Information

AdvisoryXSA-122
Public release 2015-03-05 12:00
Updated 2015-03-05 12:18
Version 3
CVE(s) CVE-2015-2045
Title Information leak through version information hypercall

Files

advisory-122.txt (signed advisory file)
xsa122.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2015-2045 / XSA-122
                              version 3

         Information leak through version information hypercall

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The code handling certain sub-operations of the HYPERVISOR_xen_version
hypercall fails to fully initialize all fields of structures
subsequently copied back to guest memory. Due to this hypervisor stack
contents are copied into the destination of the operation, thus
becoming visible to the guest.

IMPACT
======

A malicious guest might be able to read sensitive data relating to
other guests.

VULNERABLE SYSTEMS
==================

Xen 3.2.x and later are vulnerable.
Xen 3.1.x and earlier have not been inspected.

MITIGATION
==========

There is no mitigation available for this issue.

CREDITS
=======

This issue was discovered by Aaron Adams of NCC Group.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa122.patch        xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa122*.patch
13404ef363ee347db1571ee91afaa962a68e616a7596c2441a29e26f6db9ec47  xsa122.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJU+EmQAAoJEIP+FMlX6CvZZxIIAJVuGIRZ1dEiX1VPY71dZ52t
CSIBfHMpynwxT7oUwbw/Akk3d1M/uAV/8QvM1DoG9//U6hQgZfY5UVn3Ihp1k7Fy
BitDKdDn3T10ys/URtotX+8+Alm1diM/6sIrAF5kG3IBf0VCkEaV5jVI0ZIuee5u
AOHhj9HJN9bPRGSTlNlkRx0Tjlw8Worrluex2romagALxLEXYejOM8syuQl5qSFj
VdqhNvmZV23664ZTrgSZxU17O+AajMNi+M9sYUFSPfAA8VHu42G7Ox4CqY7pxyg7
b9g2BgVVWRkZIhZPYeEr3RcxNP7wITAeFYP18c48VBd6gmHYK9sSwwSoXgYGuwE=
=ddMG
-----END PGP SIGNATURE-----


Xenproject.org Security Team