Date: Mon, 03 Dec 2012 17:51:45 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security@....org> Subject: Xen Security Advisory 29 (CVE-2012-5513) - XENMEM_exchange may overwrite hypervisor memory -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2012-5513 / XSA-29 version 3 XENMEM_exchange may overwrite hypervisor memory UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= The handler for XENMEM_exchange accesses guest memory without range checking the guest provided addresses, thus allowing these accesses to include the hypervisor reserved range. IMPACT ====== A malicious guest administrator can cause Xen to crash. If the out of address space bounds access does not lead to a crash, a carefully crafted privilege escalation cannot be excluded, even though the guest doesn't itself control the values written. VULNERABLE SYSTEMS ================== All Xen versions are vulnerable. The vulnerability is only exposed to PV guests. MITIGATION ========== Running only HVM guests, or ensuring that PV guests only use trusted kernels, will avoid this vulnerability. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa29-4.1.patch Xen 4.1.x xsa29-4.2-unstable.patch Xen 4.2.x, xen-unstable $ sha256sum xsa29*.patch 7246a5534bc1e6a47bb6a860f6eb61c8353ad8b46209310783e823b4f7e2eae8 xsa29-4.1.patch 54dcd3ac5c84903bfb04f8591107a74c27b079815f2c6843212e05f776873c73 xsa29-4.2-unstable.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQvOJ3AAoJEIP+FMlX6CvZ7u8IAM01+jNn5fwdGmoo/LIdH885 nWr5aSc+qMqVuSvla0KKh1SOLFaVWFgovLN1Sfu2hAxLgrK3HxN86RqHU/vLo0k0 KTFM+9xQlxhJNQzyQSiDryH/qSrHTQI6ERxUEYgfjtTieK8y30SZqkd6jBmwoir/ nAMMP8oFmVevM2WfYEWjNNsWPaiUlUYP13qxiWGPcGzhcNNKRwcmrIY4N+F6kHID Ipl4l5vhoeSaQ0fKkcJKHa+3QGd+706jHZ5VTCwPdWBCnBJLFuMWbc2UlyIg2EB9 N+3Olwf3jCF0zIzBJkomA+FAg+D7kw31DCjc+y1PdGIyuoMkk+JRwYFVkZcKLi4= =pD8C -----END PGP SIGNATURE----- [ CONTENT OF TYPE application/octet-stream SKIPPED ] [ CONTENT OF TYPE application/octet-stream SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ