Bug 950706 – VUL-0: CVE-2015-7971: xen: x86: some pmu and profiling hypercalls log without rate limiting (XSA-152)

Bug 950706 - (CVE-2015-7971) VUL-0: CVE-2015-7971: xen: x86: some pmu and profiling hypercalls log without rate limiting (XSA-152)

(CVE-2015-7971)
Summary:	VUL-0: CVE-2015-7971: xen: x86: some pmu and profiling hypercalls log without...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:	CVSSv2:NVD:CVE-2015-7971:2.1:(AV:L/AC...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2015-10-16 08:08 UTC by Andreas Stieger
Modified:	2021-01-21 18:25 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Comment 3 Swamp Workflow Management 2015-10-16 22:00:46 UTC

bugbot adjusting priority

Comment 4 Andreas Stieger 2015-10-29 12:38:19 UTC

public at http://xenbits.xen.org/xsa/advisory-152.html

            Xen Security Advisory CVE-2015-7971 / XSA-152
                              version 3

      x86: some pmu and profiling hypercalls log without rate limiting

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

HYPERCALL_xenoprof_op and HYPERVISOR_xenpmu_op log some errors and
attempts at invalid operations.

These log messages are not rate-limited, even though they can be
triggered by guests.

IMPACT
======

A malicious guest could cause repeated logging to the hypervisor
console, leading to a Denial of Service attack.

VULNERABLE SYSTEMS
==================

Xen versions 3.2.x and later are affected.  (The VPMU part of the
vulnerability is applicable only to Xen 4.6 and later.)

ARM systems are not affected.  (The pmu hypercall is x86-specific, and
xenoprof is not supported on ARM.)

MITIGATION
==========

The problematic log messages are issued with priority Warning.
Therefore they can be rate limited by adding "loglvl=error/warning" to
the hypervisor command line or suppressed entirely by adding
"loglvl=error".

On systems where the guest kernel is controlled by the host rather
than guest administrator, running only kernels which do not call these
hypercalls will also prevent untrusted guest users from exploiting
this issue. However untrusted guest administrators can still trigger
it unless further steps are taken to prevent them from loading code
into the kernel (e.g. by disabling loadable modules etc) or from using
other mechanisms which allow them to run code at kernel privilege.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa152-unstable.patch        xen-unstable, Xen 4.6.x
xsa152-4.5.patch             Xen 4.5.x, Xen 4.4.x, Xen 4.3.x

$ sha256sum xsa152*.patch
596f51797aa591b5abd068ead03e21215cf70997c98a4a562392499afe47b81c  xsa152.patch
7ae2811ea80da29ee234ad5a2cbb5908e03db8fb6c50774d378d77d273e74e39  xsa152-4.5.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html

Comment 5 Swamp Workflow Management 2015-10-30 16:16:57 UTC

SUSE-SU-2015:1853-1: An update that solves 8 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 877642,907514,910258,918984,923967,932267,941074,944463,944697,947165,950367,950703,950705,950706
CVE References: CVE-2014-0222,CVE-2015-4037,CVE-2015-5239,CVE-2015-6815,CVE-2015-7311,CVE-2015-7835,CVE-2015-7969,CVE-2015-7971
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    xen-4.2.5_14-18.2
SUSE Linux Enterprise Server 11-SP3 (src):    xen-4.2.5_14-18.2
SUSE Linux Enterprise Desktop 11-SP3 (src):    xen-4.2.5_14-18.2
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xen-4.2.5_14-18.2

Comment 6 Swamp Workflow Management 2015-11-03 10:36:51 UTC

SUSE-SU-2015:1894-1: An update that solves 8 vulnerabilities and has 9 fixes is now available.

Category: security (important)
Bug References: 877642,901488,907514,910258,918984,923967,932267,944463,944697,945167,947165,949138,949549,950367,950703,950705,950706
CVE References: CVE-2014-0222,CVE-2015-4037,CVE-2015-5239,CVE-2015-6815,CVE-2015-7311,CVE-2015-7835,CVE-2015-7969,CVE-2015-7971
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xen-4.4.3_02-26.2
SUSE Linux Enterprise Server 11-SP4 (src):    xen-4.4.3_02-26.2
SUSE Linux Enterprise Desktop 11-SP4 (src):    xen-4.4.3_02-26.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.3_02-26.2

Comment 7 Swamp Workflow Management 2015-11-04 16:16:33 UTC

SUSE-SU-2015:1908-1: An update that solves 8 vulnerabilities and has 8 fixes is now available.

Category: security (important)
Bug References: 877642,901488,907514,910258,918984,923967,932267,944463,944697,945167,947165,949138,950367,950703,950705,950706
CVE References: CVE-2014-0222,CVE-2015-4037,CVE-2015-5239,CVE-2015-6815,CVE-2015-7311,CVE-2015-7835,CVE-2015-7969,CVE-2015-7971
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    xen-4.4.3_02-22.12.1
SUSE Linux Enterprise Server 12 (src):    xen-4.4.3_02-22.12.1
SUSE Linux Enterprise Desktop 12 (src):    xen-4.4.3_02-22.12.1

Comment 8 Swamp Workflow Management 2015-11-10 17:11:38 UTC

SUSE-SU-2015:1952-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 877642,932267,944463,944697,950367,950703,950705,950706
CVE References: CVE-2014-0222,CVE-2015-4037,CVE-2015-5239,CVE-2015-6815,CVE-2015-7835,CVE-2015-7969,CVE-2015-7971
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    xen-4.1.6_08-20.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    xen-4.1.6_08-20.1

Comment 9 Swamp Workflow Management 2015-11-11 14:07:37 UTC

An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-11-25.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62332

Comment 10 Swamp Workflow Management 2015-11-12 11:12:52 UTC

openSUSE-SU-2015:1964-1: An update that solves 12 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 877642,932267,938344,939709,939712,941074,944463,944697,947165,950367,950703,950705,950706,951845
CVE References: CVE-2014-0222,CVE-2015-4037,CVE-2015-5154,CVE-2015-5165,CVE-2015-5166,CVE-2015-5239,CVE-2015-6815,CVE-2015-7311,CVE-2015-7835,CVE-2015-7969,CVE-2015-7971,CVE-2015-7972
Sources used:
openSUSE 13.1 (src):    xen-4.3.4_06-50.1

Comment 11 Swamp Workflow Management 2015-11-12 11:14:13 UTC

openSUSE-SU-2015:1965-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 877642,932267,950367,950703,950705,950706,951845
CVE References: CVE-2014-0222,CVE-2015-4037,CVE-2015-7835,CVE-2015-7969,CVE-2015-7971,CVE-2015-7972
Sources used:
openSUSE Leap 42.1 (src):    xen-4.5.1_12-3.1

Comment 12 Swamp Workflow Management 2015-11-17 10:15:54 UTC

openSUSE-SU-2015:2003-1: An update that solves 13 vulnerabilities and has 9 fixes is now available.

Category: security (important)
Bug References: 877642,901488,907514,910258,918984,923967,925466,932267,935634,938344,939709,939712,944463,944697,945167,947165,949138,950367,950703,950705,950706,951845
CVE References: CVE-2014-0222,CVE-2015-3259,CVE-2015-4037,CVE-2015-5154,CVE-2015-5165,CVE-2015-5166,CVE-2015-5239,CVE-2015-6815,CVE-2015-7311,CVE-2015-7835,CVE-2015-7969,CVE-2015-7971,CVE-2015-7972
Sources used:
openSUSE 13.2 (src):    xen-4.4.3_02-30.1

Comment 13 Marcus Meissner 2015-12-03 10:22:14 UTC

was released

Comment 14 Swamp Workflow Management 2015-12-18 21:13:43 UTC

SUSE-SU-2015:2306-1: An update that fixes 10 vulnerabilities is now available.

Category: security (moderate)
Bug References: 950703,950704,950705,950706,951845,953527,954405,956408,956411,956832
CVE References: CVE-2015-5307,CVE-2015-7504,CVE-2015-7969,CVE-2015-7970,CVE-2015-7971,CVE-2015-7972,CVE-2015-8104,CVE-2015-8339,CVE-2015-8340,CVE-2015-8345
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    xen-4.1.6_08-23.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    xen-4.1.6_08-23.1

Comment 15 Swamp Workflow Management 2015-12-19 15:14:08 UTC

SUSE-SU-2015:2326-1: An update that solves 12 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 947165,950703,950704,950705,950706,951845,954018,954405,956408,956409,956411,956592,956832
CVE References: CVE-2015-5307,CVE-2015-7311,CVE-2015-7504,CVE-2015-7969,CVE-2015-7970,CVE-2015-7971,CVE-2015-7972,CVE-2015-8104,CVE-2015-8339,CVE-2015-8340,CVE-2015-8341,CVE-2015-8345
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    xen-4.2.5_18-21.1
SUSE Linux Enterprise Server 11-SP3 (src):    xen-4.2.5_18-21.1
SUSE Linux Enterprise Desktop 11-SP3 (src):    xen-4.2.5_18-21.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xen-4.2.5_18-21.1

Comment 16 Swamp Workflow Management 2015-12-19 15:17:13 UTC

SUSE-SU-2015:2328-1: An update that fixes 13 vulnerabilities is now available.

Category: security (moderate)
Bug References: 947165,950703,950704,950705,950706,951845,954018,954405,956408,956409,956411,956592,956832
CVE References: CVE-2015-5307,CVE-2015-7311,CVE-2015-7504,CVE-2015-7835,CVE-2015-7969,CVE-2015-7970,CVE-2015-7971,CVE-2015-7972,CVE-2015-8104,CVE-2015-8339,CVE-2015-8340,CVE-2015-8341,CVE-2015-8345
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    xen-4.4.3_06-22.15.1
SUSE Linux Enterprise Server 12 (src):    xen-4.4.3_06-22.15.1
SUSE Linux Enterprise Desktop 12 (src):    xen-4.4.3_06-22.15.1

Comment 17 Swamp Workflow Management 2015-12-22 12:12:25 UTC

SUSE-SU-2015:2338-1: An update that solves 13 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 947165,950703,950704,950705,950706,951845,954018,954405,955399,956408,956409,956411,956592,956832
CVE References: CVE-2015-5307,CVE-2015-7311,CVE-2015-7504,CVE-2015-7835,CVE-2015-7969,CVE-2015-7970,CVE-2015-7971,CVE-2015-7972,CVE-2015-8104,CVE-2015-8339,CVE-2015-8340,CVE-2015-8341,CVE-2015-8345
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xen-4.4.3_06-29.1
SUSE Linux Enterprise Server 11-SP4 (src):    xen-4.4.3_06-29.1
SUSE Linux Enterprise Desktop 11-SP4 (src):    xen-4.4.3_06-29.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.3_06-29.1

Comment 18 Swamp Workflow Management 2016-01-19 11:49:01 UTC

An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2016-01-26.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62448

Comment 19 Swamp Workflow Management 2016-03-04 21:14:52 UTC

SUSE-SU-2016:0658-1: An update that fixes 13 vulnerabilities is now available.

Category: security (important)
Bug References: 877642,932267,944463,950706,953527,954405,956408,956411,957988,958009,958493,958523,962360
CVE References: CVE-2014-0222,CVE-2015-4037,CVE-2015-5239,CVE-2015-5307,CVE-2015-7504,CVE-2015-7512,CVE-2015-7971,CVE-2015-8104,CVE-2015-8339,CVE-2015-8340,CVE-2015-8504,CVE-2015-8550,CVE-2015-8555
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    xen-3.2.3_17040_46-0.23.2