Date: Mon, 03 Dec 2012 17:51:45 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security@....org> Subject: Xen Security Advisory 29 (CVE-2012-5513) - XENMEM_exchange may overwrite hypervisor memory -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2012-5513 / XSA-29 version 3 XENMEM_exchange may overwrite hypervisor memory UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= The handler for XENMEM_exchange accesses guest memory without range checking the guest provided addresses, thus allowing these accesses to include the hypervisor reserved range. IMPACT ====== A malicious guest administrator can cause Xen to crash. If the out of address space bounds access does not lead to a crash, a carefully crafted privilege escalation cannot be excluded, even though the guest doesn't itself control the values written. VULNERABLE SYSTEMS ================== All Xen versions are vulnerable. The vulnerability is only exposed to PV guests. MITIGATION ========== Running only HVM guests, or ensuring that PV guests only use trusted kernels, will avoid this vulnerability. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa29-4.1.patch Xen 4.1.x xsa29-4.2-unstable.patch Xen 4.2.x, xen-unstable $ sha256sum xsa29*.patch 7246a5534bc1e6a47bb6a860f6eb61c8353ad8b46209310783e823b4f7e2eae8 xsa29-4.1.patch 54dcd3ac5c84903bfb04f8591107a74c27b079815f2c6843212e05f776873c73 xsa29-4.2-unstable.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQvOJ3AAoJEIP+FMlX6CvZ7u8IAM01+jNn5fwdGmoo/LIdH885 nWr5aSc+qMqVuSvla0KKh1SOLFaVWFgovLN1Sfu2hAxLgrK3HxN86RqHU/vLo0k0 KTFM+9xQlxhJNQzyQSiDryH/qSrHTQI6ERxUEYgfjtTieK8y30SZqkd6jBmwoir/ nAMMP8oFmVevM2WfYEWjNNsWPaiUlUYP13qxiWGPcGzhcNNKRwcmrIY4N+F6kHID Ipl4l5vhoeSaQ0fKkcJKHa+3QGd+706jHZ5VTCwPdWBCnBJLFuMWbc2UlyIg2EB9 N+3Olwf3jCF0zIzBJkomA+FAg+D7kw31DCjc+y1PdGIyuoMkk+JRwYFVkZcKLi4= =pD8C -----END PGP SIGNATURE----- Download attachment "xsa29-4.1.patch" of type "application/octet-stream" (2087 bytes) Download attachment "xsa29-4.2-unstable.patch" of type "application/octet-stream" (2099 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.