SecurityTracker.com
Category:   Application (Generic)  >   Xen
Vendors:   XenSource
Xen IRQ Setup Use-After-Free Lets Local Guest Users Gain Elevated Privileges on the Host System
SecurityTracker Alert ID:  1029679
SecurityTracker URL:  http://securitytracker.com/id/1029679
CVE Reference:   CVE-2014-1642
Date:  Jan 23 2014
Impact:   Execution of arbitrary code via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.2.x, 4.3.x
Description:   A vulnerability was reported in Xen. A local administrative user on a guest system can corrupt hypervisor memory and potentially obtain elevated privileges on the host system.

When the hypervisor sets up the IRQ for a physical device that has been passed through to a guest, a flaw in the error handling can cause a memory allocation to be used after it has been freed and then freed a second time. A malicious guest administrator can trigger this path; the resulting hypervisor memory corruption can lead to a host-wide denial of service or, potentially, to execution of arbitrary code on the hypervisor.

Only systems using device passthrough are affected.

Only systems with a 64-bit hypervisor configured to support more than 128 CPUs or with a 32-bit hypervisor configured to support more than 64 CPUs are affected.

The vulnerability was detected using Coverity Scan.
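The two conditions above (an error-handling slip around an allocation made during IRQ setup, and a dependence on the build's CPU limit) fit together once one recalls that Xen's cpumask_var_t is an inline array unless NR_CPUS > 2 * BITS_PER_LONG, i.e. more than 128 CPUs on a 64-bit build or 64 on a 32-bit build; only in that case does alloc_cpumask_var() hand out a heap object that can be freed twice. The C program below is an added example written for this page, not code from the advisory or from Xen. It models that shape with hypothetical names (map_pirq_vulnerable, map_pirq_fixed, irq_desc and its fields, NR_CPUS defaulting to 256) and an instrumented allocator that counts the double free and the use-after-free instead of handing freed memory back to libc, beside the usual fix: give the mask a single owner that releases it once and clears the pointer. Which Xen function actually contained the bug is not stated in the advisory and is not claimed here.

```c
/* Added illustration for this advisory, not Xen's code: map_pirq_*, irq_desc and
 * its fields are hypothetical.  It models the shape the advisory describes (a CPU
 * mask released by the failing setup step, touched again, then released a second
 * time by the caller's generic teardown) and why only large-NR_CPUS builds are
 * affected: Xen's cpumask_var_t is an inline array unless NR_CPUS > 2 *
 * BITS_PER_LONG, so only then is there a heap object that can be freed twice. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifndef NR_CPUS
#define NR_CPUS 256                   /* assumption: a 64-bit build for >128 CPUs */
#endif
#define BITS_PER_LONG (__SIZEOF_LONG__ * 8)
#define MASK_LONGS ((NR_CPUS + BITS_PER_LONG - 1) / BITS_PER_LONG)
typedef struct { unsigned long bits[MASK_LONGS]; } cpumask_t;
static int double_frees, uses_after_free;   /* the model counts faults, never UB */

#if NR_CPUS > 2 * BITS_PER_LONG
typedef struct { cpumask_t m; int live; } *cpumask_var_t;
int cpumask_is_heap_allocated(void) { return 1; }
static int alloc_cpumask_var(cpumask_var_t *p)
{ if (!(*p = calloc(1, sizeof **p))) return 0; (*p)->live = 1; return 1; }
static void free_cpumask_var(cpumask_var_t p)
{
    if (p && !p->live) double_frees++;          /* released twice */
    else if (p) p->live = 0;       /* block is kept so a later touch is observable */
}
static void cpumask_set_cpu(int cpu, cpumask_var_t p)
{
    if (!p->live) uses_after_free++;            /* touched after release */
    p->m.bits[cpu / BITS_PER_LONG] |= 1UL << (cpu % BITS_PER_LONG);
}
#else                                /* small builds: inline mask, nothing to free */
typedef cpumask_t cpumask_var_t[1];
int cpumask_is_heap_allocated(void) { return 0; }
static int alloc_cpumask_var(cpumask_var_t *p) { memset(*p, 0, sizeof **p); return 1; }
static void free_cpumask_var(cpumask_var_t p) { (void)p; }
static void cpumask_set_cpu(int cpu, cpumask_var_t p)
{ p->bits[cpu / BITS_PER_LONG] |= 1UL << (cpu % BITS_PER_LONG); }
#endif

struct irq_desc { cpumask_var_t affinity; int bound; };

/* Vulnerable shape: the failing step releases the mask itself, keeps using it, and
 * leaves the stale pointer in the descriptor for the generic teardown to release. */
static int map_pirq_vulnerable(struct irq_desc *d, int bind_fails)
{
    int ret = 0;
    if (!alloc_cpumask_var(&d->affinity)) return -ENOMEM;
    cpumask_set_cpu(0, d->affinity);
    if (bind_fails) {
        free_cpumask_var(d->affinity);          /* first release */
        cpumask_set_cpu(1, d->affinity);        /* use after free */
        ret = -EBUSY;
    } else
        d->bound = 1;
    if (ret) { free_cpumask_var(d->affinity); d->bound = 0; }   /* second release */
    return ret;
}
/* Fixed shape: the failing step only reports the error; one teardown owns the
 * mask, releases it once and drops the pointer, so repeating it is a no-op. */
static void teardown_fixed(struct irq_desc *d)
{
    free_cpumask_var(d->affinity);
#if NR_CPUS > 2 * BITS_PER_LONG
    d->affinity = NULL;
#endif
    d->bound = 0;
}
static int map_pirq_fixed(struct irq_desc *d, int bind_fails)
{
    int ret = 0;
    if (!alloc_cpumask_var(&d->affinity)) return -ENOMEM;
    cpumask_set_cpu(0, d->affinity);
    if (bind_fails) ret = -EBUSY;               /* not this step's object to free */
    else d->bound = 1;
    if (ret) teardown_fixed(d);
    return ret;
}
/* Drive one failing mapping through a path; the accessors report what was seen. */
static void run_failing_map(int (*path)(struct irq_desc *, int))
{
    struct irq_desc d;
    memset(&d, 0, sizeof d);
    double_frees = uses_after_free = 0;
    path(&d, 1);
}
int vulnerable_double_frees(void) { run_failing_map(map_pirq_vulnerable); return double_frees; }
int vulnerable_uses_after_free(void) { run_failing_map(map_pirq_vulnerable); return uses_after_free; }
int fixed_double_frees(void) { run_failing_map(map_pirq_fixed); return double_frees; }
int fixed_uses_after_free(void) { run_failing_map(map_pirq_fixed); return uses_after_free; }
int main(void)
{
    printf("NR_CPUS=%d heap cpumask=%d\n", NR_CPUS, cpumask_is_heap_allocated());
    printf("vulnerable: %d double free, %d use after free\n",
           vulnerable_double_frees(), vulnerable_uses_after_free());
    printf("fixed:      %d double free, %d use after free\n",
           fixed_double_frees(), fixed_uses_after_free());
    return 0;
}
```

Built as-is (NR_CPUS 256) the vulnerable path reports one double free and one use after free and the fixed path none. Building the same file with -DNR_CPUS=64 selects the inline mask: nothing is ever allocated, both paths report zero, and cpumask_is_heap_allocated() returns 0, which is the advisory's "only systems configured for more than 128 (64-bit) or 64 (32-bit) CPUs" condition in miniature. The fix worth copying is the ownership rule, not the NULL assignment on its own: an error path must not release an object that a later, generic cleanup will also release.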

Impact:   A local user on the guest system can obtain elevated privileges on the target host system.
Solution:   The vendor has issued a fix (xsa83.patch, SHA-256 71ba62c024ed867f99f335ed63d7e04a7981d348cc29a3718e5c48f15a1e0fb1) for Xen 4.2.x, 4.3.x and xen-unstable. Until the patch is applied, the vendor's mitigation is not to assign PCI devices to untrusted guests on systems supporting Intel VT-d or AMD-Vi.
Vendor URL:  www.xen.org/
Cause:   Use-after-free / double free in error handling (memory corruption)
Underlying OS:   Linux (Any)

Message History:   None.


 Source Message Contents

Date:  Thu, 23 Jan 2014 14:27:20 +0000
Subject:  [oss-security] Xen Security Advisory 83 (CVE-2014-1642) - Out-of-memory condition yielding memory corruption during IRQ setup


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

               Xen Security Advisory CVE-2014-1642 / XSA-83
                              version 3

       Out-of-memory condition yielding memory corruption during IRQ setup

UPDATES IN VERSION 3
====================

CVE assigned.

ISSUE DESCRIPTION
=================

When setting up the IRQ for a passed through physical device, a flaw
in the error handling could result in a memory allocation being used
after it is freed, and then freed a second time.  This would typically
result in memory corruption.

IMPACT
======

Malicious guest administrators can trigger a use-after-free error, resulting
in hypervisor memory corruption.  The effects of memory corruption could be
anything, including a host-wide denial of service, or privilege escalation.

VULNERABLE SYSTEMS
==================

Xen 4.2.x and later are vulnerable.
Xen 4.1.x and earlier are not vulnerable.

Only systems making use of device passthrough are vulnerable.

Only systems with a 64-bit hypervisor configured to support more than 128
CPUs or with a 32-bit hypervisor configured to support more than 64 CPUs are
vulnerable.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices to untrusted guests on
systems supporting Intel VT-d or AMD Vi.

CREDITS
=======

This issue was discovered by Coverity Scan, prompted by modelling
improvements contributed by Andrew Cooper.  The issue was diagnosed
by Matthew Daley and Andrew Cooper.  The patch was prepared by Andrew
Cooper.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa83.patch                 Xen 4.2.x, Xen 4.3.x, xen-unstable

$ sha256sum xsa83*.patch
71ba62c024ed867f99f335ed63d7e04a7981d348cc29a3718e5c48f15a1e0fb1  xsa83.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJS4SaHAAoJEIP+FMlX6CvZ4GEH/1iRjPPj+FedKNsROJ4XZDYQ
rhu5evDxGjFKC1YD5aDexDPMKYn1lLtOy2YnsW4nqPJdHCpBpPIhzTFisaNUqMzE
XQwQwBSVYhxZAV2J9v3e7nsz0wswVdAHkbFf2df1eUvmiGsKQPHuCqlCZEbQjW/w
7F9MC2Qo9nlg/1GtNE5J4U4jB9EtEhI5Kbvh3WFoOLz7vtJDKlsYQlcTZLJVdDjN
OFoptImqig7Yin0/ix4AKYt5+trnkpvKjR3dfIeM3WUxG3Nc4qKxy5C5cbVfgKnr
/sidbCO4K4G56fvl3aBg49594x8aFh8MYZF42CDCEnojXCaiXidwBiWUV9KHN5g=
=5A46
-----END PGP SIGNATURE-----

Copyright 2014, SecurityGlobal.net LLC