Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 26 Jun 2013 13:19:17 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security@....org>
Subject: Xen Security Advisory 58 (CVE-2013-1432) - Page reference
 counting error due to XSA-45/CVE-2013-1918 fixes

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2013-1432 / XSA-58
                            version 2

        Page reference counting error due to XSA-45/CVE-2013-1918 fixes

UPDATES IN VERSION 2
====================

Public release.  Credits section added.

ISSUE DESCRIPTION
=================

The XSA-45/CVE-2013-1918 patch making error handling paths preemptible broke
page reference counting by not retaining a reference on pages stored for
deferred cleanup. This would lead to the hypervisor prematurely attempting to
free the page, generally crashing upon finding the page still in use.

CREDITS
=======

Thanks to Andrew Cooper and the Citrix XenServer team for discovering
and reporting this vulnerability, and helping investigate it.

IMPACT
======

Malicious or buggy PV guest kernels can mount a denial of service attack
affecting the whole system. It can't be excluded that this could also be
exploited to mount a privilege escalation attack.

VULNERABLE SYSTEMS
==================

All Xen versions having the XSA-45/CVE-2013-1918 fixes applied are vulnerable.

The vulnerability is only exposed by PV guests.

MITIGATION
==========

Running only HVM guests, or PV guests with trusted kernels, will avoid this
vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa58-4.1.patch             Xen 4.1.x
xsa58-4.2.patch             Xen 4.2.x
xsa58-unstable.patch        xen-unstable

$ sha256sum xsa58*.patch
3623ec87e5a2830f0d41de19a8e448d618954973c3264727a1f3a095f15a8641  xsa58-4.1.patch
194d6610fc38b767d643e5d58a1268f45921fb35e309b47aca6a388b861311c2  xsa58-4.2.patch
2c94b099d7144d03c0f7f44e892a521537fc040d11bc46f84a2438eece46a0f5  xsa58-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJRyuoNAAoJEIP+FMlX6CvZY3EH/04uBhD797FdBhCRkq/y1ACc
Dvg1BRZ4lHkURDp97gD4Fdyf95Lw4qtniYBq8H/kpVPWJgN7+Dmj8uoluWhOI62Y
Q7a97CZ3O39VcuNRQnZG8c6dduGwMTzbJMkftG0CcltygAxVVRU4uHSG4+MHQ5PZ
N1xauljWrbw49iZz0shxZv4BA/1MQyuyZGFIpOaYoom0vV67pfrQJ2kgCMDUctmq
WXNkVcOiS7lwS/+++goPIboSEy6UJCIVrhZmL7GhbNfiznlOFVgExMttQRcUDi/D
4SS4ghl3IyB34TwoX1P7TPEeHGbfonObGpzBQNduBIJDM32nqO7P8097XG0j0Tw=
=aw1s
-----END PGP SIGNATURE-----

[ CONTENT OF TYPE application/octet-stream SKIPPED ]

[ CONTENT OF TYPE application/octet-stream SKIPPED ]

[ CONTENT OF TYPE application/octet-stream SKIPPED ]

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ