Xen Security Advisory CVE-2015-2751 / XSA-127
version 3

Certain domctl operations may be abused to lock up the host

UPDATES IN VERSION 3
====================

Fix patch name.

ISSUE DESCRIPTION
=================

XSA-77 put the majority of the domctl operations on a list excepting
them from having security advisories issued for them if any effects
their use might have could hamper security. Subsequently some of them
got declared disaggregation safe, but for a small subset this was not
really correct: Their (mis-)use may result in host lockups.

As a result, the potential security benefits of toolstack
disaggregation are not always fully realised.

IMPACT
======

Domains deliberately given partial management control may be able to
deny service to the entire host.

As a result, in a system designed to enhance security by radically
disaggregating the management, the security may be reduced. But, the
security will be no worse than a non-disaggregated design.

VULNERABLE SYSTEMS
==================

Xen versions 4.3 onwards are vulnerable.

Xen versions 4.2 and earlier do not have the described disaggregation
functionality and hence are not vulnerable.

MITIGATION
==========

The issues discussed in this advisory are themselves bugs in features
used for a security risk mitigation.

There is no further mitigation available, beyond general measures to
try to avoid parts of the system management becoming controlled by
attackers. Those are the kind of measures which we expect any users
of radical disaggregation to have already deployed.

Switching from disaggregated to a non-disaggregated operation does NOT
mitigate these vulnerabilities. Rather, it simply recategorises the
vulnerability to hostile management code, regarding it "as designed";
thus it merely reclassifies these issues as "not a bug".

Users and vendors of disaggregated systems should not change their
configuration. The robustness benefits of disaggregation are
unaffected, and (depending on system design) security benefits are
likely to remain despite the vulnerabilities.

CREDITS
=======

This issue was discovered by Andrew Cooper of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa127.patch        xen-unstable
xsa127-4.x.patch    Xen 4.5.x, Xen 4.4.x, Xen 4.3.x

$ sha256sum xsa127*.patch
5b98280738a205c40f56d0a7feb6ea6cd867da7ac1e0d9f4fc4620bae2c09171  xsa127.patch
e5fd3c126ae10fe45283e6eb1a4216b75057f1772d869d2b3a26398b0984c7bd  xsa127-4.x.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html