Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1UXv3J-00018f-9u@xenbits.xen.org>
Date: Thu, 02 May 2013 15:04:09 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security@....org>
Subject: Xen Security Advisory 49 (CVE-2013-1952) - VT-d interrupt
 remapping source validation flaw for bridges

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2013-1952 / XSA-49
                              version 2

        VT-d interrupt remapping source validation flaw for bridges

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

Interrupt remapping table entries for MSI interrupts set up by bridge
devices did not get any source validation set up on them, allowing
misbehaving or malicious guests to inject interrupts into the domain
owning the bridges.

In a typical Xen system bridge devices are owned by domain 0, leaving
it vulnerable to such an attack. Such a DoS is likely to have an impact
on other guests running in the system.

IMPACT
======

A malicious domain, given access to a device which bus mastering
capable, can mount a denial of service attack affecting the whole
system.

VULNERABLE SYSTEMS
==================

Xen version 4.0 onwards is vulnerable.

Only systems using Intel VT-d for PCI passthrough are vulnerable.

Any domain which is given access to a PCI device that is bus mastering
capable can take advantage of this vulnerability.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices to untrusted
guests.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa49-unstable.patch          Xen xen-unstable
xsa49-4.2.patch               Xen 4.2.x
xsa49-4.1.patch               Xen 4.1.x

$ sha256sum xsa49-*.patch
666aec709795163e7c19e99f71ff88cb9a4d66f3f0599ef66446310323fd8d9e  xsa49-4.1.patch
37055cbc74111cbc507af3f09d6ac2e472f24efd54cd3e08583dc635e66a539f  xsa49-4.2.patch
ba07b4ff0393084282edc24db7f03eb95b0a4bbc8d40d6ede601d0182a0fc852  xsa49-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJRgnfXAAoJEIP+FMlX6CvZoHsH/jNpyc3Y1ga9GPQSxZ+GaXme
z/TzcW1gZsP8TVlsoXJbGSVMbDLNLkTA7LpPkep/tSNOfQ3Umg/70sLtvXmpm2PR
zvpLgjpKut5ziqLLhFX1kTRZIrg9X8p9k9DHiq3JKK7WUZ1S21i8zQH8w6k9R2Q5
JO6WTP5VidDVByn23HcIwUI1/z4mbPIe5MI2/I81dbw3BnMLHeX8RGlIHz1Cj729
W7UqRDkivdH0CjF4D/hBskcI+3bZOS2I+JrQf78YP5kq2zr1tSJ6wH9VhxgI0ku1
LgmmEPfqoeCXK8/s0QcLFj+nAMx6OZWeTPJ31RT41106ZWku+gazddFsZJ+PeuY=
=no/g
-----END PGP SIGNATURE-----

Download attachment "xsa49-4.1.patch" of type "application/octet-stream" (1847 bytes)

Download attachment "xsa49-4.2.patch" of type "application/octet-stream" (1877 bytes)

Download attachment "xsa49-unstable.patch" of type "application/octet-stream" (1916 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.