SecurityTracker.com
Category:   Application (Generic)  >   Xen
Vendors:   XenSource
Xen PHYSDEVOP_{prepare,release}_msix Access Control Flaw Lets Local Guest Users Deny Service on the Host
SecurityTracker Alert ID:  1029684
SecurityTracker URL:  http://securitytracker.com/id/1029684
CVE Reference:   CVE-2014-1666
Date:  Jan 25 2014
Impact:   Denial of service via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 4.1.5, 4.1.6.1, 4.2.x, 4.3.x
Description:   A vulnerability was reported in Xen. A local guest user can cause denial of service conditions on the host.

A local user on a guest operating system can invoke the PHYSDEVOP_{prepare,release}_msix operations, which are missing a privilege check, to cause denial of service conditions on other guests or on the host system.

Only PV guests are affected.

Impact:   A local user can cause denial of service conditions on the target system.
Solution:   The vendor has issued a fix (xsa87-4.1.patch, xsa87-4.2.patch, xsa87-unstable-4.3.patch).
Vendor URL:  www.xen.org/
Cause:   Access control error
Underlying OS:   Linux (Any)

Message History:   None.


 Source Message Contents

Date:  Fri, 24 Jan 2014 15:38:18 +0000
Subject:  [oss-security] Xen Security Advisory 87 (CVE-2014-1666) - PHYSDEVOP_{prepare,release}_msix exposed to unprivileged guests

             Xen Security Advisory CVE-2014-1666 / XSA-87
                              version 2

     PHYSDEVOP_{prepare,release}_msix exposed to unprivileged guests

UPDATES IN VERSION 2
====================

CVE assigned.

ISSUE DESCRIPTION
=================

The PHYSDEVOP_{prepare,release}_msix operations are supposed to be available
to privileged guests (domain 0 in non-disaggregated setups) only, but the
necessary privilege check was missing.

IMPACT
======

Malicious or misbehaving unprivileged guests can cause the host or other
guests to malfunction. This can result in host-wide denial of service.
Privilege escalation, while seeming to be unlikely, cannot be excluded.

VULNERABLE SYSTEMS
==================

Xen 4.1.5 and 4.1.6.1 as well as 4.2.2 and later are vulnerable.
Xen 4.2.1 and 4.2.0 as well as 4.1.4 and earlier are not vulnerable.

Only PV guests can take advantage of this vulnerability.

MITIGATION
==========

Running only HVM guests will avoid this issue.

There is no mitigation available for PV guests.

NOTE REGARDING LACK OF EMBARGO
==============================

This issue was disclosed publicly on the xen-devel mailing list.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa87-unstable-4.3.patch    xen-unstable, Xen 4.3.x
xsa87-4.2.patch             Xen 4.2.x
xsa87-4.1.patch             Xen 4.1.x

$ sha256sum xsa87*.patch
45e5cc892626293067cc088a671a6bbdc18b018f54ff09b6a1cbb1fabbdf114d  xsa87-4.1.patch
df9c1507d7bb0e5266a2fadd992d1e6ed0f7bf5be7466b8a93ed3bd8e3ab8e8d  xsa87-4.2.patch
a13ce270b177d33537d627b85471abaa01215cd458541f4c6524914d7c81eb38  xsa87-unstable-4.3.patch
$
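The missing-check pattern described in the advisory, shown as an added example: this is a simplified model written for this page, not Xen source code and not the XSA-87 patch. Only the two operation names come from the advisory; struct domain, host_msix_state, both dispatchers, ops_reachable_by_guest and the numeric op values are assumptions.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
/* Simplified model, not Xen source; numeric values and structs are constructed. */
enum { PHYSDEVOP_prepare_msix = 1, PHYSDEVOP_release_msix = 2 };
struct domain { int id; bool privileged; };  /* hypothetical guest descriptor */
static int host_msix_state;  /* stand-in for host-wide device state */

/* The operation body trusts that its caller was already authorized. */
static int msix_op(int cmd)
{
    host_msix_state += (cmd == PHYSDEVOP_prepare_msix) ? 1 : -1;
    return 0;
}

/* Before: the request is routed without checking who sent it. */
int dispatch_unchecked(const struct domain *d, int cmd)
{
    (void)d;
    if (cmd != PHYSDEVOP_prepare_msix && cmd != PHYSDEVOP_release_msix)
        return -ENOSYS;
    return msix_op(cmd);
}

/* After: privilege is checked before any state is touched. */
int dispatch_checked(const struct domain *d, int cmd)
{
    if (cmd != PHYSDEVOP_prepare_msix && cmd != PHYSDEVOP_release_msix)
        return -ENOSYS;
    return d->privileged ? msix_op(cmd) : -EPERM;
}

/* Regression check: count privileged ops an unprivileged guest can reach. */
int ops_reachable_by_guest(int (*dispatch)(const struct domain *, int))
{
    const int ops[] = { PHYSDEVOP_prepare_msix, PHYSDEVOP_release_msix };
    const struct domain guest = { 7, false };
    int reachable = 0;
    for (size_t i = 0; i < sizeof ops / sizeof ops[0]; i++)
        reachable += dispatch(&guest, ops[i]) != -EPERM;
    return reachable;
}

int main(void)
{
    printf("unchecked: %d\n", ops_reachable_by_guest(dispatch_unchecked));
    printf("checked:   %d\n", ops_reachable_by_guest(dispatch_checked));
    return 0;
}
```

A per-operation check like ops_reachable_by_guest, run against every operation meant for the control domain only, is the kind of regression test that catches a dropped privilege check before release.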
 
 


Copyright 2014, SecurityGlobal.net LLC