Category:   Application (Generic)  >   Xen
Vendors:   XenSource
Xen Grant Table Hypercall Infinite Loop Lets Local Guest Administrative Users Deny Service
SecurityTracker Alert ID:  1027763
SecurityTracker URL:  http://securitytracker.com/id/1027763
CVE Reference:   CVE-2012-4539
Date:  Nov 14 2012
Impact:   Denial of service via local system
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   A vulnerability was reported in Xen. A local administrative user on the guest operating system can cause denial of service conditions on the target host operating system.

A local user with administrative privileges on the guest operating system can cause an infinite loop in the compat hypercall handler.

On systems with the Xen watchdog enabled, the target system will crash.

Only systems with 32-bit x86 PV guests running on 64-bit Xen hypervisors are affected.

Impact:   A local administrative user on the guest operating system can cause Xen to enter an infinite loop.
Solution:   The vendor has issued a fix (xsa24.patch).
Vendor URL:  xen.org/
Cause:   State error
Underlying OS:   Linux (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Nov 14 2012 (Citrix Issues Fix for XenServer) Xen Grant Table Hypercall Infinite Loop Lets Local Guest Administrative Users Deny Service
Citrix has issued a fix for Citrix XenServer.



 Source Message Contents

Date:  Tue, 13 Nov 2012 12:56:20 +0000
Subject:  [oss-security] Xen Security Advisory 24 (CVE-2012-4539) - Grant table hypercall infinite loop DoS vulnerability

                 Xen Security Advisory CVE-2012-4539 / XSA-24
                                version 2

              Grant table hypercall infinite loop DoS vulnerability

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

Due to inappropriate duplicate use of the same loop control variable,
passing bad arguments to GNTTABOP_get_status_frames can cause an
infinite loop in the compat hypercall handler.

IMPACT
======

A malicious guest administrator can trigger the bug.  If the Xen
watchdog is enabled, the whole system will crash.  Otherwise the guest
can cause the system to become completely unresponsive.

VULNERABLE SYSTEMS
==================

Xen versions 4.0 and onwards are vulnerable.  Earlier released Xen
versions are not vulnerable.

Only 32-bit x86 PV guests, running on 64-bit Xen hypervisors,
introduce the vulnerability.

MITIGATION
==========

Running only 64-bit guests, or (in previous Xen versions) running a
32-bit hypervisor (which supports only 32-bit guests), will avoid this
vulnerability.

Note however that if in a 64-bit Xen system the guest kernel image
file is under the control of the guest administrator, the guest
administrator will normally be able to control whether the guest is
32-bit or 64-bit by supplying a different kernel image.

Running only HVM guests will avoid this vulnerability.

RESOLUTION
==========

The attached patch resolves this issue.  The same patch is applicable
to all affected versions.

$ sha256sum xsa24.patch
2963dff4dbc08aab4278215d74c2cce365972f213453bb7c513d097a838de196  xsa24.patch
$
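The advisory's issue description attributes the hang to two loops sharing one control variable. The C model below is an added illustration of that bug class, not Xen's code and not the contents of xsa24.patch; the function names, the `struct op` layout, the step budget and the sample batch are all assumptions made for the example.

```c
#include <stdio.h>

/* Toy model of the bug class only; not Xen source. All names are hypothetical. */
#define STEP_BUDGET 100000u  /* stands in for the watchdog timeout */

struct op { unsigned int nr_frames; };  /* constructed per-operation argument */

/* Flawed shape: the inner loop reuses the batch index `i`.
 * Returns frames handled, or -1 once the step budget runs out. */
int handle_batch_shared_index(const struct op *ops, unsigned int count)
{
    unsigned int i, steps = 0, frames = 0;

    for (i = 0; i < count; i++) {
        unsigned int nr = ops[i].nr_frames;

        for (i = 0; i < nr; i++)     /* overwrites the batch position */
            frames++;
        if (++steps > STEP_BUDGET)   /* a real handler has no such escape hatch */
            return -1;
    }
    return (int)frames;
}

/* Corrected shape: each loop owns its control variable. */
int handle_batch_own_index(const struct op *ops, unsigned int count)
{
    unsigned int i, j, frames = 0;

    for (i = 0; i < count; i++)
        for (j = 0; j < ops[i].nr_frames; j++)
            frames++;
    return (int)frames;
}

int main(void)
{
    /* Constructed input: every inner loop leaves i == 1, so the batch
     * index bounces between 1 and 2 and never reaches count. */
    const struct op batch[3] = { {1}, {1}, {1} };

    printf("shared index: %d\n", handle_batch_shared_index(batch, 3));
    printf("own index:    %d\n", handle_batch_own_index(batch, 3));
    return 0;
}
```

In this model, whether the shared-index version terminates depends entirely on the caller-supplied `nr_frames` values, which is why a loop bound must never be writable through guest-controlled arguments.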