** WHITE information - Unlimited distribution allowed **
** see https://go.egi.eu/tlp for distribution restrictions **
EGI CSIRT ADVISORY [EGI-ADV-20141030]
Title: 'HIGH' Risk - (Cloud) Memory Leak in Xen (XSA-108, CVE-2014-7188) [EGI-ADV-20141030]
Date: 2014-10-30
Updated:
Placed on Wiki on 3rd Nov as earlier version on was already there, and the vulnerability is public
URL: https://advisories.egi.eu/CSIRT_Alerts/XSA-108-2014-10-01
Introduction
============
On 2014-10-01, a serious vulnerability in Xen was announced to the general
public by Xen Security Advisory 108 (XSA-108) [R 1]
and been assigned CVE-2014-7188 [R 2]
All Xen versions from 4.1, prior to this being resolved, running on x86 systems
are vulnerable.
In these systems, HVM guest systems can read part of the hypervisor's memory
under certain circumstances, leading to a potential leak of information from
both the hypervisor and other guest machines.
EGI CSIRT considers this to be a HIGH vulnerability; sites should update if
they have not done so already.
It is thought that all affected vendors have now resolved this.
Details
=======
Incorrect handling of machine-specific registers (MSR) in the Xen host system
allows Hardware-Virtualized Machine (HVM) guest systems to read memory parts or
registers assigned to the hypervisor or other guest systems.
Under certain circumstances, it is possible that malicious guest systems are
able to read compromising data from either the hypervisor or other guests, or
is able to crash the entire system. Due to the limited scope of memory that a
malicious guest is able to access through this bug in combination with the
observation that an attacking guest system has almost no way of controlling
exactly what part of memory it will be able to read, the chances of a serious
breach of privacy appear to be slim at this point.
Paravirtualized (PV) guest systems cannot exploit this vulnerability;
therefore, running exclusively PV guests mitigates the issue.
At the time of this writing, no actual exploit code is publicly known.
For a discussion of this bug's impact, see the Qubes Security Bulletin referenced below. [R 3]
Mitigation
==========
As this bug can be exploited only by HVM guest machines, running PV guests
exclusively effectively eliminates the risks of this vulnerability at the cost
of VM performance.
Recommendations
===============
EGI-CSIRT recommends that sites running vulnerable versions of Xen immediately
apply vendor patches as they become available.
Until then, the mitigation as described above is recommended to be implemented.
Vendor patches or non-vulnerability statements are already available for these
distributions:
* CentOS: Vendor patch available [R 4]
* Qubes OS: Vendor patch available [R 3]
* Fedora 19: Vendor patch available [R 5]
* RHEL5: Not vulnerable. [R 6]
* Citrix: Vendor patch available [R 7]
* Debian: Vendor patch available [R 8]
* Ubuntu: Vendor patch available [R 9]
Other information is linked from [R 2]
References
==========
[R 1] Xen Security Advisory: http://xenbits.xen.org/xsa/advisory-108.html
[R 2] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7188
[R 3] Qubes Security Bulletin: https://groups.google.com/forum/#!msg/qubes-devel/HgQ_aWt-EBU/8VWzu2IrQdQJ
[R 4] CentOS: http://lists.centos.org/pipermail/centos-announce/2014-October/020664.html
[R 5] Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1148465
[R 6] RHEL 5: https://bugzilla.redhat.com/show_bug.cgi?id=1144499
[R 7] Citrix: http://support.citrix.com/article/CTX200218
[R 8] Debian: https://security-tracker.debian.org/tracker/CVE-2014-7188
[R 9] Ubuntu: http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-7188.html
Timeline
========
YYYY-MM-DD
2014-10-01: XSA-108 was published;
2014-10-01: CSIRT considers this 'High' risk
2014-10-29: Check that patches are available.
2014-10-30: Alert sent to sites.
2014-11-03: This alert made public.
On behalf of EGI SVG and EGI CSIRT,