SecurityTracker.com
Category:   Application (Generic)  >   Xen
Vendors:   XenSource
Xen set_debugreg() Hypercall Lets Local Guest Operating Systems Cause Denial of Service Conditions on the Host Operating System
SecurityTracker Alert ID:  1027479
SecurityTracker URL:  http://securitytracker.com/id/1027479
CVE Reference:   CVE-2012-3494
Date:  Sep 5 2012
Impact:   Denial of service via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 4.0, 4.1, 4.2RCs
Description:   A vulnerability was reported in Xen. A local user on the guest operating system can cause denial of service conditions on the host operating system.

A local user on the guest operating system can invoke set_debugreg() and write to reserved bits of the DR7 debug control register on x86 64-bit systems to cause the host operating system to crash.
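
The check at issue, as an added C illustration (not Xen's code and not part of the advisory): on x86-64, DR7 is 64 bits wide and bits 63:32 are reserved and must be written as zero, so a validation mask that covers only the reserved bits of the low 32 bits accepts a 64-bit value with upper bits set. The mask and function names are hypothetical, and the sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* DR7 bits treated as "must be written as zero" in this example
 * (hypothetical names, values follow the x86 DR7 layout):
 *  - bits 11, 12, 14, 15 within the low 32 bits
 *  - bits 63:32 on x86-64, where DR7 is a 64-bit register         */
#define DR7_RSVD_ZERO_LOW32 UINT64_C(0x000000000000d800)
#define DR7_RSVD_ZERO_FULL  (DR7_RSVD_ZERO_LOW32 | UINT64_C(0xffffffff00000000))
#define DR7_RSVD_ONE        UINT64_C(0x0000000000000400) /* bit 10 reads as one */

/* Incomplete check: only the low-half reserved bits are rejected,
 * so a value with any of bits 63:32 set is accepted.              */
int dr7_check_low32_only(uint64_t value)
{
    return (value & DR7_RSVD_ZERO_LOW32) ? -1 : 0;
}

/* Complete check: the whole 64-bit value is validated before it
 * could reach the real register; bit 10 is forced to one.         */
int dr7_check_full(uint64_t value, uint64_t *sanitised)
{
    if (value & DR7_RSVD_ZERO_FULL)
        return -1;
    *sanitised = value | DR7_RSVD_ONE;
    return 0;
}

int main(void)
{
    /* Constructed sample values, not taken from any real guest. */
    const uint64_t samples[] = {
        UINT64_C(0x0000000000000001), /* L0 enable: legitimate       */
        UINT64_C(0x0000000000000800), /* bit 11: reserved, low half  */
        UINT64_C(0x0000000100000001), /* bit 32: reserved, high half */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t out = 0;
        printf("%#018llx low32-only=%d full=%d\n",
               (unsigned long long)samples[i],
               dr7_check_low32_only(samples[i]),
               dr7_check_full(samples[i], &out));
    }
    return 0;
}
```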

Matthew Daley reported this vulnerability.

Impact:   A local user on the guest operating system can cause the target host operating system to crash.
Solution:   The vendor has issued a fix (xsa12-all.patch).

The vendor's advisory is available at:

http://wiki.xen.org/wiki/Security_Announcements#XSA-12_hypercall_set_debugreg_vulnerability

Vendor URL:  wiki.xen.org/wiki/Security_Announcements#XSA-12_hypercall_set_debugreg_vulnerability
Cause:   Access control error
Underlying OS:   Linux (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Sep 6 2012 (Citrix Issues Fix for XenServer) Xen set_debugreg() Hypercall Lets Local Guest Operating Systems Cause Denial of Service Conditions on the Host Operating System
Citrix has issued a hotfix for Citrix XenServer.
Oct 2 2012 (Citrix Issues Fix for NetScaler SDX) Xen set_debugreg() Hypercall Lets Local Guest Operating Systems Cause Denial of Service Conditions on the Host Operating System
Citrix has issued a fix for Citrix NetScaler SDX.



 Source Message Contents

Date:  Wed, 5 Sep 2012 10:38:44 +0100
Subject:  [oss-security] Xen Security Advisory 12 (CVE-2012-3494) - hypercall set_debugreg vulnerability

            Xen Security Advisory CVE-2012-3494 / XSA-12
                             version 3

	      hypercall set_debugreg vulnerability

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

set_debugreg allows writes to reserved bits of the DR7 debug control
register on x86-64.

IMPACT
======

A malicious guest can cause the host to crash, leading to a DoS.

If the vulnerable hypervisor is run on future hardware, the impact of
the vulnerability might be widened depending on the future assignment
of the currently-reserved debug register bits.

VULNERABLE SYSTEMS
==================

All systems running 64-bit paravirtualised guests.

The vulnerability dates back to at least Xen 4.0.  4.0, 4.1, the 4.2
RCs, and xen-unstable.hg are all vulnerable.

MITIGATION
==========

This issue can be mitigated by ensuring (inside the guest) that the
kernel is trustworthy, or by running only 32-bit or HVM guests.

RESOLUTION
==========

Applying the appropriate attached patch will resolve the issue.

PATCH INFORMATION
=================

The attached patch resolves this issue:

 Xen unstable, 4.1 and 4.0		xsa12-all.patch

$ sha256sum xsa12-all.patch
2415ee133e28b1c848c5ae3ce766cc2a67009bad8d026879030a6511b85dbc13  xsa12-all.patch
 
 



Copyright 2014, SecurityGlobal.net LLC