* Re: Xen Security Advisory 11 (CVE-2012-3433) - HVM destroy p2m host DoS (Xen.org security team)
[not found] <mailman.10477.1344525712.1399.xen-devel@lists.xen.org>
@ 2012-08-09 16:30 ` Andres Lagar-Cavilla
2012-08-09 16:40 ` George Dunlap
2012-08-09 17:15 ` Tim Deegan
0 siblings, 2 replies; 4+ messages in thread
From: Andres Lagar-Cavilla @ 2012-08-09 16:30 UTC
To: xen-devel; +Cc: ian.jackson, tim, ian.campbell, security
I realize Gridcentric is neither a service provider, nor a "big vendor",
and therefore not on the pre-disclosure list.
However, this is a bug on which we have first-hand knowledge and ability
to immediately mitigate. In fact, I wrote equivalent code for 4.2/unstable
months ago.
I ignored the xen-devel discussion on pre-disclosure list (my bad), but
understand now that there may be some use to Gridcentric being in that
list.
Thanks
Andres
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Xen Security Advisory CVE-2012-3433 / XSA-11
> version 3
>
> HVM guest destroy p2m teardown host DoS vulnerability
>
> UPDATES IN VERSION 3
> ====================
>
> Embargo ended Thursday 2012-08-09 12:00:00 UTC.
>
> ISSUE DESCRIPTION
> =================
>
> An HVM guest is able to manipulate its physical address space such
> that tearing down the guest takes an extended period of time
> searching for shared pages.
>
> This causes the domain 0 VCPU which tears down the domain to be
> blocked in the destroy hypercall. This causes that domain 0 VCPU to
> become unavailable and may cause the domain 0 kernel to panic.
>
> There is no requirement for memory sharing to be in use.
>
> IMPACT
> ======
>
> A guest kernel can cause the host to become unresponsive for a period
> of time, potentially leading to a DoS.
>
> VULNERABLE SYSTEMS
> ==================
>
> All systems running HVM guests with untrusted guest kernels.
>
> This vulnerability affects only Xen 4.0 and 4.1. Xen 3.4 and earlier
> and xen-unstable are not vulnerable.
>
> MITIGATION
> ==========
>
> This issue can be mitigated by running PV (para-virtualised) guests
> only, or by ensuring (inside the guest) that the kernel is
> trustworthy.
>
> RESOLUTION
> ==========
>
> Applying the appropriate attached patch will resolve the issue.
>
> NOTE REGARDING CVE
> ==================
>
> We do not yet have a CVE Candidate number for this vulnerability.
>
> PATCH INFORMATION
> =================
>
> The attached patches resolve this issue
>
> Xen 4.1, 4.1.x xsa11-4.1.patch
> Xen 4.0, 4.0.x xsa11-4.0.patch
>
> $ sha256sum xsa11-*.patch
> c8ab767d831b20a1b22c69a28127303c89cf0379cbf6f1ba3acfda6240aa2a89  xsa11-4.0.patch
> 61c6424023a26a8b4ea591d0bff6969908091a1a1e1304567d0d910908f21e8d  xsa11-4.1.patch
* Re: Xen Security Advisory 11 (CVE-2012-3433) - HVM destroy p2m host DoS (Xen.org security team)
2012-08-09 16:30 ` Xen Security Advisory 11 (CVE-2012-3433) - HVM destroy p2m host DoS (Xen.org security team) Andres Lagar-Cavilla
@ 2012-08-09 16:40 ` George Dunlap
2012-08-09 16:44 ` Andres Lagar-Cavilla
2012-08-09 17:15 ` Tim Deegan
1 sibling, 1 reply; 4+ messages in thread
From: George Dunlap @ 2012-08-09 16:40 UTC
To: andres; +Cc: ian.jackson, security, tim, ian.campbell, xen-devel
On Thu, Aug 9, 2012 at 5:30 PM, Andres Lagar-Cavilla
<andres@lagarcavilla.org> wrote:
> I realize Gridcentric is neither a service provider, nor a "big vendor",
> and therefore not on the pre-disclosure list.
>
> However, this is a bug on which we have first-hand knowledge and ability
> to immediately mitigate. In fact, I wrote equivalent code for 4.2/unstable
> months ago.
I don't quite understand -- are you saying you could have helped craft
a fix? Or are you saying that you would like to be on the list for
your customers' sake?
> I ignored the xen-devel discussion on pre-disclosure list (my bad), but
> understand now that there may be some use to Gridcentric being in that
> list.
The discussion has not concluded yet; you can even still express your
voice in the "poll" here:
http://xen.org/polls/xen_dev_2012_security_process.html
It would probably be good to take a look at the discussion before
answering; at least my recent posts describing the various options and
the criteria to judge them by. :-)
Peace,
-George
* Re: Xen Security Advisory 11 (CVE-2012-3433) - HVM destroy p2m host DoS (Xen.org security team)
2012-08-09 16:40 ` George Dunlap
@ 2012-08-09 16:44 ` Andres Lagar-Cavilla
0 siblings, 0 replies; 4+ messages in thread
From: Andres Lagar-Cavilla @ 2012-08-09 16:44 UTC
To: George Dunlap; +Cc: ian.jackson, security, tim, ian.campbell, xen-devel
> On Thu, Aug 9, 2012 at 5:30 PM, Andres Lagar-Cavilla
> <andres@lagarcavilla.org> wrote:
>> I realize Gridcentric is neither a service provider, nor a "big vendor",
>> and therefore not on the pre-disclosure list.
>>
>> However, this is a bug on which we have first-hand knowledge and ability
>> to immediately mitigate. In fact, I wrote equivalent code for
>> 4.2/unstable
>> months ago.
>
> I don't quite understand -- are you saying you could have helped craft
> a fix? Or are you saying that you would like to be on the list for
> your customers' sake?
The former primarily. But ultimately both.
>
>> I ignored the xen-devel discussion on pre-disclosure list (my bad), but
>> understand now that there may be some use to Gridcentric being in that
>> list.
>
> The discussion has not concluded yet; you can even still express your
> voice in the "poll" here:
>
> http://xen.org/polls/xen_dev_2012_security_process.html
>
> It would probably be good to take a look at the discussion before
> answering; at least my recent posts describing the various options and
> the criteria to judge them by. :-)
Yes, that will take some serious grokking cycles. Thanks for the link.
Andres
>
> Peace,
> -George
>
* Re: Xen Security Advisory 11 (CVE-2012-3433) - HVM destroy p2m host DoS (Xen.org security team)
2012-08-09 16:30 ` Xen Security Advisory 11 (CVE-2012-3433) - HVM destroy p2m host DoS (Xen.org security team) Andres Lagar-Cavilla
2012-08-09 16:40 ` George Dunlap
@ 2012-08-09 17:15 ` Tim Deegan
1 sibling, 0 replies; 4+ messages in thread
From: Tim Deegan @ 2012-08-09 17:15 UTC
To: Andres Lagar-Cavilla; +Cc: ian.jackson, security, ian.campbell, xen-devel
At 09:30 -0700 on 09 Aug (1344504612), Andres Lagar-Cavilla wrote:
> I realize Gridcentric is neither a service provider, nor a "big vendor",
> and therefore not on the pre-disclosure list.
>
> However, this is a bug on which we have first-hand knowledge and ability
> to immediately mitigate. In fact, I wrote equivalent code for 4.2/unstable
> months ago.
For which, thank you -- your patch, and the description of it at the
time, made drafting this response much easier!
> I ignored the xen-devel discussion on pre-disclosure list (my bad), but
> understand now that there may be some use to Gridcentric being in that
> list.
If you mean helping draft a fix, being on the pre-disclosure list
wouldn't have made a difference (unless you see a problem with the
published fix), as that was all done before pre-disclosure.
As to whether GridCentric ought to be on the pre-disclosure list as a
downstream vendor, now is definitely the time to speak up in the
discussion of what the new policy should be.
Cheers,
Tim.