SecurityTracker
Archives


 
Category:   Application (Generic)  >   Xen
Vendors:   XenSource
Xen AVX/LWP XSAVE/XRSTOR May Disclose Sensitive Information to Local Users
SecurityTracker Alert ID:  1029090
SecurityTracker URL:  http://securitytracker.com/id/1029090
CVE Reference:   CVE-2013-1442
Date:  Sep 26 2013
Impact:   Disclosure of system information
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   A vulnerability was reported in Xen. A guest operating system can obtain potentially sensitive information from another guest.

On processors that support AVX and/or LWP, a guest operating system can use XSAVE/XRSTOR operations to read register values left behind by a previously scheduled vCPU and so obtain sensitive information, such as cryptographic keys, from another domain.

Xen 3.x and prior are not vulnerable.

Jan Beulich reported this vulnerability.

Impact:   A guest operating system can obtain potentially sensitive information from another guest.
Solution:   The vendor has issued a fix (xsa62.patch, xsa62-4.1.patch).
Vendor URL:  www.xen.org/
Cause:   Access control error
Underlying OS:   Linux (Any)

Message History:   None.


 Source Message Contents

Date:  Wed, 25 Sep 2013 08:31:11 +0000
Subject:  [oss-security] Xen Security Advisory 62 (CVE-2013-1442) - Information leak on AVX and/or LWP capable CPUs

            Xen Security Advisory CVE-2013-1442 / XSA-62
                              version 2

            Information leak on AVX and/or LWP capable CPUs

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

When a guest increases the set of extended state components for a vCPU saved/
restored via XSAVE/XRSTOR (to date this can only be the upper halves of YMM
registers, or AMD's LWP state) after already having touched other extended
registers restored via XRSTOR (e.g. floating point or XMM ones) during its
current scheduled CPU quantum, the hypervisor would make those registers
accessible without discarding the values an earlier scheduled vCPU may have
left in them.

IMPACT
======

A malicious domain may be able to leverage this to obtain sensitive information
such as cryptographic keys from another domain.

VULNERABLE SYSTEMS
==================

Xen 4.0 and onwards are vulnerable when run on systems with processors
supporting AVX and/or LWP.  Any kind of guest can exploit the vulnerability.

In Xen 4.0.2 through 4.0.4 as well as in Xen 4.1.x XSAVE support is disabled by
default; therefore systems running these versions are not vulnerable unless
support is explicitly enabled using the "xsave" hypervisor command line option.

Systems using processors supporting neither AVX nor LWP are not vulnerable.

Xen 3.x and earlier are not vulnerable.

MITIGATION
==========

Turning off XSAVE support via the "no-xsave" hypervisor command line option
will avoid the vulnerability.

CREDITS
=======

Jan Beulich discovered this issue.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa62.patch                 Xen 4.2.x, 4.3.x, and unstable
xsa62-4.1.patch             Xen 4.1.x

$ sha256sum xsa62*.patch
3cec8ec26552f2142c044422f1bc0f77892e681d789d1f360ecc06e1d714b6bb  xsa62-4.1.patch
364577f317a714099c068eb1ab771643ada99b5067fdd1eb5149fa5db649b856  xsa62.patch
$
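
The VULNERABLE SYSTEMS and MITIGATION rules of the advisory above can be turned into a host triage check. The following is an added example, not part of the advisory or of Xen; the function names and the sample inputs are assumptions, and the caller supplies the Xen version, the physical CPU's feature flags and the hypervisor command line.

```sh
#!/bin/sh
# Added example: XSA-62 exposure triage from the advisory's stated rules.
# Inputs are arguments so the logic runs offline; it cannot detect the patch.

# xsave_setting CMDLINE -> on | off | default (last matching token wins).
# Only the two spellings the advisory names are recognised.
xsave_setting() {
    setting=default
    for tok in $1; do
        case "$tok" in
            xsave)    setting=on ;;
            no-xsave) setting=off ;;
        esac
    done
    echo "$setting"
}

# xsa62_exposure XEN_VERSION CPU_FLAGS XEN_CMDLINE
xsa62_exposure() {
    version=$1; flags=$2; cmdline=$3

    # Processors supporting neither AVX nor LWP are not vulnerable.
    case " $flags " in
        *" avx "*|*" lwp "*) ;;
        *) echo "not-affected: CPU has neither AVX nor LWP"; return 0 ;;
    esac

    # Xen 3.x and earlier are not vulnerable.
    if [ "${version%%.*}" -lt 4 ]; then
        echo "not-affected: Xen $version predates 4.0"; return 0
    fi

    # 4.0.2-4.0.4 and 4.1.x ship with XSAVE support disabled by default.
    case "$version" in
        4.0.[2-4]|4.1|4.1.*) default=off ;;
        *)                   default=on ;;
    esac

    setting=$(xsave_setting "$cmdline")
    if [ "$setting" = default ]; then setting=$default; fi

    if [ "$setting" = off ]; then
        echo "not-affected: XSAVE support is off"; return 0
    fi
    echo "exposed-unless-patched: Xen $version, XSAVE on, AVX/LWP CPU"
}

# Constructed sample: Xen 4.1.5 booted with "xsave" on an AVX-capable CPU.
xsa62_exposure "4.1.5" "fpu sse sse2 avx" "console=vga xsave"
```

A result of "exposed-unless-patched" means the configuration matches the advisory's vulnerable case; whether xsa62.patch or xsa62-4.1.patch has been applied has to be confirmed separately.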

Copyright 2014, SecurityGlobal.net LLC