Bug 988676 - (CVE-2016-6259) VUL-0: CVE-2016-6259: xen: x86: Missing SMAP whitelisting in 32-bit exception / event delivery (XSA-183)
(CVE-2016-6259)
VUL-0: CVE-2016-6259: xen: x86: Missing SMAP whitelisting in 32-bit exception...
Status: RESOLVED FIXED
: 988694 (view as bug list)
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P5 - None : Normal
: ---
Assigned To: Security Team bot
Security Team bot
CVSSv2:RedHat:CVE-2016-6259:3.5:(AV:N...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-07-13 06:23 UTC by Alexander Bergmann
Modified: 2016-12-22 11:57 UTC (History)
5 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 3 Andreas Stieger 2016-07-13 08:30:06 UTC
*** Bug 988694 has been marked as a duplicate of this bug. ***
Comment 5 Andreas Stieger 2016-07-13 08:52:25 UTC
CVSSv2 base score 5.7 (AV:A/AC:M/Au:N/C:N/I:N/A:C)
CVSSv2 base score 6.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Comment 11 Andreas Stieger 2016-07-26 12:35:50 UTC
Public at https://xenbits.xen.org/xsa/advisory-183.txt

            Xen Security Advisory CVE-2016-6259 / XSA-183
                              version 5

    x86: Missing SMAP whitelisting in 32-bit exception / event delivery

UPDATES IN VERSION 5
====================

Public release.

ISSUE DESCRIPTION
=================

Supervisor Mode Access Prevention is a hardware feature designed to make
an Operating System more robust, by raising a pagefault rather than
accidentally following a pointer into userspace.  However, legitimate
accesses into userspace require whitelisting, and the exception delivery
mechanism for 32bit PV guests wasn't whitelisted.

IMPACT
======

A malicious 32-bit PV guest kernel can trigger a safety check, crashing
the hypervisor and causing a denial of service to other VMs on the host.

VULNERABLE SYSTEMS
==================

Xen version 4.5 and newer are vulnerable.  Versions 4.4 and older are
not, due to not having software support for SMAP.

The vulnerability is only exposed on x86 hardware supporting the SMAP
feature (Intel Broadwell and later CPUs).  The vulnerability is not
exposed on ARM hardware, or x86 hardware which do not support SMAP.

The vulnerability is only exposed to x86 32bit PV guests.  The
vulnerability is not exposed to 64bit PV guests or HVM guests.

MITIGATION
==========

Running only HVM guests or 64-bit PV guests, avoids the vulnerability.

Disabling SMAP in the hypervisor by booting Xen with "smap=0" on the
command line will avoid this vulnerability.  (Depending on the
circumstances this workaround may pose a small risk of increasing the
impact of other, possibly unknown, vulnerabilities.)

CREDITS
=======

This issue was discovered by Andrew Cooper of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa183.patch           xen-unstable, 4.7.x
xsa183-4.6.patch       Xen 4.6.x, 4.5.x

$ sha256sum xsa183*
ea0ea4b294332814330f222e6d78eea3b19c394eac8ae22feb4a5bd21e90331f  xsa183-unstable.patch
0fee41f21a3eb4af1487590098047f4625688bcef7419572a8f418f9fb728468  xsa183-4.6.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches described above (or others which are
substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.

But: Deployment of the "smap=0" mitigation is NOT permitted (except
where all the affected systems and VMs are administered and used only
by organisations which are members of the Xen Project Security Issues
Predisclosure List).  Specifically, deployment on public cloud systems
is NOT permitted.  This is because this produces a guest-visible
change which could lead to rediscovery of the vulnerability.

And: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
Comment 12 Swamp Workflow Management 2016-08-17 16:17:58 UTC
SUSE-SU-2016:2093-1: An update that solves 27 vulnerabilities and has 18 fixes is now available.

Category: security (important)
Bug References: 900418,949889,953339,953362,953518,954872,957986,958848,961600,963161,964427,973188,973631,974038,975130,975138,975907,976058,976111,978164,978295,978413,979620,979670,980716,980724,981264,981276,982024,982025,982026,982224,982225,982286,982695,982960,983973,983984,984981,985503,986586,988675,988676,990843,990923
CVE References: CVE-2014-3672,CVE-2016-3158,CVE-2016-3159,CVE-2016-3710,CVE-2016-3960,CVE-2016-4001,CVE-2016-4002,CVE-2016-4020,CVE-2016-4037,CVE-2016-4439,CVE-2016-4441,CVE-2016-4453,CVE-2016-4454,CVE-2016-4952,CVE-2016-4962,CVE-2016-4963,CVE-2016-5105,CVE-2016-5106,CVE-2016-5107,CVE-2016-5126,CVE-2016-5238,CVE-2016-5337,CVE-2016-5338,CVE-2016-5403,CVE-2016-6258,CVE-2016-6259,CVE-2016-6351
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    xen-4.5.3_08-17.1
SUSE Linux Enterprise Server 12-SP1 (src):    xen-4.5.3_08-17.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    xen-4.5.3_08-17.1
Comment 13 Charles Arnold 2016-10-03 20:32:23 UTC
This is included in the SLE-12-SP1 maintenance submission.
It is part of SLE-12-SP2 since RC1.
Comment 14 Swamp Workflow Management 2016-10-07 12:10:21 UTC
SUSE-SU-2016:2473-1: An update that solves 10 vulnerabilities and has 11 fixes is now available.

Category: security (important)
Bug References: 953518,955104,959330,959552,970135,971949,988675,988676,990500,990970,991934,992224,993665,994421,994625,994761,994772,994775,995785,995789,995792
CVE References: CVE-2016-6258,CVE-2016-6259,CVE-2016-6833,CVE-2016-6834,CVE-2016-6835,CVE-2016-6836,CVE-2016-6888,CVE-2016-7092,CVE-2016-7093,CVE-2016-7094
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    xen-4.5.3_10-20.1
SUSE Linux Enterprise Server 12-SP1 (src):    xen-4.5.3_10-20.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    xen-4.5.3_10-20.1
Comment 15 Swamp Workflow Management 2016-10-11 17:17:16 UTC
openSUSE-SU-2016:2494-1: An update that solves 46 vulnerabilities and has 17 fixes is now available.

Category: security (important)
Bug References: 900418,949889,953339,953362,953518,954872,955104,958848,959330,959552,961100,961600,963161,964427,970135,971949,973188,973631,974038,975130,975138,975907,976058,976111,978164,978295,978413,979620,979670,980716,980724,981264,981276,982024,982025,982026,982224,982225,982286,982695,982960,983973,983984,984981,985503,986586,988675,988676,990500,990843,990923,990970,991934,992224,993665,994421,994625,994761,994772,994775,995785,995789,995792
CVE References: CVE-2014-3615,CVE-2014-3672,CVE-2015-7512,CVE-2015-8504,CVE-2015-8558,CVE-2015-8568,CVE-2015-8613,CVE-2015-8743,CVE-2016-1714,CVE-2016-1981,CVE-2016-3158,CVE-2016-3159,CVE-2016-3710,CVE-2016-3712,CVE-2016-3960,CVE-2016-4001,CVE-2016-4002,CVE-2016-4020,CVE-2016-4037,CVE-2016-4439,CVE-2016-4441,CVE-2016-4453,CVE-2016-4454,CVE-2016-4480,CVE-2016-4952,CVE-2016-4962,CVE-2016-4963,CVE-2016-5105,CVE-2016-5106,CVE-2016-5107,CVE-2016-5126,CVE-2016-5238,CVE-2016-5337,CVE-2016-5338,CVE-2016-5403,CVE-2016-6258,CVE-2016-6259,CVE-2016-6351,CVE-2016-6833,CVE-2016-6834,CVE-2016-6835,CVE-2016-6836,CVE-2016-6888,CVE-2016-7092,CVE-2016-7093,CVE-2016-7094
Sources used:
openSUSE Leap 42.1 (src):    xen-4.5.3_10-15.2
Comment 16 Marcus Meissner 2016-12-22 11:57:48 UTC
released