SecurityTracker.com
Category: Application (Generic) > Xen
Vendors: XenSource
Xen oxenstored Message Processing Flaw Lets Local Users on a Guest Domain Cause Denial of Service Conditions
SecurityTracker Alert ID: 1029264
SecurityTracker URL: http://securitytracker.com/id/1029264
CVE Reference: CVE-2013-4416
Date: Oct 29 2013
Impact: Denial of service via local system
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 4.1.0 and later
Description: A vulnerability was reported in Xen. A local user on a guest operating system can cause denial of service conditions.

The OCaml xenstored implementation ('oxenstored') does not properly process message replies larger than XENSTORE_PAYLOAD_SIZE when communicating with a client domain via the shared ring mechanism. A local client can create a directory containing specially crafted entries that, when listed by the target domain, will cause the connection to the client domain to be shut down.

Clients in the same domain as xenstored using the Unix domain socket mechanism are not affected.

Thomas Sanders at Citrix reported this vulnerability.

Impact: A local user on a guest operating system can cause the target domain to shut down.
Solution: The vendor has issued a fix (xsa72.patch).
Vendor URL: www.xen.org/
Cause: Input validation error
Underlying OS: Linux (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jan 22 2014 (Citrix Issues Fix for Citrix XenClient XT) Xen oxenstored Message Processing Flaw Lets Local Users on a Guest Domain Cause Denial of Service Conditions
Citrix has issued a fix for Citrix XenClient XT.



 Source Message Contents

Date:  Tue, 29 Oct 2013 15:39:10 +0000
Subject:  [oss-security] Xen Security Advisory 72 (CVE-2013-4416) - ocaml xenstored mishandles oversized message replies

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2013-4416 / XSA-72
                             version 3

         ocaml xenstored mishandles oversized message replies

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The Ocaml xenstored implementation ("oxenstored") cannot correctly handle
a message reply larger than XENSTORE_PAYLOAD_SIZE when communicating
with a client domain via the shared ring mechanism.

When this situation occurs, the connection to the client domain is shut
down and cannot be restarted, leading to a denial of service against
that domain.

Clients in the same domain as xenstored which are using the Unix
domain socket mechanism are not vulnerable.

IMPACT
======

A malicious domain can create a directory containing a large number of
entries in the hope that a victim domain will attempt to list the
contents of that directory. If this happens, the victim domain's
xenstore connection will be shut down, leading to a denial of service
against that domain.

If the victim domain is a toolstack or control domain then this can
lead to a denial of service against the whole system.

VULNERABLE SYSTEMS
==================

All systems using oxenstored are potentially vulnerable.

oxenstored was added in Xen 4.1.0. From Xen 4.2.0 onward it is used by
default if an ocaml toolstack was present at build time.

In its default configuration the C xenstored implementation is not
vulnerable.  By default this implementation imposes a quota on the
maximum directory size which is less than XENSTORE_PAYLOAD_SIZE.  If
you have adjusted the quota using the --entry-size / -S option to a
value larger than XENSTORE_PAYLOAD_SIZE (4096 bytes) then you may be
vulnerable.

Systems where the toolstack and oxenstored live in the same domain
will default to using Unix domain socket based communications and
therefore are not vulnerable to the host wide denial of service by
default.  In such a configuration guest domains which do not list
xenstore paths belonging to untrusted foreign domains will not be
vulnerable to the DoS.  (In the common case guests will not have
permission to do so in any case.)
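The following Python model is an added illustration for this advisory, not code from the Xen project or from the XSA-72 patch. It shows the condition the ISSUE DESCRIPTION and IMPACT sections describe: a DIRECTORY reply is the NUL-separated list of child names, and once that list exceeds XENSTORE_PAYLOAD_SIZE (4096 bytes, from Xen's public xs_wire.h) it no longer fits in a single ring message. It also models the two defensive checks the advisory implies: a server that answers an oversized listing with an E2BIG error reply instead of losing the connection, and the C xenstored-style per-node entry-size quota, which only protects the ring while the quota stays below the payload limit. The message type numbers and the 16-byte header layout are taken from xs_wire.h; the function names, the E2BIG reply behaviour and the quota values used in the demonstration are this example's own assumptions.

```python
import struct

# Constants from Xen's public xs_wire.h header.
XENSTORE_PAYLOAD_SIZE = 4096      # largest payload one xenstore message may carry
XS_DIRECTORY = 1                  # request: list children; reply: NUL-terminated names
XS_ERROR = 16                     # reply carrying a NUL-terminated errno name
HEADER = struct.Struct("<IIII")   # struct xsd_sockmsg: type, req_id, tx_id, len


def encode_directory_listing(names):
    """Wire form of a DIRECTORY reply: every child name followed by a NUL byte."""
    return b"".join(n.encode() + b"\0" for n in names)


def encode_message(msg_type, req_id, tx_id, payload):
    """Prepend the 16-byte xsd_sockmsg header to a payload."""
    return HEADER.pack(msg_type, req_id, tx_id, len(payload)) + payload


def oversized_reply_would_kill_connection(names, max_payload=XENSTORE_PAYLOAD_SIZE):
    """The situation the advisory describes for the unpatched daemon: the
    listing of `names` does not fit in one message of `max_payload` bytes."""
    return len(encode_directory_listing(names)) > max_payload


def reply_to_directory_request(names, max_payload=XENSTORE_PAYLOAD_SIZE):
    """Model (this example's assumption, not the project's patch) of a server
    that checks the reply size before queueing it: an oversized listing is
    answered with an XS_ERROR E2BIG reply, so the ring connection survives.
    Returns (message type, payload)."""
    listing = encode_directory_listing(names)
    if len(listing) > max_payload:
        return XS_ERROR, b"E2BIG\0"
    return XS_DIRECTORY, listing


def check_entry_size_quota(names, quota):
    """Model of a per-node entry-size quota like C xenstored's --entry-size / -S:
    a node whose directory listing would exceed `quota` bytes is refused.
    The quota prevents an oversized reply only when quota <= payload limit."""
    return len(encode_directory_listing(names)) <= quota


def parse_header(data):
    """Consumer-side check: decode a header and refuse a message whose declared
    payload length exceeds XENSTORE_PAYLOAD_SIZE instead of trusting it."""
    if len(data) < HEADER.size:
        raise ValueError("short header")
    msg_type, req_id, tx_id, length = HEADER.unpack_from(data)
    if length > XENSTORE_PAYLOAD_SIZE:
        raise ValueError("declared payload %d exceeds XENSTORE_PAYLOAD_SIZE" % length)
    return msg_type, req_id, tx_id, length


if __name__ == "__main__":
    # Constructed samples: a normal small directory and one whose listing is
    # far over 4 KiB (each "entryNNNN\0" is 10 bytes, 1000 of them = 10000 bytes).
    small = ["vm", "name", "memory"]
    big = ["entry%04d" % i for i in range(1000)]
    print("small listing fits:", not oversized_reply_would_kill_connection(small))
    print("big listing oversized:", oversized_reply_would_kill_connection(big))
    print("guarded reply to big listing:", reply_to_directory_request(big))
    # A quota below the payload limit blocks the big directory from existing;
    # a quota raised above the limit (as the advisory warns) does not.
    print("2048-byte quota admits big dir:", check_entry_size_quota(big, 2048))
    print("8192-byte quota admits 500 entries:",
          check_entry_size_quota(big[:500], 8192),
          "-> oversized:", oversized_reply_would_kill_connection(big[:500]))
```

The quota figures 2048 and 8192 are chosen only to sit on either side of XENSTORE_PAYLOAD_SIZE; the advisory states that the C xenstored default is below 4096 without giving the number, so the real default is not asserted here.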

MITIGATION
==========

Switching to the C xenstored (in its default configuration) will
eliminate this vulnerability.

CREDITS
=======

This issue was discovered by Thomas Sanders at Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves both the ocaml xenstore and C
xenstore issues.

xsa72.patch        xen-unstable, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa72*.patch
66e11513fc512173140f3ca12568f8ef79415e9a7884254a700991b3f1afd125  xsa72.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJSb9aMAAoJEIP+FMlX6CvZU6MH/2Racg6r+JLka2jqPO3X+BCh
+Dvkp2s85lQ/i7lUDq7V/1Badc+GpqCAoysgjh0bMSyXpPwaz3N+JhcgSEzWbXoU
IlQQUWGA86jO7x0g1HBIfvmf6o+ALWKkoyLiOZ3ZgpibO/vkl+8qU6yiD+r0XDaM
TTcsuRrosw6wbVsPkL7wGpTsQD1JA/FSKd7BpsQRMjxUeMtTeBtPN1o+zsvGf7he
A8MYe55XXYZbHv/S9yuBCHXtCU+QRtuGJGODIPACOqsaqWETIf013sxCORAmqg3x
bNEm3R0EJl3pO8Hdd2kTzIjRHgLn9LEKTIQU4+IYj0jOqXsMYjalFIL2RFC2lzI=
=vgDt
-----END PGP SIGNATURE-----

[Attachment: xsa72.patch (base64-encoded content not reproduced on this page)]

Copyright 2014, SecurityGlobal.net LLC