SecurityTracker.com
Category:   Application (Generic)  >   Xen
Vendors:   XenSource
Xen Event Channel Tracking Pointer Bug Local Privilege Escalation
SecurityTracker Alert ID:  1028388
SecurityTracker URL:  http://securitytracker.com/id/1028388
CVE Reference:   CVE-2013-1920
Date:  Apr 4 2013
Impact:   Execution of arbitrary code via local system, Root access via local system, User access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 3.2 and later
Description:   A vulnerability was reported in Xen. A local user on the guest operating system can obtain elevated privileges on the target host system.

A local user with kernel-level privileges on the guest operating system can exploit a memory pointer error to execute arbitrary code on the target host system. The error can be triggered when the hypervisor is under memory pressure and Xen Security Module (XSM) is enabled.

The vulnerability resides in the processing of operations when extending the per-domain event channel tracking table.

Impact:   A local user on the guest operating system can obtain elevated privileges on the target host system.
Solution:   The vendor has issued a fix (xsa47-4.1.patch, xsa47-4.2-unstable.patch).
Vendor URL:  www.xen.org/
Cause:   Access control error
Underlying OS:   Linux (Any)

Message History:   None.
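
Added example (not Xen source and not part of the alert or the vendor advisory): a simplified C model of the ordering problem described on this page, where a table slot keeps a pointer to a bucket that an error path has already freed. The names extend_table, label_alloc, label_budget and the bucket layout are assumptions made for illustration; the "fixed" ordering shows one corrected sequence, not the contents of the vendor patch.

```c
#include <stdio.h>
#include <stdlib.h>
#define PER_BUCKET 8                    /* channels per bucket (constructed) */

struct chan   { void *label; };         /* per-channel security label */
struct domain { struct chan *bucket[4]; };
static int label_budget;                /* simulates memory pressure */

/* Hypothetical stand-in for a fallible per-channel label allocation. */
static int label_alloc(struct chan *c)
{
    if (label_budget-- <= 0) return -1;
    return (c->label = malloc(1)) ? 0 : -1;
}

static void bucket_free(struct chan *b)
{
    for (int i = 0; i < PER_BUCKET; i++) free(b[i].label);
    free(b);
}

/* fixed == 0: the bucket is published before the fallible loop, and the
 * error path frees it without clearing the slot (the ordering bug).
 * fixed == 1: the bucket is published only after every step succeeded. */
static int extend_table(struct domain *d, int slot, int fixed)
{
    struct chan *b = calloc(PER_BUCKET, sizeof(*b));
    if (!b) return -1;
    if (!fixed) d->bucket[slot] = b;
    for (int i = 0; i < PER_BUCKET; i++)
        if (label_alloc(&b[i])) { bucket_free(b); return -1; }
    if (fixed) d->bucket[slot] = b;
    return 0;
}

/* Returns 1 if a failed extension left the slot non-NULL. The slot is only
 * compared against NULL; the stale pointer is never dereferenced. */
static int stale_after_failure(int fixed, int budget)
{
    struct domain d = {{0}};
    label_budget = budget;
    int rc = extend_table(&d, 0, fixed);
    if (rc == 0) bucket_free(d.bucket[0]);
    return rc != 0 && d.bucket[0] != NULL;
}

int main(void)
{
    printf("wrong order: stale=%d\n", stale_after_failure(0, 3));
    printf("fixed order: stale=%d\n", stale_after_failure(1, 3));
    return 0;
}
```

The failure only appears when label_alloc fails partway through, which is why the model needs the label_budget knob: it mirrors the page's two preconditions, memory pressure and an active security module performing per-channel allocations.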


 Source Message Contents

Date:  Thu, 04 Apr 2013 17:57:19 +0000
Subject:  [oss-security] Xen Security Advisory 47 (CVE-2013-1920) - Potential use of freed memory in event channel operations

             Xen Security Advisory CVE-2013-1920 / XSA-47

        Potential use of freed memory in event channel operations

ISSUE DESCRIPTION
=================

Wrong ordering of operations upon extending the per-domain event
channel tracking table can cause a pointer to freed memory to be left
in place, when the hypervisor is under memory pressure and XSM (Xen
Security Module) is enabled.

IMPACT
======

Malicious guest kernels could inject arbitrary events or corrupt other
hypervisor state, possibly leading to code execution.

VULNERABLE SYSTEMS
==================

All Xen versions from 3.2 onwards are vulnerable when making use of
XSM.  Configurations without XSM or with a dummy module are not
affected.

MITIGATION
==========

Running without XSM (which is the default) will avoid this
vulnerability, albeit doing so will likely lower overall security of
systems that would otherwise have XSM enabled.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa47-4.1.patch             Xen 4.1.x
xsa47-4.2-unstable.patch    Xen 4.2.x and xen-unstable

$ sha256sum xsa47*.patch
e49a03e0693de07ec1418eb16191854458e72088febd6948ea5bc1f900a1853a  xsa47-4.1.patch
c29b59492f9d7e3f74bfc41877a2c5cff70436d3738fd91066f396f969aab0a7  xsa47-4.2-unstable.patch
$

Copyright 2014, SecurityGlobal.net LLC