Category:   Application (Generic)  >   Xen
Vendors:   XenSource
Xen XENMEM_populate_physmap() Input Validation Flaw Lets Local Users on the Guest Operating System Deny Service on the Host
SecurityTracker Alert ID:  1027481
SecurityTracker URL:  http://securitytracker.com/id/1027481
CVE Reference:   CVE-2012-3496
Date:  Sep 5 2012
Impact:   Denial of service via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 4.0, 4.1, 4.2RCs
Description:   A vulnerability was reported in Xen. A local user on the guest operating system can cause denial of service conditions on the host operating system.

A local user on the guest operating system can call the XENMEM_populate_physmap() function with invalid flags (e.g., MEMF_populate_on_demand flag) to cause the target host operating system to crash.

Matthew Daley reported this vulnerability.

Impact:   A local user on the guest operating system can cause the target host operating system to crash.
Solution:   The vendor has issued a fix (xsa14-unstable.patch, xsa14-xen-3.4-and-4.x.patch).

The vendor's advisory is available at:

http://wiki.xen.org/wiki/Security_Announcements#XSA-14_XENMEM_populate_physmap_DoS_vulnerability

Vendor URL:  wiki.xen.org/wiki/Security_Announcements#XSA-14_XENMEM_populate_physmap_DoS_vulnerability
Cause:   Input validation error
Underlying OS:   Linux (Any)
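
The failure mode described above, as an added illustration that is neither Xen source code nor the XSA-14 patch: a simplified C model in which a guest-supplied populate-on-demand flag reaches a domain that has no translating paging mode, first ending in a stand-in for BUG() and then being refused with an error. The struct, the function names and the flag's bit value are assumptions made for this model.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed bit value for this model; not Xen's real flag encoding. */
#define MODEL_MEMF_POPULATE_ON_DEMAND (1u << 0)
#define MODEL_HOST_BUG 1   /* stands in for the hypervisor hitting BUG() */

struct model_domain {
    const char *name;
    bool translating_paging;   /* false models a PV guest, true an HVM guest */
};

/* "Before": guest-supplied flags reach a path that assumes translation. */
int populate_unchecked(const struct model_domain *d, unsigned int memflags)
{
    if (memflags & MODEL_MEMF_POPULATE_ON_DEMAND) {
        if (!d->translating_paging)
            return MODEL_HOST_BUG;   /* assertion on guest-controlled state */
    }
    return 0;
}

/* "After": the same condition is treated as bad input and refused. */
int populate_checked(const struct model_domain *d, unsigned int memflags)
{
    if ((memflags & MODEL_MEMF_POPULATE_ON_DEMAND) && !d->translating_paging)
        return -EINVAL;              /* error to the caller, host keeps running */
    return 0;
}

int main(void)
{
    const struct model_domain doms[] = { { "pv-guest", false },
                                         { "hvm-guest", true } };
    const unsigned int flags[] = { 0, MODEL_MEMF_POPULATE_ON_DEMAND };

    /* Print the outcome of both variants for every domain/flag pairing. */
    for (size_t i = 0; i < 2; i++)
        for (size_t j = 0; j < 2; j++)
            printf("%-9s flags=%u unchecked=%d checked=%d\n", doms[i].name,
                   flags[j], populate_unchecked(&doms[i], flags[j]),
                   populate_checked(&doms[i], flags[j]));
    return 0;
}
```

Only the PV domain with the flag set differs between the two variants, which matches the advisory's statement that systems running only HVM guests are not vulnerable.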

Message History:   This archive entry has one or more follow-up message(s) listed below.
Sep 6 2012 (Citrix Issues Fix for XenServer) Xen XENMEM_populate_physmap() Input Validation Flaw Lets Local Users on the Guest Operating System Deny Service on the Host
Citrix has issued a hotfix for Citrix XenServer.
Oct 2 2012 (Citrix Issues Fix for NetScaler SDX) Xen XENMEM_populate_physmap() Input Validation Flaw Lets Local Users on the Guest Operating System Deny Service on the Host
Citrix has issued a fix for Citrix NetScaler SDX.



 Source Message Contents

Date:  Wed, 05 Sep 2012 10:38:47 +0000
Subject:  [oss-security] Xen Security Advisory 14 (CVE-2012-3496) - XENMEM_populate_physmap DoS vulnerability

            Xen Security Advisory CVE-2012-3496 / XSA-14
                             version 3

           XENMEM_populate_physmap DoS vulnerability

UPDATES IN VERSION 3
====================

Public release.  Credit Matthew Daley.

ISSUE DESCRIPTION
=================

XENMEM_populate_physmap can be called with invalid flags.  By calling
it with MEMF_populate_on_demand flag set, a BUG can be triggered if a
translating paging mode is not being used.

IMPACT
======

A malicious guest kernel can crash the host.

VULNERABLE SYSTEMS
==================

All Xen systems running PV guests.  Systems running only HVM guests
are not vulnerable.

The vulnerability dates back to at least Xen 4.0.  4.0, 4.1, the 4.2
RCs, and xen-unstable.hg are all vulnerable.

MITIGATION
==========

This issue can be mitigated by ensuring that the guest kernel is
trustworthy or by running only HVM guests.

RESOLUTION
==========

Applying the appropriate attached patch will resolve the issue.

CREDIT
======

Thanks to Matthew Daley for finding this vulnerability (and that in
XSA-12) and notifying the Xen.org security team.

PATCH INFORMATION
=================

The attached patches resolve this issue

 xen-unstable                                xsa14-unstable.patch
 Xen 4.1, 4.1.x, 4.0, 4.0.x, 3.4 and 3.4.x   xsa14-xen-3.4-and-4.x.patch

$ sha256sum xsa14-*.patch
7a2e119b114708420c3484ecc338c7a198097f40e0d38854756dfa69c4c859a8  xsa14-unstable.patch
41a1ee1da7e990dc93b75fad0d46b66a2bda472e9aa288c91d1dc5d15d2c2012  xsa14-xen-3.4-and-4.x.patch
Copyright 2014, SecurityGlobal.net LLC