Bug 903970 (CVE-2014-8595)

Summary: VUL-0: CVE-2014-8595: XSA-110: xen: Missing privilege level checks in x86 emulation of far branches
Product: [Novell Products] SUSE Security Incidents
Component: Incidents
Status: RESOLVED FIXED
Severity: Normal
Priority: P3 - Medium
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Reporter: Johannes Segitz <jsegitz>
Assignee: Security Team bot <security-team>
QA Contact: Security Team bot <security-team>
CC: carnold, jbeulich, jsegitz, meissner
Whiteboard: maint:released:sle10-sp3:59806 maint:released:sle10-sp4:59947 maint:released:sle11-sp3:59810 maint:released:sle11-sp2:59949 maint:released:sle11-sp1:59807 maint:released:sle11-sp1:59948 maint:running:60766:moderate CVSSv2:NVD:CVE-2014-8595:1.9:(AV:L/AC:M/Au:N/C:N/I:N/A:P)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments:
  xen-unstable, Xen 4.4.x
  Xen 4.3.x, Xen 4.2.x

Description Johannes Segitz 2014-11-05 09:42:25 UTC
*** EMBARGOED UNTIL 2014-11-18 12:00 UTC ***

ISSUE DESCRIPTION
=================

The emulation of far branch instructions (CALL, JMP, and RETF in Intel
assembly syntax, LCALL, LJMP, and LRET in AT&T assembly syntax)
incompletely performs privilege checks.

However these instructions are not usually handled by the emulator.
Exceptions to this are
- when a memory operand lives in (emulated or passed through) memory
  mapped IO space,
- in the case of guests running in 32-bit PAE mode, when such an
  instruction is (in execution flow) within four instructions of one
  doing a page table update,
- when an Invalid Opcode exception gets raised by a guest instruction,
  and the guest then (likely maliciously) alters the instruction to
  become one of the affected ones,
- when the guest is in real mode (in which case there are no privilege
  checks anyway).

IMPACT
======

Malicious HVM guest user mode code may be able to elevate its
privileges to guest supervisor mode, or to crash the guest.

VULNERABLE SYSTEMS
==================

Xen 3.2.1 and onward are vulnerable on x86 systems.

ARM systems are not vulnerable.

Only user processes in x86 HVM guests can take advantage of this
vulnerability.

MITIGATION
==========

Running only PV guests will avoid this issue.

There is no mitigation available for HVM guests.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa110-unstable.patch        xen-unstable, Xen 4.4.x
xsa110-4.3-and-4.2.patch     Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa110*.patch
a114ba586d18125b368112527a077abfe309826ad47aca8cc80ba4549c5f9ae2  xsa110-4.3-and-4.2.patch
eac4691848dcd093903e0a0f5fd7ab15be15d0f10b98575379911e91e5dcbd70  xsa110.patch
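The advisory above says the emulator "incompletely performs privilege checks" for far branches. The following C model, added here as an illustration and not taken from Xen's x86_emulate code or from the attached patches, shows the architectural rules an emulator has to enforce when a far JMP, far CALL or far RET loads CS from a code-segment descriptor (conforming vs. non-conforming segments, DPL against CPL, and RPL on a return), and exercises the case the advisory describes: ring-3 guest code attempting to return into a ring-0 code segment. The descriptor struct, the selector values and the sample descriptors are constructed for this example; call gates, task switches and real mode are out of scope.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the privilege-level rules an x86 instruction
 * emulator must apply when a far JMP, far CALL or far RET loads CS from a
 * code-segment descriptor (rules as in the Intel SDM instruction
 * descriptions).  Illustrative code written for this page, not Xen's
 * x86_emulate; call gates, task switches and real mode are left out. */

enum far_branch { FAR_JMP, FAR_CALL, FAR_RET };

struct code_seg {          /* the descriptor fields the checks depend on */
    bool present;          /* P bit */
    bool is_code;          /* descriptor type is a code segment */
    bool conforming;       /* C bit of a code segment */
    unsigned dpl;          /* descriptor privilege level 0..3 */
};

/* Constructed sample descriptors (not taken from any real GDT). */
static const struct code_seg RING0_CODE  = { true,  true, false, 0 };
static const struct code_seg RING3_CODE  = { true,  true, false, 3 };
static const struct code_seg CONF_CODE   = { true,  true, true,  0 };
static const struct code_seg ABSENT_CODE = { false, true, false, 3 };

/* Returns true if loading CS with 'selector'/'desc' is architecturally
 * allowed for a guest currently at 'cpl'; *new_cpl then holds the
 * privilege level after the branch.  Returns false where hardware would
 * raise #GP (or #NP for a non-present segment); an emulator that skips
 * these checks lets exactly those loads through. */
bool check_cs_load(enum far_branch kind, unsigned cpl, uint16_t selector,
                   const struct code_seg *desc, unsigned *new_cpl)
{
    unsigned rpl = selector & 3;

    if ((selector & ~3u) == 0 || !desc->is_code)
        return false;                       /* null selector or not code: #GP */

    switch (kind) {
    case FAR_JMP:
    case FAR_CALL:
        /* Conforming: DPL <= CPL, RPL ignored.  Non-conforming: RPL <= CPL
         * and DPL == CPL.  Either way CPL does not change. */
        if (desc->conforming ? desc->dpl > cpl
                             : (rpl > cpl || desc->dpl != cpl))
            return false;
        *new_cpl = cpl;
        break;
    case FAR_RET:
        /* A far return may stay at CPL or move to a less privileged level,
         * never gain privilege: RPL >= CPL.  The target segment must then
         * match RPL (non-conforming) or be at most RPL (conforming). */
        if (rpl < cpl)
            return false;
        if (desc->conforming ? desc->dpl > rpl : desc->dpl != rpl)
            return false;
        *new_cpl = rpl;
        break;
    }
    if (!desc->present)
        return false;                       /* #NP */
    return true;
}

/* The scenario behind the advisory: ring-3 guest code tries to RETF into
 * a ring-0 code segment.  Returns true when the model rejects it. */
bool user_retf_to_ring0_rejected(void)
{
    unsigned cpl = 3;                       /* user-mode guest code */
    uint16_t kernel_cs = 0x0008;            /* constructed: index 1, RPL 0 */
    unsigned new_cpl = cpl;
    return !check_cs_load(FAR_RET, cpl, kernel_cs, &RING0_CODE, &new_cpl);
}

int main(void)
{
    unsigned new_cpl = 0;
    printf("user RETF to ring-0 CS rejected: %s\n",
           user_retf_to_ring0_rejected() ? "yes" : "no");
    printf("ring-0 RETF to ring-3 CS allowed: %s (new CPL %u)\n",
           check_cs_load(FAR_RET, 0, 0x0023, &RING3_CODE, &new_cpl) ? "yes" : "no",
           new_cpl);
    return 0;
}
```

The point of the model is the asymmetry: a JMP or CALL to a code segment never changes CPL, and a RET may only keep or lower it, so any emulated far branch that would leave a CPL-3 guest running CPL-0 code must end in #GP rather than in a CS load.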
Comment 1 Johannes Segitz 2014-11-05 09:43:06 UTC
Created attachment 612450 [details]
xen-unstable, Xen 4.4.x
Comment 2 Johannes Segitz 2014-11-05 09:43:23 UTC
Created attachment 612451 [details]
Xen 4.3.x, Xen 4.2.x
Comment 3 Swamp Workflow Management 2014-11-05 23:00:47 UTC
bugbot adjusting priority
Comment 4 Johannes Segitz 2014-11-10 15:46:08 UTC
CVE got assigned: CVE-2014-8595
Comment 5 Swamp Workflow Management 2014-11-13 15:29:02 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2014-11-27.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/59647
Comment 6 Charles Arnold 2014-11-25 22:31:06 UTC
Xen has been submitted with the following MR/SR numbers:

SLE12: MR#46616
SLE11-SP3: SR#46617
SLE11-SP2: SR#46618
SLE11-SP1: SR#46619
SLE11-SP1-Teradata: SR#46622
SLE10-SP4: SR#46620
SLE10-SP3: SR#46621

Bug fixes included in each distro are as follows:

Security and Maintenance SLE12
==============================
- bnc#906439 - VUL-0: CVE-2014-9030: XSA-113: Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling
- bnc#905467 - VUL-0: CVE-2014-8867: XSA-112: xen: Insufficient bounding of "REP MOVS" to MMIO emulated inside the hypervisor
- bnc#905465 - VUL-0: CVE-2014-8866: XSA-111: xen: Excessive checking in compatibility mode hypercall argument translation
- bnc#903970 - VUL-0: CVE-2014-8595: XSA-110: xen: Missing privilege level checks in x86 emulation of far branches
- bnc#903967 - VUL-0: CVE-2014-8594: XSA-109: xen: Insufficient restrictions on certain MMU update hypercalls
- bnc#889526 - VUL-0: CVE-2014-5146, CVE-2014-5149: xen: XSA-97 Long latency virtual-mmu operations are not preemptible
- bnc#826717 - VUL-0: CVE-2013-3495: XSA-59: xen: Intel VT-d Interrupt Remapping engines can be evaded by native NMI interrupts
- bnc#903850 - VUL-0: Xen: guest user mode triggerable VM exits not handled by hypervisor
- bnc#903357 - Corrupted save/restore test leaves orphaned data in xenstore
- bnc#903359 - Temporary migration name is not cleaned up after migration
- bnc#866902 - L3: Xen save/restore of HVM guests cuts off disk and networking
- bnc#901317 - L3: increase limit domUloader to 32MB
- bnc#898772 - SLES 12 RC3 - XEN Host crashes when assigning non-VF device (SR-IOV) to guest
- bsc#900292 - xl: change default dump directory
- bnc#882089 - Windows 2012 R2 fails to boot up with greater than 60 vcpus
- bnc#897906 - libxc: check return values on mmap() and madvise() on xc_alloc_hypercall_buffer()
- bnc#897614 - Virtualization/xen: Bug `xen-tools` uninstallable; grub2-x86_64-xen dependency not available
- bnc#896023 - L3: Adjust xentop column layout

Security and Maintenance SLE11-SP3
==================================
- bnc#906439 - VUL-0: CVE-2014-9030: XSA-113: Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling
- bnc#905467 - VUL-0: CVE-2014-8867: XSA-112: xen: Insufficient bounding of "REP MOVS" to MMIO emulated inside the hypervisor
- bnc#905465 - VUL-0: CVE-2014-8866: XSA-111: xen: Excessive checking in compatibility mode hypercall argument translation
- bnc#903850 - VUL-0: Xen: guest user mode triggerable VM exits not handled by hypervisor
- bnc#903970 - VUL-0: CVE-2014-8595: XSA-110: xen: Missing privilege level checks in x86 emulation of far branches
- bnc#903967 - VUL-0: CVE-2014-8594: XSA-109: xen: Insufficient restrictions on certain MMU update hypercalls
- bnc#897657 - VUL-0: CVE-2014-7188: xen: XSA-108 Improper MSR range used for x2APIC emulation
- bnc#866902 - L3: Xen save/restore of HVM guests cuts off disk and networking
- bnc#882089 - Windows 2012 R2 fails to boot up with greater than 60 vcpus
- bnc#901317 - L3: increase limit domUloader to 32MB
- bnc#896023 - L3: Adjust xentop column layout

Security SLE11-SP2
==================
- bnc#906439 - VUL-0: CVE-2014-9030: XSA-113: Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling
- bnc#905467 - VUL-0: CVE-2014-8867: XSA-112: xen: Insufficient bounding of "REP MOVS" to MMIO emulated inside the hypervisor
- bnc#905465 - VUL-0: CVE-2014-8866: XSA-111: xen: Excessive checking in compatibility mode hypercall argument translation
- bnc#903970 - VUL-0: CVE-2014-8595: XSA-110: xen: Missing privilege level checks in x86 emulation of far branches
- bnc#903967 - VUL-0: CVE-2014-8594: XSA-109: xen: Insufficient restrictions on certain MMU update hypercalls
- bnc#897657 - VUL-0: CVE-2014-7188: xen: XSA-108 Improper MSR range used for x2APIC emulation
- bnc#826717 - VUL-0: CVE-2013-3495: XSA-59: xen: Intel VT-d Interrupt Remapping engines can be evaded by native NMI interrupts
- bnc#895802 - VUL-0: xen: XSA-106: Missing privilege level checks in x86 emulation of software interrupts
- bnc#895799 - VUL-0: xen: XSA-105: Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation
- bnc#895798 - VUL-0: xen: XSA-104: Race condition in HVMOP_track_dirty_vram
- bnc#880751 - VUL-0: CVE-2014-4021: xen: XSA-100: Hypervisor heap contents leaked to guests
- bnc#875668 - VUL-0: CVE-2014-3124: xen: XSA-92: HVMOP_set_mem_type allows invalid P2M entries to be created
- bnc#867910 - VUL-0: CVE-2014-2599: xen: XSA-89: HVMOP_set_mem_access is not preemptible
- bnc#903850 - VUL-0: Xen: guest user mode triggerable VM exits not handled by hypervisor

Security SLE11-SP1
==================
- bnc#906439 - VUL-0: CVE-2014-9030: XSA-113: Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling
- bnc#905467 - VUL-0: CVE-2014-8867: XSA-112: xen: Insufficient bounding of "REP MOVS" to MMIO emulated inside the hypervisor
- bnc#905465 - VUL-0: CVE-2014-8866: XSA-111: xen: Excessive checking in compatibility mode hypercall argument translation
- bnc#903970 - VUL-0: CVE-2014-8595: XSA-110: xen: Missing privilege level checks in x86 emulation of far branches
- bnc#903967 - VUL-0: CVE-2014-8594: XSA-109: xen: Insufficient restrictions on certain MMU update hypercalls
- bnc#826717 - VUL-0: CVE-2013-3495: XSA-59: xen: Intel VT-d Interrupt Remapping engines can be evaded by native NMI interrupts
- bnc#903850 - VUL-0: Xen: guest user mode triggerable VM exits not handled by hypervisor
- bnc#895802 - VUL-0: xen: XSA-106: Missing privilege level checks in x86 emulation of software interrupts
- bnc#895799 - VUL-0: xen: XSA-105: Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation
- bnc#895798 - VUL-0: xen: XSA-104: Race condition in HVMOP_track_dirty_vram
- bnc#880751 - VUL-0: CVE-2014-4021: xen: XSA-100: Hypervisor heap contents leaked to guests

Security SUSE:SLE-11-SP1:Update:Teradata:Test
=============================================
- bnc#906439 - VUL-0: CVE-2014-9030: XSA-113: Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling
- bnc#905467 - VUL-0: CVE-2014-8867: XSA-112: xen: Insufficient bounding of "REP MOVS" to MMIO emulated inside the hypervisor
- bnc#905465 - VUL-0: CVE-2014-8866: XSA-111: xen: Excessive checking in compatibility mode hypercall argument translation
- bnc#903970 - VUL-0: CVE-2014-8595: XSA-110: xen: Missing privilege level checks in x86 emulation of far branches
- bnc#903967 - VUL-0: CVE-2014-8594: XSA-109: xen: Insufficient restrictions on certain MMU update hypercalls
- bnc#826717 - VUL-0: CVE-2013-3495: XSA-59: xen: Intel VT-d Interrupt Remapping engines can be evaded by native NMI interrupts
- bnc#903850 - VUL-0: Xen: guest user mode triggerable VM exits not handled by hypervisor

Security SLE10-SP4
==================
- bnc#906439 - VUL-0: CVE-2014-9030: XSA-113: Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling
- bnc#905467 - VUL-0: CVE-2014-8867: XSA-112: xen: Insufficient bounding of "REP MOVS" to MMIO emulated inside the hypervisor
- bnc#903970 - VUL-0: CVE-2014-8595: XSA-110: xen: Missing privilege level checks in x86 emulation of far branches
- bnc#903850 - VUL-0: Xen: guest user mode triggerable VM exits not handled by hypervisor
- bnc#895799 - VUL-0: xen: XSA-105: Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation
- bnc#880751 - VUL-0: CVE-2014-4021: xen: XSA-100: Hypervisor heap contents leaked to guests

Security SLE10-SP3
==================
- bnc#906439 - VUL-0: CVE-2014-9030: XSA-113: Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling
- bnc#905467 - VUL-0: CVE-2014-8867: XSA-112: xen: Insufficient bounding of "REP MOVS" to MMIO emulated inside the hypervisor
- bnc#903970 - VUL-0: CVE-2014-8595: XSA-110: xen: Missing privilege level checks in x86 emulation of far branches
- bnc#903850 - VUL-0: Xen: guest user mode triggerable VM exits not handled by hypervisor

I'm not sure which of the above platforms still requires LTSS support.

openSUSE 12.3/13.1/13.2 will be updated sometime next week.
Comment 9 Swamp Workflow Management 2014-12-23 18:05:30 UTC
SUSE-SU-2014:1691-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 880751,895799,903850,903970,905467,906439
CVE References: CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    xen-3.2.3_17040_46-0.9.1
Comment 10 Swamp Workflow Management 2014-12-24 07:08:13 UTC
SUSE-SU-2014:1700-1: An update that solves 5 vulnerabilities and has 5 fixes is now available.

Category: security (moderate)
Bug References: 866902,882089,896023,901317,903850,903967,903970,905465,905467,906439
CVE References: CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    xen-4.2.5_02-0.7.1
SUSE Linux Enterprise Server 11 SP3 (src):    xen-4.2.5_02-0.7.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    xen-4.2.5_02-0.7.1
Comment 11 Swamp Workflow Management 2014-12-24 18:07:05 UTC
SUSE-SU-2014:1710-1: An update that solves 13 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 826717,867910,875668,880751,895798,895799,895802,897657,901317,903850,903967,903970,905465,905467,906439
CVE References: CVE-2013-3495,CVE-2014-2599,CVE-2014-3124,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188,CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    xen-4.1.6_08-0.5.1
Comment 12 Swamp Workflow Management 2014-12-30 19:06:06 UTC
SUSE-SU-2014:1732-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 826717,880751,895798,895799,895802,903967,903970,905467,906439
CVE References: CVE-2013-3495,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-8594,CVE-2014-8595,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    xen-4.0.3_21548_18-0.9.1
Comment 13 Swamp Workflow Management 2015-01-09 11:07:36 UTC
SUSE-SU-2015:0022-1: An update that solves 8 vulnerabilities and has 10 fixes is now available.

Category: security (important)
Bug References: 826717,866902,882089,889526,896023,897614,897906,898772,900292,901317,903357,903359,903850,903967,903970,905465,905467,906439
CVE References: CVE-2013-3495,CVE-2014-5146,CVE-2014-5149,CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    xen-4.4.1_08-5.2
SUSE Linux Enterprise Server 12 (src):    xen-4.4.1_08-5.2
SUSE Linux Enterprise Desktop 12 (src):    xen-4.4.1_08-5.2
Comment 14 Swamp Workflow Management 2015-02-06 10:07:21 UTC
openSUSE-SU-2015:0226-1: An update that solves 11 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 826717,866902,882089,889526,900292,901317,903357,903359,903850,903967,903970,905465,905467,906439,906996,910681
CVE References: CVE-2013-3495,CVE-2014-5146,CVE-2014-5149,CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030,CVE-2014-9065,CVE-2014-9066,CVE-2015-0361
Sources used:
openSUSE 13.1 (src):    xen-4.3.3_04-34.1
Comment 15 Marcus Meissner 2015-02-09 11:02:26 UTC
close
Comment 16 Swamp Workflow Management 2015-02-11 14:08:00 UTC
openSUSE-SU-2015:0256-1: An update that solves 11 vulnerabilities and has 9 fixes is now available.

Category: security (important)
Bug References: 826717,866902,882089,889526,896023,897906,898772,900292,901317,903357,903359,903850,903967,903970,904255,905465,905467,906439,906996,910681
CVE References: CVE-2013-3495,CVE-2014-5146,CVE-2014-5149,CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030,CVE-2014-9065,CVE-2014-9066,CVE-2015-0361
Sources used:
openSUSE 13.2 (src):    xen-4.4.1_08-9.1