Date: Wed, 05 Sep 2012 11:14:11 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security@....org>
Subject: Xen Security Advisory 18 (CVE-2012-3516) - grant table entry swaps have inadequate bounds checking

Xen Security Advisory CVE-2012-3516 / XSA-18
version 2

grant table entry swaps have inadequate bounds checking

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The grant table hypercall's GNTTABOP_swap_grant_ref sub-operation does
not perform adequate checks on the input grant references.

IMPACT
======

A malicious guest kernel or administrator can crash the host.

It may be possible for an attacker to swap a valid grant reference,
which they control, with an invalid one, allowing them to write
arbitrary values to hypervisor memory. This could potentially lead to
a privilege escalation.

VULNERABLE SYSTEMS
==================

Xen-unstable, including Xen 4.2 release candidates, is vulnerable to
this issue.

Xen 4.1 and earlier do not include this hypercall and are therefore
not vulnerable.

MITIGATION
==========

The only mitigation is not to run guests which have untrusted
administrators.

RESOLUTION
==========

Applying the attached patch will resolve the issue.

PATCH INFORMATION
=================

The attached patch resolves this issue:

 Xen unstable        xsa18-unstable.patch

$ sha256sum xsa18-unstable.patch
ad354a1964fc52b0e48d405514156935cc8dfcb5bdaee307e3e74afcc0ca8914  xsa18-unstable.patch

[ CONTENT OF TYPE application/octet-stream SKIPPED ]
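An added illustration, not part of the advisory and not Xen code: a simplified C model of swapping two table entries by guest-supplied reference, with the unchecked form beside one that validates both references before any access. All names (toy_table, toy_swap_checked, toy_demo, TOY_MAX_ENTRIES) and all values are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

#define TOY_MAX_ENTRIES 8   /* constructed capacity, not a Xen value */

struct toy_entry { uint16_t flags; uint32_t frame; };
struct toy_table {
    uint32_t nr_entries;    /* entries currently valid for this guest */
    struct toy_entry e[TOY_MAX_ENTRIES];
};

/* Unchecked form, for contrast only and never called: an out-of-range
 * reference reads and writes memory outside the table. */
void toy_swap_unchecked(struct toy_table *t, uint32_t a, uint32_t b)
{
    struct toy_entry tmp = t->e[a];
    t->e[a] = t->e[b];
    t->e[b] = tmp;
}

/* Checked form: validate both references against the live entry count
 * before any access. Returns 0 on success, -1 on rejection. */
int toy_swap_checked(struct toy_table *t, uint32_t a, uint32_t b)
{
    if (t->nr_entries > TOY_MAX_ENTRIES)
        return -1;          /* inconsistent bookkeeping: refuse */
    if (a >= t->nr_entries || b >= t->nr_entries)
        return -1;          /* reject before touching memory */
    struct toy_entry tmp = t->e[a];
    t->e[a] = t->e[b];
    t->e[b] = tmp;
    return 0;
}

/* Constructed demo: 4 live entries with frames 100..103. Returns the frame
 * found at index a after the swap, or -1 if the swap was rejected. */
long toy_demo(uint32_t a, uint32_t b)
{
    struct toy_table t = { .nr_entries = 4 };
    for (uint32_t i = 0; i < t.nr_entries; i++)
        t.e[i].frame = 100 + i;
    return toy_swap_checked(&t, a, b) == 0 ? (long)t.e[a].frame : -1;
}

int main(void)
{
    printf("%ld %ld %ld\n", toy_demo(0, 3), toy_demo(1, 4), toy_demo(UINT32_MAX, 2));
    return 0;
}
```

The references are unsigned, so a single upper-bound comparison per reference covers every out-of-range value, including one equal to the entry count.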