-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4066
        missing descriptor table limit checking in x86 PV emulation
                              1 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xen
Publisher:         Xen
Operating System:  Xen
Impact/Access:     Increased Privileges -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-18425  

Reference:         ESB-2019.4056

Original Bulletin: 
   ttp://xenbits.xen.org/xsa/advisory-298.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2019-18425 / XSA-298
                               version 3

      missing descriptor table limit checking in x86 PV emulation

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

When emulating certain PV guest operations, descriptor table accesses
are performed by the emulating code.  Such accesses should respect the
guest specified limits, unless otherwise guaranteed to fail in such a
case.  Without this, emulation of 32-bit guest user mode calls through
call gates would allow guest user mode to install and then use
descriptors of their choice, as long as the guest kernel did not
itself install an LDT.  (Most OSes don't install any LDT by default).

IMPACT
======

32-bit PV guest user mode can elevate its privileges to that of the
guest kernel.

VULNERABLE SYSTEMS
==================

Xen versions from at least 3.2 onwards are affected.

Only 32-bit PV guest user mode can leverage this vulnerability.

HVM, PVH, as well as 64-bit PV guests cannot leverage this
vulnerability.

Arm systems are unaffected.

MITIGATION
==========

Running only HVM, PVH, or 64-bit PV guests will avoid this
vulnerability.

CREDITS
=======

This issue was discovered by Andrew Cooper of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa298.patch           xen-unstable, Xen 4.12.x
xsa298-4.11.patch      Xen 4.11.x
xsa298-4.10.patch      Xen 4.10.x
xsa298-4.9.patch       Xen 4.9.x, Xen 4.8.x, Xen 4.7.x

$ sha256sum xsa298*
82c6f626732f99711212155b280270fe2f6683460299b1a6fc3f70b3932970ce  xsa298.meta
3f422ad83abb54fe6afed460a5982cf1faa1717e51ab19fbf2375be1b5f8f4a3  xsa298.patch
da8d5bad97a46c072dd1715c96401b145cecda14f0303043e6dca313e7ffff0c  xsa298-4.9.patch
92dba14b6a208379c2569b9c1c11438da384ec47db2508b4761af30d74a9403d  xsa298-4.10.patch
d2d8eb5de5601b88f2a6503ecf6bb83207e4b2f17833d61a74fcd185ac7f5a71  xsa298-4.11.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
- -----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl2601AMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZk/AH/iLP9TpdOKNoW8fJDuOjlIQHsI0RPtU6KIdSc1a8
nzrcPfwpdP3/89GJQyEHwi5ZZdXAnNcXSK7BC+EEzqznV/VwHRDusCBH0enjUe0z
jDpOsxeI5RsuyJnSFojhI2E+y1khjKtVvnbNWbHzBfWMPD9Inc+nw9Q1KWfpSkk6
TTS8OwR9DwNiVXz9Na+BKuIBOVinFd1wA+HBNZKJl3JCz8N0Oa6RHDKFQQKJ4Uy2
KzBdzm5dWr0xP4stQmnYoU7JobGbcvKyMVMwwryS3cffLyhOLuzCWjDO+n7RkoRy
xWmGWVeQWAeIzqvvtb104NrHSVwVeFSOsen0cqFLvV82MRw=
=tmUK
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXbuJImaOgq3Tt24GAQg+MBAAzVXUncLILBnQGuVDZ/qgXVJe7Dvn5m4D
zZ9bjx+8eJ1sxqObNi19xiQTvSE0j+RqQQwxFpiuQXKT2yC/ea9mb6qtOZtOMLhl
9xxo+0NQUxODQdC5z+sl6YjiRYYZVpY1N2QDIOjC/GrfHvGvBASW2Lh9NNElNmNt
CrSZvUn0h0JWOE+Gec1ODXT2lQnbXqLH26I5xoTJ37CfI/A72LXxtZbFAL7YEqlq
gumDrHAUQC1kR7tk9vdWABQ6SiM5BvCElo1EbqXGP+LLgR8q+0U3qaRh4pyef2Sa
aLleJwaXJvz4uzpHxUW+Wd6GBDfhYddtuZa0LS3226uFgd08Sxa2swcQM6EEBsJW
Ag22bk3GF+ufdDAjlz7LatpwbC/p+WnZtTVZxN+2e14FZJjgYPiGUDVhIVIUq78z
RCJuVrD7/rQYcS52Mw2zIYTXBr1fSq4ViLPu61+P9UNXJ/r9IX0+3KPH5ZsDbcEi
pvJE/lxyTN1B0IqobK/QdQRu+6DtELdvbJp2puSenKjTf4YTFddZOABCVe5BZD0G
48sWqz7QkxfxzQ7MahW9lI+l6zEvidNAHwWTI+yxfGnJGi3967gxkNv85hrloqMD
f0W6xH/9q6VMpJLi/BeaCbMn7IKp5moeLNxITZE/8v7/G9LW+rqylX5jE1QBijhA
XYoMx55KgHw=
=Fc3C
-----END PGP SIGNATURE-----