Information

AdvisoryXSA-165
Public release 2015-12-17 12:00
Updated 2015-12-17 12:38
Version 3
CVE(s) CVE-2015-8555
Title information leak in legacy x86 FPU/XMM initialization

Files

advisory-165.txt (signed advisory file)
xsa165.patch
xsa165-4.3.patch
xsa165-4.5.patch
xsa165-4.6.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2015-8555 / XSA-165
                              version 3

         information leak in legacy x86 FPU/XMM initialization

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

When XSAVE/XRSTOR are not in use by Xen to manage guest extended
register state, the initial values in the FPU stack and XMM registers
seen by the guest upon first use are those left there by the previous
user of those registers.

IMPACT
======

A malicious domain may be able to leverage this to obtain sensitive
information such as cryptographic keys from another domain.

VULNERABLE SYSTEMS
==================

All Xen versions are vulnerable.

Only x86 systems without XSAVE support or with XSAVE support disabled
are vulnerable.

ARM systems are not vulnerable.

MITIGATION
==========

On XSAVE capable systems, not turning off XSAVE support via the
"no-xsave" hypervisor command line option (or - when defaulting to
off - turning it on via the "xsave" hypervisor command line option)
will avoid the vulnerability.  To find out whether XSAVE is in use,
consult the hypervisor log (obtainable e.g. via "xl dmesg") and look
for a message of the form

"xstate_init: using cntxt_size: <number> and states: <number>"

If such a message is present then XSAVE is in use. But note that due
to log buffer size restrictions this boot time message may have
scrolled off.

There is no known mitigation on XSAVE-incapable systems.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa165.patch           xen-unstable
xsa165-4.6.patch       Xen 4.6.x
xsa165-4.5.patch       Xen 4.5.x, Xen 4.4.x
xsa165-4.3.patch       Xen 4.3.x

$ sha256sum xsa165*
6422db857dd469f5978b80be95e93d1db4bab965668430e07005b7b6369742be  xsa165.patch
bced245fb1111b7fa2db642971cceb0523e691367ba8bfbc6ff0da421f198c97  xsa165-4.3.patch
dd15e301f2757e0c7975bdccfe49ddf41c730bc124dd90166e0844d332eeedad  xsa165-4.5.patch
4bb18f2e44f49f140932c2d1e956e2e28017439cbb0e76eb16a8af617c4112ac  xsa165-4.6.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the PATCH (or others which are substantially similar) is
permitted during the embargo, even on public-facing systems with
untrusted guest users and administrators.


However deployment of the XSAVE ENABLEMENT MITIGATION is NOT permitted
(except where all the affected systems and VMs are administered and
used only by organisations which are members of the Xen Project
Security Issues Predisclosure List).  Specifically, deployment on
public cloud systems is NOT permitted.

This is because enabling xsave is visible to guests, so such
deployment could lead to the rediscovery of the vulnerability.

Deployment of the mitigation is permitted only AFTER the embargo ends.


Also: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJWcqzAAAoJEIP+FMlX6CvZAYYH/1KqrQG0r23AiTYXqS4IBYMd
RU5edyJkNKRCkJMU3m20LPyZ4/NCMg8rgejLHQDiHav0CNUEX6gUSqIUm8d3vrNg
IYtGNhLZUcjRqRK1f/oqgFw3TEXlC59EQdSKdNLaZ+Fj/HN4TQtaQWpUW0r5OYXi
tSbZYJ+NT4wHLzmai2tdFekVEBFzL+e6RxngrAl+X17mX3O0jdHFpOPqjwGCXXhh
N46sZTi/o3QSHBG7yzcxlA5HKJArxVAQNSKJJrSaj3m8O44V5d6+IkMmCpexvq/R
rFA1iiMXu481UQq6kLNIC2kpgSNUaNTHDElVQdeUUGu95INAgsrlMdUqNKL2V8o=
=QBGV
-----END PGP SIGNATURE-----


Xenproject.org Security Team