Bug 1014298 - (CVE-2016-10024) VUL-0: CVE-2016-10024: xen: x86 PV guests may be able to mask interrupts (XSA-202)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Charles Arnold
Security Team bot
CVSSv2:SUSE:CVE-2016-10024:4.4:(AV:L/...
Reported: 2016-12-07 15:58 UTC by Marcus Meissner
Modified: 2021-01-21 18:16 UTC
Comment 1 Marcus Meissner 2016-12-07 15:59:27 UTC
Created attachment 705393
xsa202-4.4.patch
Comment 2 Marcus Meissner 2016-12-07 15:59:47 UTC
Created attachment 705394
xsa202-4.6.patch
Comment 3 Marcus Meissner 2016-12-07 16:00:03 UTC
Created attachment 705395
xsa202.patch
Comment 4 Swamp Workflow Management 2016-12-07 23:02:26 UTC
bugbot adjusting priority
Comment 5 Marcus Meissner 2016-12-21 12:50:47 UTC
now public

            Xen Security Advisory CVE-2016-10024 / XSA-202
                               version 3

             x86 PV guests may be able to mask interrupts

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

Certain PV guest kernel operations (page table writes in particular)
need emulation, and use Xen's general x86 instruction emulator.  This
allows a malicious guest kernel which asynchronously modifies its
instruction stream to effect the clearing of EFLAGS.IF from the state
used to return to guest context.

IMPACT
======

A malicious guest kernel administrator can cause a host hang or
crash, resulting in a Denial of Service.

VULNERABLE SYSTEMS
==================

All Xen versions are vulnerable.

Only x86 PV guests can exploit the vulnerability.

Neither ARM guests nor x86 HVM guests can exploit the vulnerability.

MITIGATION
==========

Running only HVM guests will avoid the vulnerability.

For PV guests the vulnerability can be avoided if the guest kernel is
controlled by the host rather than guest administrator, provided that
further steps are taken to prevent the guest administrator from loading
code into the kernel (e.g. by disabling loadable modules etc) or from
using other mechanisms which allow them to run code at kernel privilege.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa202.patch           xen-unstable, Xen 4.8.x, Xen 4.7.x
xsa202-4.6.patch       Xen 4.6.x, Xen 4.5.x
xsa202-4.4.patch       Xen 4.4.x

$ sha256sum xsa202*
057be742acfef200ba6f094a5dce486dd1c4e15013afe3efc963523ce2ec9cbb  xsa202.patch
cd53dc8b761dc7eb60998ea2419c98af926aa62b4317dbef15f597f5554f9015  xsa202-4.4.patch
e007187639f5392a9256979504d50eff0ae38309a61524ea42c4150fab38b6f4  xsa202-4.6.patch
$
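
The MITIGATION section above separates HVM guests, PV guests whose kernel the host supplies, and PV guests that boot their own kernel. The following is an added example, not part of the advisory or of this bug thread: it sorts xl guest configuration text into those three groups using the builder/type, bootloader and kernel settings. The category names and the sample configs are constructed for illustration.

```python
import re

# Simple string assignments in xl.cfg syntax: key = "value" or key = 'value'.
# Lines starting with '#' are comments and never match.
_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*(["\'])(.*?)\2', re.MULTILINE)

def parse_cfg(text):
    """Return the string-valued settings of one guest config as a dict."""
    return {key.lower(): value for key, _, value in _ASSIGN.findall(text)}

def classify(text):
    """Map a guest config to an exposure category (names are this example's own)."""
    cfg = parse_cfg(text)
    # HVM is selected with builder="hvm" (older xl) or type="hvm" (newer xl).
    # Anything else is treated as PV here, which is the conservative choice.
    if "hvm" in (cfg.get("builder", "").lower(), cfg.get("type", "").lower()):
        return "hvm"              # advisory: HVM guests cannot exploit the issue
    if "bootloader" in cfg or "kernel" not in cfg:
        return "pv-guest-kernel"  # kernel is read from the guest's own disk
    # kernel= names a file on the host. The advisory's mitigation additionally
    # requires that the guest admin cannot load code into that kernel, and a
    # kernel= path pointing at a pv-grub image still boots a guest-chosen
    # kernel; neither can be decided from the config, so review these by hand.
    return "pv-host-kernel"

def audit(configs):
    """Classify a {guest name: config text} mapping."""
    return {name: classify(text) for name, text in configs.items()}

# Constructed sample configs, not taken from any real host.
SAMPLES = {
    "web01": 'name = "web01"\nbuilder = "hvm"\nmemory = 2048\n',
    "db02": 'name = "db02"\nbootloader = "pygrub"\n# kernel = "/boot/old"\n',
    "app03": "name = 'app03'\nkernel = '/var/lib/xen/vmlinuz-host'\n"
             'extra = "root=/dev/xvda1"\n',
    "new04": 'name = "new04"\ntype = "hvm"\n',
}

if __name__ == "__main__":
    for name, verdict in sorted(audit(SAMPLES).items()):
        print(f"{name:8} {verdict}")
```

Guests reported as pv-guest-kernel get no benefit from either mitigation and depend on the patched hypervisor packages listed in the update comments below.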
Comment 7 Swamp Workflow Management 2016-12-21 18:08:37 UTC
SUSE-SU-2016:3207-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1012651,1014298,1016340
CVE References: CVE-2016-10013,CVE-2016-10024,CVE-2016-9932
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    xen-4.5.5_04-22.6.1
SUSE Linux Enterprise Server 12-SP1 (src):    xen-4.5.5_04-22.6.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    xen-4.5.5_04-22.6.1
Comment 8 Swamp Workflow Management 2016-12-21 18:09:25 UTC
SUSE-SU-2016:3208-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1012651,1014298,1014300,1016340
CVE References: CVE-2016-10013,CVE-2016-10024,CVE-2016-10025,CVE-2016-9932
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    xen-4.7.1_04-28.1
SUSE Linux Enterprise Server 12-SP2 (src):    xen-4.7.1_04-28.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    xen-4.7.1_04-28.1
Comment 9 Swamp Workflow Management 2016-12-22 00:09:05 UTC
SUSE-SU-2016:3221-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1012651,1014298,1016340
CVE References: CVE-2016-10013,CVE-2016-10024,CVE-2016-9932
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xen-4.4.4_12-46.1
SUSE Linux Enterprise Server 11-SP4 (src):    xen-4.4.4_12-46.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_12-46.1
Comment 10 Marcus Meissner 2016-12-22 12:07:54 UTC
released during emu update
Comment 11 Swamp Workflow Management 2016-12-22 15:07:59 UTC
SUSE-SU-2016:3241-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1012651,1014298,1016340
CVE References: CVE-2016-10013,CVE-2016-10024,CVE-2016-9932
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    xen-4.4.4_05-22.28.2
SUSE Linux Enterprise Server 12-LTSS (src):    xen-4.4.4_05-22.28.2
Comment 12 Swamp Workflow Management 2017-01-02 12:07:25 UTC
openSUSE-SU-2017:0005-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1012651,1014298,1014300,1016340
CVE References: CVE-2016-10013,CVE-2016-10024,CVE-2016-10025,CVE-2016-9932
Sources used:
openSUSE Leap 42.2 (src):    xen-4.7.1_04-6.1
Comment 13 Swamp Workflow Management 2017-01-02 12:12:08 UTC
openSUSE-SU-2017:0007-1: An update that fixes 24 vulnerabilities is now available.

Category: security (important)
Bug References: 1000106,1002496,1003030,1003032,1003870,1004016,1005004,1005005,1007157,1007160,1009100,1009103,1009104,1009107,1009108,1009109,1009111,1011652,1012651,1013657,1013668,1014298,1016340
CVE References: CVE-2016-10013,CVE-2016-10024,CVE-2016-7777,CVE-2016-7908,CVE-2016-7909,CVE-2016-7995,CVE-2016-8576,CVE-2016-8667,CVE-2016-8669,CVE-2016-8909,CVE-2016-8910,CVE-2016-9101,CVE-2016-9377,CVE-2016-9378,CVE-2016-9379,CVE-2016-9380,CVE-2016-9381,CVE-2016-9382,CVE-2016-9383,CVE-2016-9385,CVE-2016-9386,CVE-2016-9637,CVE-2016-9776,CVE-2016-9932
Sources used:
openSUSE Leap 42.1 (src):    xen-4.5.5_06-18.1
Comment 14 Swamp Workflow Management 2017-01-02 12:15:27 UTC
openSUSE-SU-2017:0008-1: An update that solves 19 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1000106,1000195,1002496,1003030,1003032,1004016,1005004,1005005,1007157,1007160,1009100,1009103,1009104,1009107,1009109,1009111,1011652,1012651,1014298,1016340,953518
CVE References: CVE-2016-10013,CVE-2016-10024,CVE-2016-7777,CVE-2016-7908,CVE-2016-7909,CVE-2016-8576,CVE-2016-8667,CVE-2016-8669,CVE-2016-8909,CVE-2016-8910,CVE-2016-9379,CVE-2016-9380,CVE-2016-9381,CVE-2016-9382,CVE-2016-9383,CVE-2016-9385,CVE-2016-9386,CVE-2016-9637,CVE-2016-9932
Sources used:
openSUSE 13.2 (src):    xen-4.4.4_06-58.1
Comment 15 Swamp Workflow Management 2017-02-27 17:14:38 UTC
SUSE-SU-2017:0571-1: An update that solves four vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1000195,1002496,1005028,1012651,1014298,1014300,1015169,1016340,1022871,1023004,1024834
CVE References: CVE-2016-9921,CVE-2016-9922,CVE-2017-2615,CVE-2017-2620
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    xen-4.7.1_06-31.1
SUSE Linux Enterprise Server 12-SP2 (src):    xen-4.7.1_06-31.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    xen-4.7.1_06-31.1
Comment 16 Swamp Workflow Management 2017-03-11 14:08:30 UTC
openSUSE-SU-2017:0665-1: An update that solves four vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1000195,1002496,1005028,1012651,1014298,1014300,1015169,1016340,1022871,1023004,1024834
CVE References: CVE-2016-9921,CVE-2016-9922,CVE-2017-2615,CVE-2017-2620
Sources used:
openSUSE Leap 42.2 (src):    xen-4.7.1_06-9.2
Comment 17 Swamp Workflow Management 2017-03-17 11:11:09 UTC
SUSE-SU-2017:0718-1: An update that solves 12 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1002496,1012651,1013657,1013668,1014298,1014507,1015169,1016340,1022871,1023004,1024183,1024834,907805
CVE References: CVE-2014-8106,CVE-2016-10013,CVE-2016-10024,CVE-2016-10155,CVE-2016-9101,CVE-2016-9776,CVE-2016-9911,CVE-2016-9921,CVE-2016-9922,CVE-2016-9932,CVE-2017-2615,CVE-2017-2620
Sources used:
SUSE OpenStack Cloud 5 (src):    xen-4.2.5_21-35.1
SUSE Manager Proxy 2.1 (src):    xen-4.2.5_21-35.1
SUSE Manager 2.1 (src):    xen-4.2.5_21-35.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    xen-4.2.5_21-35.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xen-4.2.5_21-35.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xen-4.2.5_21-35.1