From: Andrew Cooper
Subject: Re: Xen Security Advisory 12 (CVE-2012-3494) - hypercall set_debugreg vulnerability
Date: Wed, 5 Sep 2012 10:52:11 +0100
Message-ID: <504720CB.8060906@citrix.com>
In-Reply-To: <4cb9d7f220dd459c1554c6b5d9e2ed73@abpni.co.uk>
To: xen-devel@lists.xen.org

On 05/09/12 10:49, Jonathan Tripathy wrote:
> Is Xen 3.4.x vulnerable?
>
> Thanks


Yes - Vulnerable (tested and fixed) all the way back as far as Xen-3.2 (which is the earliest version that XenServer still creates security fixes for)

~Andrew

>
> On 05.09.2012 10:38, Xen.org security team wrote:
> Xen Security Advisory CVE-2012-3494 / XSA-12
> version 3
>
> hypercall set_debugreg vulnerability
>
> UPDATES IN VERSION 3
> ====================
>
> Public release.
>
> ISSUE DESCRIPTION
> =================
>
> set_debugreg allows writes to reserved bits of the DR7 debug control
> register on x86-64.
>
> IMPACT
> ======
>
> A malicious guest can cause the host to crash, leading to a DoS.
>
> If the vulnerable hypervisor is run on future hardware, the impact of
> the vulnerability might be widened depending on the future assignment
> of the currently-reserved debug register bits.
>
> VULNERABLE SYSTEMS
> ==================
>
> All systems running 64-bit paravirtualised guests.
>
> The vulnerability dates back to at least Xen 4.0. 4.0, 4.1, the 4.2
> RCs, and xen-unstable.hg are all vulnerable.
>
> MITIGATION
> ==========
>
> This issue can be mitigated by ensuring (inside the guest) that the
> kernel is trustworthy, or by running only 32-bit or HVM guests.
>
> RESOLUTION
> ==========
>
> Applying the appropriate attached patch will resolve the issue.
>
> PATCH INFORMATION
> =================
>
> The attached patch resolves this issue:
>
> Xen unstable, 4.1 and 4.0 xsa12-all.patch
>
> $ sha256sum xsa12-all.patch
> 2415ee133e28b1c848c5ae3ce766cc2a67009bad8d026879030a6511b85dbc13
> xsa12-all.patch
>
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> http://lists.xen.org/xen-devel


--
Andrew Cooper - Dom0 Kernel Engineer, Citrix XenServer
T: +44 (0)1223 225 900, http://www.citrix.com
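
Added illustration, not part of the original message and not the XSA-12 patch: a reserved-bit check on a guest-requested DR7 value of the kind the advisory's issue description calls for. The bit layout is assumed from the x86 architecture manuals, and the function names and the narrow mask are hypothetical, the latter a constructed contrast showing how a check that only covers the low word lets upper-half bits through.

```c
#include <stdint.h>
#include <stdio.h>

/* DR7 layout assumed from the x86 architecture manuals, not from the patch:
 *   bits 0-9   L0/G0..L3/G3, LE, GE       bit 10     reserved, reads as 1
 *   bits 11-12 reserved, zero (2012 era)  bit 13     GD
 *   bits 14-15 reserved, zero             bits 16-31 R/W and LEN fields
 *   bits 32-63 reserved on x86-64; setting any of them faults with #GP */
#define DR7_WRITABLE      UINT64_C(0x00000000ffff23ff)
#define DR7_RESERVED_ONE  UINT64_C(0x0000000000000400)
#define DR7_RESERVED_ZERO (~(DR7_WRITABLE | DR7_RESERVED_ONE))
/* Constructed contrast: a mask that only knows the low-word reserved bits. */
#define DR7_NARROW_MASK   UINT64_C(0x000000000000d800)

/* Reserved bits set in a guest-requested DR7 value; 0 means acceptable. */
uint64_t dr7_offending_bits(uint64_t requested)
{
    return requested & DR7_RESERVED_ZERO;
}

/* Same check with the narrow mask: upper-half bits pass unnoticed. */
uint64_t dr7_offending_bits_narrow(uint64_t requested)
{
    return requested & DR7_NARROW_MASK;
}

/* Refuse the request, or produce the value that is safe to load. */
int dr7_validate(uint64_t requested, uint64_t *loadable)
{
    if (dr7_offending_bits(requested))
        return -1;
    if (loadable)
        *loadable = requested | DR7_RESERVED_ONE;
    return 0;
}

int main(void)
{
    /* Constructed sample requests, not taken from any real guest. */
    const uint64_t samples[] = { 0x1, 0x800, UINT64_C(1) << 32, 0xffff23ff };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%#018llx full=%#llx narrow=%#llx verdict=%d\n",
               (unsigned long long)samples[i],
               (unsigned long long)dr7_offending_bits(samples[i]),
               (unsigned long long)dr7_offending_bits_narrow(samples[i]),
               dr7_validate(samples[i], NULL));
    return 0;
}
```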
