Xen issue XSA-108 (XEN 0day)

[Jasson.Pass]

This is a short note to make you aware of the Xen security advisory XSA-108, which may have an impact on Xen hypervisors in SolusVM. It is not a SolusVM issue - it is an issue that affects many Xen environments. 

What is the nature of the advisory?
Unfortunately we are under embargo. We cannot reveal specific details of the issue or patches at this time.
The embargo will be lifted at 1pm UK time on Wednesday 1st October. 
If you are in a position to patch your Xen hypervisors now, we recommend you do so. Otherwise, we recommend that you prepare to patch your hypervisors as soon as possible after the embargo has lifted.

More information, coming soon
Keep watch on the Xen advisory site, where patches will be made available at 1pm on 1st October: http://xenbits.xen.org/xsa/. When the embargo has lifted we will publish a Knowledge Base article with details.
With thanks,
The SolusVM team

Been following up on this and apparently this is a VERY serious threat.

 

[blergh]

Seems pretty odd to issue a statement saying that there's a derp but no solution to said derp except after ~24h.

 

[Francisco]

Seems pretty odd to issue a statement saying that there's a derp but no solution to said derp except after ~24h.

I read it more as 'Hold onto your butts, this is going to get rocky'.

Francisco

 

[DomainBop]

I'd just like to remind all of the low end providers with slabbed nodes to apply the fixes tomorrow because the vulnerability is in the hypervisor. (and have fun explaining to your customers why their openvz nodes are being rebooted)

If you are in a position to patch your Xen hypervisors now,

ProviderService applied the patch and rebooted their Xen nodes today.

I have 2 servers running OracleVM (Xen 4.3) and one running Xen 4.12/Debian and I'll be scrambling to apply updates tomorrow.  Grumbles...

 

[texteditor]

what a couple of weeks for vulns

 

[DomainBop]

Embargo lifted...

----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

              Xen Security Advisory CVE-2014-7188 / XSA-108
                              version 4

              Improper MSR range used for x2APIC emulation

UPDATES IN VERSION 4
====================

Public release.

ISSUE DESCRIPTION
=================

The MSR range specified for APIC use in the x2APIC access model spans
256 MSRs. Hypervisor code emulating read and write accesses to these
MSRs erroneously covered 1024 MSRs. While the write emulation path is
written such that accesses to the extra MSRs would not have any bad
effect (they end up being no-ops), the read path would (attempt to)
access memory beyond the single page set up for APIC emulation.

IMPACT
======

A buggy or malicious HVM guest can crash the host or read data
relating to other guests or the hypervisor itself.

VULNERABLE SYSTEMS
==================

Xen 4.1 and onward are vulnerable.

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

CREDITS
=======

This issue was discovered Jan Beulich at SUSE.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa108.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

 

[lowesthost]

after waiting for the sky to fall we are unaffected 

 

[Francisco]

It's a nasty bug but I was thinking it would be some sort of break out.

Francisco

 

[AnthonySmith]

yep, worth while getting on the pre disclosure list for future, once someone gave me a heads up and I got access to the patch/issue in advance it made the prep work and updates much easier to deal with.