Xen Security Advisory 269 v2 - x86: Incorrect MSR_DEBUGCTL handling lets guests enable BTS

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Xen Security Advisory 269 v2 - x86: Incorrect MSR_DEBUGCTL handling lets guests enable BTS

Xen.org security team
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                    Xen Security Advisory XSA-269
                              version 2

      x86: Incorrect MSR_DEBUGCTL handling lets guests enable BTS

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The DEBUGCTL MSR contains several debugging features, some of which virtualise
cleanly, but some do not.  In particular, Branch Trace Store is not
virtualised by the processor, and software has to be careful to configure it
suitably not to lock up the core.  As a result, it must only be available to
fully trusted guests.

Unfortunately, in the case that vPMU is disabled, all value checking was
skipped, allowing the guest to chose any MSR_DEBUGCTL setting it likes.

IMPACT
======

A malicious or buggy guest administrator can lock up the entire host, causing
a Denial of Service.

VULNERABLE SYSTEMS
==================

Xen versions 4.6 and later are vulnerable.

Only systems using Intel CPUs are affected. ARM and AMD systems are
unaffected.

Only x86 HVM or PVH guests can exploit the vulnerability.  x86 PV guests
cannot exploit the vulnerability.

MITIGATION
==========

Running only x86 PV guests avoids the vulnerability.

CREDITS
=======

This issue was discovered by Andrew Cooper of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa269.patch           xen-unstable
xsa269-4.11.patch      Xen 4.11
xsa269-4.10.patch      4.10, 4.9
xsa269-4.8.patch       Xen 4.8, 4.7, 4.6

$ sha256sum xsa269*
4733d09bb63523744ca2ee172e2fade0c39082c15d9a746144f279cf1359b723  xsa269.meta
5a5fe36f1f876a5029493e7fa191436fd021929aaba2d820636df17f4ed20113  xsa269.patch
ea11cef818050bca13d4eb89294627c97e4cdb830124f679e77d37a44a370286  xsa269-4.8.patch
45ba1823530f329dd73088b77098e686b32f5daac0bc5177b2afea09f8c3593a  xsa269-4.10.patch
e0ca060311fb9ba3247e2fe65bca4806a131644f8894fd08be374904904b1944  xsa269-4.11.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJbcw6sAAoJEIP+FMlX6CvZNaQIAIPnev8ld7Rt9Gaty0mymCq8
WkKMRcqqSTbmHCgFvsWPPoji9yqQZR5QMkb+q7voE7PvzqH5sTAP6i8tHtsPjZNS
jmron4grWnhoNMpM+jywIFjWyy0MT1WIDehP0GqzLIBgLODg1TIfGN1HMxBIxj5P
yC9BRiGLNkIclOKknh0Yo2fj04XX38rETpeT7J3kbfRw8wzx5sTRgoIwwkkfoqjj
GbcKSDmJmcm8OpCdl5xnMxdOxBv50p91j3VyBfOXzPeHw3sFzjURDSZgG16V5NY7
mrDzaHiRCFwdhN+k43zpyn8+A2JRI1dTz0yqGzJctyuCgFkkt4HEYLDafpeyEyg=
=CK+x
-----END PGP SIGNATURE-----

_______________________________________________
Xen-announce mailing list
[hidden email]
https://lists.xenproject.org/mailman/listinfo/xen-announce

xsa269.meta (2K) Download Attachment
xsa269.patch (6K) Download Attachment
xsa269-4.8.patch (7K) Download Attachment
xsa269-4.10.patch (6K) Download Attachment
xsa269-4.11.patch (5K) Download Attachment