SecurityTracker.com
Category:   Application (Generic)  >   Xen
Vendors:   XenSource
Xen Timer Overflow Lets Local Guest Administrative Users Deny Service on the Host System
SecurityTracker Alert ID:  1027759
SecurityTracker URL:  http://securitytracker.com/id/1027759
CVE Reference:   CVE-2012-4535
Date:  Nov 14 2012
Impact:   Denial of service via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 3.4 and later
Description:   A vulnerability was reported in Xen. A local administrative user on the guest operating system can cause denial of service conditions on the target host system.

A local user with administrative privileges on the guest operating system can set a specially crafted VCPU timer value to cause the target system physical CPU to enter an infinite loop.

On systems where the Xen watchdog is enabled, the target system will crash.

Impact:   A local guest administrative user can cause the target host system to hang.
Solution:   The vendor has issued a fix (xsa20.patch).
Vendor URL:  xen.org/
Cause:   State error
Underlying OS:   Linux (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Nov 14 2012 (Citrix Issues Fix for XenServer) Xen Timer Overflow Lets Local Guest Administrative Users Deny Service on the Host System
Citrix has issued a fix for Citrix XenServer.



 Source Message Contents

Date:  Tue, 13 Nov 2012 12:56:06 +0000
Subject:  [oss-security] Xen Security Advisory 20 (CVE-2012-4535) - Timer overflow DoS vulnerability


                 Xen Security Advisory CVE-2012-4535 / XSA-20
                                version 2

                       Timer overflow DoS vulnerability

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

A guest which sets a VCPU with an inappropriate deadline can cause an
infinite loop in Xen, blocking the affected physical CPU
indefinitely.

IMPACT
======

A malicious guest administrator can trigger the bug.  If the Xen
watchdog is enabled, the whole system will crash.  Otherwise the guest
can cause the system to become completely unresponsive.

VULNERABLE SYSTEMS
==================

All versions of Xen from at least 3.4 onwards are vulnerable, to every
kind of guest.

Systems with only trusted guest kernels are not vulnerable.

MITIGATION
==========

There is no mitigation available other than to use a trusted guest
kernel.

RESOLUTION
==========

The attached patch resolves this issue.  The same patch is applicable
to all affected versions.

$ sha256sum xsa20.patch
954f43a3b912d551b6534d3962d0bab3db820222a3bff211b545e526f9161c71  xsa20.patch
$
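An added example, not part of the advisory or of the Xen project's tooling: a shell function that extracts the `sha256sum` lines from a saved copy of the advisory text and checks the downloaded patch against them before it is applied, failing closed when no digest line is found or a listed file is missing. The function name, exit codes and file-name whitelist are assumptions of this example, and a `sha256sum` that accepts `-c` (GNU coreutils) is assumed.

```shell
#!/bin/sh
# Added example (not from the advisory): check patch files against the
# digests printed in an advisory's "$ sha256sum <file>" listing.
#
# Usage: verify_advisory_patches ADVISORY_TEXT PATCH_DIR
# Exit status: 0 all listed files match, 1 mismatch or missing file,
#              2 no digest line found in the advisory text.
#
# The digest is only as trustworthy as the advisory text it was read from,
# so authenticate the advisory itself before relying on this check.
verify_advisory_patches() {
    advisory=$1
    dir=$2

    # Digest lines have the form: <64 hex chars><two spaces><file name>.
    # Mail copies often carry CRLF line endings, so strip CR first.
    # Only plain file names are accepted: no slashes, no leading dash.
    sums=$(tr -d '\r' < "$advisory" |
           grep -E '^[0-9a-f]{64}  [A-Za-z0-9][A-Za-z0-9._-]*$') || {
        echo "no sha256 digest lines found in $advisory" >&2
        return 2
    }

    # sha256sum -c reads the same "digest  name" format that it prints.
    # A missing or unreadable file is reported as a failure.
    (cd "$dir" && printf '%s\n' "$sums" | sha256sum -c >/dev/null) || {
        echo "digest mismatch or missing file in $dir: do not apply" >&2
        return 1
    }
}

# Run as a script when given both arguments.
if [ "$#" -eq 2 ]; then
    verify_advisory_patches "$1" "$2"
fi
```
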
 
 



Copyright 2014, SecurityGlobal.net LLC