SecurityTracker.com
Category:   Application (Generic)  >   Xen
Vendors:   XenSource
Xen physdev_get_free_pirq() Error Checking Bug Lets Local Guest Users Deny Service on the Host
SecurityTracker Alert ID:  1027480
SecurityTracker URL:  http://securitytracker.com/id/1027480
CVE Reference:   CVE-2012-3495
Updated:  Sep 5 2012
Original Entry Date:  Sep 5 2012
Impact:   Denial of service via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 4.1
Description:   A vulnerability was reported in Xen. A local user on the guest operating system can cause denial of service conditions on the host operating system.

The physdev_get_free_pirq() function does not check whether its call to get_free_pirq() succeeded and, when that call fails, may use the returned error code as an array index. A local user on the guest operating system may be able to cause the target host operating system to crash.

The vendor notes that privilege escalation is unlikely but may be possible.

Matthew Daley reported this vulnerability.

Impact:   A local user on the guest operating system can cause the target host operating system to crash.
Solution:   The vendor has issued a fix (xsa13-xen-4.1.patch).

The vendor's advisory is available at:

http://wiki.xen.org/wiki/Security_Announcements#XSA-13_hypercall_physdev_get_free_pirq_vulnerability

Vendor URL:  wiki.xen.org/wiki/Security_Announcements#XSA-13_hypercall_physdev_get_free_pirq_vulnerability
Cause:   Input validation error
Underlying OS:   Linux (Any)
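
The defect class described above (an allocator's error return reused as an array index without a check), shown as an added example that is not Xen's code and not part of the advisory. `struct dom`, `find_free_slot`, `mark_used`, both `reserve_*` functions and the table size are hypothetical names and constructed values; the out-of-bounds write is counted instead of performed.

```c
#include <errno.h>
#include <stdio.h>

#define NR_SLOTS 4                    /* constructed table size, not Xen's */
struct dom { int used[NR_SLOTS]; };   /* hypothetical per-guest slot table */
static int oob_attempts;   /* writes that would have landed outside the table */

/* Returns a free slot index, or a negative errno when the table is full. */
static int find_free_slot(const struct dom *d)
{
    for (int i = 0; i < NR_SLOTS; i++)
        if (!d->used[i])
            return i;
    return -ENOSPC;
}

/* Stand-in for "used[idx] = 1": records a bad index instead of writing. */
static void mark_used(struct dom *d, int idx)
{
    if (idx < 0 || idx >= NR_SLOTS) { oob_attempts++; return; }
    d->used[idx] = 1;
}

/* Defective pattern: the error code flows straight into the index. */
static int reserve_unchecked(struct dom *d)
{
    int slot = find_free_slot(d);
    mark_used(d, slot);               /* slot may be -ENOSPC here */
    return slot;
}

/* Corrected pattern: fail the request before touching the table. */
static int reserve_checked(struct dom *d)
{
    int slot = find_free_slot(d);
    if (slot < 0)
        return slot;                  /* propagate the error to the caller */
    mark_used(d, slot);
    return slot;
}

int main(void)
{
    struct dom d = { {0} };
    for (int i = 0; i <= NR_SLOTS; i++)
        printf("checked: %d\n", reserve_checked(&d));
    printf("unchecked: %d\n", reserve_unchecked(&d));
    printf("out-of-bounds attempts: %d\n", oob_attempts);
    return 0;
}
```

The failure only appears once the table is exhausted, which matches the advisory's mitigation note about avoiding repeated allocation attempts.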

Message History:   This archive entry has one or more follow-up message(s) listed below.
Sep 6 2012 (Citrix Issues Fix for XenServer) Xen physdev_get_free_pirq() Error Checking Bug Lets Local Guest Users Deny Service on the Host
Citrix has issued a hotfix for Citrix XenServer.
Oct 2 2012 (Citrix Issues Fix for NetScaler SDX) Xen physdev_get_free_pirq() Error Checking Bug Lets Local Guest Users Deny Service on the Host
Citrix has issued a fix for Citrix NetScaler SDX.



 Source Message Contents

Date:  Wed, 5 Sep 2012 11:13:31 +0100
Subject:  [oss-security] Xen Security Advisory 13 (CVE-2012-3495) - hypercall physdev_get_free_pirq vulnerability

            Xen Security Advisory CVE-2012-3495 / XSA-13
                             version 3

           hypercall physdev_get_free_pirq vulnerability

UPDATES IN VERSION 3
====================

Public release.  Credit Matthew Daley.

ISSUE DESCRIPTION
=================

PHYSDEVOP_get_free_pirq does not check that its call to get_free_pirq
succeeded, and if it fails will use the error code as an array index.

IMPACT
======

A malicious guest might be able to cause the host to crash, leading to
a DoS, depending on the exact memory layout.  Privilege escalation is
a theoretical possibility which cannot be ruled out, but is considered
unlikely.

VULNERABLE SYSTEMS
==================

All Xen systems.

Xen 4.1 is vulnerable.  Other versions of Xen are not vulnerable.

MITIGATION
==========

This issue can be mitigated by ensuring (inside the guest) that the
kernel is trustworthy and avoiding situations where something might
repeatedly cause the attempted allocation of a physical irq.

RESOLUTION
==========

Applying the appropriate attached patch will resolve the issue.

CREDIT
======

Thanks to Matthew Daley for finding this vulnerability (and that in
XSA-12) and notifying the Xen.org security team.

PATCH INFORMATION
=================

The attached patches resolve this issue

  Xen 4.1, 4.1.x                           xsa13-xen-4.1.patch

$ sha256sum xsa13-*.patch
ad6e3e40ff56c7c25a94d8d9763d4b49f07802b90b4362ddbe4c86bf285c1239  xsa13-xen-4.1.patch

Copyright 2014, SecurityGlobal.net LLC