Bug 903967 - (CVE-2014-8594) VUL-0: CVE-2014-8594: XSA-109: xen: Insufficient restrictions on certain MMU update hypercalls
(CVE-2014-8594)
VUL-0: CVE-2014-8594: XSA-109: xen: Insufficient restrictions on certain MMU ...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
maint:released:sle11-sp3:59810 maint:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-11-05 09:30 UTC by Johannes Segitz
Modified: 2016-11-22 17:18 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
xen-unstable, Xen 4.4.x, Xen 4.3.x (790 bytes, patch)
2014-11-05 09:31 UTC, Johannes Segitz
Details | Diff
Xen 4.2.x (786 bytes, patch)
2014-11-05 09:31 UTC, Johannes Segitz
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Johannes Segitz 2014-11-05 09:30:28 UTC
*** EMBARGOED UNTIL 2014-11-18 12:00 UTC ***

ISSUE DESCRIPTION
=================

MMU update operations targeting page tables are intended to be used on
PV guests only. The lack of a respective check made it possible for
such operations to access certain function pointers which remain NULL
when the target guest is using Hardware Assisted Paging (HAP).

IMPACT
======

Malicious or buggy stub domain kernels or tool stacks otherwise living
outside of Domain0 can mount a denial of service attack which, if
successful, can affect the whole system.

Only PV domains with privilege over other guests can exploit this
vulnerability; and only when those other guests are HVM using HAP, or
PVH.  The vulnerability is therefore exposed to PV domains providing
hardware emulation services to HVM guests.

VULNERABLE SYSTEMS
==================

Xen 4.0 and onward are vulnerable.

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

The vulnerability is only exposed to PV service domains for HVM or
PVH guests which have privilege over the guest.  In a usual
configuration that means only device model emulators (qemu-dm).

In the case of HVM guests whose device model is running in an
unrestricted dom0 process, qemu-dm already has the ability to cause
problems for the whole system.  So in that case the vulnerability is
not applicable.

The situation is more subtle for an HVM guest with a stub qemu-dm.
That is, where the device model runs in a separate domain (in the case
of xl, as requested by "device_model_stubdomain_override=1" in the xl
domain configuration file).  The same applies with a qemu-dm in a dom0
process subjected to some kind kernel-based process privilege
limitation (eg the chroot technique as found in some versions of
XCP/XenServer).

In those latter situations this issue means that the extra isolation
does not provide as good a defence (against denial of service) as
intended.  That is the essence of this vulnerability.

However, the security is still better than with a qemu-dm running as
an unrestricted dom0 process.  Therefore users with these
configurations should not switch to an unrestricted dom0 qemu-dm.

Finally, in a radically disaggregated system: where the HVM or PVH
service domain software (probably, the device model domain image in the
HVM case) is not always supplied by the host administrator, a malicious
service domain administrator can exercise this vulnerability.

MITIGATION
==========

Running only PV guests or HVM guests with shadow paging enabled will
avoid this issue.

In a radically disaggregated system, restricting HVM service domains
to software images approved by the host administrator will avoid the
vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa109.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x
xsa109-4.2.patch    Xen 4.2.x

$ sha256sum xsa109*.patch
759d1b8cb8c17e53d17ad045ab89c5aaf52cb85fd93eef07e7acbe230365c56d  xsa109-4.2.patch
729b87c2b9979fbda47c96e934db6fcfaeb10e07b4cfd66bb1e9f746a908576b  xsa109.patch
Comment 1 Johannes Segitz 2014-11-05 09:31:03 UTC
Created attachment 612447 [details]
xen-unstable, Xen 4.4.x, Xen 4.3.x
Comment 2 Johannes Segitz 2014-11-05 09:31:18 UTC
Created attachment 612448 [details]
Xen 4.2.x
Comment 3 Swamp Workflow Management 2014-11-05 23:00:37 UTC
bugbot adjusting priority
Comment 4 Johannes Segitz 2014-11-10 15:45:34 UTC
CVE got assigned: CVE-2014-8594
Comment 5 Swamp Workflow Management 2014-11-13 15:29:12 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2014-11-27.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/59647
Comment 6 Charles Arnold 2014-11-25 22:35:10 UTC
Xen has been submitted with the following MR/SR numbers:

SLE12: MR#46616
SLE11-SP3: SR#46617
SLE11-SP2: SR#46618
SLE11-SP1: SR#46619
SLE11-SP1-Teradata: SR#46622
Comment 7 Swamp Workflow Management 2014-12-24 07:08:03 UTC
SUSE-SU-2014:1700-1: An update that solves 5 vulnerabilities and has 5 fixes is now available.

Category: security (moderate)
Bug References: 866902,882089,896023,901317,903850,903967,903970,905465,905467,906439
CVE References: CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    xen-4.2.5_02-0.7.1
SUSE Linux Enterprise Server 11 SP3 (src):    xen-4.2.5_02-0.7.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    xen-4.2.5_02-0.7.1
Comment 8 Swamp Workflow Management 2014-12-24 18:06:55 UTC
SUSE-SU-2014:1710-1: An update that solves 13 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 826717,867910,875668,880751,895798,895799,895802,897657,901317,903850,903967,903970,905465,905467,906439
CVE References: CVE-2013-3495,CVE-2014-2599,CVE-2014-3124,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188,CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    xen-4.1.6_08-0.5.1
Comment 9 Swamp Workflow Management 2014-12-30 19:05:55 UTC
SUSE-SU-2014:1732-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 826717,880751,895798,895799,895802,903967,903970,905467,906439
CVE References: CVE-2013-3495,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-8594,CVE-2014-8595,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    xen-4.0.3_21548_18-0.9.1
Comment 10 Swamp Workflow Management 2015-01-09 11:07:25 UTC
SUSE-SU-2015:0022-1: An update that solves 8 vulnerabilities and has 10 fixes is now available.

Category: security (important)
Bug References: 826717,866902,882089,889526,896023,897614,897906,898772,900292,901317,903357,903359,903850,903967,903970,905465,905467,906439
CVE References: CVE-2013-3495,CVE-2014-5146,CVE-2014-5149,CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    xen-4.4.1_08-5.2
SUSE Linux Enterprise Server 12 (src):    xen-4.4.1_08-5.2
SUSE Linux Enterprise Desktop 12 (src):    xen-4.4.1_08-5.2
Comment 11 Swamp Workflow Management 2015-02-06 10:07:11 UTC
openSUSE-SU-2015:0226-1: An update that solves 11 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 826717,866902,882089,889526,900292,901317,903357,903359,903850,903967,903970,905465,905467,906439,906996,910681
CVE References: CVE-2013-3495,CVE-2014-5146,CVE-2014-5149,CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030,CVE-2014-9065,CVE-2014-9066,CVE-2015-0361
Sources used:
openSUSE 13.1 (src):    xen-4.3.3_04-34.1
Comment 12 Marcus Meissner 2015-02-09 11:02:34 UTC
close
Comment 13 Swamp Workflow Management 2015-02-11 14:07:51 UTC
openSUSE-SU-2015:0256-1: An update that solves 11 vulnerabilities and has 9 fixes is now available.

Category: security (important)
Bug References: 826717,866902,882089,889526,896023,897906,898772,900292,901317,903357,903359,903850,903967,903970,904255,905465,905467,906439,906996,910681
CVE References: CVE-2013-3495,CVE-2014-5146,CVE-2014-5149,CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030,CVE-2014-9065,CVE-2014-9066,CVE-2015-0361
Sources used:
openSUSE 13.2 (src):    xen-4.4.1_08-9.1