Bug 895802 (CVE-2014-7156)

Summary: VUL-0: CVE-2014-7156: xen: XSA-106: Missing privilege level checks in x86 emulation of software interrupts
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: carnold, jbeulich, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: maint:released:sle11-sp1:59013 maint:released:sle11-sp3:59232 maint:running:59647:moderate maint:released:sle11-sp2:59949 maint:released:sle11-sp1:59807 maint:released:sle11-sp1:59948
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: xsa106.patch

Description Marcus Meissner 2014-09-09 12:57:40 UTC 
embargoed, via pre-advisory mail

                    Xen Security Advisory XSA-106

    Missing privilege level checks in x86 emulation of software interrupts

              *** EMBARGOED UNTIL 2014-09-23 12:00 UTC ***

ISSUE DESCRIPTION
=================

The emulation of instructions which generate software interrupts fails
to perform supervisor mode permission checks.

However these instructions are not usually handled by the emulator.
Exceptions to this are
- - when a memory operand (implicit for the affected instructions) lives
  in (emulated or passed through) memory mapped IO space,
- - in the case of guests running in 32-bit PAE mode, when such an
  instruction is (in execution flow) within four instructions of one
  doing a page table update,
- - when an Invalid Opcode exception gets raised by a guest instruction,
  and the guest then (likely maliciously) alters the instruction to
  become one of the affected ones,
- - when the guest is in real mode (in which case there are no privilege
  checks anyway).

IMPACT
======

Malicious HVM guest user mode code may be able to crash the guest.

VULNERABLE SYSTEMS
==================

Xen versions from 3.3 onwards are vulnerable.

Only user processes in HVM guests can take advantage of this
vulnerability.

MITIGATION
==========

Running only PV guests will avoid this issue.

There is no mitigation available for HVM guests.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa106.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa106*.patch
004051a839851d779de79b7804c5ef9a4d290bf2c8724b57299ca3a7b5a6173a  xsa106.patch
$
Comment 1 Marcus Meissner 2014-09-09 12:58:03 UTC 
Created attachment 605561 [details]
xsa106.patch

attached patch
Comment 2 SMASH SMASH 2014-09-09 13:30:33 UTC 
Affected packages:

SLE-10-SP3-TERADATA: xen
SLE-11-SP1-TERADATA: xen
SLE-11-SP3: xen
SLE-11-SP3-PRODUCTS: xen
SLE-11-SP3-UPTU: xen
Comment 3 Swamp Workflow Management 2014-09-09 22:00:41 UTC 
bugbot adjusting priority
Comment 4 Charles Arnold 2014-09-19 00:36:34 UTC 
Xen submitted for relevant SLE platforms.
Comment 5 Marcus Meissner 2014-09-23 12:53:16 UTC 
is public
Comment 6 Marcus Meissner 2014-09-24 08:02:07 UTC 
CVE-2014-7156
Comment 7 Swamp Workflow Management 2014-10-09 11:08:27 UTC 
openSUSE-SU-2014:1279-1: An update that solves 10 vulnerabilities and has 8 fixes is now available.

Category: security (important)
Bug References: 798770,820873,833483,842006,858178,862608,864801,865682,867910,878841,880751,881900,891539,895798,895799,895802,896023,897657
CVE References: CVE-2013-4344,CVE-2013-4540,CVE-2014-2599,CVE-2014-3967,CVE-2014-3968,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188
Sources used:
openSUSE 12.3 (src):    xen-4.2.4_04-1.32.1
Comment 8 Swamp Workflow Management 2014-10-09 11:11:21 UTC 
openSUSE-SU-2014:1281-1: An update that solves 10 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 798770,820873,842006,864801,865682,875668,878841,880751,882127,895798,895799,895802,896023,897657
CVE References: CVE-2013-4344,CVE-2013-4540,CVE-2014-3124,CVE-2014-3967,CVE-2014-3968,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188
Sources used:
openSUSE 13.1 (src):    xen-4.3.2_02-27.1
Comment 9 Swamp Workflow Management 2014-10-22 23:08:16 UTC 
SUSE-SU-2014:1318-1: An update that solves 10 vulnerabilities and has 7 fixes is now available.

Category: security (moderate)
Bug References: 798770,833483,842006,858178,862608,864801,865682,867910,878841,880751,881900,882092,891539,895798,895799,895802,897657
CVE References: CVE-2013-4344,CVE-2013-4540,CVE-2014-2599,CVE-2014-3967,CVE-2014-3968,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    xen-4.2.4_04-0.9.1
SUSE Linux Enterprise Server 11 SP3 (src):    xen-4.2.4_04-0.9.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    xen-4.2.4_04-0.9.1
Comment 10 Swamp Workflow Management 2014-12-24 18:06:13 UTC 
SUSE-SU-2014:1710-1: An update that solves 13 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 826717,867910,875668,880751,895798,895799,895802,897657,901317,903850,903967,903970,905465,905467,906439
CVE References: CVE-2013-3495,CVE-2014-2599,CVE-2014-3124,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188,CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    xen-4.1.6_08-0.5.1
Comment 11 Swamp Workflow Management 2014-12-30 19:05:45 UTC 
SUSE-SU-2014:1732-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 826717,880751,895798,895799,895802,903967,903970,905467,906439
CVE References: CVE-2013-3495,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-8594,CVE-2014-8595,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    xen-4.0.3_21548_18-0.9.1
Comment 12 Marcus Meissner 2015-02-10 10:50:01 UTC 
SLE12 was fixed before GA