-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2015-8555 / XSA-165
                              version 3

        information leak in legacy x86 FPU/XMM initialization

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

When XSAVE/XRSTOR are not in use by Xen to manage guest extended
register state, the initial values in the FPU stack and XMM registers
seen by the guest upon first use are those left there by the previous
user of those registers.

IMPACT
======

A malicious domain may be able to leverage this to obtain sensitive
information such as cryptographic keys from another domain.

VULNERABLE SYSTEMS
==================

All Xen versions are vulnerable.

Only x86 systems without XSAVE support or with XSAVE support disabled
are vulnerable.  ARM systems are not vulnerable.

MITIGATION
==========

On XSAVE capable systems, not turning off XSAVE support via the
"no-xsave" hypervisor command line option (or - when defaulting to off -
turning it on via the "xsave" hypervisor command line option) will
avoid the vulnerability.

To find out whether XSAVE is in use, consult the hypervisor log
(obtainable e.g. via "xl dmesg") and look for a message of the form

  "xstate_init: using cntxt_size: ... and states: ..."

If such a message is present then XSAVE is in use.  But note that due
to log buffer size restrictions this boot time message may have
scrolled off.

There is no known mitigation on XSAVE-incapable systems.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.
xsa165.patch           xen-unstable
xsa165-4.6.patch       Xen 4.6.x
xsa165-4.5.patch       Xen 4.5.x, Xen 4.4.x
xsa165-4.3.patch       Xen 4.3.x

$ sha256sum xsa165*
6422db857dd469f5978b80be95e93d1db4bab965668430e07005b7b6369742be  xsa165.patch
bced245fb1111b7fa2db642971cceb0523e691367ba8bfbc6ff0da421f198c97  xsa165-4.3.patch
dd15e301f2757e0c7975bdccfe49ddf41c730bc124dd90166e0844d332eeedad  xsa165-4.5.patch
4bb18f2e44f49f140932c2d1e956e2e28017439cbb0e76eb16a8af617c4112ac  xsa165-4.6.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the PATCH (or others which are substantially similar) is
permitted during the embargo, even on public-facing systems with
untrusted guest users and administrators.

However deployment of the XSAVE ENABLEMENT MITIGATION is NOT permitted
(except where all the affected systems and VMs are administered and
used only by organisations which are members of the Xen Project
Security Issues Predisclosure List).  Specifically, deployment on
public cloud systems is NOT permitted.

This is because enabling xsave is visible to guests, so such deployment
could lead to the rediscovery of the vulnerability.

Deployment of the mitigation is permitted only AFTER the embargo ends.

Also: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:

  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJWcqzAAAoJEIP+FMlX6CvZAYYH/1KqrQG0r23AiTYXqS4IBYMd
RU5edyJkNKRCkJMU3m20LPyZ4/NCMg8rgejLHQDiHav0CNUEX6gUSqIUm8d3vrNg
IYtGNhLZUcjRqRK1f/oqgFw3TEXlC59EQdSKdNLaZ+Fj/HN4TQtaQWpUW0r5OYXi
tSbZYJ+NT4wHLzmai2tdFekVEBFzL+e6RxngrAl+X17mX3O0jdHFpOPqjwGCXXhh
N46sZTi/o3QSHBG7yzcxlA5HKJArxVAQNSKJJrSaj3m8O44V5d6+IkMmCpexvq/R
rFA1iiMXu481UQq6kLNIC2kpgSNUaNTHDElVQdeUUGu95INAgsrlMdUqNKL2V8o=
=QBGV
-----END PGP SIGNATURE-----
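Editor's addition, placed after the signed advisory so as not to alter the signed text: the MITIGATION section tells an administrator to look in the "xl dmesg" output for the "xstate_init: using cntxt_size:" line, and warns that the boot-time message may have scrolled off the log buffer. The script below is not part of the XSA-165 advisory or of Xen; it turns that guidance into a three-way check (XSAVE in use, XSAVE not in use, or log scrolled so nothing can be concluded) and also reports whether the hypervisor command line recorded in the log carries the "no-xsave" option. The sample logs are constructed, not captured from a real host, and the use of the "(XEN) Xen version" boot banner as evidence that the start of the log is still in the buffer is an assumption of this example, not something the advisory states.

```shell
#!/bin/sh
# Added example, not part of the XSA-165 advisory or of Xen.
#
# Classify a Xen hypervisor log (the text "xl dmesg" prints) according to
# the advisory's MITIGATION guidance:
#   yes     - "xstate_init: using cntxt_size:" present, so XSAVE is in use
#   no      - that line is absent but the boot banner is still in the
#             buffer, so the boot-time portion did not scroll off and
#             XSAVE is genuinely not in use
#   unknown - the boot banner is gone too; the log has scrolled and the
#             absence of the xstate_init line proves nothing
#
# Assumption (not from the advisory): the buffer begins with a line of
# the form "(XEN) Xen version ...", used here as the "boot banner".

# xstate_in_use LOGTEXT -> prints "yes", "no" or "unknown"
xstate_in_use() {
    log="$1"
    if printf '%s\n' "$log" | grep -q 'xstate_init: using cntxt_size:'; then
        echo yes
    elif printf '%s\n' "$log" | grep -q '^(XEN) Xen version'; then
        echo no
    else
        echo unknown
    fi
}

# cmdline_disables_xsave LOGTEXT -> exit status 0 when the hypervisor
# command line recorded in the log contains the "no-xsave" option
cmdline_disables_xsave() {
    printf '%s\n' "$1" | grep '^(XEN) Command line:' \
        | grep -qE '(^|[[:space:]])no-xsave([[:space:]]|$)'
}

# Constructed sample logs for the three outcomes (not real captures).
XSAVE_LOG='(XEN) Xen version 4.6.0 (root@) (gcc (Debian 4.9.2-10) 4.9.2) debug=n  Mon Dec  7 12:00:00 UTC 2015
(XEN) Command line: dom0_mem=1024M
(XEN) xstate_init: using cntxt_size: 0x340 and states: 0x7
(XEN) Brought up 4 CPUs'

NOXSAVE_LOG='(XEN) Xen version 4.6.0 (root@) (gcc (Debian 4.9.2-10) 4.9.2) debug=n  Mon Dec  7 12:00:00 UTC 2015
(XEN) Command line: dom0_mem=1024M no-xsave
(XEN) Brought up 4 CPUs'

SCROLLED_LOG='(XEN) Brought up 4 CPUs
(XEN) Dom0 has maximum 4 VCPUs'

# When run on a Xen dom0 with the xl tool installed, check the live log.
if command -v xl >/dev/null 2>&1; then
    live="$(xl dmesg 2>/dev/null)"
    case "$(xstate_in_use "$live")" in
        yes)
            echo "XSAVE in use: XSA-165 is avoided by XSAVE enablement" ;;
        no)
            if cmdline_disables_xsave "$live"; then
                echo "XSAVE disabled by no-xsave on the command line: remove it, or apply the XSA-165 patch"
            else
                echo "XSAVE not in use: apply the XSA-165 patch (no mitigation on XSAVE-incapable hardware)"
            fi ;;
        unknown)
            echo "boot-time messages have scrolled off: re-check right after a reboot, or verify the patch level" ;;
    esac
fi
```

The "unknown" outcome matters in practice: an automated compliance check that only greps for the xstate_init line and treats its absence as "XSAVE off" will raise false alarms on long-running hosts whose log buffer has wrapped, while one that treats absence as "fine" will miss genuinely vulnerable hosts; separating the two cases is the point of the boot-banner test.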