openSUSE-SU-2012:1572

openSUSE-SU-2012:1573

[Xen-announce] 20120612 [Xen-announce] Xen Security Advisory 9 (CVE-2012-2934) - PV guest	host DoS (AMD erratum #121)

51413

55082

GLSA-201309-24

http://support.amd.com/us/Processor_TechDocs/25759.pdf

DSA-2501

53961

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2015-0068 for details.

This security update of XEN fixes various bugs and security issues.

  - Upstream patch 26088-xend-xml-filesize-check.patch

  - bnc#787163 - CVE-2012-4544: xen: Domain builder Out-of-     memory due to malicious kernel/ramdisk (XSA 25)     CVE-2012-4544-xsa25.patch

  - bnc#779212 - CVE-2012-4411: XEN / qemu: guest     administrator can access qemu monitor console (XSA-19)     CVE-2012-4411-xsa19.patch

  - bnc#786516 - CVE-2012-4535: xen: Timer overflow DoS     vulnerability CVE-2012-4535-xsa20.patch

  - bnc#786518 - CVE-2012-4536: xen: pirq range check DoS     vulnerability CVE-2012-4536-xsa21.patch

  - bnc#786517 - CVE-2012-4537: xen: Memory mapping failure     DoS vulnerability CVE-2012-4537-xsa22.patch

  - bnc#786519 - CVE-2012-4538: xen: Unhooking empty PAE     entries DoS vulnerability CVE-2012-4538-xsa23.patch

  - bnc#786520 - CVE-2012-4539: xen: Grant table hypercall     infinite loop DoS vulnerability     CVE-2012-4539-xsa24.patch

  - bnc#784087 - L3: Xen BUG at io_apic.c:129     26102-x86-IOAPIC-legacy-not-first.patch

  - Upstream patches from Jan     26054-x86-AMD-perf-ctr-init.patch     26055-x86-oprof-hvm-mode.patch     26056-page-alloc-flush-filter.patch     26061-x86-oprof-counter-range.patch     26062-ACPI-ERST-move-data.patch     26063-x86-HPET-affinity-lock.patch     26093-HVM-PoD-grant-mem-type.patch

  - Upstream patches from Jan     25931-x86-domctl-iomem-mapping-checks.patch     25952-x86-MMIO-remap-permissions.patch

------------------------------------------------------------------- Mon Sep 24 16:41:58 CEST 2012 - ohering@suse.de

  - use BuildRequires: gcc46 only in sles11sp2 or 12.1 to     fix build in 11.4

------------------------------------------------------------------- Thu Sep 20 10:03:40 MDT 2012 - carnold@novell.com

  - Upstream patches from Jan     25808-domain_create-return-value.patch     25814-x86_64-set-debugreg-guest.patch     25815-x86-PoD-no-bug-in-non-translated.patch     25816-x86-hvm-map-pirq-range-check.patch     25833-32on64-bogus-pt_base-adjust.patch     25834-x86-S3-MSI-resume.patch     25835-adjust-rcu-lock-domain.patch     25836-VT-d-S3-MSI-resume.patch 25850-tmem-xsa-15-1.patch     25851-tmem-xsa-15-2.patch 25852-tmem-xsa-15-3.patch     25853-tmem-xsa-15-4.patch 25854-tmem-xsa-15-5.patch     25855-tmem-xsa-15-6.patch 25856-tmem-xsa-15-7.patch     25857-tmem-xsa-15-8.patch 25858-tmem-xsa-15-9.patch     25859-tmem-missing-break.patch 25860-tmem-cleanup.patch     25883-pt-MSI-cleanup.patch     25927-x86-domctl-ioport-mapping-range.patch     25929-tmem-restore-pool-version.patch

  - bnc#778105 - first XEN-PV VM fails to spawn xend:
    Increase wait time for disk to appear in host bootloader     Modified existing xen-domUloader.diff

  - Upstream patches from Jan     25752-ACPI-pm-op-valid-cpu.patch     25754-x86-PoD-early-access.patch     25755-x86-PoD-types.patch     25756-x86-MMIO-max-mapped-pfn.patch     25757-x86-EPT-PoD-1Gb-assert.patch     25764-x86-unknown-cpu-no-sysenter.patch     25765-x86_64-allow-unsafe-adjust.patch     25771-grant-copy-status-paged-out.patch     25773-x86-honor-no-real-mode.patch     25786-x86-prefer-multiboot-meminfo-over-e801.patch

  - bnc#777890 - CVE-2012-3497: xen: multiple TMEM hypercall     vulnerabilities (XSA-15)     CVE-2012-3497-tmem-xsa-15-1.patch     CVE-2012-3497-tmem-xsa-15-2.patch     CVE-2012-3497-tmem-xsa-15-3.patch     CVE-2012-3497-tmem-xsa-15-4.patch     CVE-2012-3497-tmem-xsa-15-5.patch     CVE-2012-3497-tmem-xsa-15-6.patch     CVE-2012-3497-tmem-xsa-15-7.patch     CVE-2012-3497-tmem-xsa-15-8.patch     CVE-2012-3497-tmem-xsa-15-9.patch     tmem-missing-break.patch

This security update of XEN fixes various bugs and security issues.

  - Upstream patch 26088-xend-xml-filesize-check.patch

  - bnc#787163 - CVE-2012-4544: xen: Domain builder Out-of-     memory due to malicious kernel/ramdisk (XSA 25)     CVE-2012-4544-xsa25.patch

  - bnc#779212 - CVE-2012-4411: XEN / qemu: guest     administrator can access qemu monitor console (XSA-19)     CVE-2012-4411-xsa19.patch

  - bnc#786516 - CVE-2012-4535: xen: Timer overflow DoS     vulnerability CVE-2012-4535-xsa20.patch

  - bnc#786518 - CVE-2012-4536: xen: pirq range check DoS     vulnerability CVE-2012-4536-xsa21.patch

  - bnc#786517 - CVE-2012-4537: xen: Memory mapping failure     DoS vulnerability CVE-2012-4537-xsa22.patch

  - bnc#786519 - CVE-2012-4538: xen: Unhooking empty PAE     entries DoS vulnerability CVE-2012-4538-xsa23.patch

  - bnc#786520 - CVE-2012-4539: xen: Grant table hypercall     infinite loop DoS vulnerability     CVE-2012-4539-xsa24.patch

  - bnc#784087 - L3: Xen BUG at io_apic.c:129     26102-x86-IOAPIC-legacy-not-first.patch

  - Upstream patches from Jan     26054-x86-AMD-perf-ctr-init.patch     26055-x86-oprof-hvm-mode.patch     26056-page-alloc-flush-filter.patch     26061-x86-oprof-counter-range.patch     26062-ACPI-ERST-move-data.patch     26063-x86-HPET-affinity-lock.patch     26093-HVM-PoD-grant-mem-type.patch

  - Upstream patches from Jan     25931-x86-domctl-iomem-mapping-checks.patch     25952-x86-MMIO-remap-permissions.patch

  - Upstream patches from Jan     25808-domain_create-return-value.patch     25814-x86_64-set-debugreg-guest.patch     25815-x86-PoD-no-bug-in-non-translated.patch     25816-x86-hvm-map-pirq-range-check.patch     25833-32on64-bogus-pt_base-adjust.patch     25834-x86-S3-MSI-resume.patch     25835-adjust-rcu-lock-domain.patch     25836-VT-d-S3-MSI-resume.patch 25850-tmem-xsa-15-1.patch     25851-tmem-xsa-15-2.patch 25852-tmem-xsa-15-3.patch     25853-tmem-xsa-15-4.patch 25854-tmem-xsa-15-5.patch     25855-tmem-xsa-15-6.patch 25856-tmem-xsa-15-7.patch     25857-tmem-xsa-15-8.patch 25858-tmem-xsa-15-9.patch     25859-tmem-missing-break.patch 25860-tmem-cleanup.patch     25883-pt-MSI-cleanup.patch     25927-x86-domctl-ioport-mapping-range.patch     25929-tmem-restore-pool-version.patch

  - bnc#778105 - first XEN-PV VM fails to spawn xend:
    Increase wait time for disk to appear in host bootloader     Modified existing xen-domUloader.diff

  - Upstream patches from Jan     25752-ACPI-pm-op-valid-cpu.patch     25754-x86-PoD-early-access.patch     25755-x86-PoD-types.patch     25756-x86-MMIO-max-mapped-pfn.patch     25757-x86-EPT-PoD-1Gb-assert.patch     25764-x86-unknown-cpu-no-sysenter.patch     25765-x86_64-allow-unsafe-adjust.patch     25771-grant-copy-status-paged-out.patch     25773-x86-honor-no-real-mode.patch     25786-x86-prefer-multiboot-meminfo-over-e801.patch

  - bnc#777890 - CVE-2012-3497: xen: multiple TMEM hypercall     vulnerabilities (XSA-15)     CVE-2012-3497-tmem-xsa-15-1.patch     CVE-2012-3497-tmem-xsa-15-2.patch     CVE-2012-3497-tmem-xsa-15-3.patch     CVE-2012-3497-tmem-xsa-15-4.patch     CVE-2012-3497-tmem-xsa-15-5.patch     CVE-2012-3497-tmem-xsa-15-6.patch     CVE-2012-3497-tmem-xsa-15-7.patch     CVE-2012-3497-tmem-xsa-15-8.patch     CVE-2012-3497-tmem-xsa-15-9.patch     tmem-missing-break.patch

This update of XEN fixed multiple security flaws that could be exploited by local attackers to cause a Denial of Service or potentially escalate privileges. Additionally, several other upstream changes were backported.

The remote host is affected by the vulnerability described in GLSA-201309-24 (Xen: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Xen. Please review the       CVE identifiers referenced below for details.
  Impact :

    Guest domains could possibly gain privileges, execute arbitrary code, or       cause a Denial of Service on the host domain (Dom0). Additionally, guest       domains could gain information about other virtual machines running on       the same host or read arbitrary files on the host.
  Workaround :

    The CVEs listed below do not currently have fixes, but only apply to Xen       setups which have &ldquo;tmem&rdquo; specified on the hypervisor command line.
      TMEM is not currently supported for use in production systems, and       administrators using tmem should disable it.
      Relevant CVEs:
      * CVE-2012-2497
      * CVE-2012-6030
      * CVE-2012-6031
      * CVE-2012-6032
      * CVE-2012-6033
      * CVE-2012-6034
      * CVE-2012-6035
      * CVE-2012-6036

From Red Hat Security Advisory 2012:0721 :

Updated kernel packages that fix two security issues are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* It was found that the Xen hypervisor implementation as shipped with Red Hat Enterprise Linux 5 did not properly restrict the syscall return addresses in the sysret return path to canonical addresses. An unprivileged user in a 64-bit para-virtualized guest, that is running on a 64-bit host that has an Intel CPU, could use this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute arbitrary code at the hypervisor level. (CVE-2012-0217, Important)

* It was found that guests could trigger a bug in earlier AMD CPUs, leading to a CPU hard lockup, when running on the Xen hypervisor implementation. An unprivileged user in a 64-bit para-virtualized guest could use this flaw to crash the host. Warning: After installing this update, hosts that are using an affected AMD CPU (refer to Red Hat Bugzilla bug #824966 for a list) will fail to boot. In order to boot such hosts, the new kernel parameter, allow_unsafe, can be used ('allow_unsafe=on'). This option should only be used with hosts that are running trusted guests, as setting it to 'on' reintroduces the flaw (allowing guests to crash the host). (CVE-2012-2934, Moderate)

Note: For Red Hat Enterprise Linux guests, only privileged guest users can exploit the CVE-2012-0217 and CVE-2012-2934 issues.

Red Hat would like to thank the Xen project for reporting these issues. Upstream acknowledges Rafal Wojtczuk as the original reporter of CVE-2012-0217.

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

Three security issues were found in XEN.

Two security issues are fixed by this update :

  - Due to incorrect fault handling in the XEN hypervisor it     was possible for a XEN guest domain administrator to     execute code in the XEN host environment.
    (CVE-2012-0217)

  - Also a guest user could crash the guest XEN kernel due     to a protection fault bounce. The third fix is changing     the Xen behaviour on certain hardware:. (CVE-2012-0218)

  - The issue is a denial of service issue on older pre-SVM     AMD CPUs (AMD Erratum 121). AMD Erratum #121 is     described in 'Revision Guide for AMD Athlon 64 and AMD     Opteron Processors':
    http://support.amd.com/us/Processor_TechDocs/25759.pdf.
    (CVE-2012-2934)

    The following 130nm and 90nm (DDR1-only) AMD processors     are subject to this erratum :

  - First-generation AMD-Opteron(tm) single and dual core     processors in either 939 or 940 packages :

  - AMD Opteron(tm) 100-Series Processors

  - AMD Opteron(tm) 200-Series Processors

  - AMD Opteron(tm) 800-Series Processors

  - AMD Athlon(tm) processors in either 754, 939 or 940     packages

  - AMD Sempron(tm) processor in either 754 or 939 packages

  - AMD Turion(tm) Mobile Technology in 754 package This     issue does not effect Intel processors.

    The impact of this flaw is that a malicious PV guest     user can halt the host system.

    As this is a hardware flaw, it is not fixable except by     upgrading your hardware to a newer revision, or not     allowing untrusted 64bit guestsystems.

    The patch changes the behaviour of the host system     booting, which makes it unable to create guest machines     until a specific boot option is set.

    There is a new XEN boot option 'allow_unsafe' for GRUB     which allows the host to start guests again.

    This is added to /boot/grub/menu.lst in the line looking     like this :

    kernel /boot/xen.gz .... allow_unsafe

    Note: .... in this example represents the existing boot     options for the host.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

  - It was found that the Xen hypervisor implementation as     shipped with Scientific Linux 5 did not properly     restrict the syscall return addresses in the sysret     return path to canonical addresses. An unprivileged user     in a 64-bit para-virtualized guest, that is running on a     64-bit host that has an Intel CPU, could use this flaw     to crash the host or, potentially, escalate their     privileges, allowing them to execute arbitrary code at     the hypervisor level. (CVE-2012-0217, Important)

  - It was found that guests could trigger a bug in earlier     AMD CPUs, leading to a CPU hard lockup, when running on     the Xen hypervisor implementation. An unprivileged user     in a 64-bit para-virtualized guest could use this flaw     to crash the host. Warning: After installing this     update, hosts that are using an affected AMD CPU (refer     to upstream bug #824966 for a list) will fail to boot.
    In order to boot such hosts, the new kernel parameter,     allow_unsafe, can be used ('allow_unsafe=on'). This     option should only be used with hosts that are running     trusted guests, as setting it to 'on' reintroduces the     flaw (allowing guests to crash the host).
    (CVE-2012-2934, Moderate)

Note: For Scientific Linux guests, only privileged guest users can exploit the CVE-2012-0217 and CVE-2012-2934 issues.

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

Several vulnerabilities were discovered in Xen, a hypervisor.

  - CVE-2012-0217     Xen does not properly handle uncanonical return     addresses on Intel amd64 CPUs, allowing amd64 PV guests     to elevate to hypervisor privileges. AMD processors, HVM     and i386 guests are not affected.

  - CVE-2012-0218     Xen does not properly handle SYSCALL and SYSENTER     instructions in PV guests, allowing unprivileged users     inside a guest system to crash the guest system.

  - CVE-2012-2934     Xen does not detect old AMD CPUs affected by AMD Erratum     #121.

For CVE-2012-2934, Xen refuses to start domUs on affected systems unless the 'allow_unsafe' option is passed.

Updated kernel packages that fix two security issues are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* It was found that the Xen hypervisor implementation as shipped with Red Hat Enterprise Linux 5 did not properly restrict the syscall return addresses in the sysret return path to canonical addresses. An unprivileged user in a 64-bit para-virtualized guest, that is running on a 64-bit host that has an Intel CPU, could use this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute arbitrary code at the hypervisor level. (CVE-2012-0217, Important)

* It was found that guests could trigger a bug in earlier AMD CPUs, leading to a CPU hard lockup, when running on the Xen hypervisor implementation. An unprivileged user in a 64-bit para-virtualized guest could use this flaw to crash the host. Warning: After installing this update, hosts that are using an affected AMD CPU (refer to Red Hat Bugzilla bug #824966 for a list) will fail to boot. In order to boot such hosts, the new kernel parameter, allow_unsafe, can be used ('allow_unsafe=on'). This option should only be used with hosts that are running trusted guests, as setting it to 'on' reintroduces the flaw (allowing guests to crash the host). (CVE-2012-2934, Moderate)

Note: For Red Hat Enterprise Linux guests, only privileged guest users can exploit the CVE-2012-0217 and CVE-2012-2934 issues.

Red Hat would like to thank the Xen project for reporting these issues. Upstream acknowledges Rafal Wojtczuk as the original reporter of CVE-2012-0217.

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

Three security issues were found in XEN.

Two security issues are fixed by this update :

  - Due to incorrect fault handling in the XEN hypervisor it     was possible for a XEN guest domain administrator to     execute code in the XEN host environment.
    (CVE-2012-0217)

  - Also a guest user could crash the guest XEN kernel due     to a protection fault bounce. (CVE-2012-0218)

The third fix is changing the Xen behaviour on certain hardware :

  - The issue is a denial of service issue on older pre-SVM     AMD CPUs (AMD Erratum 121). (CVE-2012-2934)

    AMD Erratum #121 is described in 'Revision Guide for AMD     Athlon 64 and AMD Opteron Processors':
    http://support.amd.com/us/Processor_TechDocs/25759.pdf

    The following 130nm and 90nm (DDR1-only) AMD processors     are subject to this erratum :

o

First-generation AMD-Opteron(tm) single and dual core processors in either 939 or 940 packages :

  - AMD Opteron(tm) 100-Series Processors

  - AMD Opteron(tm) 200-Series Processors

  - AMD Opteron(tm) 800-Series Processors

  - AMD Athlon(tm) processors in either 754, 939 or 940     packages

  - AMD Sempron(tm) processor in either 754 or 939 packages

  - AMD Turion(tm) Mobile Technology in 754 package This     issue does not effect Intel processors.

    The impact of this flaw is that a malicious PV guest     user can halt the host system.

    As this is a hardware flaw, it is not fixable except by     upgrading your hardware to a newer revision, or not     allowing untrusted 64bit guestsystems.

    The patch changes the behaviour of the host system     booting, which makes it unable to create guest machines     until a specific boot option is set.

    There is a new XEN boot option 'allow_unsafe' for GRUB     which allows the host to start guests again.

    This is added to /boot/grub/menu.lst in the line looking     like this :

    kernel /boot/xen.gz .... allow_unsafe

    Note: .... in this example represents the existing boot     options for the host.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2012-0721.

ID	Name	Product	Family	Severity
84140	OracleVM 3.2 : xen (OVMSA-2015-0068) (POODLE) (Venom)	Nessus	OracleVM Local Security Checks	high
74821	openSUSE Security Update : XEN (openSUSE-SU-2012:1573-1)	Nessus	SuSE Local Security Checks	high
74820	openSUSE Security Update : XEN (openSUSE-SU-2012:1572-1)	Nessus	SuSE Local Security Checks	high
74683	openSUSE Security Update : xen (openSUSE-2012-404)	Nessus	SuSE Local Security Checks	high
74682	openSUSE Security Update : xen (openSUSE-SU-2012:0886-1)	Nessus	SuSE Local Security Checks	high
70184	GLSA-201309-24 : Xen: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
68540	Oracle Linux 5 : kernel (ELSA-2012-0721)	Nessus	Oracle Linux Local Security Checks	high
68539	Oracle Linux 5 : kernel (ELSA-2012-0721-1)	Nessus	Oracle Linux Local Security Checks	high
64233	SuSE 11.1 Security Update : Xen (SAT Patch Number 6399)	Nessus	SuSE Local Security Checks	high
61326	Scientific Linux Security Update : kernel on SL5.x i386/x86_64 (20120612)	Nessus	Scientific Linux Local Security Checks	high
59779	Debian DSA-2501-1 : xen - several vulnerabilities	Nessus	Debian Local Security Checks	high
59479	CentOS 5 : kernel (CESA-2012:0721)	Nessus	CentOS Local Security Checks	high
59469	SuSE 10 Security Update : Xen (ZYPP Patch Number 8180)	Nessus	SuSE Local Security Checks	high
59467	RHEL 5 : kernel (RHSA-2012:0721)	Nessus	Red Hat Local Security Checks	high
801518	CentOS RHSA-2012-0721 Security Check	Log Correlation Engine	Generic	high

CVE-2012-2934

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins