SecurityTracker.com
Category:   Application (Generic)  >   Xen
Vendors:   Xen Project
Xen VT-d Hardware Interrupt Remapping Bug Lets Local Users Deny Service
SecurityTracker Alert ID:  1027965
SecurityTracker URL:  http://securitytracker.com/id/1027965
CVE Reference:   CVE-2012-5634
Date:  Jan 9 2013
Impact:   Denial of service via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.0 and later
Description:   A vulnerability was reported in Xen. A local user can cause denial of service conditions.

On systems where a device that is behind a legacy PCI Bridge is passed through to a guest, the system does not properly configure the VT-d hardware. As a result, incorrect interrupts may be passed to other guest systems that also have passthrough devices.

A local user on a guest system with access to a PCI device behind a legacy PCI bridge can cause denial of service conditions on other guests on the target system.

Only systems using Intel VT-d for PCI passthrough are affected.

Impact:   A local user on a guest system with access to a PCI device behind a legacy PCI bridge can cause denial of service conditions on other guests on the target system.
Solution:   The vendor has issued a fix (xsa33-4.1.patch, xsa33-4.2-unstable.patch).
Vendor URL:  www.xen.org/
Cause:   Configuration error
Underlying OS:  Linux (Any)

Message History:   None.


 Source Message Contents

Subject:  [oss-security] Xen Security Advisory 33 (CVE-2012-5634) - VT-d interrupt remapping source validation flaw

	     Xen Security Advisory CVE-2012-5634 / XSA-33
                             version 2

	   VT-d interrupt remapping source validation flaw

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

When passing a device which is behind a legacy PCI Bridge through to
a guest Xen incorrectly configures the VT-d hardware. This could allow
incorrect interrupts to be injected to other guests which also have
passthrough devices.

In a typical Xen system many devices are owned by domain 0 or driver
domains, leaving them vulnerable to such an attack. Such a DoS is
likely to have an impact on other guests running in the system.

IMPACT
======

A malicious domain, given access to a device which is behind a legacy
PCI bridge, can mount a denial of service attack affecting the whole
system.

VULNERABLE SYSTEMS
==================

Xen version 4.0 onwards is vulnerable.

Only systems using Intel VT-d for PCI passthrough are vulnerable.

Any domain which is given access to a PCI device that is behind a
legacy PCI bridge can take advantage of this vulnerability.

Domains which are given access to PCIe devices only are not able to
take advantage of this vulnerability.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices which are
behind a legacy PCI bridge to untrusted guests.

NOTE REGARDING EMBARGO TIMELINE
===============================

After discussion with the discloser we have decided to set a longer
than usual embargo in order to avoid public disclosure during the
holiday period.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa33-4.2-unstable.patch          Xen 4.2.x, xen-unstable
xsa33-4.1.patch                   Xen 4.1.x

$ sha256sum xsa33*.patch
b97ce505a4ea92d574d0b3abef7b4c600b7fdc682787dfd1e50fddd520f6a87d  xsa33-4.1.patch
ba05474b8e1232318ae010d63d24ff1b15ba4d83e28cdb69d6a76e8f9eb5292c  xsa33-4.2-unstable.patch
$
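The MITIGATION section of the advisory above depends on knowing which passthrough candidates sit behind a legacy PCI bridge. The following is an added example, not part of the advisory or of Xen: it walks a Linux sysfs-style PCI tree upward from a device and reports every upstream bridge that has no PCI Express capability. It assumes that "legacy PCI bridge" means a PCI-to-PCI bridge (class 0x0604) without that capability; the function names and the sample topology are constructed for illustration.

```python
import tempfile
from pathlib import Path

PCI_CAP_ID_EXP = 0x10        # capability ID of the PCI Express capability
PCI_STATUS_CAP_LIST = 0x10   # status register (offset 0x06), bit 4: capability list present

def has_pcie_cap(config: bytes) -> bool:
    """Walk the capability list of a config-space image looking for PCIe."""
    if len(config) < 0x40 or not (config[0x06] & PCI_STATUS_CAP_LIST):
        return False
    ptr, seen = config[0x34] & 0xFC, set()
    while ptr >= 0x40 and ptr not in seen:
        if ptr + 1 >= len(config):  # non-root sysfs reads stop after 64 bytes
            raise PermissionError("config space truncated; read it as root")
        seen.add(ptr)
        if config[ptr] == PCI_CAP_ID_EXP:
            return True
        ptr = config[ptr + 1] & 0xFC
    return False

def legacy_bridges_above(dev_path) -> list:
    """Names of upstream PCI-to-PCI bridges (class 0x0604) with no PCIe capability."""
    found = []
    parent = Path(dev_path).resolve().parent
    while (parent / "class").is_file():
        cls = int((parent / "class").read_text().strip(), 16)
        if cls >> 8 == 0x0604 and not has_pcie_cap((parent / "config").read_bytes()):
            found.append(parent.name)
        parent = parent.parent
    return found

def make_dev(path: Path, cls: int, pcie: bool) -> Path:
    """Write a constructed sysfs-style device directory (sample data, not real hardware)."""
    cfg = bytearray(256)
    if pcie:
        cfg[0x06], cfg[0x34], cfg[0x40] = PCI_STATUS_CAP_LIST, 0x40, PCI_CAP_ID_EXP
    path.mkdir(parents=True)
    (path / "class").write_text("0x%06x\n" % cls)
    (path / "config").write_bytes(cfg)
    return path

def demo() -> dict:
    """Constructed topology: one NIC behind a legacy bridge, one behind a PCIe root port."""
    root = Path(tempfile.mkdtemp()) / "pci0000:00"
    legacy = make_dev(root / "0000:00:1e.0", 0x060401, pcie=False)
    port = make_dev(root / "0000:00:1c.0", 0x060400, pcie=True)
    nic_a = make_dev(legacy / "0000:05:00.0", 0x020000, pcie=False)
    nic_b = make_dev(port / "0000:02:00.0", 0x020000, pcie=True)
    return {"nic_a": legacy_bridges_above(nic_a), "nic_b": legacy_bridges_above(nic_b)}
```

On a Linux dom0, point legacy_bridges_above() at the device's entry under /sys/bus/pci/devices/ as root; a non-empty result means the device falls under the mitigation and should not be assigned to an untrusted guest on an unpatched host.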
 
 



Copyright 2021, SecurityGlobal.net LLC