Xen project Mailing List

[Xen-devel] Xen Security Advisory 127 (CVE-2015-2751) - Certain domctl operations may be abused to lock up the host

To: xen-announce@xxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxx, xen-users@xxxxxxxxxxxxx, oss-security@xxxxxxxxxxxxxxxxxx

From: Xen.org security team <security@xxxxxxx>

Date: Tue, 31 Mar 2015 12:10:07 +0000

Cc: "Xen.org security team" <security@xxxxxxx>

Delivery-date: Tue, 31 Mar 2015 12:10:19 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2015-2751 / XSA-127 version 2 Certain domctl operations may be abused to lock up the host UPDATES IN VERSION 2 ==================== CVE assigned. Public release. ISSUE DESCRIPTION ================= XSA-77 put the majority of the domctl operations on a list excepting them from having security advisories issued for them if any effects their use might have could hamper security. Subsequently some of them got declared disaggregation safe, but for a small subset this was not really correct: Their (mis-)use may result in host lockups. As a result, the potential security benefits of toolstack disaggregation are not always fully realised. IMPACT ====== Domains deliberately given partial management control may be able to deny service to the entire host. As a result, in a system designed to enhance security by radically disaggregating the management, the security may be reduced. But, the security will be no worse than a non-disaggregated design. VULNERABLE SYSTEMS ================== Xen versions 4.3 onwards are vulnerable. Xen versions 4.2 and earlier do not have the described disaggregation functionality and hence are not vulnerable. MITIGATION ========== The issues discussed in this advisory are themselves bugs in features used for a security risk mitigation. There is no further mitigation available, beyond general measures to try to avoid parts of the system management becoming controlled by attackers. Those are the kind of measures which we expect any users of radical disaggregation to have already deployed. Switching from disaggregated to a non-disaggregated operation does NOT mitigate these vulnerabilities. Rather, it simply recategorises the vulnerability to hostile management code, regarding it "as designed"; thus it merely reclassifies these issues as "not a bug". Users and vendors of disaggregated systems should not change their configuration. The robustness benefits of disaggregation are unaffected, and (depending on system design) security benefits are likely to remain despite the vulnerabilities. CREDITS ======= This issue was discovered by Andrew Cooper of Citrix. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa127-unstable.patch xen-unstable xsa127-4.x.patch Xen 4.5.x, Xen 4.4.x, Xen 4.3.x $ sha256sum xsa127*.patch 5b98280738a205c40f56d0a7feb6ea6cd867da7ac1e0d9f4fc4620bae2c09171 xsa127.patch e5fd3c126ae10fe45283e6eb1a4216b75057f1772d869d2b3a26398b0984c7bd xsa127-4.x.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJVGo5PAAoJEIP+FMlX6CvZMhoH/0zH/JpvOk+dTQHVBN5uYjDB hkW5+/K4NfqRpnxQmTNJ6F5j0gcjbPCusf1yjdwjsAkToX2Y3TmqQAulpzkpT1z2 vvnIl8nYvD92fL1C8U9EBAXj62QmxN/IoX8rSl+g8byhoSO4WmUkbqseOb6LlcV3 wq/H15ZFfE6FjDQQGaFasbYyDOgBQiWFEmrBo2Zx7Qkendv5lt0YV/6/j3m1R8Hm D9fEchB07zKO49YkKnRrucDSf/9JTJI8W8M4Hmm9ykXncdUVI7xTSa66/XDOegcL ArBl9aXvuN9jMETS/JJBkEwqvULTQMy+Ac4NxBJE2W0allkKZxCcHMq50oSq3t0= =qqy0 -----END PGP SIGNATURE-----

Attachment: xsa127.patch
Description: Binary data

Attachment: xsa127-4.x.patch
Description: Binary data

_______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.