Date: Tue, 26 Jul 2016 12:04:00 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security@....org> Subject: Xen Security Advisory 182 (CVE-2016-6258) - x86: Privilege escalation in PV guests -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2016-6258 / XSA-182 version 3 x86: Privilege escalation in PV guests UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= The PV pagetable code has fast-paths for making updates to pre-existing pagetable entries, to skip expensive re-validation in safe cases (e.g. clearing only Access/Dirty bits). The bits considered safe were too broad, and not actually safe. IMPACT ====== A malicous PV guest administrator can escalate their privilege to that of the host. VULNERABLE SYSTEMS ================== All versions of Xen are vulnerable. The vulnerability is only exposed to PV guests on x86 hardware. The vulnerability is not exposed to x86 HVM guests, or ARM guests. MITIGATION ========== Running only HVM guests will avoid this vulnerability. CREDITS ======= This issue was discovered by Jérémie Boutoille of Quarkslab. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa182.patch xen-unstable, Xen 4.7.x xsa182-4.6.patch Xen 4.6.x xsa182-4.5.patch Xen 4.5.x, 4.4.x, 4.3.x $ sha256sum xsa182* 303400b9a832a3c1d423cc2cc97c2f00482793722f9ef7dd246783a049ac2792 xsa182-unstable.patch 2383695b1dc114e4e31e42dd05d4c86239ce9606478b5e1a71db1111d95b63a2 xsa182-4.5.patch f10665acaf17dedd15c40bfeb832b188db1ab3e789d95cc3787575529a280813 xsa182-4.6.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJXl0M8AAoJEIP+FMlX6CvZvsUIAKeTcuCNrXAkCMsa1jcTOJEB zo1sZB6DeUZjAjYm+vVTv3bcr8E9e+B02Cyg6Y97TByrpwsarvOyYZzds/wf3TO+ 3hm6cKPRBhUdQBgXLi6DqgsBIb+BvMEqT6jXpmNmLWqlJtuJPrCn74e2K0hXFgt2 RDELGjg6qsTW7hJtwNfkEI6/nj2/lBsNVHkp1F7olxT17euC4nJoLEzeDRc8UN/+ pf9UT1yoEVOddPA+iIjC7PeSYyWhJFyNR0m4BN7MshKEoy+tiIQJDZzyLJLh46uf c28vUByyu6fCersz63ZkpF9MHWR0+8cChOvmY3Tuyy/yitUMbcJoygu/35QV2tc= =u+6O -----END PGP SIGNATURE----- Download attachment "xsa182-unstable.patch" of type "application/octet-stream" (4336 bytes) Download attachment "xsa182-4.5.patch" of type "application/octet-stream" (4265 bytes) Download attachment "xsa182-4.6.patch" of type "application/octet-stream" (4291 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ