Public release: 2015-12-17 12:00
Updated: 2015-12-17 12:38
Title: information leak in legacy x86 FPU/XMM initialization
Files: advisory-165.txt (signed advisory file)
-----BEGIN PGP SIGNED MESSAGE-----
Xen Security Advisory CVE-2015-8555 / XSA-165
information leak in legacy x86 FPU/XMM initialization
UPDATES IN VERSION 3
ISSUE DESCRIPTION
When XSAVE/XRSTOR are not in use by Xen to manage guest extended
register state, the initial values in the x87 FPU register stack and
the XMM registers seen by a guest upon its first use of them are
whatever the previous user of those registers left there.
IMPACT
A malicious domain may be able to leverage this to obtain sensitive
information, such as cryptographic keys, from another domain.
VULNERABLE SYSTEMS
All Xen versions are vulnerable.
Only x86 systems without XSAVE support or with XSAVE support disabled
ARM systems are not vulnerable.
MITIGATION
On XSAVE-capable systems, leaving XSAVE support enabled avoids the
vulnerability: do not pass the "no-xsave" hypervisor command line option
(or, on versions where XSAVE defaults to off, enable it with the "xsave"
hypervisor command line option). To find out whether XSAVE is in use,
consult the hypervisor log (obtainable e.g. via "xl dmesg") and look
for a message of the form
"xstate_init: using cntxt_size: <number> and states: <number>"
If such a message is present then XSAVE is in use. But note that due
to log buffer size restrictions this boot time message may have
There is no known mitigation on XSAVE-incapable systems.
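The log check described above, as an added example that is not part of the advisory or of Xen's own tooling: a POSIX shell script that classifies a saved hypervisor log (for example "xl dmesg > xen.log") as "in-use", "not-in-use" or "unknown", so that an operator can tell a genuinely XSAVE-less host apart from a log whose early boot messages have already scrolled out of the ring buffer. The xstate_init pattern is the one the advisory gives; using the "Xen version" boot banner as proof that the early messages survived, and the "Command line:" echo as a secondary signal for "no-xsave", are assumptions about Xen's boot output made here for illustration. The sample logs are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the advisory or from Xen): classify a saved Xen
# hypervisor log with respect to the XSA-165 mitigation.
#   sh xsa165-check.sh xen.log      # real use
#   sh xsa165-check.sh              # runs against the constructed samples

# Prints "in-use", "not-in-use" or "unknown"; exit status 0 only for "in-use".
# Assumption: the "Xen version" banner is printed before the xstate_init
# message, so if the banner survived in the ring buffer, so did that message.
xsave_status() {
    log=$1
    if grep -q 'xstate_init: using cntxt_size: [0-9a-fx]* and states: [0-9a-fx]*' "$log"; then
        echo in-use
        return 0
    fi
    if grep -q 'Xen version ' "$log"; then
        echo not-in-use
    else
        echo unknown
    fi
    return 1
}

# Prints "<cntxt_size> <states>" from the xstate_init line, or nothing if absent.
xsave_params() {
    sed -n 's/.*xstate_init: using cntxt_size: \([0-9a-fx]*\) and states: \([0-9a-fx]*\).*/\1 \2/p' "$1" | head -n 1
}

# Succeeds if "no-xsave" appears on the hypervisor command line echoed at boot
# (assumption: the "Command line:" line is still present in the log).
xsave_disabled_on_cmdline() {
    grep 'Command line:' "$1" | grep -q 'no-xsave'
}

# Constructed sample logs (not real machine output) so the script runs offline.
SAMPLE_IN_USE=$(mktemp)
SAMPLE_NO_XSAVE=$(mktemp)
SAMPLE_TRUNCATED=$(mktemp)
trap 'rm -f "$SAMPLE_IN_USE" "$SAMPLE_NO_XSAVE" "$SAMPLE_TRUNCATED"' EXIT

cat > "$SAMPLE_IN_USE" <<'EOF'
(XEN) Xen version 4.6.0 (constructed sample)
(XEN) Command line: dom0_mem=2048M
(XEN) xstate_init: using cntxt_size: 0x340 and states: 0x7
(XEN) Dom0 has maximum 4 VCPUs
EOF

cat > "$SAMPLE_NO_XSAVE" <<'EOF'
(XEN) Xen version 4.5.2 (constructed sample)
(XEN) Command line: dom0_mem=2048M no-xsave
(XEN) Dom0 has maximum 4 VCPUs
EOF

# Only recent messages survived: nothing can be concluded from this log.
cat > "$SAMPLE_TRUNCATED" <<'EOF'
(XEN) d3: VIRQ 4 (constructed sample)
(XEN) Dom3 has maximum 2 VCPUs
EOF

if [ -n "$1" ]; then
    xsave_status "$1"
else
    for f in "$SAMPLE_IN_USE" "$SAMPLE_NO_XSAVE" "$SAMPLE_TRUNCATED"; do
        status=$(xsave_status "$f") || :
        params=$(xsave_params "$f")
        echo "status=$status params='$params'"
    done
fi
```

An "unknown" result is the caveat the advisory makes about the ring buffer: rerun the check soon after boot, or capture the log early, before deciding that a host lacks XSAVE.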
CREDITS
This issue was discovered by Jan Beulich of SUSE.
RESOLUTION
Applying the appropriate attached patch resolves this issue.
xsa165-4.6.patch           Xen 4.6.x
xsa165-4.5.patch           Xen 4.5.x, Xen 4.4.x
xsa165-4.3.patch           Xen 4.3.x
$ sha256sum xsa165*
DEPLOYMENT DURING EMBARGO
Deployment of the PATCH (or others which are substantially similar) is
permitted during the embargo, even on public-facing systems with
untrusted guest users and administrators.
However, deployment of the XSAVE ENABLEMENT MITIGATION is NOT permitted
(except where all the affected systems and VMs are administered and
used only by organisations which are members of the Xen Project
Security Issues Predisclosure List). Specifically, deployment on
public cloud systems is NOT permitted.
This is because enabling xsave is visible to guests, so such
deployment could lead to the rediscovery of the vulnerability.
Deployment of the mitigation is permitted only AFTER the embargo ends.
Also: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
Xenproject.org Security Team