SecurityTracker.com
Category:   Application (Generic)  >   Xen
Vendors:   XenSource
Xen Nested HVM Memory Leak Lets Local Users Deny Service
SecurityTracker Alert ID:  1028032
SecurityTracker URL:  http://securitytracker.com/id/1028032
CVE Reference:   CVE-2013-0152
Date:  Jan 24 2013
Impact:   Denial of service via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 4.2 only
Description:   A vulnerability was reported in Xen. A local user can cause denial of service conditions.

A flaw exists in the processing of nested HVMs. A local user on a guest operating system can trigger a memory leak and can cause denial of service conditions on the target host system.

Systems running only PV guests are not affected.

Impact:   A local user on the guest operating system can cause denial of service conditions on the target host system.
Solution:   The vendor has issued a fix (xsa35-4.2-with-xsa34.patch, or xsa35.patch).
Vendor URL:  www.xen.org/
Cause:   Access control error
Underlying OS:   Linux (Any)

Message History:   None.


 Source Message Contents

Date:  Wed, 23 Jan 2013 18:29:03 +0000
Subject:  [oss-security] Xen Security Advisory 35 (CVE-2013-0152) - Nested HVM exposes host to being driven out of memory by guest

             Xen Security Advisory CVE-2013-0152 / XSA-35
                           version 4

       Nested HVM exposes host to being driven out of memory by guest

UPDATES IN VERSION 4
====================

Fix corrupt patch xsa35-4.2-with-xsa34.patch.

ISSUE DESCRIPTION
=================

Guests are currently permitted to enable nested virtualization on
themselves. Missing error handling cleanup in the handling code makes
it possible for a guest, particularly a multi-vCPU one, to repeatedly
invoke this operation, thus causing a leak of - over time - unbounded
amounts of memory.

IMPACT
======

A malicious domain can mount a denial of service attack affecting the
whole system.

VULNERABLE SYSTEMS
==================

Only Xen 4.2 and Xen unstable are vulnerable. Xen 4.1 and earlier are
not vulnerable.

The vulnerability is only exposed by HVM guests.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

To fix both XSA 34 and XSA 35, first apply xsa34-4.2.patch from XSA 34
and then *also* apply xsa35-4.2-with-xsa34.patch from this advisory.

To fix this issue without addressing XSA 34, use xsa35.patch.

$ sha256sum xsa35*.patch
4a103bf14dd060f702289db539a8c6c69496bdfd1de5d0c0468c3aab7b34f6a5  xsa35-4.2-with-xsa34.patch
e69b01033b0fa4c3d175697566d2f0b161337e8d206654919937f77721dbf866  xsa35.patch
$
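The checksum and ordering steps from the RESOLUTION section, as an added shell example (not part of the advisory or of any Xen tooling). The function names, mode names and directory argument are assumptions; the file names and the two SHA-256 values are the ones listed in the advisory.

```shell
#!/bin/sh
# SHA-256 values copied from the advisory's "sha256sum xsa35*.patch" output.
XSA35_COMBINED_SHA=4a103bf14dd060f702289db539a8c6c69496bdfd1de5d0c0468c3aab7b34f6a5
XSA35_ALONE_SHA=e69b01033b0fa4c3d175697566d2f0b161337e8d206654919937f77721dbf866

# verify_sha256 FILE EXPECTED (hypothetical helper)
# Returns 0 only if FILE exists and its SHA-256 equals EXPECTED,
# 2 if the file is missing, 1 on a checksum mismatch.
verify_sha256() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 2; }
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ] && return 0
    echo "checksum mismatch: $1" >&2
    return 1
}

# xsa35_plan DIR MODE (hypothetical helper)
# Prints the patches to apply, one per line, in the order the advisory gives:
#   with-xsa34 : xsa34-4.2.patch first, then xsa35-4.2-with-xsa34.patch
#   alone      : xsa35.patch only (XSA 34 left unaddressed)
# Prints nothing and returns non-zero if a required file is absent or altered.
xsa35_plan() {
    dir=$1
    mode=$2
    case $mode in
    with-xsa34)
        # The xsa34-4.2.patch checksum is published in XSA 34, not here,
        # so this script only checks that the file is present.
        [ -f "$dir/xsa34-4.2.patch" ] || {
            echo "missing: $dir/xsa34-4.2.patch" >&2; return 2; }
        verify_sha256 "$dir/xsa35-4.2-with-xsa34.patch" "$XSA35_COMBINED_SHA" || return
        printf '%s\n' "$dir/xsa34-4.2.patch" "$dir/xsa35-4.2-with-xsa34.patch"
        ;;
    alone)
        verify_sha256 "$dir/xsa35.patch" "$XSA35_ALONE_SHA" || return
        printf '%s\n' "$dir/xsa35.patch"
        ;;
    *)
        echo "usage: xsa35_plan DIR with-xsa34|alone" >&2
        return 64
        ;;
    esac
}
```

Source the file and run `xsa35_plan DIR with-xsa34` or `xsa35_plan DIR alone`, then apply the printed files in the order shown; verify xsa34-4.2.patch separately against the checksum in XSA 34.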
 
 



Copyright 2014, SecurityGlobal.net LLC