Home page logo

oss-sec logo oss-sec mailing list archives

Re: Re: Xen Security Advisory 82 (CVE-2013-6885) - Guest triggerable AMD CPU erratum may cause host hang
From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 02 Dec 2013 11:16:44 -0700

Hash: SHA1

On 12/02/2013 10:22 AM, Ian Jackson wrote:
Xen.org security team writes ("Xen Security Advisory 82
(CVE-2013-6885) - Guest triggerable AMD CPU erratum may cause host
This issue was predisclosed under embargo by the Xen Project
Security team, on the 27th of November.  We treated the issue as
not publicly known because it was not evident from the public
sources that this erratum constitutes a vulnerability
(particularly, that it was a vulnerability in relation to some
Xen configurations).

Since then, the fact that this CPU erratum is likely to
constitute a security problem has been publicly disclosed, on the
oss-security mailing list.

This is a reference to this message: 

This was sent by MITRE as part of the CVE assignment.  It seems
likely to us (the Xen Project security team) that the CVE
assignment was a consequence of our embargoed predisclosure to

The effect of this has been that we have had to end the embargo
early. I think there is room for discussion here about whether we
all did the right thing.  In particular:

* Should the Xen Project security te4am have treated this issue
with an embargo at all, given that the flaw itself was public ?

I would say this depends on the level of public disclosure. For
example from "upstream" (AMD) there was a very limited disclosure (no
public announcement I'm aware of) and just some notes in a single PDF.
However this was also made public via the person who found it and then
picked up by ZDnet in an article, so I would personally count that as
quite public.

* Should we have anticipated that other software would be in a 
similar position and sent message(s) to some other suitable set of 
vendor(s) ?  Which vendors, and how ?

Yes and no, with hardware obviously it's likely that other software
will leave the bug exposed, the problem is finding all of it and
notifying people is a very non trivial task.

* Should MITRE have been asked /not/ to publicly disclose the 
relationship between CVE-2013-6885 and AMD CPU erratum 793, until
the embargo ended ?

That was my fault, I didn't think to ask them to handle this as a
private assignment since the issue was quite public/old (see above).

* Were we right to treat MITRE's message as a trigger for
disclosure ?

Don't know.

Thanks, Ian.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Version: GnuPG v1.4.15 (GNU/Linux)


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]