Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1YzmoF-0001rG-Vs@xenbits.xen.org>
Date: Tue, 02 Jun 2015 14:04:51 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security@....org>
Subject: Xen Security Advisory 131 (CVE-2015-4106) - Unmediated PCI
 register access in qemu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2015-4106 / XSA-131
                              version 3

                Unmediated PCI register access in qemu

UPDATES IN VERSION 3
====================

Public release.

CVE assigned.

ISSUE DESCRIPTION
=================

Qemu allows guests to not only read, but also write all parts of the
PCI config space (but not extended config space) of passed through PCI
devices not explicitly dealt with for (partial) emulation purposes.

IMPACT
======

Since the effect depends on the specific purpose of the the config
space field, it's not possbile to give a general statement about the
exact impact on the host or other guests.  Privilege escalation, host
crash (Denial of Service), and leaked information all cannot be
excluded.

VULNERABLE SYSTEMS
==================

Xen versions 3.3 and onwards are vulnerable due to supporting PCI
pass-through.

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

Only HVM guests with their device model run in Dom0 can take advantage
of this vulnerability.

Only HVM guests which have been granted access to physical PCI devices
(`PCI passthrough') can take advantage of this vulnerability.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices to untrusted HVM
guests.

This issue can also be avoided by only using PV guests.

It can also be avoided by configuring HVM guests with their device
model run in a separate (stub) domain.  (When using xl, this can be
requested with "device_model_stubdomain_override=1" in the domain
configuration file.)

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa131-qemuu-$n.patch           qemu-upstream-unstable, Xen 4.5.x, Xen 4.4.x
xsa131-qemuu-4.4-1.patch        Xen 4.4.x replacement for xsa131-qemuu-1.patch
xsa131-qemuu-4.3-$n.patch       Xen 4.3.x
xsa131-qemut-$n.patch           qemu-xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x
xsa131-qemut-4.2-1.patch        Xen 4.2.x replacement for xsa131-qemut-1.patch

$ sha256sum xsa131*.patch
2ff4aa092247ff0911d837adc5f4de1ffa8ed32a39eaea9b0bfc4a40b7921b06  xsa131-qemut-1.patch
dafa524374d890e517d4e2600a594064b55af645172422b9e81a64b5f4a64575  xsa131-qemut-2.patch
b37d3e22ce4410bf0db87217c60a543f0143a23ab0652f1746bd5fe17dbadd70  xsa131-qemut-3.patch
b5f0882717129142f11297a62b2ed826da94ce5ed42f6b2ea60f9101b652aed9  xsa131-qemut-4.2-1.patch
3bfc58b6288bafb4c2039265be32c6bd9e048b63a4cae279ead3ec1154af9abe  xsa131-qemut-4.patch
60c44b63d2c7bd7e12631db7fd05622d782e1a5ccd7dfa17a1671b36b5ff7bee  xsa131-qemut-5.patch
8f2a9c4333155fac670ad3a932703051ce8a47f4f6d3a067458e5ab49da7e93a  xsa131-qemut-6.patch
ed4facfa80b2ab7ecfc9b232878d3f4d54ad93214c75f4b4af71c8f07a1d04c4  xsa131-qemut-7.patch
d400d03ae792699fec9a54bbb6b08c2f5523427ef8af85b0c5ede497ba87f61c  xsa131-qemut-8.patch
7a7f294303a8bcf9a316e3e6b8a0511dac3e92dbf7e373b21c94b97835c03f2f  xsa131-qemuu-1.patch
dc72bd4993fdcea3dc98d18f314da3ac1c7e73e0b99dac325b0e59d0229f67e5  xsa131-qemuu-2.patch
61524a47fd29406ba9a2983ea9cb59e45a56d716d65d78689177d9c8e95f76e6  xsa131-qemuu-3.patch
21493c5db68115d97a6aecf1159ee05023b59545627d7f03d7fdaa238bb3bd27  xsa131-qemuu-4.3-1.patch
5828647db6f090ce6c7ea20f90331008f2a0bba18b3a3a371f2ba9054871a7cb  xsa131-qemuu-4.3-2.patch
eab05df32e8a7c729cc52affd28b109a8f75cabb8fd4027934059d303b2232fa  xsa131-qemuu-4.3-3.patch
8dc95a2a8a45d851476b938e4cab2e65d87b8dc28c721949824ce900552ba489  xsa131-qemuu-4.3-4.patch
7a358fba18ae9c0dde1134564151a97c8e6d6f5982ac74c450f81d2ed8e9d540  xsa131-qemuu-4.3-5.patch
fcb77a8d2adde1daf03f8faeb6e92788b2727f5b11563b6f770c74251b0964a4  xsa131-qemuu-4.3-6.patch
79933b2744e7b69c4eb23f3974d242e2592cb4553be115a4aec1c6e30e7564cf  xsa131-qemuu-4.3-7.patch
bb4021a36a9f36dc0082cfd42869adc737ec4afea92ac1100f0971118174b58c  xsa131-qemuu-4.3-8.patch
f70516fa38a3d2e0cf906c41e3b7dfd7cf998c9189b232dac20633c7b0d1ab8b  xsa131-qemuu-4.4-1.patch
041c82a341755bcbab18f834a0fccf9c031674d956958092cbfa5e64f05b6318  xsa131-qemuu-4.patch
91aeb9c0d3e9a251faf12840e0519a342cfb7e35af3fea429bedb452182fae47  xsa131-qemuu-5.patch
60482fe37fd405032b92de85ed5d333c210c85662b1645016dce2f0053aa6ec0  xsa131-qemuu-6.patch
05fc2e614620449e52a056ce6e5f4033970ade22fde623e3b789fc57b3e4143e  xsa131-qemuu-7.patch
358849d7c0dff29bf96f49e56d00c4d7bd4c8d0c71c122a7b3655e10f45cb53b  xsa131-qemuu-8.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of patches or migitations is NOT permitted (except on
systems used and administered only by organisations which are members
of the Xen Project Security Issues Predisclosure List).  Specifically,
deployent on public cloud systems is NOT permitted.

This is because the altered PCI config space access behavior is visible
to guests.

Deployment is permitted only AFTER the embargo ends.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJVbbdZAAoJEIP+FMlX6CvZ1yEIAKWoq6O8Nk8zewvKojXnmt0J
irQ4p9uXBDN682d9Vloq+y86PSt5NLs83ZfAHWSkWPkkgyDXy4tmnte9LGMLmVI+
Z7nZs4dsH2bixFMJfqjKWE//py37TIVmI4M37xOgkNV8HTQJ0ZHWgYur5ilNJu9x
HJ1duL3//+zkelA+zUQQSNMPvc2OUCSRGW5UVDwn95xJDAgURWe2d6c6bg8yG7T6
ufwO0x1CWTRaVsbLRSCST3NEVl7bxmYR5RBxlBaUIpgzT53aK3XHoiAezjTdK1Ul
TiZ3Hb0XVtFbNEz2cCWQBEdQPKYhJjxpUBdRi9zlsiFwHa+lG+CA3i1IcqXIXQo=
=tNVc
-----END PGP SIGNATURE-----

Download attachment "xsa131-qemut-1.patch" of type "application/octet-stream" (2258 bytes)

Download attachment "xsa131-qemut-2.patch" of type "application/octet-stream" (5149 bytes)

Download attachment "xsa131-qemut-3.patch" of type "application/octet-stream" (795 bytes)

Download attachment "xsa131-qemut-4.2-1.patch" of type "application/octet-stream" (2303 bytes)

Download attachment "xsa131-qemut-4.patch" of type "application/octet-stream" (10539 bytes)

Download attachment "xsa131-qemut-5.patch" of type "application/octet-stream" (779 bytes)

Download attachment "xsa131-qemut-6.patch" of type "application/octet-stream" (3101 bytes)

Download attachment "xsa131-qemut-7.patch" of type "application/octet-stream" (2442 bytes)

Download attachment "xsa131-qemut-8.patch" of type "application/octet-stream" (5307 bytes)

Download attachment "xsa131-qemuu-1.patch" of type "application/octet-stream" (2149 bytes)

Download attachment "xsa131-qemuu-2.patch" of type "application/octet-stream" (2684 bytes)

Download attachment "xsa131-qemuu-3.patch" of type "application/octet-stream" (785 bytes)

Download attachment "xsa131-qemuu-4.3-1.patch" of type "application/octet-stream" (2155 bytes)

Download attachment "xsa131-qemuu-4.3-2.patch" of type "application/octet-stream" (2676 bytes)

Download attachment "xsa131-qemuu-4.3-3.patch" of type "application/octet-stream" (777 bytes)

Download attachment "xsa131-qemuu-4.3-4.patch" of type "application/octet-stream" (9476 bytes)

Download attachment "xsa131-qemuu-4.3-5.patch" of type "application/octet-stream" (799 bytes)

Download attachment "xsa131-qemuu-4.3-6.patch" of type "application/octet-stream" (2765 bytes)

Download attachment "xsa131-qemuu-4.3-7.patch" of type "application/octet-stream" (2254 bytes)

Download attachment "xsa131-qemuu-4.3-8.patch" of type "application/octet-stream" (4559 bytes)

Download attachment "xsa131-qemuu-4.4-1.patch" of type "application/octet-stream" (2163 bytes)

Download attachment "xsa131-qemuu-4.patch" of type "application/octet-stream" (9484 bytes)

Download attachment "xsa131-qemuu-5.patch" of type "application/octet-stream" (807 bytes)

Download attachment "xsa131-qemuu-6.patch" of type "application/octet-stream" (2781 bytes)

Download attachment "xsa131-qemuu-7.patch" of type "application/octet-stream" (2262 bytes)

Download attachment "xsa131-qemuu-8.patch" of type "application/octet-stream" (4583 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.