[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Publicity] Draft technical blog post

To: "publicity@xxxxxxxxxxxxxxxxxxxx" <publicity@xxxxxxxxxxxxxxxxxxxx>, Andrew Halley <andrew.halley@xxxxxxxxxx>
From: George Dunlap <george.dunlap@xxxxxxxxxxxxx>
Date: Thu, 2 Oct 2014 15:48:30 +0100
Delivery-date: Thu, 02 Oct 2014 14:49:43 +0000
List-id: "List for Xen Publicity, PR and events" <publicity.lists.xenproject.org>

Hey all,

Below is a more technical draft blog post in response to the recentmedia flurry about XSA-108. If you've updated your blog logins you canalso preview the post here:https://blog.xenproject.org/?p=10093&preview=true


Let me know if you have any feedback!

 -George

XSA-108: Not the disaster you're looking for

There has an unusual amount of media attention to XSA-108, whose embargoperiod ended Wednesday -- far more than any of the previous 107vulnerabilities the Xen Project has reported. It began when a bloggernoticed that Amazon was telling customers it would be rebooting VMs incertain regions before a specific date -- a date which happened tocoincide with the release of XSA-108. He conjectured that the rebootshad something to do with that, and further conjectured that, because ofthe major impact to customers of rebooting, that it must be somethingvery big and important, similar to the recent Heartbleed and Shell Shockvulnerabilities. Amazon confirmed that the reboots had to do withXSA-108, but could say nothing else because of the security embargo.

Unfortunately, because of the nature of embargoes, nobody with anyactual knowledge of the vulnerability was allowed to say anything aboutit, and so the media was entirely free to speculate without any actualfacts getting in the way.

Now that the embargo has lifted, we can talk in detail about thevulnerability; and I'm afraid that people looking for another ShellShock or Heartbleed are going to be disappointed.


<h1>What is the vulnerability?</h1>

XSA-108 has to do with the emulation of a piece of hardware called anx2apic. x2apic is an interrupt controller: it allows the operatingsystem to control when and how and where urgent messages from outsidethe chip, and from other cores within the same chip, are delivered.

Interrupt controllers occupy a rather awkward position in thearchitecture. They are fairly complicated to implement in hardware;which is why they are not yet implemented by Intel's VT hardware. (Thismay change in the future.) But they are far too performance criticalfor Xen to pass emulation off to qemu, as it does with virtual disks orvirtual networks. This means that they must be emulated within Xen.

The actual vulnerability, like most vulnerabilities, is pretty simple.Xen implements 256 x2apic registers. These registers are stored in abuffer big enough to hold exactly 256 registers. However, the limitcheck for reading these registers was erroneosly set to 1024.

What this means is that, without the fix, if you read x2apic registers0-255, you'll get the correct emulated value from the register buffer;but if you read x2apic registers 256-1023, Xen will copy hypervisormemory from directly afterwards into the guest.

So what this bug gives you is the ability to read (and only read) the12k [1] of memory directly adjacent to where Xen is storing the first256 registers (and no other area of memory).


The fix simply corrects the limit check to 256.

The emulated x2apic functionality was introduced in Xen 4.1, so previousversions of Xen are not affected. Neither are PV guests, since Xen doesnot provide them with any emulated hardware.


<h1>The impact</h1>

If this seems like a relatively minor issue, that's because it is. Themost likely scenario is that that 12k of memory contains other Xen datastructures which contain no important information. There is, however, asmall chance that this memory might contain memory from anotherVM; and a small chance that this memory might contain sensitiveinformation, like passwords, encryption keys, or other private data.

Nonetheless, this is a security issue, and the XenProject takesall potential security issues very seriously, no matter how minor. Wehave a mature <ahref=http://www.xenproject.org/security-policy.html>process</a> in placeto notify cloud providers, distributions, and software providers so thatthey can have a fix in place before publicly disclosing any vulnerability.

Applying security patches proactively, even though there's very low riskthat anyone might have their secret data leaked because of it, is aconscientious and diligient thing to do. We're glad to see that so manycloud providers using Xen are demonstrating how seriously they takeprotecting customer data.

But it is by no means a disaster. Those looking for a major scandallike Heartbleed and Shellshocker will be disappointed.

[1] You may see this reported elsewhere as 3k; saying either 3k or 12kis simplifiying the truth in different ways. The MSR data is laid outas a 16-byte structure, of which only the first four bytes (one 32-bitword) can be read by this vulnerability. So the actual amount of datawhich is exposed is 3k, but it's spread out in 4-byte chunks across 12kof memory.



_______________________________________________
Publicity mailing list
Publicity@xxxxxxxxxxxxxxxxxxxx
http://lists.xenproject.org/cgi-bin/mailman/listinfo/publicity

Follow-Ups:
- Re: [Publicity] Draft technical blog post
  - From: Richard Mortier
- Re: [Publicity] Draft technical blog post
  - From: George Dunlap
- Re: [Publicity] Draft technical blog post
  - From: Ian Jackson
- Re: [Publicity] Draft technical blog post
  - From: Anil Madhavapeddy
- Re: [Publicity] Draft technical blog post
  - From: Konrad Rzeszutek Wilk

Prev by Date: Re: [Publicity] FOSDEM talk on CentOS SIGs
Next by Date: Re: [Publicity] Draft technical blog post
Previous by thread: Re: [Publicity] FOSDEM talk on CentOS SIGs
Next by thread: Re: [Publicity] Draft technical blog post
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.