Date: Wed, 24 Sep 2014 10:30:24 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security@....org> Subject: Xen Security Advisory 106 (CVE-2014-7156) - Missing privilege level checks in x86 emulation of software interrupts -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2014-7156 / XSA-106 version 3 Missing privilege level checks in x86 emulation of software interrupts UPDATES IN VERSION 3 ==================== This issue has been assigned CVE-2014-7156. ISSUE DESCRIPTION ================= The emulation of instructions which generate software interrupts fails to perform supervisor mode permission checks. However these instructions are not usually handled by the emulator. Exceptions to this are - - when a memory operand (implicit for the affected instructions) lives in (emulated or passed through) memory mapped IO space, - - in the case of guests running in 32-bit PAE mode, when such an instruction is (in execution flow) within four instructions of one doing a page table update, - - when an Invalid Opcode exception gets raised by a guest instruction, and the guest then (likely maliciously) alters the instruction to become one of the affected ones, - - when the guest is in real mode (in which case there are no privilege checks anyway). IMPACT ====== Malicious HVM guest user mode code may be able to crash the guest. VULNERABLE SYSTEMS ================== Xen versions from 3.3 onwards are vulnerable. Only user processes in HVM guests can take advantage of this vulnerability. MITIGATION ========== Running only PV guests will avoid this issue. There is no mitigation available for HVM guests. CREDITS ======= This issue was discovered Andrei Lutas at BitDefender and analyzed by Andrew Cooper at Citrix. RESOLUTION ========== Applying the attached patch resolves this issue. xsa106.patch xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x $ sha256sum xsa106*.patch 301060f801ab39c15ac773e1bcc250f0e6bf30d748007a96173459b83afc9270 xsa106.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJUIpznAAoJEIP+FMlX6CvZNzsH/2EiupxpKxmHXoWxZAqlDz5E +cdmv5axHGO74bU8xGe/WFcfOCjx8LaPifWd/g6AMlSa7BHe1i1sPmOifr6jhRlz xfJonBcXl6/Z7LpfaYdu2M+6mDXoO2Ov5yKEYDNPyzwfmRH+bLBBGrGTzJvyaEj2 PS2JgtIzIVRFHdmYh7zJeS9isKt9+/lKplAIluKUUUhnX1pMUaTV9Ax67MUs7BdJ SHh37YoMIZAxAkRl80nT7gBdohLUmQJZm3CVFFjk71hSFlvdRJNZuVJnxMyXXBA3 awQlxUAhUQmP8ls1JTK0EMVe9EAPvyqgPlk/2Ch8UBtpg0MeGzBs9UJwjYeP47Y= =c9bK -----END PGP SIGNATURE----- Download attachment "xsa106.patch" of type "application/octet-stream" (922 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.