The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other platforms; new updates will be ignored and lost.
If needed you can get in touch with the EGI SDIS team using operations @ egi.eu.

Difference between revisions of "EGI CSIRT:Alerts/XSA-108-2014-10-01"


Latest revision as of 14:20, 3 November 2014



** WHITE information - Unlimited distribution allowed                       **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI CSIRT ADVISORY [EGI-ADV-20141030]

Title:       'HIGH' Risk - (Cloud) Memory Leak in Xen (XSA-108, CVE-2014-7188) [EGI-ADV-20141030]

Date:        2014-10-30
Updated: 

Placed on the Wiki on 3rd Nov, as an earlier version was already there and the vulnerability is public.

URL:         https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/EGI-ADV-20141030



Introduction
============

On 2014-10-01, a serious vulnerability in Xen was announced to the general public by Xen Security Advisory 108 (XSA-108) [R 1]
and has been assigned CVE-2014-7188 [R 2].

All Xen versions from 4.1 onwards running on x86 systems are vulnerable until the fix is applied.

In these systems, HVM guest systems can read part of the hypervisor's memory under certain circumstances, leading to a 
potential leak of information from both the hypervisor and other guest machines.

EGI CSIRT considers this to be a HIGH vulnerability; sites should update if they have not done so already. 
It is thought that all affected vendors have now resolved this.  


Details
=======

Incorrect handling of model-specific registers (MSR) in the Xen host system allows Hardware-Virtualized Machine (HVM)
guest systems to read parts of memory or registers assigned to the hypervisor or other guest systems.
Under certain circumstances, malicious guest systems may be able to read compromising data from either
the hypervisor or other guests, or to crash the entire system. Due to the limited scope of memory that a malicious
guest is able to access through this bug, in combination with the observation that an attacking guest system has almost no
way of controlling exactly which part of memory it will be able to read, the chances of a serious breach of privacy appear
to be slim at this point.

Paravirtualized (PV) guest systems cannot exploit this vulnerability; therefore, running exclusively PV guests mitigates the issue.

At the time of this writing, no actual exploit code is publicly known.

For a discussion of this bug's impact, see the Qubes Security Bulletin referenced below [R 3].


Mitigation
==========

As this bug can be exploited only by HVM guest machines, running PV guests exclusively effectively eliminates the risks of 
this vulnerability at the cost of VM performance.


Recommendations
===============

EGI-CSIRT recommends that sites running vulnerable versions of Xen immediately apply vendor patches as they become available.
Until then, sites are recommended to implement the mitigation described above.

Vendor patches or non-vulnerability statements are already available for these distributions:
 * CentOS: Vendor patch available [R 4]
 * Qubes OS: Vendor patch available [R 3] 
 * Fedora 19: Vendor patch available [R 5]
 * RHEL5: Not vulnerable. [R 6]
 * Citrix: Vendor patch available [R 7] 
 * Debian: Vendor patch available [R 8]
 * Ubuntu: Vendor patch available [R 9]

Other information is linked from [R 2].
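As an added triage helper (not part of the original advisory), the script below applies the two facts above to captured `xl info` and `xl list -l` output: Xen 4.1 or later is in the affected range until the vendor patch is confirmed, and only HVM guests can trigger the bug, so a host running PV guests exclusively is mitigated. The sample outputs are constructed and abridged; the libxl JSON field names `c_info`, `type` and `name` are assumed from the `xl list -l` format.

```python
"""Triage helper for XSA-108 (CVE-2014-7188): flags Xen hosts whose version is
in the affected range and lists the HVM guests, which are the only guests that
can trigger the bug.  Works on captured `xl info` / `xl list -l` output."""
import json
import re

# Constructed, abridged sample of `xl info` output (not from a real host).
SAMPLE_XL_INFO = """host                   : xen-host-01
xen_major              : 4
xen_minor              : 4
xen_extra              : .0
xen_version            : 4.4.0
"""

# Constructed, abridged sample of `xl list -l` output (libxl JSON; field
# names c_info/type/name are assumed from the libxl format).
SAMPLE_XL_LIST = json.dumps([
    {"c_info": {"type": "hvm", "name": "win7-worker"}},
    {"c_info": {"type": "pv", "name": "debian-pv"}},
    {"c_info": {"type": "hvm", "name": "centos-hvm"}},
])


def xen_version(xl_info_text):
    """Return (major, minor) parsed from the key : value lines of `xl info`."""
    fields = dict(re.findall(r"^(\w+)\s*:\s*(.*)$", xl_info_text, re.M))
    return int(fields["xen_major"]), int(fields["xen_minor"])


def in_affected_range(major, minor):
    """XSA-108: every Xen release from 4.1 onwards is affected until the
    vendor patch is applied; the version alone cannot prove it is patched."""
    return (major, minor) >= (4, 1)


def hvm_guests(xl_list_json):
    """Names of HVM guests; PV guests cannot exploit this bug."""
    return [d["c_info"]["name"] for d in json.loads(xl_list_json)
            if d["c_info"].get("type") == "hvm"]


def triage(xl_info_text, xl_list_json):
    """Combine both checks into one verdict string for the host."""
    major, minor = xen_version(xl_info_text)
    hvm = hvm_guests(xl_list_json)
    if not in_affected_range(major, minor):
        return "not-affected"
    if not hvm:
        return "affected-version-no-hvm-guests"  # PV-only host: mitigated
    return "affected-version-hvm-guests:" + ",".join(hvm)


if __name__ == "__main__":
    print(triage(SAMPLE_XL_INFO, SAMPLE_XL_LIST))
```

A host reported as `affected-version-hvm-guests` should be checked against the vendor advisories listed in the references to confirm the patch is installed.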

References
==========

[R 1]  Xen Security Advisory: http://xenbits.xen.org/xsa/advisory-108.html

[R 2]  NVD entry: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7188

[R 3]  Qubes Security Bulletin: https://groups.google.com/forum/#!msg/qubes-devel/HgQ_aWt-EBU/8VWzu2IrQdQJ

[R 4]  CentOS: http://lists.centos.org/pipermail/centos-announce/2014-October/020664.html

[R 5]  Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1148465
 
[R 6]  RHEL 5: https://bugzilla.redhat.com/show_bug.cgi?id=1144499

[R 7]  Citrix: http://support.citrix.com/article/CTX200218

[R 8]  Debian: https://security-tracker.debian.org/tracker/CVE-2014-7188

[R 9]  Ubuntu: http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-7188.html


Timeline
========

2014-10-01: XSA-108 was published.
2014-10-01: CSIRT considers this 'High' risk.
2014-10-29: Check that patches are available. 
2014-10-30: Alert sent to sites.
2014-11-03: This alert made public.

On behalf of EGI SVG and EGI CSIRT,