SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Generic)  >   Xen Vendors:   XenSource
Xen AMD CPU Bug May Let Local Guest Users Deny Service on the Host System
SecurityTracker Alert ID:  1029415
SecurityTracker URL:  http://securitytracker.com/id/1029415
CVE Reference:   CVE-2013-6885   (Links to External Site)
Date:  Dec 2 2013
Impact:   Denial of service via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 3.3 and later
Description:   A vulnerability was reported in Xen. A local user on the guest operating system can cause denial of service conditions on the target host operating system.

A local administrative user on the guest operating system can trigger a flaw in AMD-based CPUs to cause a CPU core to hang and the target host system to crash.

The underlying vulnerability is described in AMD CPU erratum 793 ("Specific Combination of Writes to Write Combined Memory Types and Locked Instructions May Cause Core Hang").

Xen versions 3.3 and later running on family 16h model 00h-0fh AMD CPUs are affected.

Jan Beulich reported this vulnerability.

Impact:   A local user on the guest operating system can cause the target host operating system to crash.
Solution:   The vendor has issued a fix (xsa82.patch).
Vendor URL:  www.xen.org/ (Links to External Site)
Cause:   State error
Underlying OS:   Linux (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jan 22 2014 (Citrix Issues Fix for Citrix XenServer) Xen AMD CPU Bug May Let Local Guest Users Deny Service on the Host System
Citrix has issued a fix for Citrix XenServer.



 Source Message Contents

Date:  Mon, 02 Dec 2013 17:14:09 +0000
Subject:  [oss-security] Xen Security Advisory 82 (CVE-2013-6885) - Guest triggerable AMD CPU erratum may cause host hang

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2013-6885 / XSA-82
                              version 3

          Guest triggerable AMD CPU erratum may cause host hang

UPDATES IN VERSION 3
====================

Early public release.

This issue was predisclosed under embargo by the Xen Project Security
team, on the 27th of November.  We treated the issue as not publicly
known because it was not evident from the public sources that this
erratum constitutes a vulnerability (particularly, that it was a
vulnerability in relation to some Xen configurations).

Since then, the fact that this CPU erratum is likely to constitute a
security problem has been publicly disclosed, on the oss-security
mailing list.

Under the circumstances, and in accordance with the Xen Project
security vulnerability policy, it has been decided that it is no
longer appropriate to retain the embargo, as the key facts are now in
the open.

ISSUE DESCRIPTION
=================

AMD CPU erratum 793 "Specific Combination of Writes to Write Combined
Memory Types and Locked Instructions May Cause Core Hang" describes a
situation under which a CPU core may hang.

IMPACT
======

A malicious guest administrator can mount a denial of service attack
affecting the whole system.

VULNERABLE SYSTEMS
==================

The vulnerability is applicable only to family 16h model 00h-0fh AMD
CPUs.

Such CPUs running Xen versions 3.3 onwards are vulnerable.  We have
not checked earlier versions of Xen.

HVM guests can always exploit the vulnerability if it is present.
PV guests can exploit the vulnerability only if they have been granted
access to physical device(s).

Non-AMD CPUs are not vulnerable.

CREDITS
=======

This issue's security impact was discovered by Jan Beulich.

MITIGATION
==========

This issue can be avoided by neither running HVM guests, nor assigning
PCI devices to PV guests.

RESOLUTION
==========

The attached patch contains a software workaround which resolves this
issue.

Alternatively, the recommended workaround can be implemented in
firmware, so a suitable firmware update will resolve the issue.
If you require a firmware update please consult your vendor.

xsa82.patch             Xen 4.1.x, Xen 4.2.x, Xen 4.3.x, xen-unstable

$ sha256sum xsa82*.patch
0a58f3564ca91fd2668c202446c607fdb1ec8643e558a3921046d43675f58c08  xsa82.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJSnL+JAAoJEIP+FMlX6CvZw6gIAKqUkevFcn14iRT7g6iiTjbw
Fq9oiu/RtSmPDS/8FkAW6vdhYTe5cA6wCxUbErp/oZ6IwtlAmbZUQ2oVrfw8Tep/
G1hpLDkGLeRD4sqPB3Yj/RS8MUWlZhX3H9FwJLzhDqFaGiVAOHe3zl/OgwMFEnUx
PYSxdgPeiU3gavpJcDd5JamID+wLkihXMOHFKtdziOZsEAuv2lhIBSCamOVc638m
vRMtE4LbcUCv80EvvMxtrUDkt+M+TS2JfQK+09mr5/hFkyicoeEawYLgeWUbuNhj
CWbcKdyat6GauvhL46NE/aWlbUqSXHc8jcIdCDM2pRK1NR86qJiMC5av5EcPjOo=
=V/Az
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa82.patch"
Content-Disposition: attachment; filename="xsa82.patch"
Content-Transfer-Encoding: base64

eDg2L0FNRDogd29yayBhcm91bmQgZXJyYXR1bSA3OTMKClRoZSByZWNvbW1l
bmRhdGlvbiBpcyB0byBzZXQgYSBiaXQgaW4gYW4gTVNSIC0gZG8gdGhpcyBp
ZiB0aGUgZmlybXdhcmUKZGlkbid0LCBjb25zaWRlcmluZyB0aGF0IG90aGVy
d2lzZSB3ZSBleHBvc2Ugb3Vyc2VsdmVzIHRvIGEgZ3Vlc3QKaW5kdWNlZCBE
b1MuCgpUaGlzIGlzIENWRS0yMDEzLTY4ODUgLyBYU0EtODIuCgpTaWduZWQt
b2ZmLWJ5OiBKYW4gQmV1bGljaCA8amJldWxpY2hAc3VzZS5jb20+CkFja2Vk
LWJ5OiBTdXJhdmVlIFN1dGhpa3VscGFuaXQgPHN1cmF2ZWUuc3V0aGlrdWxw
YW5pdEBhbWQuY29tPgoKLS0tIGEveGVuL2FyY2gveDg2L2NwdS9hbWQuYwor
KysgYi94ZW4vYXJjaC94ODYvY3B1L2FtZC5jCkBAIC00NzYsNiArNDc2LDIw
IEBAIHN0YXRpYyB2b2lkIF9fZGV2aW5pdCBpbml0X2FtZChzdHJ1Y3QgY3AK
IAkJICAgICAgICIqKiogUGFzcyBcImFsbG93X3Vuc2FmZVwiIGlmIHlvdSdy
ZSB0cnVzdGluZyIKIAkJICAgICAgICIgYWxsIHlvdXIgKFBWKSBndWVzdCBr
ZXJuZWxzLiAqKipcbiIpOwogCisJaWYgKGMtPng4NiA9PSAweDE2ICYmIGMt
Png4Nl9tb2RlbCA8PSAweGYpIHsKKwkJcmRtc3JsKE1TUl9BTUQ2NF9MU19D
RkcsIHZhbHVlKTsKKwkJaWYgKCEodmFsdWUgJiAoMSA8PCAxNSkpKSB7CisJ
CQlzdGF0aWMgYm9vbF90IHdhcm5lZDsKKworCQkJaWYgKGMgPT0gJmJvb3Rf
Y3B1X2RhdGEgfHwgb3B0X2NwdV9pbmZvIHx8CisJCQkgICAgIXRlc3RfYW5k
X3NldF9ib29sKHdhcm5lZCkpCisJCQkJcHJpbnRrKEtFUk5fV0FSTklORwor
CQkJCSAgICAgICAiQ1BVJXU6IEFwcGx5aW5nIHdvcmthcm91bmQgZm9yIGVy
cmF0dW0gNzkzXG4iLAorCQkJCSAgICAgICBzbXBfcHJvY2Vzc29yX2lkKCkp
OworCQkJd3Jtc3JsKE1TUl9BTUQ2NF9MU19DRkcsIHZhbHVlIHwgKDEgPDwg
MTUpKTsKKwkJfQorCX0KKwogCS8qIEFNRCBDUFVzIGRvIG5vdCBzdXBwb3J0
IFNZU0VOVEVSIG91dHNpZGUgb2YgbGVnYWN5IG1vZGUuICovCiAJY2xlYXJf
Yml0KFg4Nl9GRUFUVVJFX1NFUCwgYy0+eDg2X2NhcGFiaWxpdHkpOwogCi0t
LSBhL3hlbi9pbmNsdWRlL2FzbS14ODYvbXNyLWluZGV4LmgKKysrIGIveGVu
L2luY2x1ZGUvYXNtLXg4Ni9tc3ItaW5kZXguaApAQCAtMjEzLDYgKzIxMyw3
IEBACiAKIC8qIEFNRDY0IE1TUnMgKi8KICNkZWZpbmUgTVNSX0FNRDY0X05C
X0NGRwkJMHhjMDAxMDAxZgorI2RlZmluZSBNU1JfQU1ENjRfTFNfQ0ZHCQkw
eGMwMDExMDIwCiAjZGVmaW5lIE1TUl9BTUQ2NF9JQ19DRkcJCTB4YzAwMTEw
MjEKICNkZWZpbmUgTVNSX0FNRDY0X0RDX0NGRwkJMHhjMDAxMTAyMgogI2Rl
ZmluZSBBTUQ2NF9OQl9DRkdfQ0Y4X0VYVF9FTkFCTEVfQklUCTQ2Cg==

--=separator--
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC