Bug 826717 - (CVE-2013-3495) VUL-0: CVE-2013-3495: XSA-59: xen: Intel VT-d Interrupt Remapping engines can be evaded by native NMI interrupts
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Normal
Assigned To: Charles Arnold
Security Team bot
maint:running:59647:moderate maint:re...
Reported: 2013-06-25 12:41 UTC by Alexander Bergmann
Modified: 2016-04-27 19:00 UTC (History)
Comment 1 Swamp Workflow Management 2013-06-25 16:00:10 UTC
bugbot adjusting priority
Comment 3 Alexander Bergmann 2013-09-25 11:12:48 UTC
Public:

             Xen Security Advisory CVE-2013-3495 / XSA-59
                              version 4

 Intel VT-d Interrupt Remapping engines can be evaded by native NMI interrupts

UPDATES IN VERSION 4
====================

Public release.

Extensive changes to Description, Vulnerable Systems and Mitigation.
Additional technical information has been supplied by the vendor, Intel.

ISSUE DESCRIPTION
=================

Message Signaled Interrupts (MSI) interrupts on Intel platforms are defined as
DWORD writes to a special address location (0xFEE?????). MSIs on Intel
Platforms supporting VT-d have two defined formats - Remappable format
interrupts, and Compatibility (not remappable) format interrupts, based on the
format of their data payload. Remappable interrupts are subject to
interrupt-remapping protection checks, while compatibility format interrupts
are not. For protection reasons, host software disables compatibility format
interrupts (causing them to be blocked by interrupt translation hardware) and
manages the remappable interrupts through programming of interrupt-remapping
table entries.

Malformed MSIs are transactions to the special (0xFEE?????) address range that
do not have proper attributes of MSI requests (e.g., size of request is
invalid). Such malformed transactions are detected and aborted by the platform,
before they are subject to further interrupt remapping/processing. For RAS
purposes, some platforms may be configured to support System Error Reporting
(SERR) capability. These platforms raise a PCI system error (SERR#) due to
Unsupported Request, which are typically delivered as Non-Maskable Interrupts
(NMI), to report such errors to software.  Depending on hypervisor and Dom0
kernel configuration, such an NMI may be handled by the hypervisor/Dom0 or can
result in a host software halt ("panic"). On platforms with SERR enabled, such
malformed MSI requests can be generated by guest OS with an assigned device,
causing the hypervisor/Dom0 to receive an NMI despite using VT-d and interrupt remapping
for device assignment.

IMPACT
======

A malicious domain, given access to a device which is bus mastering capable, can
mount a denial of service attack affecting the whole system.

VULNERABLE SYSTEMS
==================

Xen version 3.3 onwards is vulnerable.

Only systems using Intel VT-d for PCI passthrough are vulnerable where system
firmware (BIOS) may enable SERR in Host Bridge device. In order to verify
whether SERR is enabled, one can read the SERR Enable (SERRE) bit (bit 8) in
PCICMD register (offset 0x4) in PCI configuration space of the Host Bridge
device (BDF 00:00.0). Value 1 of PCICMD[SERRE] indicates SERR logic is enabled.

It is currently not known whether all or just some chipsets supporting VT-d are
affected.

Any domain which is given access to a PCI device that is bus mastering capable
can take advantage of this vulnerability.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices to untrusted guests.

There are possible workarounds, but none of these have been
implemented at the current time:

A possible workaround is for hypervisor or Dom0 to disable SERR in the
Host Bridge device by clearing SERRE bit in PCICMD register in PCI
configuration space of Host Bridge device (BDF 00:00.0) which will
block all system error messages generated by the Host Bridge. This is
applicable to all chipsets.

Alternatively hypervisor or Dom0 can block SERR error signaling due to
Unsupported Request error resulting from malformed MSI requests by setting bit
20 ("Unsupported Request Error Mask") in memory configuration register at
offset 0x1C8 (DMIUEMSK) in Root Complex Register Range. The base address of
Root Complex Register Range is defined by DMIBAR register (offset 0x68) in PCI
configuration space of the Host Bridge (BDF 00:00.0). For this alternative,
less intrusive workaround, it has so far not been determined whether it is
applicable to all or just some Intel chipsets.

CREDITS
=======

This vulnerability was discovered by Gábor PÉK (from CrySyS Lab).

RESOLUTION
==========

There is currently no resolution to this issue.
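A Dom0-side exposure check for the condition described in the advisory above, added here as an example and not taken from XSA-59 or the SUSE bug: it reads the Host Bridge PCICMD word with pciutils' setpci and tests bit 8 (SERRE), and works out from DMIBAR where the DMIUEMSK register of the second workaround would be. It assumes setpci is installed, that the live check runs as root on Dom0, and that DMIBAR's bit 0 is an enable bit with a 4 KiB-aligned base; the register values in the helper comments are constructed.

```shell
#!/bin/sh
# Added example, not part of XSA-59 or the SUSE bug: tests whether the Host
# Bridge (BDF 00:00.0) has SERR enabled, i.e. whether a malformed MSI could
# reach Dom0 as an NMI, and where the DMIUEMSK workaround register lives.
# Assumes pciutils' setpci is present and the live check runs as root on Dom0.

# serre_enabled PCICMD_WORD -> "yes" if bit 8 (SERRE) is set, else "no".
# Constructed sample: serre_enabled 0x0106 -> yes; serre_enabled 0x0006 -> no.
serre_enabled() {
    if [ $(( $1 & 0x100 )) -ne 0 ]; then echo yes; else echo no; fi
}

# dmibar_base DMIBAR_QWORD -> prints the Root Complex Register Range base.
# Assumption: bit 0 of DMIBAR is the enable bit and the base is 4 KiB aligned,
# so the low 12 bits are masked off. Returns 1 (prints nothing) when disabled.
dmibar_base() {
    [ $(( $1 & 1 )) -ne 0 ] || return 1
    printf '0x%x\n' $(( $1 & ~0xfff ))
}

# dmiuemsk_masks_ur DMIUEMSK_DWORD -> "yes" if bit 20 (Unsupported Request
# Error Mask) is set, meaning the second workaround from the advisory is active.
dmiuemsk_masks_ur() {
    if [ $(( $1 & 0x100000 )) -ne 0 ]; then echo yes; else echo no; fi
}

# Live check against the real Host Bridge (needs root and pciutils).
check_host_bridge() {
    command -v setpci >/dev/null 2>&1 || { echo "setpci not found"; return 2; }
    cmd="0x$(setpci -s 00:00.0 0x4.w 2>/dev/null)"        # PCICMD, 16 bits
    case $cmd in 0x[0-9a-fA-F]*) ;; *) echo "cannot read 00:00.0"; return 2 ;; esac
    echo "PCICMD=$cmd SERR enabled: $(serre_enabled "$cmd")"
    lo=$(setpci -s 00:00.0 0x68.l); hi=$(setpci -s 00:00.0 0x6c.l)   # DMIBAR
    if base=$(dmibar_base "0x$hi$lo"); then
        printf 'DMIUEMSK is at physical %s + 0x1c8 = 0x%x\n' "$base" $(( base + 0x1c8 ))
    else
        echo "DMIBAR disabled; Root Complex Register Range not mapped"
    fi
}

# Run the live check only when asked, so the helpers can also be sourced.
if [ "${1:-}" = "--live" ]; then check_host_bridge; fi
```

The DMIUEMSK value itself lives in memory-mapped register space rather than PCI configuration space, so it has to be read with a physical-memory reader and then passed to dmiuemsk_masks_ur.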
Comment 4 Swamp Workflow Management 2014-12-24 18:05:09 UTC
SUSE-SU-2014:1710-1: An update that solves 13 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 826717,867910,875668,880751,895798,895799,895802,897657,901317,903850,903967,903970,905465,905467,906439
CVE References: CVE-2013-3495,CVE-2014-2599,CVE-2014-3124,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188,CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    xen-4.1.6_08-0.5.1
Comment 5 Swamp Workflow Management 2014-12-30 19:04:56 UTC
SUSE-SU-2014:1732-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 826717,880751,895798,895799,895802,903967,903970,905467,906439
CVE References: CVE-2013-3495,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-8594,CVE-2014-8595,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    xen-4.0.3_21548_18-0.9.1
Comment 6 Swamp Workflow Management 2015-01-09 11:04:53 UTC
SUSE-SU-2015:0022-1: An update that solves 8 vulnerabilities and has 10 fixes is now available.

Category: security (important)
Bug References: 826717,866902,882089,889526,896023,897614,897906,898772,900292,901317,903357,903359,903850,903967,903970,905465,905467,906439
CVE References: CVE-2013-3495,CVE-2014-5146,CVE-2014-5149,CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    xen-4.4.1_08-5.2
SUSE Linux Enterprise Server 12 (src):    xen-4.4.1_08-5.2
SUSE Linux Enterprise Desktop 12 (src):    xen-4.4.1_08-5.2
Comment 7 Swamp Workflow Management 2015-02-06 10:05:17 UTC
openSUSE-SU-2015:0226-1: An update that solves 11 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 826717,866902,882089,889526,900292,901317,903357,903359,903850,903967,903970,905465,905467,906439,906996,910681
CVE References: CVE-2013-3495,CVE-2014-5146,CVE-2014-5149,CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030,CVE-2014-9065,CVE-2014-9066,CVE-2015-0361
Sources used:
openSUSE 13.1 (src):    xen-4.3.3_04-34.1
Comment 8 Swamp Workflow Management 2015-02-11 14:05:27 UTC
openSUSE-SU-2015:0256-1: An update that solves 11 vulnerabilities and has 9 fixes is now available.

Category: security (important)
Bug References: 826717,866902,882089,889526,896023,897906,898772,900292,901317,903357,903359,903850,903967,903970,904255,905465,905467,906439,906996,910681
CVE References: CVE-2013-3495,CVE-2014-5146,CVE-2014-5149,CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030,CVE-2014-9065,CVE-2014-9066,CVE-2015-0361
Sources used:
openSUSE 13.2 (src):    xen-4.4.1_08-9.1
Comment 9 Swamp Workflow Management 2015-02-23 15:55:01 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-03-09.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/60766
Comment 10 Marcus Meissner 2015-12-08 14:14:33 UTC
released