SecurityTracker.com
SecurityTracker Archives

Category: Application (Generic) > Xen
Vendors: XenSource

Xen PHYSDEVOP_map_pirq() Index Validation Flaw Lets Local Guest Operating Systems Cause Denial of Service Conditions on the Host Operating System

SecurityTracker Alert ID: 1027483
SecurityTracker URL: http://securitytracker.com/id/1027483
CVE Reference: CVE-2012-3498
Date: Sep 5 2012
Impact: Denial of service via local system, Disclosure of system information, Disclosure of user information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 4.1, 4.2 RCs
Description: A vulnerability was reported in Xen. A local user on the guest operating system can cause denial of service conditions on the host operating system.

A local user on the guest operating system can exploit a flaw in PHYSDEVOP_map_pirq() to cause the target host operating system to crash.

A local user on the guest operating system may also be able to read hypervisor or guest operating system memory contents.

Systems running HVM guests are affected. Systems running PV guests are not affected.

Matthew Daley reported this vulnerability.

Impact: A local user on the guest operating system can cause the target host operating system to crash.

A local user on the guest operating system may also be able to read hypervisor or guest operating system memory contents.

Solution: The vendor has issued a fix (xsa16-unstable.patch, xsa16-xen-4.1.patch).

The vendor's advisory is available at:

http://wiki.xen.org/wiki/Security_Announcements#XSA-16_PHYSDEVOP_map_pirq_index_vulnerability

Vendor URL: wiki.xen.org/wiki/Security_Announcements#XSA-16_PHYSDEVOP_map_pirq_index_vulnerability
Cause: Input validation error
Underlying OS: Linux (Any)

Message History: This archive entry has one or more follow-up message(s) listed below.

Sep 6 2012 (Citrix Issues Fix for XenServer) Xen PHYSDEVOP_map_pirq() Index Validation Flaw Lets Local Guest Operating Systems Cause Denial of Service Conditions on the Host Operating System
Citrix has issued a hotfix for Citrix XenServer.

Oct 2 2012 (Citrix Issues Fix for NetScaler SDX) Xen PHYSDEVOP_map_pirq() Index Validation Flaw Lets Local Guest Operating Systems Cause Denial of Service Conditions on the Host Operating System
Citrix has issued a fix for Citrix NetScaler SDX.


Source Message Contents

Date: Wed, 05 Sep 2012 11:12:43 +0000
Subject: [oss-security] Xen Security Advisory 16 (CVE-2012-3498) - PHYSDEVOP_map_pirq index vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2012-3498 / XSA-16
                             version 3

               PHYSDEVOP_map_pirq index vulnerability

UPDATES IN VERSION 3
====================

Public release.  Credit Matthew Daley.

ISSUE DESCRIPTION
=================

PHYSDEVOP_map_pirq with MAP_PIRQ_TYPE_GSI does not range check
map->index.
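The defect described above, a guest-controlled index used without a range check, shown as an added illustration in C. This is not Xen's source and not the XSA-16 patch: the table `gsi_table`, its size `NR_GSI`, `struct map_pirq_arg`, the wrapper `try_map_checked` and the numeric value given to `MAP_PIRQ_TYPE_GSI` are all assumptions made for this example. A constructed hypercall-style handler indexes a fixed-size GSI table first without the check and then with the range check that a fix for this class of bug adds.

```c
/* Added illustration, not Xen's source or the XSA-16 patch: a simplified
 * hypercall-style handler that maps a guest-supplied index onto a fixed-size
 * table of GSI descriptors. gsi_table, NR_GSI, struct map_pirq_arg and the
 * numeric value of MAP_PIRQ_TYPE_GSI are assumptions made for this example. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define NR_GSI 16             /* constructed table size */
#define MAP_PIRQ_TYPE_GSI 0   /* value assumed for this example */

struct gsi_desc {
    int in_use;
    int pirq;                 /* pirq bound to this GSI once mapped */
};

/* Request block as the guest would pass it; index is guest-controlled. */
struct map_pirq_arg {
    int type;
    int index;                /* untrusted: guest-chosen GSI number */
    int pirq;                 /* out: pirq assigned by the handler */
};

struct gsi_desc gsi_table[NR_GSI];

/* Vulnerable pattern: map->index is used as an array index without a range
 * check, so a guest-chosen value outside [0, NR_GSI) reaches memory beyond
 * the table (the class of defect XSA-16 describes). Kept only for contrast;
 * it is never called here with an out-of-range index. */
int map_pirq_unchecked(struct map_pirq_arg *map)
{
    struct gsi_desc *d;

    if (map->type != MAP_PIRQ_TYPE_GSI)
        return -EINVAL;
    d = &gsi_table[map->index];        /* no bounds check on map->index */
    if (d->in_use)
        return -EBUSY;
    d->in_use = 1;
    d->pirq = map->index;
    map->pirq = d->pirq;
    return 0;
}

/* Hardened form: validate the index before touching the table. Comparing as
 * unsigned makes a negative index fall out of range as well. */
int map_pirq_checked(struct map_pirq_arg *map)
{
    struct gsi_desc *d;

    if (map->type != MAP_PIRQ_TYPE_GSI)
        return -EINVAL;
    if ((unsigned int)map->index >= NR_GSI)
        return -EINVAL;                /* reject before any table access */
    d = &gsi_table[map->index];
    if (d->in_use)
        return -EBUSY;
    d->in_use = 1;
    d->pirq = map->index;
    map->pirq = d->pirq;
    return 0;
}

/* Clear all mappings (demo/test helper). */
void reset_gsi_table(void)
{
    memset(gsi_table, 0, sizeof(gsi_table));
}

/* Convenience wrapper: build a request for (type, index) and run the
 * hardened handler, returning its status code. */
int try_map_checked(int type, int index)
{
    struct map_pirq_arg map = { type, index, -1 };
    return map_pirq_checked(&map);
}

int main(void)
{
    reset_gsi_table();
    printf("in range (3):    %d\n", try_map_checked(MAP_PIRQ_TYPE_GSI, 3));
    printf("same GSI again:  %d\n", try_map_checked(MAP_PIRQ_TYPE_GSI, 3));
    printf("too large (%d):  %d\n", NR_GSI, try_map_checked(MAP_PIRQ_TYPE_GSI, NR_GSI));
    printf("negative (-1):   %d\n", try_map_checked(MAP_PIRQ_TYPE_GSI, -1));
    printf("wrong type:      %d\n", try_map_checked(MAP_PIRQ_TYPE_GSI + 1, 3));
    return 0;
}
```

The two handlers differ in one line. The check must run before any dereference of the table entry, and the unsigned comparison is what closes the negative-index case: a signed `index < NR_GSI` test alone would still let `-1` through. For a real system the fix is the vendor's attached patch, not this sketch.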

IMPACT
======

A malicious HVM guest kernel can crash the host.  It might also be
able to read hypervisor or guest memory.

VULNERABLE SYSTEMS
==================

All Xen systems running HVM guests.  PV guests are not vulnerable.

The vulnerability dates back to Xen 4.1.  Xen 4.0 is not vulnerable.
4.1, the 4.2 RCs, and xen-unstable.hg are vulnerable.

MITIGATION
==========

This issue can be mitigated by ensuring that the guest kernel is
trustworthy, or by running only PV guests.

RESOLUTION
==========

Applying the appropriate attached patch will resolve the issue.

CREDIT
======

Thanks to Matthew Daley for finding this vulnerability (and that in
XSA-12) and notifying the Xen.org security team.

PATCH INFORMATION
=================

The attached patches resolve this issue.

  Xen unstable                                  xsa16-unstable.patch
  Xen 4.1, 4.1.x                                xsa16-xen-4.1.patch

$ sha256sum xsa16-*.patch
f8db42898620112c8e77bf116645d650b3671d4ccc49adcad09c7b4591d55cab  xsa16-unstable.patch
4b76d554b23977443209e45d3a2404d63695eb3020ff87a8e16e5e25cbddff31  xsa16-xen-4.1.patch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJQRyVFAAoJEIP+FMlX6CvZkqkH/2k5sdGWVThawtjkpTfx8L3T
d0QnlJYstbvGxNkRvaafj32jApGkHWwr/Rd4w1MPxXXJOU6bmXjKKXAugVj0wl5Z
PZeVtek46S3sSNCavLH7kL1SVZoCikEH2+kv9edGhKOXxO3C+8FkM+HvoZU7tQco
ppUhEfINP9WidXlWSEmK2nhZdvrLW7KeqHTQmwx6AC1mUE0YdaF2oTZRPyOgRwIx
quYJ3hLiQiQD3eUV56iqNO19/D4jpPibBG33yurdzahRivuLTb7XD+QfKfEDZ1WC
SVqIRJha84QBjHLTtPIgmjyF8ysUXnPLol1NTxpIBFX98OCw9Ery0Zic/poFjcc=
=7hrh
-----END PGP SIGNATURE-----

Copyright 2014, SecurityGlobal.net LLC