Category:   Application (Generic)  >   Xen
Vendors:   XenSource
Xen pirq Range Check Flaw Lets Local Guest Administrative Users Deny Service on the Host Operating System
SecurityTracker Alert ID:  1027760
SecurityTracker URL:  http://securitytracker.com/id/1027760
CVE Reference:   CVE-2012-4536
Date:  Nov 14 2012
Impact:   Denial of service via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.1
Description:   A vulnerability was reported in Xen. A local administrative user on the guest operating system can cause denial of service conditions on the target host system.

A local user with administrative privileges on the guest operating system can supply a specially crafted pirq value to trigger an out-of-bounds array read and cause Xen to crash.

Systems running HVM guests are affected.

Systems running only PV guests are not affected.

Impact:   A local administrative user on the guest operating system can cause Xen to crash.
Solution:   The vendor has issued a fix (xsa21.patch).
Vendor URL:  xen.org/
Cause:   Boundary error
Underlying OS:   Linux (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Nov 14 2012 (Citrix Issues Fix for XenServer) Xen pirq Range Check Flaw Lets Local Guest Administrative Users Deny Service on the Host Operating System
Citrix has issued a fix for Citrix XenServer.



 Source Message Contents

Date:  Tue, 13 Nov 2012 12:56:10 +0000
Subject:  [oss-security] Xen Security Advisory 21 (CVE-2012-4536) - pirq range check DoS vulnerability


                 Xen Security Advisory CVE-2012-4536 / XSA-21
                                version 2

                    pirq range check DoS vulnerability

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

domain_pirq_to_emuirq() uses the guest provided pirq value before
range checking it, and physdev_unmap_pirq uses domain_pirq_to_emuirq
without checking the pirq value either.  Invalid pirq values can cause
Xen to read out of array bounds, usually resulting in a fatal page
fault.

IMPACT
======

A malicious guest administrator can cause Xen to crash.  If the out of
array bounds access does not crash, the arbitrary value read will be
ignored due to later error checking, so there is no privilege
escalation and no exploitable information leak.

VULNERABLE SYSTEMS
==================

Only Xen version 4.1 is vulnerable.  Other released versions, and
xen-unstable, are not vulnerable.

The vulnerability is only exposed to HVM guests.

MITIGATION
==========

Running only PV guests, or ensuring that HVM guests only use trusted
kernels, will avoid this vulnerability.

RESOLUTION
==========

The attached patch resolves this issue.

$ sha256sum xsa21.patch
34c4bef71d0ad08ee7c337c77af47aa77bb19081a13fc13beaff7d4b37b6b35a  xsa21.patch
$
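The ordering problem the advisory describes, a guest-supplied index used before its range check, shown as an added example that is not part of the advisory or of Xen's source. The structure, function names and table size are hypothetical; the block places the read-then-check lookup beside the check-first form and a caller that validates the value itself.

```c
#include <errno.h>
#include <stdio.h>
/* Simplified model of the flaw class; NOT Xen source. Names and sizes are hypothetical. */
#define NR_PIRQS    16      /* constructed per-domain table size */
#define IRQ_UNBOUND (-1)    /* constructed "no mapping" marker */

struct domain_model {
    int nr_pirqs;
    int pirq_to_emuirq[NR_PIRQS];
};

/* Flawed order: index with the guest value first, validate afterwards. */
int lookup_unchecked(const struct domain_model *d, int pirq)
{
    int emuirq = d->pirq_to_emuirq[pirq];   /* out-of-bounds read if pirq is invalid */
    if (pirq < 0 || pirq >= d->nr_pirqs)
        return IRQ_UNBOUND;     /* value discarded, but the read already happened */
    return emuirq;
}

/* Corrected order: reject out-of-range values before touching the array. */
int lookup_checked(const struct domain_model *d, int pirq)
{
    if (pirq < 0 || pirq >= d->nr_pirqs)
        return IRQ_UNBOUND;
    return d->pirq_to_emuirq[pirq];
}

/* Caller modelled on an unmap path: validates pirq itself, so both layers fail closed. */
int unmap_model(struct domain_model *d, int pirq)
{
    if (pirq < 0 || pirq >= d->nr_pirqs)
        return -EINVAL;
    if (lookup_checked(d, pirq) == IRQ_UNBOUND)
        return -ENOENT;
    d->pirq_to_emuirq[pirq] = IRQ_UNBOUND;
    return 0;
}

int main(void)
{
    struct domain_model d = { .nr_pirqs = NR_PIRQS };
    for (int i = 0; i < NR_PIRQS; i++) d.pirq_to_emuirq[i] = IRQ_UNBOUND;
    d.pirq_to_emuirq[3] = 5;    /* constructed mapping: pirq 3 -> emuirq 5 */
    printf("%d %d %d\n", lookup_checked(&d, 3), lookup_checked(&d, 1 << 20), unmap_model(&d, -7));
    return 0;
}
```
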