Bug 950172 - (CVE-2015-7813) VUL-0: CVE-2015-7813: xen: arm: various unimplemented hypercalls log without rate limiting (XSA-146)
(CVE-2015-7813)
VUL-0: CVE-2015-7813: xen: arm: various unimplemented hypercalls log without ...
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P5 - None : Normal
: ---
Assigned To: Charles Arnold
Security Team bot
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-10-13 14:29 UTC by Andreas Stieger
Modified: 2015-10-29 12:30 UTC (History)
0 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Andreas Stieger 2015-10-13 14:33:03 UTC
SUSE does not ship Xen on ARM. Closing.
Comment 2 Andreas Stieger 2015-10-29 12:30:16 UTC
Public at http://xenbits.xen.org/xsa/advisory-146.html

            Xen Security Advisory CVE-2015-7813 / XSA-146
                              version 3

   arm: various unimplemented hypercalls log without rate limiting

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The HYPERVISOR_physdev_op hypercall and most suboperations of the
HYPERVISOR_hvm_op hypercall are not currently implemented by Xen on
ARM and when called will log the use to the hypervisor
console. However these guest accessible log messages are not
rate-limited.

IMPACT
======

A malicious guest could cause repeated logging to the hypervisor
console, leading to a Denial of Service attack.

VULNERABLE SYSTEMS
==================

Xen 4.4 and later systems running on ARM hardware are vulnerable.

x86 systems are not affected.

MITIGATION
==========

The problematic log messages are issued with priority Warning.

Therefore they can be rate limited by adding "loglvl=error/warning" to the
hypervisor command line or suppressed entirely by adding "loglvl=error".

On systems where the guest kernel is controlled by the host rather
than guest administrator, running only kernels which do not call these
hypercalls will also prevent untrusted guest users from exploiting
this issue. However untrusted guest administrators can still trigger
it unless further steps are taken to prevent them from loading code
into the kernel (e.g. by disabling loadable modules etc) or from using
other mechanisms which allow them to run code at kernel privilege.

CREDITS
=======

This issue was discovered by Julien Grall of Citrix.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa146.patch        xen-unstable, Xen 4.6.x, Xen 4.5.x, Xen 4.4.x

$ sha256sum xsa146*.patch
1d0ff203581ac5bcc0ec4469a4909da968b218ed83280efd217020c396028591  xsa146.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html