Date: Tue, 26 Nov 2013 17:03:26 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security@....org> Subject: Xen Security Advisory 76 (CVE-2013-4554) - Hypercalls exposed to privilege rings 1 and 2 of HVM guests -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2013-4554 / XSA-76 version 3 Hypercalls exposed to privilege rings 1 and 2 of HVM guests UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= The privilege check applied to hypercall attempts by a HVM guest only refused access from ring 3; rings 1 and 2 were allowed through. IMPACT ====== Code running in the intermediate privilege rings of HVM guest OSes may be able to elevate its privileges inside the guest by careful hypercall use. VULNERABLE SYSTEMS ================== Xen 3.0.3 and later are vulnerable. Xen 3.0.2 and earlier are not vulnerable. MITIGATION ========== Running only PV guests, or running HVM guests known to not make use of protection rings 1 and 2 will avoid this issue. As far as we are aware no mainstream OS (Linux, Windows, BSD) make use of these rings. CREDITS ======= This issue was discovered by Jan Beulich. RESOLUTION ========== Applying the attached patch resolves this issue. xsa76.patch xen-unstable, Xen 4.3.x, Xen 4.2.x, Xen 4.1.x $ sha256sum xsa76*.patch 8c4d460c71e8e8dffa32ce24f57ce872ccd8623ab72fd38be432f0a2b097e7c1 xsa76.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJSlNMiAAoJEIP+FMlX6CvZn4kH/38vSCRckKM2JuQJfIJb8WtT hz7XFDLhDBgeei7J3G3HiZIdaVGVYvThKDl6Dk0Kfc7V7vqIOEYN6OGAOqsJY5GL Yqqxqol4ncyM0okLn3mvgeX1FlpLi1rlkwWkR7on7KMahxITjeGpWs00z9o9fpxy 21hIEw3vtXxg+C22QK2GS2fHKrkU23Fi7OPC09aU179nWjQWom+7qNsRvJlw+dRq NZs5EvvGofqXN7KaLAirJkNUmxDOS0+XxNcF/1zLpXa/bIXjKCju6LoLb86UZOsM JkSSfFYiz3UxAqjZtr4x4cbUl/0LeGUETVygIOOtx/56TKMxzgbaXHDevCiu3bw= =oChf -----END PGP SIGNATURE----- Download attachment "xsa76.patch" of type "application/octet-stream" (556 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ