When running on an ARM platform Xen was not context switching the CNTKCTL_EL1 register, which is used by the guest kernel to control access by userspace processes to the hardware timers. This meant that any guest can reconfigure these settings for the entire system. A malicious guest kernel can reconfigure CNTKCTL_EL1 to block userspace access to the timer hardware for all domains, including control domains. Depending on the other guest kernels in use this may cause an unexpected exception in those guests which may lead to a kernel crash and therefore a denial of service. 64-bit ARM Linux is known to be susceptible to crashing in this way. A malicious guest kernel can also enable userspace access to the timer control registers, which may not be expected by kernels running in other domains. This can allow user processes to reprogram timer interrupts and therefore lead to unexpected behaviour, potentially up to and including crashing the guest. Userspace processes will also be able to read the current timestamp value for the domain perhaps leaking information to those processes. Acknowledgements: Red Hat would like to thank the Xen project for reporting this issue.
Statement: Not vulnerable. This issue did not affect the versions of the kernel-xen package as shipped with Red Hat Enterprise Linux 5.
MITRE assigned CVE-2014-3125 to this issue: http://seclists.org/oss-sec/2014/q2/209