Xen issue XSA-108

[John_E]

Xen issue XSA-108



Hi John,
This is a short note to make you aware of the Xen security advisory XSA-108, which may have an impact on Xen hypervisors in SolusVM. It is not a SolusVM issue - it is an issue that affects many Xen environments.

What is the nature of the advisory?
Unfortunately we are under embargo. We cannot reveal specific details of the issue or patches at this time.
The embargo will be lifted at 1pm UK time on Wednesday 1st October.
If you are in a position to patch your Xen hypervisors now, we recommend you do so. Otherwise, we recommend that you prepare to patch your hypervisors as soon as possible after the embargo has lifted.

More information, coming soon
Keep watch on the Xen advisory site, where patches will be made available at 1pm on 1st October: http://xenbits.xen.org/xsa/. When the embargo has lifted we will publish a Knowledge Base article with details.
With thanks,
The SolusVM team




So Amazon gets first crack at this and the rest have to rush before a 0day hits? No more community aspect?

[VN-Ken]

Yes, this has been out for a while now (not announced through SVM/OnApp though until recently). Looking forward to tomorrow.

[John_E]

I was reading about a few days back when they were trying to put off the security rumor, but people can see past the poker face. Especially when they have to cover their butts before the rest of the world, and still not disclose anything. Must be more than one, "we can't discuss the patches at this time".

Sounds plural to me.


**and omg that logo is huge, it wasn't that big when I threaded it... feel free to clean that up...

[John_E]

Evidently Linode has known for a while as well, or so I've been told.

[VN-Ken]

Yes, there is a list of companies who already have disclosure including SolusVM themselves, Amazon, Linode, RedHat and others. Not sure how long they have known about it however.

[FRH Lisa]

"We recommend that you patch Xen now."
"Patches will be released tomorrow."

Am I missing something here?

[TQ Mark]

"We recommend that you patch Xen now."
"Patches will be released tomorrow."

Am I missing something here?

Patches will be released publicly on Oct 1.

Organizations on the pre-disclosure list already have access to the patches www.xenproject.org/security-policy.html

[FRH Lisa]

Patches will be released publicly on Oct 1.

Organizations on the pre-disclosure list already have access to the patches www.xenproject.org/security-policy.html

So the short version is "ouch".

[Kailash12]

Just a quick question, if i am using Xen PV in SolusVM, how can I upgrade it to apply the patch (when it is released)?

[John_E]

Just a quick question, if i am using Xen PV in SolusVM, how can I upgrade it to apply the patch (when it is released)?

How have you been doing them in the past?

It're really going to depend on how bad it is. I don't think anyone's going to die over this, but it will keep many people I know pretty darn busy.

[Kailash12]

How have you been doing them in the past?

This is a new SolusVM setup so never updated.

[HostingBig]

So the short version is "ouch".

Dang not on the list

If you are in a position to patch your Xen hypervisors now, we recommend you do so

and where would you get the update
Centos XEN last update June 2014 and on xen project page 2 Sep

[FRH Lisa]

From the XSA:

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

Full details: http://xenbits.xen.org/xsa/advisory-108.html

Content, because their site is lagging bad for me:

Information
Advisory XSA-108
Public release 2014-10-01 12:00
Updated 2014-10-01 12:02
Version 4
CVE(s) CVE-2014-7188
Title Improper MSR range used for x2APIC emulation
Files
advisory-108.txt (signed advisory file)
xsa108.patch
Advisory

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Xen Security Advisory CVE-2014-7188 / XSA-108
version 4

Improper MSR range used for x2APIC emulation

UPDATES IN VERSION 4
====================

Public release.

ISSUE DESCRIPTION
=================

The MSR range specified for APIC use in the x2APIC access model spans
256 MSRs. Hypervisor code emulating read and write accesses to these
MSRs erroneously covered 1024 MSRs. While the write emulation path is
written such that accesses to the extra MSRs would not have any bad
effect (they end up being no-ops), the read path would (attempt to)
access memory beyond the single page set up for APIC emulation.

IMPACT
======

A buggy or malicious HVM guest can crash the host or read data
relating to other guests or the hypervisor itself.

VULNERABLE SYSTEMS
==================

Xen 4.1 and onward are vulnerable.

Only x86 systems are vulnerable. ARM systems are not vulnerable.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

CREDITS
=======

This issue was discovered Jan Beulich at SUSE.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa108.patch xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa108*.patch
cf7ecf4b4680c09e8b1f03980d8350a0e1e7eb03060031788f972e0d4d47203e xsa108.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJUK+1fAAoJEIP+FMlX6CvZ6cwH+wdcnTCTdyAMc8bmQv+IxrMN
ue5rBYdX0b7CnnC2uCrwPssygna2cxTcVhJsU0eZk5OVrIU5rQ3PKtmFtxMwa3WS
my/vtyftTmoxAzftUKgpDFeicmZXlot3aowfRIiIc+GFZ59zAjDL2yQ0xMR1mJio
7SXl+dkcUPj5nXaeK1gFozJ8XNF+wArNQUPv0xUBIg4NSjQyqa7CMCZ5Q3IuJ53S
hKY37/MSoOViDORDPkeVr3BoSb7atYZSPwibqEUjeL5f+eXyVkbD0MkLQgu1ERtZ
p+dc+DTaRYm77LrDM+npZ+j1uSoVqdVzXtNYe6GZmbNRVXjbhJ+gJyJBcpy/a5Q=
=m0tK
-----END PGP SIGNATURE-----

Xenproject.org Security Team

[HostingBig]

Looks like they just updated it a few minutes ago

they made it seem like the sky was falling and it does not even affect us

[AcheronMedia-VK]

Keep watch on the Xen advisory site, where patches will be made available at 1pm on 1st October: http://xenbits.xen.org/xsa/

Just a heads up regarding that link, the link in that post above (not the xen.org URL itself) is actually redirected. Yes, I am paranoid and I hate when security posts like that are redirected and tokenized through something I never heard of especially if it sounds like a bot-registered random domain I can't get info about on the first page of google...

[Kijjy]

Does this effect my XenServer 6.1 64 bit servers?

[Daniel B]

Just a heads up regarding that link, the link in that post above (not the xen.org URL itself) is actually redirected. Yes, I am paranoid and I hate when security posts like that are redirected and tokenized through something I never heard of especially if it sounds like a bot-registered random domain I can't get info about on the first page of google...

I'm assuming it's just a tracking link for email purposes.

http://xenbits.xen.org/xsa/advisory-108.html

Is a direct link

[WebHostDog]

Do this mean 64bit Xen hosts are not affected or they are ?

[FastServ]

Does this effect my XenServer 6.1 64 bit servers?

Check /var/log/xen-dmesg for the xen version. Anything => 4.1 is affected. And all xenserver hosts are 32 bit.

[Ed-Freethought]

Does this effect my XenServer 6.1 64 bit servers?

Citrix have got patches out for XenServer 6.0/6.1/6.2: http://support.citrix.com/article/CTX200218

[WebHostDog]

What you mean all are 32 bit ? The Xen in installed on top of CentOS 64bit.

[Ed-Freethought]

What you mean all are 32 bit ? The Xen in installed on top of CentOS 64bit.

All version of Citrix XenServer are 32-bit in Dom0, which is what FastServ was replying to.

[WebHostDog]

We are using normal Xen installed on CentOS 64bit. So the question was if this is affecting hosts like this ?

[Ed-Freethought]

We are using normal Xen installed on CentOS 64bit. So the question was if this is affecting hosts like this ?

CentOS have pushed x86_64 patches for Xen4CentOS to fix XSA-108: http://lists.centos.org/pipermail/ce...er/020664.html

[John_E]

We are using normal Xen installed on CentOS 64bit. So the question was if this is affecting hosts like this ?

VULNERABLE SYSTEMS
==================

Xen 4.1 and onward are vulnerable.
Only x86 systems are vulnerable.
ARM systems are not vulnerable.

What is a "normal Xen?" PV? HVM? I believe this was Paravirtualized guests only. If your host node is an x86_64 then it sounds like you're fine.