Date: Wed, 24 Sep 2014 10:30:21 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security@....org> Subject: Xen Security Advisory 105 (CVE-2014-7155) - Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2014-7155 / XSA-105 version 3 Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation UPDATES IN VERSION 3 ==================== This issue has been assigned CVE-2014-7155. ISSUE DESCRIPTION ================= The emulation of the instructions HLT, LGDT, LIDT, and LMSW fails to perform supervisor mode permission checks. However these instructions are not usually handled by the emulator. Exceptions to this are - - when the instruction's memory operand (if any) lives in (emulated or passed through) memory mapped IO space, - - in the case of guests running in 32-bit PAE mode, when such an instruction is (in execution flow) within four instructions of one doing a page table update, - - when an Invalid Opcode exception gets raised by a guest instruction, and the guest then (likely maliciously) alters the instruction to become one of the affected ones. Malicious guest user mode code may be able to leverage this to install e.g. its own Interrupt Descriptor Table (IDT). IMPACT ====== Malicious HVM guest user mode code may be able to crash the guest or escalate its own privilege to guest kernel mode. VULNERABLE SYSTEMS ================== Xen versions from at least 3.2.x onwards are vulnerable. Older versions have not been inspected. Only user processes in HVM guests can take advantage of this vulnerability. MITIGATION ========== Running only PV guests will avoid this issue. There is no mitigation available for HVM guests. CREDITS ======= This issue was discovered Andrei Lutas at BitDefender and analyzed by Andrew Cooper at Citrix. RESOLUTION ========== Applying the attached patch resolves this issue. xsa105.patch xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x $ sha256sum xsa105*.patch dfb5ede7cc5609a812a7b1239479cefd387f9f9c8c25e11e64199bc592ad7e39 xsa105.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJUIpzkAAoJEIP+FMlX6CvZ0IkIALIftvFcaV2iH54bpvWuurXs m87HvWm0Omy8S5R+K+meJmy05jERWVUg0eaX0nn8KcFsg8H9lNEsdJwc8vmGyhxx tIY1IeHHH/Mbx7kdtdmVrtUaoz/IV2LYIHzsLEPcQ7gLMkMwydCxKL97Rf83Tsq+ Y6Zu3H0vQoR0wVVeh1ks8708TM2TZeNOc0B9foJBult3Zm/ihdBo12eZzVqm/e9g HCYswBKFntj4Iq0sAyhfc5KATirkCnWqpKXJ6oMACEy5H3+Xrh9/u79zatHd/FWL 3FL2yGwQTGqqtVRUhEQD7cfWl9FLRcFZyudWQzIkSlDAGHHrpxVinp/nplm5PvA= =lJ+I -----END PGP SIGNATURE----- Download attachment "xsa105.patch" of type "application/octet-stream" (1304 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.