SecurityTracker.com
Category:   Application (Generic)  >   Xen
Vendors:   Xen Project
Xen TLB Flushing Error Lets Local Users on the Guest Operating System Deny Service or Gain Elevated Privileges on the Host System
SecurityTracker Alert ID:  1029369
SecurityTracker URL:  http://securitytracker.com/id/1029369
CVE Reference:   CVE-2013-6375
Updated:  May 1 2014
Original Entry Date:  Nov 20 2013
Impact:   Denial of service via local system, User access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 4.2.x and after
Description:   A vulnerability was reported in Xen. A local user on the guest operating system can cause denial of service conditions on the target host system. A local user on the guest operating system can obtain elevated privileges on the target host system.

A local administrative user on the guest operating system can supply a specially crafted parameter value to trigger a Translation Lookaside Buffer (TLB) flushing error and access restricted memory.

This can be exploited to cause denial of service conditions on the host system or gain privileges on the host system.

Systems using Intel VT-d for PCI passthrough are affected.

Impact:   A local user on the guest operating system can cause denial of service conditions on the target host system.

A local user on the guest operating system can obtain elevated privileges on the target host system.

Solution:   The vendor has issued a fix (xsa78.patch).
Vendor URL:  www.xen.org/
Cause:   Access control error
Underlying OS:  Linux (Any)

Message History:   None.


 Source Message Contents

Subject:  [oss-security] Xen Security Advisory 78 - Insufficient TLB flushing in VT-d (iommu) code

                    Xen Security Advisory XSA-78

           Insufficient TLB flushing in VT-d (iommu) code

ISSUE DESCRIPTION
=================

An inverted boolean parameter resulted in TLB flushes not happening
upon clearing of a present translation table entry.  Retaining stale
TLB entries could allow guests access to memory that ought to have
been revoked, or grant greater access than intended.

IMPACT
======

Malicious guest administrators might be able to cause host-wide denial
of service, or escalate their privilege to that of the host.

VULNERABLE SYSTEMS
==================

Xen 4.2.x and later are vulnerable.
Xen 4.1.x and earlier are not vulnerable.

Only systems using Intel VT-d for PCI passthrough are vulnerable.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices to untrusted guests on
systems supporting Intel VT-d.

NOTE REGARDING LACK OF EMBARGO
==============================

This issue was disclosed publicly on the xen-devel mailing list.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa78.patch        Xen 4.2.x, Xen 4.3.x, xen-unstable

$ sha256sum xsa78*.patch
2b858188495542b393532dfeb108ae95cbb507a008b5ebf430b96c95272f9e0e  xsa78.patch
$
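The bug class named under ISSUE DESCRIPTION, as an added example that is not part of the advisory, the attached patch or Xen's source: a simplified C model of a translation table and its IOTLB in which the flush helper skips work when told the old entry was not present. All names are hypothetical and the values are constructed; passing the inverted flag while clearing a present entry leaves the cached translation usable after revocation.

```c
/* Simplified model of an IOMMU page table and its IOTLB. Not Xen's code;
 * every name below is hypothetical and the values are constructed. */
#include <stdbool.h>
#include <stdio.h>

#define NPAGES 8
#define FAULT  (-1L)

struct entry { bool present; long frame; };
static struct entry pte[NPAGES];   /* translation table in memory */
static struct entry iotlb[NPAGES]; /* translations cached by the "hardware" */

/* Device access: a cached translation wins, otherwise walk the table. */
static long dma_translate(unsigned page)
{
    if (!iotlb[page].present && pte[page].present)
        iotlb[page] = pte[page];   /* miss: cache the present entry */
    return iotlb[page].present ? iotlb[page].frame : FAULT;
}

/* Flush is skipped when the old entry was not present (nothing cached). */
static void iotlb_flush(unsigned page, bool old_pte_present)
{
    if (old_pte_present)
        iotlb[page].present = false;
}

/* Clear a present entry; correct flag is true, the inverted one is false. */
static void pte_clear(unsigned page, bool flag)
{
    pte[page].present = false;
    iotlb_flush(page, flag);
}

/* Map page 3, let the device use it, revoke it, then access it again. */
static long access_after_revoke(bool flag)
{
    iotlb[3] = (struct entry){ false, 0 };   /* start with a cold cache */
    pte[3] = (struct entry){ true, 0x42 };
    dma_translate(3);
    pte_clear(3, flag);
    return dma_translate(3);
}

int main(void)
{
    printf("%ld %ld\n", access_after_revoke(false), access_after_revoke(true));
    return 0;
}
```

With the inverted flag the second access still resolves to the revoked frame; with the correct flag it faults.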


Copyright 2020, SecurityGlobal.net LLC