Bug 931627 (CVE-2015-4105)

Summary: VUL-0: CVE-2015-4105: xen: Guest triggerable qemu MSI-X pass-through error messages (XSA-130)
Product: [Novell Products] SUSE Security Incidents Reporter: Alexander Bergmann <abergmann>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: abergmann, astieger, carnold, jbeulich
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: maint:released:sle11-sp3:61876 maint:released:sle11-sp1:61879 maint:released:sle11-sp2:61880 CVSSv2:RedHat:CVE-2015-4105:1.4:(AV:A/AC:H/Au:S/C:N/I:N/A:P) CVSSv2:NVD:CVE-2015-4105:4.9:(AV:L/AC:L/Au:N/C:N/I:N/A:C)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: xsa130-qemut.patch
xsa130-qemuu-4.3.patch
xsa130-qemuu.patch

Comment 1 Swamp Workflow Management 2015-05-20 22:00:43 UTC 
bugbot adjusting priority
Comment 5 Charles Arnold 2015-05-30 20:14:51 UTC 
For submission details see bsc#932770 comment #28.
Comment 6 Andreas Stieger 2015-06-02 14:29:49 UTC 
Public via http://xenbits.xen.org/xsa/advisory-130.html

            Xen Security Advisory CVE-2015-4105 / XSA-130
                              version 2

         Guest triggerable qemu MSI-X pass-through error messages

UPDATES IN VERSION 2
====================

Public release.

CVE assigned.

ISSUE DESCRIPTION
=================

Device model code dealing with guest PCI MSI-X interrupt management
activities logs messages on certain (supposedly) invalid guest
operations.

IMPACT
======

A buggy or malicious guest repeatedly invoking such operations may
result in the host disk to fill up, possibly leading to a Denial of
Service.

VULNERABLE SYSTEMS
==================

Xen versions 3.3 and onwards are vulnerable due to supporting PCI
pass-through.

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

Only HVM guests with their device model run in Dom0 can take advantage
of this vulnerability.

Only HVM guests which have been granted access to physical PCI devices
(`PCI passthrough') can take advantage of this vulnerability.

Furthermore, the vulnerability is only applicable when the
passed-through PCI devices are MSI-X capable.  (Many modern devices
are.)

MITIGATION
==========

This issue can be avoided by not assigning MSI-X capable PCI devices to
untrusted HVM guests.

This issue can also be avoided by only using PV guests.

It can also be avoided by configuring HVM guests with their device
model run in a separate (stub) domain.  (When using xl, this can be
requested with "device_model_stubdomain_override=1" in the domain
configuration file.)

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa130-qemuu.patch           qemu-upstream-unstable, Xen 4.5.x, Xen 4.4.x
xsa130-qemuu-4.3.patch       Xen 4.3.x
xsa130-qemut.patch           qemu-xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa130*.patch
0ed6d75b6758c43a3042994f5127cb69d03796acf5c4d305d7ec2486500753da  xsa130-qemut.patch
fd6e835e945c2eee197f9e18501aeefb6e1d33a714f6ce66c16481d5aca8fcd0  xsa130-qemuu-4.3.patch
87fb70041d1fe9c997461c4a6fdaf9157667ec2eff7c77b8db6ee8f9d730753d  xsa130-qemuu.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
Comment 8 Swamp Workflow Management 2015-06-11 15:06:16 UTC 
SUSE-SU-2015:1042-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 906689,931625,931626,931627,931628,932770,932790,932996
CVE References: CVE-2015-3209,CVE-2015-4103,CVE-2015-4104,CVE-2015-4105,CVE-2015-4106,CVE-2015-4163,CVE-2015-4164
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    xen-4.4.2_06-21.1
SUSE Linux Enterprise Server 12 (src):    xen-4.4.2_06-21.1
SUSE Linux Enterprise Desktop 12 (src):    xen-4.4.2_06-21.1
Comment 9 Swamp Workflow Management 2015-06-11 18:05:32 UTC 
SUSE-SU-2015:1045-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 931625,931626,931627,931628,932770,932790,932996
CVE References: CVE-2015-3209,CVE-2015-4103,CVE-2015-4104,CVE-2015-4105,CVE-2015-4106,CVE-2015-4163,CVE-2015-4164
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    xen-4.2.5_08-0.9.1
SUSE Linux Enterprise Server 11 SP3 (src):    xen-4.2.5_08-0.9.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    xen-4.2.5_08-0.9.1
Comment 10 Swamp Workflow Management 2015-06-22 10:10:08 UTC 
openSUSE-SU-2015:1092-1: An update that solves 17 vulnerabilities and has 10 fixes is now available.

Category: security (important)
Bug References: 861318,882089,895528,901488,903680,906689,910254,912011,918995,918998,919098,919464,919663,921842,922705,922706,922709,923758,927967,929339,931625,931626,931627,931628,932770,932790,932996
CVE References: CVE-2014-3615,CVE-2015-2044,CVE-2015-2045,CVE-2015-2151,CVE-2015-2152,CVE-2015-2751,CVE-2015-2752,CVE-2015-2756,CVE-2015-3209,CVE-2015-3340,CVE-2015-3456,CVE-2015-4103,CVE-2015-4104,CVE-2015-4105,CVE-2015-4106,CVE-2015-4163,CVE-2015-4164
Sources used:
openSUSE 13.2 (src):    xen-4.4.2_06-23.1
Comment 11 Swamp Workflow Management 2015-06-22 12:05:33 UTC 
openSUSE-SU-2015:1094-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 922709,931625,931626,931627,931628,932770,932790,932996
CVE References: CVE-2015-2751,CVE-2015-3209,CVE-2015-4103,CVE-2015-4104,CVE-2015-4105,CVE-2015-4106,CVE-2015-4163,CVE-2015-4164
Sources used:
openSUSE 13.1 (src):    xen-4.3.4_05-47.1
Comment 12 Swamp Workflow Management 2015-06-29 12:05:54 UTC 
SUSE-SU-2015:1156-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 931625,931626,931627,931628,932770,932996
CVE References: CVE-2015-3209,CVE-2015-4103,CVE-2015-4104,CVE-2015-4105,CVE-2015-4106,CVE-2015-4164
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    xen-4.0.3_21548_18-0.25.1
Comment 13 Swamp Workflow Management 2015-06-29 13:05:49 UTC 
SUSE-SU-2015:1157-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 931625,931626,931627,931628,932770,932996
CVE References: CVE-2015-3209,CVE-2015-4103,CVE-2015-4104,CVE-2015-4105,CVE-2015-4106,CVE-2015-4163,CVE-2015-4164
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    xen-4.1.6_08-0.13.1
Comment 14 Marcus Meissner 2015-12-08 14:29:55 UTC 
released