[(Major) Xen Security Issue] XSA-108 under embargo, Amazon rebooting everything

Amazon is rebooting all their VMs. Xen has an embargoed security issue: http://xenbits.xen.org/xsa/ (XSA-108), and it will be public on October 1st.

I wonder what it is, and why it is so serious. Might be a hypervisor exploit, or cross-vm access or something. Probably not the bash bug.

I expect a lot of LET providers will be affected by this.

Anybody with inside info?


Comments

  • It must be confidential. Leaking such info and they would lose their job.

  • It's embargoed, and confidential for a reason.

    I doubt anyone would think sharing it on a public forum to be a good idea.

    Thanked by 1Kris
  • AnthonySmithAnthonySmith Member, Patron Provider

    oh for fucks sake!

  • drserverdrserver Member, Host Rep

    Where did you find out that it is a security issue?

  • AnthonySmithAnthonySmith Member, Patron Provider

    drserver said: Where did you find out that it is a security issue?

    I think the fact that Amazon are rebooting their infrastructure on short notice is a fair sign this is security related.

  • @AnthonySmith Add Rackspace to that list.. so it must be something big: https://status.rackspace.com/

  • AnthonySmithAnthonySmith Member, Patron Provider

    Opened a ticket with Soluslabs. From the webinar they claim to now be a collectively bigger player in the market than Amazon, and as OnApp is Xen primary it would make sense that they release an update and/or are aware of this very soon.

  • AnthonySmithAnthonySmith Member, Patron Provider

    And to be fair.... I got a reply back within 10 minutes letting me know they are aware and they are investigating.

    Thanked by 1mpkossen
  • I find it very interesting and not sure if it's "fair" that bugs and patches will be withheld. Right now Amazon, Rackspace and I am sure a few other major companies will be given access to the patch a day or 2 ahead of time of the release. Everyone else will have to wait for the patch to go public, getting the patch the same time hackers get a chance to attack them, while big companies are already protected.

  • I understand why they don't tell the world but... I do not believe it's fair that because X company only makes X or only has X customers it should be held back from something like this. Unless Amazon figured it out themselves, fixed it and then released the patch for other people. That would be more understandable.

  • Just got an email from @OnePound that they will update their servers tomorrow :)

  • HsunamiHsunami Member
    edited September 2014

    It doesn't look like Linode's affected, per caker's reply: https://forum.linode.com/viewtopic.php?f=20&t=11331

    Or that they're able to patch w/o rebooting.

  • This is a list of all the companies that get disclosure, since SolusVM is part of OnApp, and listed on the pre-disclosure list, they are privy to the same information as Amazon. Would be interesting to see what comes of this. Linode is also a part of this list, wonder why Amazon is choosing to reboot everything, and Linode is not. Must be a feature that Amazon uses that is the problem..

    Organizations on the pre-disclosure list:

    This is a list of organisations on the pre-disclosure list (not email addresses or internal business groups).


    Amazon
    CentOS
    Citrix
    Debian
    Gandi.net
    GoGrid.com
    Host Virtual Inc.
    Intel
    Invisible Things Lab
    Linode
    Mageia
    Novell
    OnApp.com
    Oracle
    prgmr.com
    Rackspace
    Redhat
    SolusVM.com
    SuSE
    Ubuntu
    Xen Made Easy
    Xen Security Response Team
    Xen 3.4 stable tree maintainer

  • cncking2000 said: Must be a feature that Amazon uses that is the problem..

    Let's pretend that it's something that requires a restart. Linode may have SAN storage for all of their customer data, whereas Amazon has instance storage, so Amazon is then unable to do migration of VMs because machines would lose their instance storage that some people use.

  • Amazon says they're only rebooting less than 10% of their EC2 infra.

  • AnthonySmithAnthonySmith Member, Patron Provider

    mpkossen said: Amazon says they're only rebooting less than 10% of their EC2 infra.

    I read that this was just a smoke screen as almost 90% of it actually got rebooted.

  • AnthonySmithAnthonySmith Member, Patron Provider

    I guess so, however because it has been put under limited release the reboots will not be until the release date.

  • Couldn't someone just figure out what's different on their Amazon/Rackspace VM now after the reboot compared to what it was previously?

  • @doughnet said:
    Couldn't someone just figure out what's different on their Amazon/Rackspace VM now after the reboot compared to what it was previously?

    Not really. Xen runs on the host, not the VM.

  • jeff_lfcvpsjeff_lfcvps Member
    edited September 2014

    We signed up for the pre-disclosure list and have now received a copy of the XSA -- It is unlikely to affect the LET/LEB community very much.

  • 0xdragon0xdragon Member
    edited September 2014

    DISCLOSURE :O

  • AnthonySmithAnthonySmith Member, Patron Provider

    jeff_lfcvps said: We signed up for the pre-disclosure list and have now received a copy of the XSA -- It is unlikely to affect the LET/LEB community very much.

    I know you can't say, but I just hope you are not saying that because it does not affect 3.x.

  • drserverdrserver Member, Host Rep

    Well, at least we will have a good time.

    How many hosts are here with big xen deployments ?

  • Just a day left before this is disclosed.

  • virtualizor said: Just a day left before this is disclosed.

    Set up a cron job to update the system automatically every 5 minutes starting at midnight :)

  • AnthonySmithAnthonySmith Member, Patron Provider

    Symlink said: Set up a cron job to update the system automatically every 5 minutes starting at midnight :)

    It will require a reboot based on Amazon's response :)

  • @AnthonySmith said:
    It will require a reboot based on Amazon's response :)

    Set up the cron job to update the system every 5 minutes and reboot the server every 10 minutes :P

    Thanked by 1Symlink
  • Yay, HVM only:

    Information
    Advisory    XSA-108
    Public release  2014-10-01 12:00
    Updated     2014-10-01 12:02
    Version     4
    CVE(s)  CVE-2014-7188
    Title   Improper MSR range used for x2APIC emulation
    Files
    advisory-108.txt (signed advisory file)
    xsa108.patch
    Advisory
    
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
                  Xen Security Advisory CVE-2014-7188 / XSA-108
                                  version 4
    
                  Improper MSR range used for x2APIC emulation
    
    UPDATES IN VERSION 4
    ====================
    
    Public release.
    
    ISSUE DESCRIPTION
    =================
    
    The MSR range specified for APIC use in the x2APIC access model spans
    256 MSRs. Hypervisor code emulating read and write accesses to these
    MSRs erroneously covered 1024 MSRs. While the write emulation path is
    written such that accesses to the extra MSRs would not have any bad
    effect (they end up being no-ops), the read path would (attempt to)
    access memory beyond the single page set up for APIC emulation.
    
    IMPACT
    ======
    
    A buggy or malicious HVM guest can crash the host or read data
    relating to other guests or the hypervisor itself.
    
    VULNERABLE SYSTEMS
    ==================
    
    Xen 4.1 and onward are vulnerable.
    
    Only x86 systems are vulnerable.  ARM systems are not vulnerable.
    
    MITIGATION
    ==========
    
    Running only PV guests will avoid this vulnerability.
    
    CREDITS
    =======
    
    This issue was discovered Jan Beulich at SUSE.
    
    RESOLUTION
    ==========
    
    Applying the attached patch resolves this issue.
    
    xsa108.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x
    
    $ sha256sum xsa108*.patch
    cf7ecf4b4680c09e8b1f03980d8350a0e1e7eb03060031788f972e0d4d47203e  xsa108.patch
    $
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.12 (GNU/Linux)
    
    iQEcBAEBAgAGBQJUK+1fAAoJEIP+FMlX6CvZ6cwH+wdcnTCTdyAMc8bmQv+IxrMN
    ue5rBYdX0b7CnnC2uCrwPssygna2cxTcVhJsU0eZk5OVrIU5rQ3PKtmFtxMwa3WS
    my/vtyftTmoxAzftUKgpDFeicmZXlot3aowfRIiIc+GFZ59zAjDL2yQ0xMR1mJio
    7SXl+dkcUPj5nXaeK1gFozJ8XNF+wArNQUPv0xUBIg4NSjQyqa7CMCZ5Q3IuJ53S
    hKY37/MSoOViDORDPkeVr3BoSb7atYZSPwibqEUjeL5f+eXyVkbD0MkLQgu1ERtZ
    p+dc+DTaRYm77LrDM+npZ+j1uSoVqdVzXtNYe6GZmbNRVXjbhJ+gJyJBcpy/a5Q=
    =m0tK
    -----END PGP SIGNATURE-----
    
    Xenproject.org Security Team
    
    Thanked by 1GIANT_CRAB
  • HVM guests are the only ones that can reproduce the bug, but PV guests can have their memory read if they share a host with an HVM guest that hasn't been patched and rebooted.
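The advisory's ISSUE DESCRIPTION comes down to one piece of arithmetic: x2APIC registers sit 16 bytes apart in the emulated APIC page, so 256 MSRs span exactly one 4 KiB page, while a range check that admits 1024 MSRs lets the read path index three pages beyond it. The C model below is added here to make that bound explicit; it is not code from Xen, from the xsa108.patch, or from anyone in this thread. The MSR base 0x800 and the shift by 4 are the architectural x2APIC mapping, the 4096-byte page and the 4-byte register width are assumptions of the model, and all function and macro names are mine. The hardened read path at the end shows the check a reviewer would expect before the emulator touches memory.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural x2APIC layout: MSR 0x800 + n selects byte offset n * 16 of
 * the (xAPIC-style) register page. Page size and register width are
 * assumptions of this model; the advisory says the emulator keeps one page. */
#define X2APIC_MSR_BASE   0x800u
#define APIC_PAGE_BYTES   4096u
#define APIC_REG_BYTES    4u

/* The two bounds at issue: the advisory says the emulator accepted 1024
 * MSRs where the x2APIC access model defines only 256. */
#define MSR_COUNT_BUGGY   1024u
#define MSR_COUNT_FIXED    256u

/* Constructed stand-in for the single emulated APIC page (zero-filled). */
static uint8_t apic_page[APIC_PAGE_BYTES];

/* Range check as an MSR read intercept performs it: does the APIC
 * emulator claim this MSR index at all? */
bool in_x2apic_range(uint32_t msr, uint32_t msr_count)
{
    return msr >= X2APIC_MSR_BASE && msr < X2APIC_MSR_BASE + msr_count;
}

/* Byte offset into the APIC page that an accepted MSR index selects. */
uint32_t apic_page_offset(uint32_t msr)
{
    return (msr - X2APIC_MSR_BASE) << 4;
}

/* Does a register read for this MSR stay inside the single page? */
bool read_stays_in_page(uint32_t msr)
{
    return apic_page_offset(msr) + APIC_REG_BYTES <= APIC_PAGE_BYTES;
}

/* Bytes past the end of the page that the highest MSR admitted by a given
 * bound would read; 0 means the bound cannot leave the page. */
uint32_t max_overrun_bytes(uint32_t msr_count)
{
    uint32_t last_msr = X2APIC_MSR_BASE + msr_count - 1;
    uint32_t read_end = apic_page_offset(last_msr) + APIC_REG_BYTES;
    return read_end > APIC_PAGE_BYTES ? read_end - APIC_PAGE_BYTES : 0;
}

/* Hardened read path: reject anything outside the architectural 256-MSR
 * range and, independently, anything whose offset would leave the page.
 * A real emulator would inject #GP instead of returning false. */
bool safe_x2apic_read(uint32_t msr, uint32_t *out)
{
    if (!in_x2apic_range(msr, MSR_COUNT_FIXED) || !read_stays_in_page(msr))
        return false;
    uint32_t off = apic_page_offset(msr);
    *out = (uint32_t)apic_page[off]             |
           ((uint32_t)apic_page[off + 1] << 8)  |
           ((uint32_t)apic_page[off + 2] << 16) |
           ((uint32_t)apic_page[off + 3] << 24);
    return true;
}

int main(void)
{
    const uint32_t probes[] = { 0x800u, 0x8ffu, 0x900u, 0xbffu, 0xc00u };
    printf("%-6s %-9s %-9s %s\n", "MSR", "buggy-ok", "fixed-ok", "in-page");
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        uint32_t m = probes[i];
        printf("0x%03x  %-9s %-9s %s\n", m,
               in_x2apic_range(m, MSR_COUNT_BUGGY) ? "yes" : "no",
               in_x2apic_range(m, MSR_COUNT_FIXED) ? "yes" : "no",
               read_stays_in_page(m) ? "yes" : "no");
    }
    printf("max overrun: %u bytes with 1024 MSRs, %u bytes with 256 MSRs\n",
           max_overrun_bytes(MSR_COUNT_BUGGY), max_overrun_bytes(MSR_COUNT_FIXED));
    return 0;
}
```

The table the program prints is the whole story of the advisory: MSRs 0x800 through 0x8ff are accepted by both bounds and land inside the page, while 0x900 through 0xbff are accepted only by the 1024-MSR bound and every one of them reads past the page, up to 12276 bytes beyond it for the last index. This is why the advisory can say the write path was harmless (its extra indices became no-ops) while the read path reached memory outside the APIC page, and why the fix is simply the tighter bound.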
