Public release: 2015-03-05 12:00
Updated: 2015-03-05 12:18
Title: Information leak through version information hypercall
Files: advisory-122.txt (signed advisory file)
-----BEGIN PGP SIGNED MESSAGE-----
Xen Security Advisory CVE-2015-2045 / XSA-122
Information leak through version information hypercall
UPDATES IN VERSION 3
ISSUE DESCRIPTION
The code handling certain sub-operations of the HYPERVISOR_xen_version
hypercall fails to fully initialize all fields of structures that are
subsequently copied back to guest memory. As a result, hypervisor stack
contents are copied into the destination of the operation and become
visible to the guest.
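The defect class described above, modeled in a stand-alone program: a reply structure on the hypervisor stack has only its string bytes written, then the whole structure is copied to the guest, so every byte after the terminator is stale stack data. This is an added illustration, not Xen's code or the XSA-122 patch; the advisory does not name the affected sub-operations, and the structure layout, field size (INFO_LEN), handler names and the 0xAA marker standing in for stale stack contents are all assumptions made for the example. copy_to_guest() is modeled as memcpy(). The hardened handler zeroes the structure before filling it, which is the generic fix for this class.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Illustrative reply structure: one fixed-size string field, the shape of
 * the version/extraversion/capabilities strings such hypercalls return.
 * INFO_LEN is an arbitrary size chosen for this example, not Xen's. */
#define INFO_LEN 16
typedef struct {
    char text[INFO_LEN];
} version_reply_t;

/* Marker byte standing in for stale hypervisor stack contents (whatever an
 * earlier call left behind in the same stack slot). Assumed for the demo. */
#define STALE_BYTE 0xAA

/* strlcpy-style copy: writes strlen(src)+1 bytes at most (truncating to
 * n-1 characters plus NUL) and does NOT pad the rest of dst, unlike strncpy.
 * This non-padding behaviour is what leaves the tail of the struct stale. */
static void copy_str(char *dst, const char *src, size_t n)
{
    size_t len = strlen(src);
    if (len >= n)
        len = n - 1;
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* The guest-visible copy at the end of the handler. In a hypervisor this is
 * copy_to_guest(); memcpy stands in for it here. */
static void copy_to_guest(uint8_t *guest_dst, const void *src, size_t n)
{
    memcpy(guest_dst, src, n);
}

/* Vulnerable pattern: *slot is the stack memory the handler's local reply
 * would occupy. Only the string bytes are written, yet the whole struct is
 * copied out, so every byte past the NUL is stale stack data. */
static void handler_vulnerable(version_reply_t *slot, const char *ver,
                               uint8_t *guest_dst)
{
    copy_str(slot->text, ver, sizeof(slot->text));
    copy_to_guest(guest_dst, slot, sizeof(*slot));
}

/* Hardened pattern: zero the entire struct before filling any field, so the
 * bytes copied out are fully defined whatever the string length is. */
static void handler_fixed(version_reply_t *slot, const char *ver,
                          uint8_t *guest_dst)
{
    memset(slot, 0, sizeof(*slot));
    copy_str(slot->text, ver, sizeof(slot->text));
    copy_to_guest(guest_dst, slot, sizeof(*slot));
}

/* Count how many bytes of the guest's copy still carry the stale marker. */
static size_t count_stale(const uint8_t *buf, size_t n)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (buf[i] == STALE_BYTE)
            count++;
    return count;
}

/* Run one handler against a slot pre-filled with stale data and report how
 * many stale bytes reach the guest. */
static size_t leaked_bytes(int fixed, const char *ver)
{
    version_reply_t slot;
    uint8_t guest_copy[sizeof(version_reply_t)];

    memset(&slot, STALE_BYTE, sizeof(slot));   /* simulate a dirty stack slot */
    if (fixed)
        handler_fixed(&slot, ver, guest_copy);
    else
        handler_vulnerable(&slot, ver, guest_copy);
    return count_stale(guest_copy, sizeof(guest_copy));
}

size_t leak_vulnerable(const char *ver) { return leaked_bytes(0, ver); }
size_t leak_fixed(const char *ver)      { return leaked_bytes(1, ver); }

int main(void)
{
    /* Constructed sample version strings: a short one, an empty one, and one
     * long enough to fill the field completely (no stale tail either way). */
    const char *samples[] = { "-unstable", "", "0123456789abcdefghij" };
    for (size_t i = 0; i < 3; i++)
        printf("\"%s\": vulnerable handler leaks %zu byte(s), fixed leaks %zu\n",
               samples[i], leak_vulnerable(samples[i]), leak_fixed(samples[i]));
    return 0;
}
```

The third sample shows why such leaks are easy to miss in testing: when the string happens to fill the field, nothing leaks even from the vulnerable handler, so the bug only shows for shorter values. Zeroing the whole structure (or building it with a designated initializer) before the copy removes the dependence on string length entirely.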
IMPACT
A malicious guest might be able to read sensitive data relating to
VULNERABLE SYSTEMS
Xen 3.2.x and later are vulnerable.
Xen 3.1.x and earlier have not been inspected.
MITIGATION
There is no mitigation available for this issue.
CREDITS
This issue was discovered by Aaron Adams of NCC Group.
RESOLUTION
Applying the attached patch resolves this issue.
xsa122.patch xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x
$ sha256sum xsa122*.patch
DEPLOYMENT DURING EMBARGO
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
Xenproject.org Security Team