| Public release | 2015-03-05 12:00 |
| Updated | 2015-03-05 12:18 |
| Title | Information leak via internal x86 system device emulation |

Files: advisory-121.txt (signed advisory file)
Xen Security Advisory CVE-2015-2044 / XSA-121

Information leak via internal x86 system device emulation

UPDATES IN VERSION 3

Emulation routines in the hypervisor dealing with certain system
devices check whether the access size by the guest is a supported one.
When the access size is unsupported these routines failed to set the
data to be returned to the guest for read accesses, so that hypervisor
stack contents are copied into the destination of the operation, thus
becoming visible to the guest.
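
The failure mode described above, reduced to a self-contained C model (an added example, not code from Xen or from the attached patch). The device, its register value, the function names and the stale-stack marker are constructed, and returning all-ones for an unsupported size is an assumption rather than the patch's stated behaviour.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed marker standing in for leftover hypervisor stack contents. */
#define STALE_STACK 0xDEADBEEFu
/* Constructed value of the one-byte register of a hypothetical device. */
#define DEVICE_REG  0x5Au

typedef int (*read_fn)(unsigned int bytes, uint32_t *val);

/* Before: an unsupported size reports success but never writes *val. */
static int dev_read_before(unsigned int bytes, uint32_t *val)
{
    if (bytes != 1)
        return 1;
    *val = DEVICE_REG;
    return 1;
}

/* After: every path that reports success defines *val. All-ones is an
 * assumption here (what a read of an unclaimed port conventionally gives). */
static int dev_read_after(unsigned int bytes, uint32_t *val)
{
    *val = (bytes == 1) ? DEVICE_REG : ~0u;
    return 1;
}

/* Dispatch path: the handler fills a local slot, which is then copied to
 * the guest's destination, truncated to the access size (1, 2 or 4). */
static uint32_t guest_read(read_fn handler, unsigned int bytes)
{
    /* Real code leaves this uninitialised; the marker models stale stack. */
    uint32_t data = STALE_STACK;
    uint32_t mask = (bytes >= 4) ? ~0u : ((1u << (bytes * 8)) - 1);

    return handler(bytes, &data) ? (data & mask) : 0;
}

int main(void)
{
    printf("2-byte read, before: 0x%x\n", (unsigned)guest_read(dev_read_before, 2));
    printf("2-byte read, after:  0x%x\n", (unsigned)guest_read(dev_read_after, 2));
    return 0;
}
```

When auditing similar handlers, check that every return path reporting success writes the output parameter, including the size-check and default branches.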

A malicious HVM guest might be able to read sensitive data relating
to other guests.

Xen 3.2.x and later are vulnerable.
Xen 3.1.x and earlier have not been inspected.

Only HVM guests can take advantage of this vulnerability.

Only x86 systems are vulnerable. ARM systems are not vulnerable.

Running only PV guests will avoid this issue.

This issue was discovered by Jan Beulich of SUSE.

Applying the attached patch resolves this issue.

xsa121.patch        xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa121*.patch

DEPLOYMENT DURING EMBARGO

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)
Xenproject.org Security Team