Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.4066 missing descriptor table limit checking in x86 PV emulation 1 November 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Xen Publisher: Xen Operating System: Xen Impact/Access: Increased Privileges -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2019-18425 Reference: ESB-2019.4056 Original Bulletin: ttp://xenbits.xen.org/xsa/advisory-298.html - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2019-18425 / XSA-298 version 3 missing descriptor table limit checking in x86 PV emulation UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= When emulating certain PV guest operations, descriptor table accesses are performed by the emulating code. Such accesses should respect the guest specified limits, unless otherwise guaranteed to fail in such a case. Without this, emulation of 32-bit guest user mode calls through call gates would allow guest user mode to install and then use descriptors of their choice, as long as the guest kernel did not itself install an LDT. (Most OSes don't install any LDT by default). IMPACT ====== 32-bit PV guest user mode can elevate its privileges to that of the guest kernel. VULNERABLE SYSTEMS ================== Xen versions from at least 3.2 onwards are affected. Only 32-bit PV guest user mode can leverage this vulnerability. HVM, PVH, as well as 64-bit PV guests cannot leverage this vulnerability. Arm systems are unaffected. MITIGATION ========== Running only HVM, PVH, or 64-bit PV guests will avoid this vulnerability. CREDITS ======= This issue was discovered by Andrew Cooper of Citrix. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa298.patch xen-unstable, Xen 4.12.x xsa298-4.11.patch Xen 4.11.x xsa298-4.10.patch Xen 4.10.x xsa298-4.9.patch Xen 4.9.x, Xen 4.8.x, Xen 4.7.x $ sha256sum xsa298* 82c6f626732f99711212155b280270fe2f6683460299b1a6fc3f70b3932970ce xsa298.meta 3f422ad83abb54fe6afed460a5982cf1faa1717e51ab19fbf2375be1b5f8f4a3 xsa298.patch da8d5bad97a46c072dd1715c96401b145cecda14f0303043e6dca313e7ffff0c xsa298-4.9.patch 92dba14b6a208379c2569b9c1c11438da384ec47db2508b4761af30d74a9403d xsa298-4.10.patch d2d8eb5de5601b88f2a6503ecf6bb83207e4b2f17833d61a74fcd185ac7f5a71 xsa298-4.11.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html - -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl2601AMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZk/AH/iLP9TpdOKNoW8fJDuOjlIQHsI0RPtU6KIdSc1a8 nzrcPfwpdP3/89GJQyEHwi5ZZdXAnNcXSK7BC+EEzqznV/VwHRDusCBH0enjUe0z jDpOsxeI5RsuyJnSFojhI2E+y1khjKtVvnbNWbHzBfWMPD9Inc+nw9Q1KWfpSkk6 TTS8OwR9DwNiVXz9Na+BKuIBOVinFd1wA+HBNZKJl3JCz8N0Oa6RHDKFQQKJ4Uy2 KzBdzm5dWr0xP4stQmnYoU7JobGbcvKyMVMwwryS3cffLyhOLuzCWjDO+n7RkoRy xWmGWVeQWAeIzqvvtb104NrHSVwVeFSOsen0cqFLvV82MRw= =tmUK - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXbuJImaOgq3Tt24GAQg+MBAAzVXUncLILBnQGuVDZ/qgXVJe7Dvn5m4D zZ9bjx+8eJ1sxqObNi19xiQTvSE0j+RqQQwxFpiuQXKT2yC/ea9mb6qtOZtOMLhl 9xxo+0NQUxODQdC5z+sl6YjiRYYZVpY1N2QDIOjC/GrfHvGvBASW2Lh9NNElNmNt CrSZvUn0h0JWOE+Gec1ODXT2lQnbXqLH26I5xoTJ37CfI/A72LXxtZbFAL7YEqlq gumDrHAUQC1kR7tk9vdWABQ6SiM5BvCElo1EbqXGP+LLgR8q+0U3qaRh4pyef2Sa aLleJwaXJvz4uzpHxUW+Wd6GBDfhYddtuZa0LS3226uFgd08Sxa2swcQM6EEBsJW Ag22bk3GF+ufdDAjlz7LatpwbC/p+WnZtTVZxN+2e14FZJjgYPiGUDVhIVIUq78z RCJuVrD7/rQYcS52Mw2zIYTXBr1fSq4ViLPu61+P9UNXJ/r9IX0+3KPH5ZsDbcEi pvJE/lxyTN1B0IqobK/QdQRu+6DtELdvbJp2puSenKjTf4YTFddZOABCVe5BZD0G 48sWqz7QkxfxzQ7MahW9lI+l6zEvidNAHwWTI+yxfGnJGi3967gxkNv85hrloqMD f0W6xH/9q6VMpJLi/BeaCbMn7IKp5moeLNxITZE/8v7/G9LW+rqylX5jE1QBijhA XYoMx55KgHw= =Fc3C -----END PGP SIGNATURE-----