Xen Lets Local Guests Obtain Hypervisor Heap Memory Contents
SecurityTracker Alert ID: 1030442
SecurityTracker URL: http://securitytracker.com/id/1030442
Date: Jun 18 2014
Impact: Disclosure of system information, Disclosure of user information
Fix Available: Yes  Vendor Confirmed: Yes
Version(s): 3.2.x and later
A vulnerability was reported in Xen. A local user can obtain potentially sensitive information from other domains.
The system does not properly control access to memory pages during memory cleanup for dying guest systems. A local user on a guest system can access information from guest or hypervisor memory, potentially including guest CPU register state and hypercall arguments.
Versions 3.1.x and prior have not been evaluated to determine if they are affected.
Jan Beulich reported this vulnerability.
A local user on a guest system can access information from guest or hypervisor memory in certain cases.
The vendor has issued a fix (xsa100.patch; Advisory XSA-100).
[Editor's note: On systems with AMD IOMMU, an additional commit is necessary. See the advisory for more information.]
Vendor URL: www.xen.org/
Cause: Access control error
Underlying OS: Linux (Any)
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Subject: [oss-security] Xen Security Advisory 100 (CVE-2014-4021) - Hypervisor heap contents leaked to guests
Xen Security Advisory CVE-2014-4021 / XSA-100
Hypervisor heap contents leaked to guests
UPDATES IN VERSION 3
Public Release. CVE assigned.
While memory pages recovered from dying guests are being cleaned to avoid
leaking sensitive information to other guests, memory pages that were in
use by the hypervisor and are eligible to be allocated to guests weren't
being properly cleaned. Such exposure of information would happen through
memory pages freshly allocated to or by the guest.
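As an added illustration (not Xen's code, and not the xsa100.patch itself, which is not reproduced on this page), here is a toy page allocator showing why scrubbing only a dying guest's pages is insufficient: a page the hypervisor used and then returned to the guest-eligible pool must be scrubbed as well. The owner tags, pool size and sample page contents are constructed for the model.

```c
/* Toy model of scrub-on-free in a page allocator (added example, not Xen's
 * code): a page recycled into the guest-eligible pool must be scrubbed
 * no matter who last used it, guest or hypervisor. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define PAGE_SIZE 64 /* tiny pages keep the model readable */
#define NR_PAGES 4
enum owner { OWNER_NONE, OWNER_GUEST, OWNER_HYPERVISOR };
struct page { enum owner owner; bool free; uint8_t data[PAGE_SIZE]; };
static struct page pool[NR_PAGES];
/* Pre-fix policy as the advisory describes it: only pages coming back from a
 * dying guest were cleaned; hypervisor-owned pages kept their contents. */
static void free_page_vulnerable(struct page *pg)
{
    if (pg->owner == OWNER_GUEST)
        memset(pg->data, 0, PAGE_SIZE);
    pg->owner = OWNER_NONE;
    pg->free = true;
}
/* Fixed policy: every page that becomes eligible for guest allocation is
 * scrubbed, regardless of its previous owner. */
static void free_page_fixed(struct page *pg)
{
    memset(pg->data, 0, PAGE_SIZE);
    pg->owner = OWNER_NONE;
    pg->free = true;
}
/* Hand the first free page to a guest; allocation itself does not scrub. */
static struct page *alloc_page_for_guest(void)
{
    for (int i = 0; i < NR_PAGES; i++)
        if (pool[i].free) {
            pool[i].free = false; pool[i].owner = OWNER_GUEST;
            return &pool[i];
        }
    return NULL;
}
/* True if a page the hypervisor wrote, then freed with free_fn, still carries
 * those bytes when a guest receives it: the leak XSA-100 describes. */
static bool page_leaks_after_free(void (*free_fn)(struct page *))
{
    static const char secret[] = "hypercall-args"; /* constructed contents */
    memset(pool, 0, sizeof(pool)); /* every page busy and empty */
    pool[0].owner = OWNER_HYPERVISOR;
    memcpy(pool[0].data, secret, sizeof(secret));
    free_fn(&pool[0]);
    struct page *g = alloc_page_for_guest();
    return g != NULL && memcmp(g->data, secret, sizeof(secret)) == 0;
}
```

The pre-fix policy hands the hypervisor's bytes to the next guest allocation; the fixed policy does not, which is the property a scrub-on-free check in a real allocator should assert.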
Normally the leaked data is administrative information of limited
value to an attacker. However, scenarios exist where guest CPU
register state and hypercall arguments might be leaked.
A malicious guest might be able to read data relating to other guests
or the hypervisor itself.
Data at rest in guest memory or storage (filesystems) is not affected.
However, it is possible for an attacker to obtain modest amounts of
in-flight and in-use data, which might contain passwords or
Xen 3.2.x and later are vulnerable.
Xen 3.1.x and earlier have not been inspected.
No comprehensive mitigation is available.
An attacker will find it easier to obtain sensitive data from a victim
guest if the attacker is able to initiate domain management operations
and lifecycle events for that guest. This includes a situation where
the attacker can cause the victim guest to crash.
Therefore the risk from this vulnerability can be somewhat reduced by
restricting management (such as migration or resource adjustment) to
fully trusted guest or host administrators, and by eliminating any
Denial of Service vulnerabilities against potential victim guests.
This issue was discovered by Jan Beulich.
Applying the attached patch resolves this issue.
xsa100.patch xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x, Xen 4.1.x
Note that to avoid a regression on systems with AMD IOMMU, on 4.2.x and later
additionally commit 6b4d71d0 ("AMD IOMMU: don't free page table prematurely")
will be required if not already in place in the respective tree.
$ sha256sum xsa100*.patch