SecurityTracker.com
Category:   Application (Generic)  >   Xen
Vendors:   Xen Project
Xen IOMMU TLB Flush Flaw Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1029468
SecurityTracker URL:  http://securitytracker.com/id/1029468
CVE Reference:   CVE-2013-6400
Date:  Dec 11 2013
Impact:   Denial of service via local system, Disclosure of system information, Disclosure of user information, User access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 4.2.x and later
Description:   A vulnerability was reported in Xen. A local guest user may be able to access host memory.

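Xen does not always flush the IOMMU TLB when a flush is needed: an internal flag that temporarily suppresses flushes is not cleared on certain error paths, so stale TLB entries can be retained. A local administrative user on the guest operating system may be able to access memory on the host system, cause denial of service conditions on the host system, or gain privileges on the host system.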

Only guests that have been assigned PCI devices are affected.

Only systems using Intel VT-d are affected.

Jan Beulich reported this vulnerability.

Impact:   A local administrative user on the guest operating system may be able to access memory on the host system, cause denial of service conditions on the host system, or gain privileges on the host system.
Solution:   The vendor has issued a fix (xsa80.patch).
Vendor URL:  www.xen.org/
Cause:   Access control error
Underlying OS:  Linux (Any)

Message History:   None.


 Source Message Contents

Subject:  [oss-security] Xen Security Advisory 80 (CVE-2013-6400) - IOMMU TLB flushing may be inadvertently suppressed

             Xen Security Advisory CVE-2013-6400 / XSA-80
                              version 3

          IOMMU TLB flushing may be inadvertently suppressed

UPDATES IN VERSION 3
====================

Public release.

Corrected explanatory text to refer to the correct patch filename.

ISSUE DESCRIPTION
=================

An internal flag is used to temporarily suppress IOMMU TLB flushes, in
order to consolidate multiple single page flushes into one wider
flush.  This flag is not cleared again, on certain error paths.  This
can result in TLB flushes not happening when they are needed.
Retaining stale TLB entries could allow guests access to memory that
ought to have been revoked, or grant greater access than intended.

IMPACT
======

Malicious guest administrators might be able to cause host-wide denial of
service, or escalate their privilege to that of the host.

VULNERABLE SYSTEMS
==================

Only VMs which have been assigned PCI devices can exploit the bug.

Only systems using Intel VT-d are vulnerable, since the bug is in the
VT-d specific code in Xen.

Xen 4.2.x and later are vulnerable.
Xen 4.1.x and earlier are not vulnerable.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices to untrusted guests on
systems supporting Intel VT-d.

CREDITS
=======

This issue was discovered by Jan Beulich.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa80.patch                Xen 4.2.x, Xen 4.3.x, xen-unstable

$ sha256sum xsa80*.patch
d15e627c59dd48e1cacb2fbcd5e2148975daa426df1f693b991d69201c048e77  xsa80.patch
$
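The failure mode in the ISSUE DESCRIPTION above, reduced to a small model: this is an added example, not Xen source and not the contents of xsa80.patch. All names (`dont_flush`, `map_range_buggy`, `map_range_fixed`, and so on) are hypothetical, and flushing unconditionally on the error path is this example's own choice.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model, NOT Xen source. Every name here is hypothetical. */
static bool dont_flush;   /* override: suppress single-page IOTLB flushes */
static unsigned flushes;  /* invalidations that actually reached the IOMMU */

static void iotlb_flush(void) { if (!dont_flush) flushes++; }

/* Map one page; fails at index fail_at (-1 = never). Flushes on success. */
static int map_one(int idx, int fail_at) {
    if (idx == fail_at) return -1;
    iotlb_flush();                    /* no-op while the override is set */
    return 0;
}

/* Vulnerable shape: the early return leaves the override set. */
static int map_range_buggy(int n, int fail_at) {
    dont_flush = true;
    for (int i = 0; i < n; i++) {
        int rc = map_one(i, fail_at);
        if (rc) return rc;            /* BUG: dont_flush is never cleared */
    }
    dont_flush = false;
    iotlb_flush();                    /* one wide flush for the whole batch */
    return 0;
}

/* Hardened shape: a single exit path that always clears the override. */
static int map_range_fixed(int n, int fail_at) {
    int rc = 0;
    dont_flush = true;
    for (int i = 0; i < n && !rc; i++)
        rc = map_one(i, fail_at);
    dont_flush = false;
    iotlb_flush();                    /* pages mapped before a failure need it too */
    return rc;
}

/* Flushes issued by a later revocation that follows a failed batch. */
static unsigned revoke_flushes_after_failure(int (*map_range)(int, int)) {
    dont_flush = false;
    map_range(4, 2);                  /* constructed input: third page fails */
    unsigned before = flushes;
    iotlb_flush();                    /* unmap: stale entry must be invalidated */
    return flushes - before;
}

int main(void) {
    printf("buggy=%u fixed=%u\n", revoke_flushes_after_failure(map_range_buggy),
           revoke_flushes_after_failure(map_range_fixed));
    return 0;
}
```

A result of zero for the buggy variant is the condition the advisory describes: the revocation believes it flushed, but the stale translation is still live for the assigned device.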