Bug 513824 (CVE-2014-4021) - <app-emulation/xen-{4.2.4-r4,4.3.2-r4},<app-emulation/xen-tools-{4.2.4-r6,4.3.2-r5}: Hypervisor heap contents leaked to guests (CVE-2014-4021) (XSA-100)
Summary: <app-emulation/xen-{4.2.4-r4,4.3.2-r4},<app-emulation/xen-tools-{4.2.4-r6,4.3...
Status: RESOLVED FIXED
Alias: CVE-2014-4021
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-06-19 09:38 UTC by Agostino Sarubbo
Modified: 2014-07-16 16:47 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Agostino Sarubbo gentoo-dev 2014-06-19 09:38:18 UTC
From ${URL} :

              Xen Security Advisory CVE-2014-4021 / XSA-100
                             version 3

              Hypervisor heap contents leaked to guests

UPDATES IN VERSION 3
====================

Public Release.  CVE assigned.

ISSUE DESCRIPTION
=================

While memory pages recovered from dying guests are being cleaned to avoid
leaking sensitive information to other guests, memory pages that were in
use by the hypervisor and are eligible to be allocated to guests weren't
being properly cleaned.  Such exposure of information would happen through
memory pages freshly allocated to or by the guest.

Normally the leaked data is administrative information of limited
value to an attacker.  However, scenarios exist where guest CPU
register state and hypercall arguments might be leaked.

IMPACT
======

A malicious guest might be able to read data relating to other guests
or the hypervisor itself.

Data at rest in guest memory or storage (filesystems) is not affected.
However, it is possible for an attacker to obtain modest amounts of
in-flight and in-use data, which might contain passwords or
cryptographic keys.

VULNERABLE SYSTEMS
==================

Xen 3.2.x and later are vulnerable.
Xen 3.1.x and earlier have not been inspected.

MITIGATION
==========

No comprehensive mitigation is available.

An attacker will find it easier to obtain sensitive data from a victim
guest if the attacker is able to initiate domain management operations
and lifecycle events for that guest.  This includes a situation where
the attacker can cause the victim guest to crash.

Therefore the risk from this vulnerability can be somewhat reduced by
restricting management (such as migration or resource adjustment) to
fully trusted guest or host administrators, and by eliminating any
Denial of Service vulnerabilities against potential victim guests.

CREDITS
=======

This issue was discovered by Jan Beulich.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa100.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x, Xen 4.1.x

Note that to avoid a regression on systems with AMD IOMMU, on 4.2.x and later
additionally commit 6b4d71d0 ("AMD IOMMU: don't free page table prematurely")
found at
http://xenbits.xen.org/gitweb/?p=xen.git;a=commitdiff;h=6b4d71d028f445cba7426a144751fddc8bfdd67b
will be required if not already in place in the respective tree.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
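The advisory above describes the bug class in prose: pages recovered from a dying guest were scrubbed, but pages the hypervisor itself had used (and later released to the allocatable pool) were not, so a guest's fresh allocation could still carry hypervisor data. The following toy model, added here as an illustration and not taken from Xen's allocator or from the xsa100.patch, makes the two behaviours concrete. Every name in it (hv_use_page, hv_free_page_vuln, hv_free_page_fixed, guest_alloc_page, run_scenario), the 64-byte "page", and the sample secret string are invented for the example.

```c
/* Toy model of a page pool in which hypervisor-used pages are returned to
 * guests. Added illustration of the XSA-100 bug class; NOT Xen's code.
 * All identifiers and the sample data below are invented for this example. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 64   /* toy page size; real pages are 4 KiB */
#define NR_PAGES  4

static uint8_t heap[NR_PAGES][PAGE_SIZE];
static bool    page_free[NR_PAGES];
static bool    page_dirty[NR_PAGES];   /* written by the hypervisor since last scrub */

/* The hypervisor uses a page for internal state (e.g. a copy of hypercall
 * arguments or saved register state, the cases the advisory mentions). */
static void hv_use_page(int idx, const void *data, size_t len)
{
    page_free[idx]  = false;
    page_dirty[idx] = true;
    memcpy(heap[idx], data, len);
}

/* Vulnerable release: the page goes straight back to the allocatable pool,
 * contents intact. This models the behaviour the advisory describes. */
static void hv_free_page_vuln(int idx)
{
    page_free[idx] = true;
}

/* Fixed release: scrub any hypervisor-used page before it becomes
 * allocatable to a guest. */
static void hv_free_page_fixed(int idx)
{
    if (page_dirty[idx]) {
        memset(heap[idx], 0, PAGE_SIZE);
        page_dirty[idx] = false;
    }
    page_free[idx] = true;
}

/* Guest allocation: hand out the first free page, or NULL if none. */
static uint8_t *guest_alloc_page(void)
{
    for (int i = 0; i < NR_PAGES; i++) {
        if (page_free[i]) {
            page_free[i] = false;
            return heap[i];
        }
    }
    return NULL;
}

/* Guest-side observation: does a freshly allocated page still hold the
 * hypervisor's data? Returns 1 if leaked, 0 if clean, -1 if no page. */
static int guest_observes_leak(const char *secret)
{
    uint8_t *page = guest_alloc_page();
    if (page == NULL)
        return -1;
    return memcmp(page, secret, strlen(secret)) == 0 ? 1 : 0;
}

/* One scenario: reset the pool, let the hypervisor use page 0 for `secret`,
 * release it with `free_fn`, then let a guest allocate and look. */
static int run_scenario(void (*free_fn)(int), const char *secret)
{
    memset(heap, 0, sizeof heap);
    for (int i = 0; i < NR_PAGES; i++) {
        page_free[i]  = true;
        page_dirty[i] = false;
    }
    hv_use_page(0, secret, strlen(secret));
    free_fn(0);
    return guest_observes_leak(secret);
}

int main(void)
{
    /* Constructed sample data standing in for in-flight hypercall arguments. */
    const char *secret = "hypercall-arg:0xdeadbeef";
    printf("unscrubbed release: leak=%d\n", run_scenario(hv_free_page_vuln, secret));
    printf("scrubbed release:   leak=%d\n", run_scenario(hv_free_page_fixed, secret));
    return 0;
}
```

The point the model makes is the one in the advisory's IMPACT section: nothing the guest does is privileged, it simply allocates memory and reads it, so the only place to enforce the boundary is in the hypervisor's release or allocation path. Scrubbing on release (as the fixed variant does) costs a memset per page but closes the window regardless of which guest allocates next; the equivalent check on the allocation path would have to know that a page had been hypervisor-owned, which is exactly the bookkeeping the vulnerable path lacks.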
Comment 1 Yixun Lan gentoo-dev 2014-07-09 06:37:44 UTC
+*xen-4.4.0-r5 (09 Jul 2014)
+*xen-4.3.2-r4 (09 Jul 2014)
+*xen-4.2.4-r4 (09 Jul 2014)
+
+  09 Jul 2014; Yixun Lan <dlan@gentoo.org> +xen-4.2.4-r4.ebuild,
+  +xen-4.3.2-r4.ebuild, +xen-4.4.0-r5.ebuild:
+  bump stable/security patches, fix bug 515106, 513824
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-07-10 05:01:18 UTC
dlan,

As per discussion please either call for stabilization, or advise when ready for stabilization.
Comment 3 Yixun Lan gentoo-dev 2014-07-10 08:52:54 UTC
Arches, please test and mark stable:
=app-emulation/xen-4.2.4-r4
=app-emulation/xen-tools-4.2.4-r6
Target keywords Both : "amd64 x86"

=app-emulation/xen-4.3.2-r4
=app-emulation/xen-tools-4.3.2-r5
Target keywords Only: "amd64"
Comment 4 Agostino Sarubbo gentoo-dev 2014-07-12 11:01:17 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-07-12 11:01:28 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 6 Yixun Lan gentoo-dev 2014-07-12 14:19:04 UTC
thanks, old versions have been pruned out.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2014-07-15 21:54:49 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: Yes
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2014-07-15 21:55:18 UTC
CVE-2014-4021 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4021):
  Xen 3.2.x through 4.4.x does not properly clean memory pages recovered from
  guests, which allows local guest OS users to obtain sensitive information
  via unspecified vectors.
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2014-07-16 11:46:21 UTC
Added to an existing GLSA request.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2014-07-16 16:47:09 UTC
This issue was resolved and addressed in
 GLSA 201407-03 at http://security.gentoo.org/glsa/glsa-201407-03.xml
by GLSA coordinator Mikle Kolyada (Zlogene).