Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <E1gFQSc-0001y8-8b@xenbits.xenproject.org>
Date: Wed, 24 Oct 2018 21:13:02 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security-team-members@....org>
Subject: Xen Security Advisory 278 v1 - x86: Nested VT-x usable even when
 disabled

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                    Xen Security Advisory XSA-278

               x86: Nested VT-x usable even when disabled

ISSUE DESCRIPTION
=================

When running HVM guests, virtual extensions are enabled in hardware because
Xen is using them.  As a result, a guest can blindly execute the
virtualisation instructions, and will exit to Xen for processing.

In the case that the guest hasn't followed the correct (virtual) configuration
procedure, it shouldn't be able to use the instructions, and Xen should
respond with #UD exception.  When nested virtualisation is disabled for the
guest, it is not permitted to complete the configuration procedure.

Unfortunately, when nested virtualisation is intended to be disabled for the
guest, an incorrect default value leads Xen to believe that the configuration
procedure has already been completed.

IMPACT
======

Guest software which blindly plays with the VT-x instructions can cause Xen to
operate on uninitialised data.  As the backing memory is zeroed, this causes
Xen to suffer a NULL pointer dereference, causing a host Denial of Service.

Other behaviours such as memory corruption or privilege escalation have not
been ruled out.

VULNERABLE SYSTEMS
==================

Systems running Xen 4.9 or later are vulnerable.  Systems running Xen 4.8 or
earlier are not vulnerable.

Only Intel x86 systems are vulnerable.  Systems from other x86 vendors, and
other hardware vendors are not vulnerable.

Only x86 HVM and PVH guests can leverage this vulnerability.  x86 PV guests
cannot leverage this vulnerability.

MITIGATION
==========

Running only x86 PV guests will avoid the issue.

For x86 HVM guests, while enabling nested virtualisation for affected guests
does work around this particular DoS, it is not a security supported
configuration and has other know DoS and suspected privilege escalation
vulnerabilities.  Therefore, it is not a mitigation.

CREDITS
=======

This issue was discovered by Sergey Dyasli of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa278.patch           xen-unstable
xsa278-4.11.patch      Xen 4.11, 4.10, 4.9

$ sha256sum xsa278*
d94c59ee170f96af14f0cf696221ba8b9447b86820fe99fba1815ab93cc89cd7  xsa278.patch
22686a9bbfbd38bb74292a28a452012d263875c9064815d4afd3fd6c62df0c3a  xsa278-4.11.patch
$

NOTE CONCERNING LACK OF EMBARGO
===============================

This issue was first reported in private and was in the usual XSA process.

It was later independently reported in public with enough detail for the issue
to be considered fully public.
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAlvQ4AQMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZMncIAKPKEhtKfaVxNp3WxA2UYRYQCLjrPieFwn8WF/Bx
Fcou5sCUhKZuRQccM5sOyDT8q/GRwYcvkcn3yXqXCKkijhsEA4fzsDYrCvQlO7RS
xcRMJSBhovz81PPrlDfGVGB6f2Iq3JePVP9DNxwHhgNQJN0+3kdjzEUtKJx3VczE
8LwIpQYyG4Xn3HBIjVD7R6+UiJLcDrD5sdRh9yOgNFNQQUqERtsAOEFJ2raYs/Cm
hUvb5m3HBJSzcsZqdfTe5ovLwpumNygao43xt+lAA1KvKk148yEjO4E1dIklmFOE
1d6Za6n9VD/+vTAo2JMDr0WpHZjzvBxNHkOg4levkYvKiCg=
=fPmO
-----END PGP SIGNATURE-----

Download attachment "xsa278.patch" of type "application/octet-stream" (10641 bytes)

Download attachment "xsa278-4.11.patch" of type "application/octet-stream" (10615 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.