Message-Id: <E1qKMmq-00035B-SS@xenbits.xenproject.org>
Date: Fri, 14 Jul 2023 17:41:00 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security-team-members@....org>
Subject: Xen Security Notice 1 v1 - winpvdrvbuild.xenproject.org
 potentially compromised

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                     Xen Security Notice 1

         winpvdrvbuild.xenproject.org potentially compromised

ISSUE DESCRIPTION
=================

Software running on the Xen Project-hosted subdomain
winpvdrvbuild.xenproject.org is outdated and vulnerable to several
CVEs.  Some of the reported issues include remote code execution.  The
affected host was running the Jenkins build system for the Windows PV
Drivers subproject.

IMPACT
======

Since the list of reported CVEs includes remote code execution, we no
longer have confidence that binaries previously available at:

https://xenbits.xen.org/pvdrivers/win/

are trustworthy.  This includes binaries signed with the Xen Project's EV
key, which is cross-signed by Microsoft.

Note that the source code for the Windows drivers, hosted on
xenbits.xen.org, is on a separate system, and we are confident that it
has not been tampered with.  The EV key was also not available to the
possibly compromised system.

ACTIONS TAKEN
=============

The possibly compromised system has been decommissioned.

We have removed all previous binaries from:

https://xenbits.xen.org/pvdrivers/win/

A new set of drivers, based on the current master branch
(9.0-unstable) and built in a trusted environment, has been uploaded
to the same folder with the following hashes:

$ sha256sum xen*.tar
b089e46d52ffc64a14799c609272ccdded805c1552a88b45d95a64a27e775de7  xenbus.tar
afc6f11f9078cb457daa000b8b8d8ab69656d3950e7afbf6f40aaa5da217301a  xencons.tar
7bbcedcda5e2ffa8ab32eb3d207d1c7db5b91e22926b26d75750bfadde6611f0  xenhid.tar
a8f3344e370647696e3ed39201f5c9db693aca1c093a638fde8b7a928a4416c2  xeniface.tar
560d7049f5e321545dda25c26b5f56e0975a7f62d35629f4c9a73f0fbd148cf3  xennet.tar
9cb34cd135aab045a2401098c4044c95dbd179c454718e43045e433401b8e3dd  xenvbd.tar
47c1b9bc6e90e20d3f524036a3171cf7f8da1d94186febbae0d4a108db7bb3b5  xenvif.tar
09a4b108a9d3fca699c3c31aeb4836cfee2538e588462b0646dcccbde42a4263  xenvkbd.tar
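
As an added example (not part of the notice), the following POSIX shell check compares downloaded tarballs against a file holding the hash list above in sha256sum's "<hash>  <name>" format, and also flags any tarball in the directory that the list does not cover. It assumes GNU coreutils sha256sum and awk are available, and that the list was copied from the PGP-signed message after checking its signature.

```shell
#!/bin/sh
# Added example, not part of the Xen notice: check downloaded PV driver
# tarballs against the SHA-256 list published above. Assumes GNU
# coreutils (sha256sum) and awk; <sumsfile> holds the notice's list in
# sha256sum format ("<hash>  <name>"), taken from the signed message.

# verify_pvdrivers <dir> <sumsfile>
# Returns 0 only if every listed tarball is present in <dir> with a
# matching hash AND no unlisted *.tar is present. Plain "sha256sum -c"
# checks only the first condition and would leave an extra, unverified
# tarball sitting unremarked next to the checked ones.
verify_pvdrivers() {
    dir=$1; sums=$2; rc=0
    while read -r expected name; do
        [ -n "$name" ] || continue
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING:  $name" >&2; rc=1; continue
        fi
        actual=$(sha256sum "$dir/$name" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK:       $name"
        else
            echo "MISMATCH: $name (got $actual)" >&2; rc=1
        fi
    done < "$sums"
    # Anything in the download directory the notice does not vouch for.
    for f in "$dir"/*.tar; do
        [ -e "$f" ] || continue
        name=${f##*/}
        awk -v n="$name" '$2 == n { found = 1 } END { exit !found }' "$sums" \
            || { echo "UNLISTED: $name" >&2; rc=1; }
    done
    return "$rc"
}

# Usage: verify_pvdrivers ./downloads xsn1.sha256
```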

ACTIONS IN PROGRESS
===================

The security team is attempting to inspect existing binaries to
determine whether there are any obvious signs of tampering.

CREDITS
=======

We would like to thank Mahmud Hasan for bringing this to our
attention.

WHAT IS AN XSN
==============

A Xen Security Notice is a mechanism the Security Team was already in
the process of introducing, for providing official communication of
security-relevant information that does not fit the normal XSA
template.  Please bear with us as we find the right balance while
fast-tracking it into use.
