-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2018-15468 / XSA-269
                              version 4

      x86: Incorrect MSR_DEBUGCTL handling lets guests enable BTS

UPDATES IN VERSION 4
====================

Normalize version tags

ISSUE DESCRIPTION
=================

The DEBUGCTL MSR contains several debugging features, some of which
virtualise cleanly, but some do not.  In particular, Branch Trace Store
is not virtualised by the processor, and software has to be careful to
configure it suitably so as not to lock up the core.  As a result, it
must only be available to fully trusted guests.

Unfortunately, in the case that vPMU is disabled, all value checking was
skipped, allowing the guest to choose any MSR_DEBUGCTL setting it likes,
including the bits that enable BTS.

IMPACT
======

A malicious or buggy guest administrator can lock up the entire host,
causing a Denial of Service.

VULNERABLE SYSTEMS
==================

Xen versions 4.6 and later are vulnerable.

Only systems using Intel CPUs are affected.  ARM and AMD systems are
unaffected.

Only x86 HVM or PVH guests can exploit the vulnerability.  x86 PV guests
cannot exploit the vulnerability.

MITIGATION
==========

Running only x86 PV guests avoids the vulnerability.

CREDITS
=======

This issue was discovered by Andrew Cooper of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.
xsa269.patch           xen-unstable
xsa269-4.11.patch      Xen 4.11
xsa269-4.10.patch      Xen 4.10, 4.9
xsa269-4.8.patch       Xen 4.8, 4.7, 4.6

$ sha256sum xsa269*
4733d09bb63523744ca2ee172e2fade0c39082c15d9a746144f279cf1359b723  xsa269.meta
5a5fe36f1f876a5029493e7fa191436fd021929aaba2d820636df17f4ed20113  xsa269.patch
ea11cef818050bca13d4eb89294627c97e4cdb830124f679e77d37a44a370286  xsa269-4.8.patch
45ba1823530f329dd73088b77098e686b32f5daac0bc5177b2afea09f8c3593a  xsa269-4.10.patch
e0ca060311fb9ba3247e2fe65bca4806a131644f8894fd08be374904904b1944  xsa269-4.11.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:

  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmV8b/kMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZsNEIALcCn/17IJkyhzn43iA5CEZLkRQ0Gg45kWJkz2+j
bi+CreEjRPaoclycY38Dx+69d6RXcADBDYEW760QJlxPF4NGvKMwV9mPvoqrhffh
VhrpSoynsznI+HIK9wDrAcxn7NVQkjycDQ5bV3Jmj2eH4uKxAbOGipphrbub8C3A
zTkT8zGGtNuMANk15o/TUzPjXygbi00BTQLdGlgxYuwxFyTao4aA/KTEV7ovMYhJ
XWIj0E0zqyB1kTUYDf1oUVfc0Y+SujctWbXtmixZeNlJfplXn44XB8na76JZs6Ew
Up5y/7ZU+DhCI+2dFBn2gTUp4LS31LND1LZ6g0yXW2DrYpI=
=N5wf
-----END PGP SIGNATURE-----
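The bug pattern in the ISSUE DESCRIPTION above (MSR value validation that lives only inside the vPMU path, so it is skipped entirely when vPMU is disabled) can be shown as a small model. The following C is an added illustration written for this page, not Xen's code: the struct, the two handlers and the allow-list of guest-exposed bits are assumptions made for the example; only the IA32_DEBUGCTL bit positions are architectural. The "fixed" handler applies the allow-list unconditionally, which is the shape a reviewer should look for in the real patch.

```c
/*
 * Model of an MSR_DEBUGCTL write path (added example, not Xen's code).
 * Assumptions: struct vcpu_model, DEBUGCTL_GUEST_ALLOWED and the two
 * wrmsr_debugctl_* handlers are hypothetical. Bit positions follow the
 * architectural IA32_DEBUGCTL layout.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define DEBUGCTL_LBR                   (1ULL << 0)  /* last-branch recording */
#define DEBUGCTL_BTF                   (1ULL << 1)  /* single-step on branches */
#define DEBUGCTL_TR                    (1ULL << 6)  /* branch trace messages */
#define DEBUGCTL_BTS                   (1ULL << 7)  /* Branch Trace Store */
#define DEBUGCTL_BTINT                 (1ULL << 8)  /* BTS buffer-full interrupt */
#define DEBUGCTL_BTS_OFF_OS            (1ULL << 9)
#define DEBUGCTL_BTS_OFF_USR           (1ULL << 10)
#define DEBUGCTL_FREEZE_LBRS_ON_PMI    (1ULL << 11)
#define DEBUGCTL_FREEZE_PERFMON_ON_PMI (1ULL << 12)

/* Assumed policy for this example: the only bits exposed to a guest. */
#define DEBUGCTL_GUEST_ALLOWED (DEBUGCTL_LBR | DEBUGCTL_BTF)

/* Bits that configure Branch Trace Store. The CPU does not virtualise
 * these; a guest-chosen value can lock up the core. */
#define DEBUGCTL_BTS_MASK (DEBUGCTL_TR | DEBUGCTL_BTS | DEBUGCTL_BTINT | \
                           DEBUGCTL_BTS_OFF_OS | DEBUGCTL_BTS_OFF_USR)

struct vcpu_model {
    bool vpmu_enabled;
    uint64_t debugctl;   /* value that would be loaded into hardware */
};

/* True if the value programs any BTS-related feature. */
static bool debugctl_enables_bts(uint64_t val)
{
    return (val & DEBUGCTL_BTS_MASK) != 0;
}

/* Vulnerable shape (hypothetical): the allow-list is only checked on the
 * vPMU path, so with vPMU disabled the write goes through unchecked.
 * Returns true if the write is accepted, false meaning "inject #GP". */
static bool wrmsr_debugctl_vulnerable(struct vcpu_model *v, uint64_t val)
{
    if (v->vpmu_enabled && (val & ~DEBUGCTL_GUEST_ALLOWED))
        return false;
    v->debugctl = val;   /* BTS bits reach hardware when vPMU is off */
    return true;
}

/* Hardened shape (hypothetical): validate before any feature-specific
 * handling, so vPMU state cannot switch the check off. */
static bool wrmsr_debugctl_fixed(struct vcpu_model *v, uint64_t val)
{
    if (val & ~DEBUGCTL_GUEST_ALLOWED)
        return false;
    v->debugctl = val;
    return true;
}

int main(void)
{
    /* Constructed guest write: LBR plus a full BTS configuration. */
    const uint64_t guest_val = DEBUGCTL_LBR | DEBUGCTL_TR | DEBUGCTL_BTS |
                               DEBUGCTL_BTINT;
    struct vcpu_model vuln  = { .vpmu_enabled = false, .debugctl = 0 };
    struct vcpu_model fixed = { .vpmu_enabled = false, .debugctl = 0 };

    bool a = wrmsr_debugctl_vulnerable(&vuln, guest_val);
    bool b = wrmsr_debugctl_fixed(&fixed, guest_val);

    printf("vulnerable: accepted=%d bts_reaches_hw=%d\n",
           a, debugctl_enables_bts(vuln.debugctl));
    printf("fixed:      accepted=%d bts_reaches_hw=%d\n",
           b, debugctl_enables_bts(fixed.debugctl));
    return 0;
}
```

With vPMU disabled the vulnerable handler accepts the write and a BTS-enabling value reaches the hardware; the same handler with vPMU enabled rejects it, which is exactly the inconsistency the advisory describes. The hardened handler rejects the value regardless of vPMU state and still accepts LBR/BTF.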