SecurityTracker.com
Category:   Application (Generic)  >   Xen
Vendors:   XenSource
Xen HVMOP_pagetable_dying() Bug Lets Local Users Deny Service
SecurityTracker Alert ID:  1027762
SecurityTracker URL:  http://securitytracker.com/id/1027762
CVE Reference:   CVE-2012-4538
Date:  Nov 14 2012
Impact:   Denial of service via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 4.0.x, 4.1.x, 4.2.x
Description:   A vulnerability was reported in Xen. A local user can cause denial of service conditions on the target system.

The HVMOP_pagetable_dying() hypercall does not properly check the caller's pagetable state.

Systems running HVM guests on shadow pagetables (not HAP) are affected.

Impact:   A local user can cause the target hypervisor to crash.
Solution:   The vendor has issued a fix (xsa23-4.2-unstable.patch, xsa23-4.0-4.1.patch).
Vendor URL:  xen.org/
Cause:   State error
Underlying OS:   Linux (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Nov 14 2012 (Citrix Issues Fix for XenServer) Xen HVMOP_pagetable_dying() Bug Lets Local Users Deny Service
Citrix has issued a fix for Citrix XenServer.



 Source Message Contents

Date:  Tue, 13 Nov 2012 12:56:16 +0000
Subject:  [oss-security] Xen Security Advisory 23 (CVE-2012-4538) - Unhooking empty PAE entries DoS vulnerability


                 Xen Security Advisory CVE-2012-4538 / XSA-23
                                version 2

                Unhooking empty PAE entries DoS vulnerability

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The HVMOP_pagetable_dying hypercall does not correctly check the
caller's pagetable state, leading to a hypervisor crash.

IMPACT
======

An HVM guest running on shadow pagetables (that is, not HAP) can
cause the hypervisor to crash.

VULNERABLE SYSTEMS
==================

All Xen versions from 4.0 onwards are vulnerable, except that:
 - systems that run only PV guests are not vulnerable
 - systems that run all HVM guests using HAP (which is the default on
   hardware that supports it) are not vulnerable.

MITIGATION
==========

This issue can be avoided by running only PV guests or by running
all HVM guests using hardware-assisted paging (HAP, also called
NPT, RVI and EPT).

Xen will run guests using HAP by default on hardware that
supports it, unless it is disabled by putting 'hap=0' either on
the xen hypervisor command-line or in the VM's configuration.

You can check whether a particular machine supports HAP by looking at
xen's boot messages.  On Xen 4.1, 4.2 and unstable, Xen will print
"HVM: Hardware Assisted Paging (HAP) detected" during boot; on xen 4.0
the message is "HVM: Hardware Assisted Paging detected".

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa23-4.0-4.1.patch         Xen 4.0.x, 4.1.x
xsa23-4.2-unstable.patch    Xen 4.2.x, xen-unstable

$ sha256sum xsa23*.patch
f696d597481595b14ac9577d1dad05fc97da68568f52db74d62f2e3dcb2c7a6e  xsa23-4.0-4.1.patch
70ffea07e58e4a747bf3ec103f656ba2cd0d8986722e6a72023c57d802c65964  xsa23-4.2-unstable.patch
$
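The exposure criteria from the advisory's VULNERABLE SYSTEMS and MITIGATION sections, as an added shell example that is not part of the advisory or of the Xen project's code. It assumes the Xen boot messages have been saved to a file, that guest configs use xm/xl syntax with `builder = "hvm"` for HVM guests, and that the hypervisor command line is passed in as a string; all function names are hypothetical, and only the `hap=0` spelling quoted in the advisory is matched.

```shell
#!/bin/sh
# Added example: classify one guest's XSA-23 exposure using the advisory's criteria.

# Succeeds if the boot log has either HAP banner quoted in the advisory.
host_has_hap() {
    grep -Eq 'HVM: Hardware Assisted Paging( \(HAP\))? detected' "$1"
}

# Succeeds if the guest config is HVM (assumed xm/xl syntax: builder = "hvm").
guest_is_hvm() {
    grep -Eq "^[[:space:]]*builder[[:space:]]*=[[:space:]]*[\"']hvm[\"']" "$1"
}

# Succeeds if the guest config turns HAP off with the advisory's hap=0 spelling.
guest_disables_hap() {
    grep -Eq '^[[:space:]]*hap[[:space:]]*=[[:space:]]*0[[:space:]]*(#.*)?$' "$1"
}

# Succeeds if hap=0 appears as a whole word on the hypervisor command line.
cmdline_disables_hap() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])hap=0([[:space:]]|$)'
}

# usage: xsa23_exposure BOOTLOG GUEST_CFG [XEN_CMDLINE]
# prints: pv | hvm-hap | hvm-shadow   (only hvm-shadow is exposed)
xsa23_exposure() {
    guest_is_hvm "$2" || { echo pv; return 0; }
    if guest_disables_hap "$2" || cmdline_disables_hap "${3:-}" || ! host_has_hap "$1"; then
        echo hvm-shadow
    else
        echo hvm-hap
    fi
}

# Constructed sample inputs (not taken from a real host).
xsa23_demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '(XEN) HVM: Hardware Assisted Paging (HAP) detected' > "$d/boot.log"
    printf '%s\n' 'builder = "hvm"' 'memory = 1024' > "$d/hvm.cfg"
    printf '%s\n' "builder='hvm'" 'hap = 0  # forced shadow' > "$d/shadow.cfg"
    printf '%s\n' 'kernel = "/boot/vmlinuz"' 'memory = 512' > "$d/pv.cfg"
    for cfg in hvm shadow pv; do
        printf '%s: %s\n' "$cfg" "$(xsa23_exposure "$d/boot.log" "$d/$cfg.cfg")"
    done
    rm -rf "$d"
}
xsa23_demo
```

The result is per guest: a host needs the patch or the HAP mitigation if any of its guests classifies as `hvm-shadow`.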
Copyright 2014, SecurityGlobal.net LLC