Difference between revisions of "EGI CSIRT:Alerts/XSA-108-2014-10-01"

** GREEN information - Community-wide distribution allowed                  **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI CSIRT ADVISORY [EGI-ADV-20141001]

Title:       HIGH Memory Leak in Xen (XSA-108, CVE-2014-7188) [EGI-ADV-20141001]
Date:        October 01, 2014
Last update: October 01, 2014
URL:         https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/EGI-ADV-20141001


Introduction
============

On 2010-10-01, a serious vulnerability in Xen was announced to the general
public by Xen Security Advisory 108 (XSA-108).  All Xen versions from 4.1
on running on x86 systems are vulnerable.  In these systems, HVM guest
systems can read part of the hypervisor's memory under certain
circumstances, leading to a potential leak of information from both the
hypervisor and other guest machines.

EGI CSIRT considers this to be a HIGH vulnerability; vendor patches should
be installed as soon as they become available.


Details
=======

Incorrect handling of machine-specific registers (MSR) in the Xen host
system allows Hardware-Virtualized Machine (HVM) guest systems to read
memory parts or registers assigned to the hypervisor or other guest
systems.  Under certain circumstances, it is possible that malicious guest
systems are able to read compromising data from either the hypervisor or
other guests, or is able to crash the entire system.  Due to the limited
scope of memory that a malicious guest is able to access through this bug
in combination with the observation that an attacking guest system has
almost no way of controlling exactly what part of memory it will be able to
read, the chances of a serious breach of privacy appear to be slim at this
point.

Paravirtualized (PV) guest systems cannot exploit this vulnerability;
therefore, running exclusively PV guests mitigates the issue.

At the time of this writing, no actual exploit code is publicly known.

For a discussion of this bug's impact, see the Qubes Security Bulletin
referenced below.


Mitigation
==========

As this bug can be exploited only by HVM guest machines, running PV guests
exclusively effectively eliminates the risks of this vulnerability at the
cost of requiring a customized guest OS.  Therefore, this mitigation path 
may not be feasible for all sites.                                        


Recommendations
===============

EGI-CSIRT recommends that sites running vulnerable versions of Xen
immediately apply vendor patches as they become available.  Until then, the
mitigation as described above is recommended to be implemented.

Vendor patches or non-vulnerability statements are already available for
these distributions:
 * CentOS: Vendor patch available.
 * Qubes OS: Vendor patch available.
 * Fedora 19: Vendor patch available.
 * RHEL5: Not vulnerable.

References
==========

 * CentOS: http://lists.centos.org/pipermail/centos-announce/2014-October/020664.html
 * Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1148465
 * Qubes Security Bulletin: https://groups.google.com/forum/#!msg/qubes-devel/HgQ_aWt-EBU/8VWzu2IrQdQJ
 * RHEL 5: https://bugzilla.redhat.com/show_bug.cgi?id=1144499
 * Xen Security Advisory: http://xenbits.xen.org/xsa/advisory-108.html

Timeline  
========

YYYY-MM-DD
2014-10-01: XSA-108 was published; EGI-ADV-20141001 was subsequently published.