Bug 820920 - VUL-1: CVE-2013-2078: xen: Hypervisor crash due to missing exception recovery on XSETBV (XSA-54)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low, Severity: Normal
Assigned To: Security Team bot
maint:released:sle11-sp2:52751 maint:...
Reported: 2013-05-21 09:16 UTC by Matthias Weckbecker
Modified: 2018-10-19 18:20 UTC (History)
Description Matthias Weckbecker 2013-05-21 09:16:56 UTC

             Xen Security Advisory CVE-2013-2078 / XSA-54
                            version 2

       Hypervisor crash due to missing exception recovery on XSETBV

             *** EMBARGOED UNTIL 2013-06-03 12:00 UTC ***

UPDATES IN VERSION 2
====================

Explain that Xen 4.1.x is not vulnerable by default, since XSAVE is
disabled by default in 4.1.x.

ISSUE DESCRIPTION
=================

Processors do certain validity checks on the register values passed to
XSETBV.  For the PV emulation path for that instruction the hypervisor
code didn't check for certain invalid bit combinations, thus exposing
itself to a fault occurring when invoking that instruction on behalf
of the guest.

IMPACT
======

Malicious or buggy unprivileged user space can cause the entire host
to crash.

VULNERABLE SYSTEMS
==================

Xen 4.0 and onwards are vulnerable when run on systems with processors
supporting XSAVE.  Only PV guests can exploit the vulnerability.

In Xen 4.0.2 through 4.0.4 as well as in Xen 4.1.x XSAVE support is
disabled by default; therefore systems running these versions are not
vulnerable unless support is explicitly enabled using the "xsave"
hypervisor command line option.

Systems using processors not supporting XSAVE are not vulnerable.

Xen 3.x and earlier are not vulnerable.

MITIGATION
==========

Turning off XSAVE support via the "no-xsave" hypervisor command line
option will avoid the vulnerability.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa54.patch                 Xen 4.1.x, Xen 4.2.x, xen-unstable

$ sha256sum xsa54-*.patch
5d94946b3c9cba52aae2bffd4b0ebb11d09181650b5322a3c85170674a05f6b7  xsa54.patch
$
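Added example, not part of the advisory and not the Xen patch: a C sketch of the kind of pre-check the issue description says the PV emulation path lacked, rejecting an architecturally invalid XCR0 value and reflecting #GP to the guest instead of letting XSETBV fault inside the hypervisor. The names validate_xsetbv, emulate_xsetbv and struct vcpu_model are hypothetical, and only the x87, SSE and AVX bits defined by the Intel SDM are modelled.

```c
#include <stdint.h>
#include <errno.h>

/* Architectural XCR0 feature bits (Intel SDM). */
#define XSTATE_FP   (1ULL << 0)   /* x87 state, must always be enabled */
#define XSTATE_SSE  (1ULL << 1)   /* SSE state (XMM registers) */
#define XSTATE_YMM  (1ULL << 2)   /* AVX state, requires SSE */

/* Hypothetical model of the per-vCPU state touched by the emulation. */
struct vcpu_model {
    uint64_t xcr0;       /* value the guest currently sees in XCR0 */
    int      pending_gp; /* set when #GP(0) must be injected into the guest */
};

/*
 * host_mask: XCR0 bits the processor supports (CPUID leaf 0xD, sub-leaf 0,
 * EDX:EAX). Returns 0 if the request is valid, -EINVAL if the real
 * instruction would raise #GP.
 */
int validate_xsetbv(uint32_t index, uint64_t new_bv, uint64_t host_mask)
{
    if (index != 0)                 /* only XCR0 is defined */
        return -EINVAL;
    if (new_bv & ~host_mask)        /* bit not supported by this CPU */
        return -EINVAL;
    if (!(new_bv & XSTATE_FP))      /* x87 bit may never be cleared */
        return -EINVAL;
    if ((new_bv & XSTATE_YMM) && !(new_bv & XSTATE_SSE))
        return -EINVAL;             /* AVX enabled without SSE */
    return 0;
}

/* Emulate a guest XSETBV: ECX selects the register, EDX:EAX is the value. */
int emulate_xsetbv(struct vcpu_model *v, uint32_t ecx, uint32_t eax,
                   uint32_t edx, uint64_t host_mask)
{
    uint64_t new_bv = ((uint64_t)edx << 32) | eax;

    if (validate_xsetbv(ecx, new_bv, host_mask) != 0) {
        v->pending_gp = 1;          /* fault goes to the guest, not the host */
        return -EINVAL;
    }
    v->xcr0 = new_bv;               /* a hypervisor would execute XSETBV here */
    return 0;
}
```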
Comment 2 Swamp Workflow Management 2013-05-21 22:00:10 UTC
bugbot adjusting priority
Comment 3 Swamp Workflow Management 2013-05-23 09:16:17 UTC
The SWAMPID for this issue is 52595.
This issue was rated as important.
Please submit fixed packages until 2013-05-30.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 4 Charles Arnold 2013-05-28 22:06:35 UTC
Submitted for SLE11SP2:
Xen: SR#26763
Vm-install: SR#26764
libvirt: SR#26758
virt-manager: SR#26765

See bnc#813673 for detailed bug fix list.
Comment 5 Alexander Bergmann 2013-06-03 23:44:48 UTC
Now public via "Xen.org security team" <security@xen.org>.
Comment 6 Swamp Workflow Management 2013-06-25 07:59:06 UTC
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-tools, xen-tools-domU
Products:
SLE-DEBUGINFO 11-SP2 (i386, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SDK 11-SP2 (i386, x86_64)
SLE-SERVER 11-SP2 (i386, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Comment 7 Swamp Workflow Management 2013-08-09 10:56:29 UTC
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-tools, xen-tools-domU
Products:
SLE-DEBUGINFO 11-SP3 (i386, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, x86_64)
Comment 8 Marcus Meissner 2013-08-12 10:58:44 UTC
openSUSE affected still
Comment 9 Swamp Workflow Management 2013-08-30 14:08:23 UTC
openSUSE-SU-2013:1392-1: An update that solves 12 vulnerabilities and has 7 fixes is now available.

Category: security (moderate)
Bug References: 801663,803712,809662,813673,813675,813677,814709,816156,816159,816163,819416,820917,820919,820920,823011,823608,823786,824676,826882
CVE References: CVE-2013-1432,CVE-2013-1917,CVE-2013-1918,CVE-2013-1919,CVE-2013-1920,CVE-2013-1952,CVE-2013-1964,CVE-2013-2072,CVE-2013-2076,CVE-2013-2077,CVE-2013-2078,CVE-2013-2211
Sources used:
openSUSE 12.2 (src):    xen-4.1.5_04-5.29.1
Comment 10 Swamp Workflow Management 2013-09-04 13:09:42 UTC
openSUSE-SU-2013:1404-1: An update that solves 13 vulnerabilities and has 13 fixes is now available.

Category: security (moderate)
Bug References: 797285,797523,801663,802221,808085,808269,809662,813673,813675,814059,814709,816159,816163,817068,817210,817799,817904,818183,819416,820917,820919,820920,823011,823608,824676,826882
CVE References: CVE-2012-6075,CVE-2013-0151,CVE-2013-1432,CVE-2013-1917,CVE-2013-1918,CVE-2013-1919,CVE-2013-1922,CVE-2013-1952,CVE-2013-2007,CVE-2013-2072,CVE-2013-2076,CVE-2013-2077,CVE-2013-2078
Sources used:
openSUSE 12.3 (src):    xen-4.2.2_06-1.16.1
Comment 11 Alexander Bergmann 2013-09-26 12:44:18 UTC
Closed as fixed.