XSA-108 Advisory

Well looks like Mr De Raadt was right again:<p><i>&#x27;x86 virtualization is about basically placing another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection. Then running your operating system on the other side of this brand new pile of shit.<p>You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can&#x27;t write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes.&#x27;</i><p>Source: <a href="http://marc.info/?l=openbsd-misc&amp;m=119318909016582" rel="nofollow">http:&#x2F;&#x2F;marc.info&#x2F;?l=openbsd-misc&amp;m=119318909016582</a><p>Personally, I have hope for things like cgroups&#x2F;jails and MAC&#x2F;SELinux over virtualization.

Thanks to Jan Beulich, the SUSE Xen maintainer in Germany who is credited with finding this x86 HVM vulnerability.<p>It would be helpful if errata announcements included documentation of the static analysis tools, code review process or automated testing techniques which identified the weakness, along with a postmortem of previous audits of relevant code paths.<p>What made it possible for this issue to be identified now, when the issue escaped previous analysis, audits and tests? Such process improvement knowledge is possibly more valuable to the worldwide technical community than any point fix.<p>Heartbleed was discovered by an external party, but this issue which affects the data of millions of users was found by the originating open-source project. Kudos to Jan for finding this cross-domain escalation.

I have to wonder if my recent blog post, &quot;The MSRs of EC2&quot;, on September 15th has prompted this discovery: <a href="http://www.brendangregg.com/blog/2014-09-15/the-msrs-of-ec2.html" rel="nofollow">http:&#x2F;&#x2F;www.brendangregg.com&#x2F;blog&#x2F;2014-09-15&#x2F;the-msrs-of-ec2....</a> . When I posted that, I could find no examples of MSR usage in EC2 or Xen.<p>I haven&#x27;t checked after the reboot, but I hope the MSRs I&#x27;m using can still be accessed: IA32_MPERF and IA32_APERF (to calculate real CPU MHz); IA32_THERM_STATUS and MSR_TEMPERATURE_TARGET (to calculate CPU temperatures); and MSR_TURBO_RATIO_LIMIT and MSR_TURBO_RATIO_LIMIT1 (to see turbo ratios).<p>I use them in the showboost, cputemp, and cpuhot MSR-based tools: <a href="https://github.com/brendangregg/msr-cloud-tools" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;brendangregg&#x2F;msr-cloud-tools</a>

interesting link ... from 2010 <a href="http://xen.1045712.n5.nabble.com/x2APIC-emulation-for-HVM-guest-td3288786.html" rel="nofollow">http:&#x2F;&#x2F;xen.1045712.n5.nabble.com&#x2F;x2APIC-emulation-for-HVM-gu...</a>

Can somebody please confirm that it is impossible to boot a HVM system on Linode? The hypervisor on my Linode host certainly supports HVM (according to cat &#x2F;sys&#x2F;hypervisor&#x2F;properties&#x2F;capabilities). The host Xen is 4.1 and therefore vulnerable in the case that another user could be running HV guests.

It will be interesting to see which providers didn&#x27;t get the embargoed release.<p>So if you get a reboot announcment from your xen vps provider after today 12:00Z, you should list them here.

Ouch, isn&#x27;t one of the cardinal sins of hypervisors reading memory outside of your allocation? Certainly explains the embargo

I assume this is why AWS forcefully rebooted many of their VMs recently?

I wonder if Amazon or someone will take the time to make a ksplice-like system for Xen so that future security upgrades probably won&#x27;t have to go through such disruptive reboot events.<p>(Or, for that matter, whether they considered making an ad-hoc machine code patch - based on the source patch, it looks like it would probably be doable just by changing a few bytes. I guess it&#x27;s a bit risky...)

The advisory says PV is safe and HVM is dangerous. What about PV-HVM?<p>Got a reasonably long list of VPS providers to submit tickets to.

I had &quot;dedicated&quot; AWS instances that were rebooted. A dedicated instance means there is only one guest per box, right? So I&#x27;m curious why those had to be rebooted if there is no network-facing vector to this vulnerability. I guess because we could have read from the hypervisor&#x27;s memory?

<i>Desktop</i> risk analysis from Qubes, <a href="http://qubes-os.org" rel="nofollow">http:&#x2F;&#x2F;qubes-os.org</a> via <a href="https://groups.google.com/forum/m/#!topic/qubes-devel/HgQ_aWt-EBU" rel="nofollow">https:&#x2F;&#x2F;groups.google.com&#x2F;forum&#x2F;m&#x2F;#!topic&#x2F;qubes-devel&#x2F;HgQ_aW...</a><p>---<p>This seemingly looks like a serious problem, but if we think a little bit about the practical impact the conclusion might be quite different.<p>First, there are really no secrets or keys in the hypervisor memory that might make a good target for an exploit here. Xen hypervisor does not do encryption, neither it deals with any storage subsystems. Also there is no explicit guest memory content intermixed with the hypervisor code and data.<p>But one place to see pieces of potentially sensitive data are the Xen internal structures where the guest _registers_ are stored whenever the guest execution is interrupted (e.g. because of a trap). These registers might contain e.g. (parts of) keys or other secrets, if the guest was executing some sensitive crypto operation just before it got interrupted.<p>The vulnerability allows to read only a few kB of the hypervisor memory, with only relative addressing from the emulated APIC registers page, whose address is not known to the attacker. Still, for the exactly same systems (same binaries running, same ACPI tables, etc) it&#x27;s likely that the attacker would be able to guess the address of the APIC page. However, it is much less probable she would be able to predict what Xen structures are located in the adjacent memory. Much less the attacker would be able to control what structure are located there, as there doesn&#x27;t seem to be many ways of how a malicious HVM might be significantly affecting the layout of the hypervisor heap (e.g. force arch_vcpu structures of interesting domains to appear nearby).<p>Nevertheless, it might happen, by pure coincidence, that an arch_vcpu structure with a content of an interesting VM will just happen to be located adjacently to the emulated APIC page.<p>In that case, the next problem for the attacker would be lack of control and knowledge over the target VM execution: even if the attacker were somehow lucky to find the other VM&#x27;s register-holding-structure adjacent to the APIC page, it would still be unclear what the target VM was executing at the time it was suspended and so, whether the registers stored in the structure are worthwhile or not.<p>It is thinkable that the attacker might attempt to use some form of a heuristic, such as e.g. &quot;if RIP == X, then RAX likely contains (parts of) the important key&quot;, hoping that this specific RIP would signify a specific interesting instruction (e.g. part of some crypto library) being executed while the VM was interrupted, and so the key is to be found in one of the registers.<p>But the attacker&#x27;s memory reading exploit doesn&#x27;t offer a comfort of synchronization, so even though the attacker might be so extremely lucky as to find out that<p><pre><code> *(apic_page + guessed_offset_to_rip) == X </code></pre> (the attacker here assumes the &#x27;guessed_offset_to_rip&#x27; is the distance between the APIC page and the address where RIP is stored in the presumable arch_vcpu structure, that presumably is located adjacently), still there is no guarantees that the next read to<p><pre><code> *(apic_page + guest_offset_to_rax) </code></pre> will return the content of RAX from the same moment that RIP was snapshot (and which the attacker considered interesting).<p>Arguably the attacker might try to fire up the attack continuously, thus increasing chances of success. Assuming this won&#x27;t cause system to crash due to accessing non-mapped memory, this might sound like a somehow good strategy.<p>However, in case of a desktop system like Qubes OS, the attacker has very limited control over other domains. Unlike as in case of attacking a VM playing a role of a Web server for instance, the attacker probably won&#x27;t be able to force the target VMs to do lots of repeated crypto operations, neither choose moments when the target VM traps.<p>It seems like exploiting this bug in an IaaS scenario might be more practical, though, as the attacker also has some control of domain creation&#x2F;termination, so can affect Xen heap to some extent. But on a system like Qubes OS, it seems unlikely.<p>So, are we doomed? We likely are, but probably not because of this bug.<p>---

Some impact analysis from the Qubes OS project: <a href="https://groups.google.com/forum/#!msg/qubes-devel/HgQ_aWt-EBU/8VWzu2IrQdQJ" rel="nofollow">https:&#x2F;&#x2F;groups.google.com&#x2F;forum&#x2F;#!msg&#x2F;qubes-devel&#x2F;HgQ_aWt-EB...</a>

Patches to XenServer (releases 6.0 through 6.2) are now available from Citrix: <a href="https://support.citrix.com/article/CTX200218" rel="nofollow">https:&#x2F;&#x2F;support.citrix.com&#x2F;article&#x2F;CTX200218</a>

&gt; A buggy or malicious HVM guest can crash the host<p>Given that writes are no-ops, I don&#x27;t understand this mechanism. Can someone explain it, please?

Interesting that the patch is just one characters difference (applied in two locations)<p>0x3ff to 0xff

Heh, it&#x27;s been a rough couple of weeks.