since AMD CPUs don''t allow the use of SYSENTER in long mode.
The vulnerability is only exposed by PV guests.
MITIGATION
=========
Running only HVM guests, or running PV guests on only 32-bit hosts or only AMD
CPUs will avoid this vulnerability.
RESOLUTION
=========
Applying the appropriate attached patch resolves this issue.
xsa44-4.1.patch Xen 4.1.x
xsa44-4.2.patch Xen 4.2.x
xsa44-unstable.patch xen-unstable
$ sha256sum xsa44*.patch
3dbf47224be0f8fc66ba08d8a46b910bd9a3e672ffe864aa77c698bef0e27783
xsa44-4.1.patch
c6c3afa228426d78e0484b7ac34210f642f79add35c4a04ca5ff7db5f2539e49
xsa44-4.2.patch
0e6ad83da75dc207a165411844c0985fd7f9588d92c2c95911c245485351bf36
xsa44-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQEcBAEBAgAGBQJRb/ZcAAoJEIP+FMlX6CvZCwMH/iTJCG4P9d+0nADT6YB3JmPl
e9eO+cE+rGHBy5pdKAh1UF1JG9VvQe76hlJP3YS0QaXMNtN6k2dxoHZEj1hpSzKJ
Q+KfS/R9yvVlputbfsVPSYYTl1bzDzMlWqyy/cZUZZVpGkMhVw1dLjJp4NvohCWb
OABvchlbY1tW2Vk4tNWy4vhVGHdzxegrtttEuAIBoXHtCIIeH3/0nwqokahfKzog
cKr5+y9K0JgbFSGP25POu/e7s9+sUKjJfUsFVw3+HknBW+zgJZ8fcu+/J0eJlgb5
0tkq749p+DtRE+kqS4sSM71+iGmnpWh+a0lsBmhARa6pyKVN+ccMvzvh809ItQg=w315
-----END PGP SIGNATURE-----
_______________________________________________
Xen-users mailing list
Xen-users@lists.xen.org
http://lists.xen.org/xen-users
Xen.org security team
2013-Apr-18 13:50 UTC
Xen Security Advisory 44 (CVE-2013-1917) - Xen PV DoS vulnerability with SYSENTER
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Xen Security Advisory CVE-2013-1917 / XSA-44
version 3
Xen PV DoS vulnerability with SYSENTER
UPDATES IN VERSION 3
===================
Backported patch for 4.0 now available.
ISSUE DESCRIPTION
================
The SYSENTER instruction can be used by PV guests to accelerate system
call processing. This instruction, however, leaves the EFLAGS register
mostly unmodified - in particular, the NT flag doesn''t get cleared. If
the hypervisor subsequently uses IRET to return to the guest (which it
will always do if the guest is a 32-bit one), that instruction will
cause a #GP fault to be raised, but the recovery code in the
hypervisor will again try to use IRET without intermediately clearing
the NT flag. The #GP fault raised on this second IRET is a fatal
event, causing the hypervisor to crash.
IMPACT
=====
Malicious or buggy unprivileged user space can cause the entire host to crash.
VULNERABLE SYSTEMS
=================
All 64-bit Xen versions from 3.1 onwards running on Intel CPUs are
vulnerable. 32-bit Xen is not affected, as it doesn''t permit the use
of SYSENTER by PV guests. 64-bit Xen run on AMD CPUs isn''t affected
since AMD CPUs don''t allow the use of SYSENTER in long mode.
The vulnerability is only exposed by PV guests.
MITIGATION
=========
Running only HVM guests, or running PV guests on only 32-bit hosts or only AMD
CPUs will avoid this vulnerability.
RESOLUTION
=========
Applying the appropriate attached patch resolves this issue.
xsa44-4.0.patch Xen 4.0.x
xsa44-4.1.patch Xen 4.1.x
xsa44-4.2.patch Xen 4.2.x
xsa44-unstable.patch xen-unstable
$ sha256sum xsa44*.patch
4de554d29adbae41a65d401becd9d074be27932ad9f3e0ed78ecb89de3ed35b5
xsa44-4.0.patch
3dbf47224be0f8fc66ba08d8a46b910bd9a3e672ffe864aa77c698bef0e27783
xsa44-4.1.patch
c6c3afa228426d78e0484b7ac34210f642f79add35c4a04ca5ff7db5f2539e49
xsa44-4.2.patch
0e6ad83da75dc207a165411844c0985fd7f9588d92c2c95911c245485351bf36
xsa44-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQEcBAEBAgAGBQJRb/oqAAoJEIP+FMlX6CvZ9EYH/2OAz/GRAX4A2Y52HoUfslN9
lZa4YNJOtPOuLITMeapu7MXBgRJYA/GPFzfBVlAoPNQTNpUD0Mfxvwz9mVGIUtNX
t0Mriz/oFGDqHzvz3rksmvG9y6tMfwa++srXms/uTXd3T1CxeGIHA4hMuvCRkMAU
HQHQ1pfsK6XGHV+ITeJVBGEwKh+aDxBfqIXDU1yhgTA9djpsHXWNAsu5mNRBsb0i
zMVxZg+x1maHhxigLwsEm1poxneWhkq+0pvTo/hCdK2XcK9NaUXNAALMZfQn5kgK
IwaC52V3FJSxErIWlZz6IW6Zq4tugzu/VJ92hrM0fubd04mfFG15+buc+NdUmvk=qSef
-----END PGP SIGNATURE-----
_______________________________________________
Xen-users mailing list
Xen-users@lists.xen.org
http://lists.xen.org/xen-users