copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

ESB-2014.0910 - [UNIX/Linux][Virtual] Xen: Execute arbitrary code/commands - Existing account

Date: 10 June 2014

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0910
          Xen Security Advisory CVE-2014-3969 / XSA-98 version 3
                               10 June 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xen
Publisher:         Xen
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Xen
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3969  

Original Bulletin: 
   http://xenbits.xen.org/xsa/advisory-98.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2014-3969 / XSA-98
                            version 3

       insufficient permissions checks accessing guest memory on ARM

UPDATES IN VERSION 3
====================

CVE assigned.

ISSUE DESCRIPTION
=================

When accessing guest memory Xen does not correctly perform permissions
checks on the (possibly guest provided) virtual address: it only
checks that the mapping is readable by the guest, even when writing on
behalf of the guest.  This allows a guest to write to memory which
it should only be able to read.

A guest running on a vulnerable system is able to write to memory
which should be read-only.  This includes supposedly read only foreign
mappings established using the grant table mechanism.  Such read-only
mappings are commonly used as part of the paravirtualised I/O drivers
(such as guest disk write and network transmit).

In order to exploit this vulnerability the guest must have a mapping
of the memory; it does not allow access to arbitrary addresses.

In the event that a guest executes code from a page which has been
shared read-only with another guest it would be possible to mount a
take over attack on that guest.

IMPACT
======

A domain which is deliberately exchanging data with another,
malicious, domain, may be vulnerable to privilege escalation.  The
vulnerability depends on the precise behaviour of the victim domain.

In a typical configuration this means that, depending on the behaviour
of the toolstack or device driver domain, a malicious guest
administrator might be able to escalate their privilege to that of the
whole host.

VULNERABLE SYSTEMS
==================

Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onward.

MITIGATION
==========

None.

CREDITS
=======

This issue was discovered by Julien Grall.

RESOLUTION
==========

Applying the appropriate pair of attached patches resolves this issue.

xsa98-unstable-{01,02}.patch        xen-unstable
xsa98-4.4-{01,02}.patch             Xen 4.4.x

$ sha256sum xsa98*.patch
6f63bc2e0a0a39bbd9137513a5d130ae2c78d1fd2ebf9172bf49456f73f0a67b  xsa98-4.4-01.patch
b338472ecce3c31a55d1a936eebbd4e46cb3ad989b91a64d4b8c5d3ca80d875d  xsa98-4.4-02.patch
b8535aad5ae969675d59781a81ce0b24491f1abc01aaf36c3620fd7fb6cc84eb  xsa98-unstable-01.patch
f5e8a93525a8905653da6377097f77681ff8121b973063ff6081e27547ceaa67  xsa98-unstable-02.patch
$
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJTj0N1AAoJEIP+FMlX6CvZYRsH/3PPF+SBphp/IOcJmcoUBI0Y
SZumMMtaH3jU49/0V/azYOpKET2VtCHBilBajUAB7kNx+EGHv5NZf6Vn7FMBDCVl
gk7Hq39tR0axBTpp4FhK8MJQIEsMUvsohokRFiMsDmhKtWOEKPfmNrgLz6cEvo5H
ci46UH0JzPhMVY4tXhd7jo9Vuyae8df+b0yYFZ2QyVdWN3AShlrp62JAXb1lJT8E
LO/67uDud7bhuODA+CWmL0jHq7xsJoRitp5gJph9QmSNbkXGJfPy6Sow4qzatnsR
Vb9lgJq5MHRodkaie9z4UeANysAJ1J+USvARyMx+xnQ64ETzFIm6pUotzySZWEU=
=vyB+
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBU5ZTwBLndAQH1ShLAQKBXRAAmkbuSZ7A8f5e4cCZnkLEysI6VS2bT41n
pAukNsb8Shf8YrcaR4h/JxcDaDMfF8rR5lyZoozHlNWdk9MAQ4bCCJXoRRNVoC+R
FkvdnJDsFDgXyprauhrzc9EV7EGp/xyEs9OBF7hFzIqo+alG14Uz7e6Z4iBSygnl
H5MxhzPDQYb1u5+aYz4jsGibbOF58KPpHS36MUY//zPv40OZ9BWvEuEtorPPSavz
UEieLj/93IHPngLUA7pvKDbwO4/cBoXPxsrpMhzCprRs4zxY1VB+2hWF7y3/6I5w
p+ELvrqeg2ziR03OpjSzZn6llxBXdFmKYdch5bYgoZjdffbAsEpTqMcPGLG5pXD+
H0TWpFGXuBq6+pHGFagkWWZvIhnMBgjwwj8pvcuiehhj5GCgPObdc67Cv91SmFoW
Czkulbr9ECuhoNii35yNwATjU646ApGBXyGM2OKavM+IBZU28tm9By/IehoFN4xA
9w6Cy6t/FK+BC0RiF6qwegWamvhtd9UM7E7IMIRkUvQVFQbGjoGrVRseGAggcypC
F+At+n0gYqwBOjmT2CjihaOIzFWElGTWdwRknOwOLXXAXEi4C2P0w1kFKHlg4BMA
tFFf1/rHtlV5RLX+tgXPMh2SysV1+niDrFh+BwhhfshprnBY5+u0G7bmwvLEIKj/
4RAkh5EWK88=
=VIL+
-----END PGP SIGNATURE-----