Information

Advisory XSA-269
Public release 2018-08-14 17:00
Updated 2023-12-15 15:35
Version 4
CVE(s) CVE-2018-15468
Title x86: Incorrect MSR_DEBUGCTL handling lets guests enable BTS

Files

advisory-269.txt (signed advisory file)
xsa269.meta
xsa269.patch
xsa269-4.8.patch
xsa269-4.10.patch
xsa269-4.11.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2018-15468 / XSA-269
                               version 4

      x86: Incorrect MSR_DEBUGCTL handling lets guests enable BTS

UPDATES IN VERSION 4
====================

Normalize version tags

ISSUE DESCRIPTION
=================

The DEBUGCTL MSR contains several debugging features, some of which virtualise
cleanly, but some do not.  In particular, Branch Trace Store is not
virtualised by the processor, and software has to be careful to configure it
suitably not to lock up the core.  As a result, it must only be available to
fully trusted guests.

Unfortunately, in the case that vPMU is disabled, all value checking was
skipped, allowing the guest to chose any MSR_DEBUGCTL setting it likes.

IMPACT
======

A malicious or buggy guest administrator can lock up the entire host, causing
a Denial of Service.

VULNERABLE SYSTEMS
==================

Xen versions 4.6 and later are vulnerable.

Only systems using Intel CPUs are affected. ARM and AMD systems are
unaffected.

Only x86 HVM or PVH guests can exploit the vulnerability.  x86 PV guests
cannot exploit the vulnerability.

MITIGATION
==========

Running only x86 PV guests avoids the vulnerability.

CREDITS
=======

This issue was discovered by Andrew Cooper of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa269.patch           xen-unstable
xsa269-4.11.patch      Xen 4.11
xsa269-4.10.patch      Xen 4.10, 4.9
xsa269-4.8.patch       Xen 4.8, 4.7, 4.6

$ sha256sum xsa269*
4733d09bb63523744ca2ee172e2fade0c39082c15d9a746144f279cf1359b723  xsa269.meta
5a5fe36f1f876a5029493e7fa191436fd021929aaba2d820636df17f4ed20113  xsa269.patch
ea11cef818050bca13d4eb89294627c97e4cdb830124f679e77d37a44a370286  xsa269-4.8.patch
45ba1823530f329dd73088b77098e686b32f5daac0bc5177b2afea09f8c3593a  xsa269-4.10.patch
e0ca060311fb9ba3247e2fe65bca4806a131644f8894fd08be374904904b1944  xsa269-4.11.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmV8b/kMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZsNEIALcCn/17IJkyhzn43iA5CEZLkRQ0Gg45kWJkz2+j
bi+CreEjRPaoclycY38Dx+69d6RXcADBDYEW760QJlxPF4NGvKMwV9mPvoqrhffh
VhrpSoynsznI+HIK9wDrAcxn7NVQkjycDQ5bV3Jmj2eH4uKxAbOGipphrbub8C3A
zTkT8zGGtNuMANk15o/TUzPjXygbi00BTQLdGlgxYuwxFyTao4aA/KTEV7ovMYhJ
XWIj0E0zqyB1kTUYDf1oUVfc0Y+SujctWbXtmixZeNlJfplXn44XB8na76JZs6Ew
Up5y/7ZU+DhCI+2dFBn2gTUp4LS31LND1LZ6g0yXW2DrYpI=
=N5wf
-----END PGP SIGNATURE-----

Xenproject.org Security Team