SecurityTracker.com
Category:  Application (Generic) > Xen
Vendors:  Xen Project
Xen Lets Local Guests Obtain Hypervisor Heap Memory Contents
SecurityTracker Alert ID:  1030442
SecurityTracker URL:  http://securitytracker.com/id/1030442
CVE Reference:  CVE-2014-4021
Date:  Jun 18 2014
Impact:  Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s):  3.2.x and later
Description:   A vulnerability was reported in Xen. A local user can obtain potentially sensitive information from other domains.

The system does not properly control access to memory pages during memory cleanup for dying guest systems. A local user on a guest system can access information from guest or hypervisor memory, potentially including guest CPU register state and hypercall arguments.

Versions 3.1.x and prior have not been evaluated to determine if they are affected.

Jan Beulich reported this vulnerability.

Impact:   A local user on a guest system can access information from guest or hypervisor memory in certain cases.
Solution:   The vendor has issued a fix (xsa100.patch; Advisory XSA-100).

[Editor's note: On systems with AMD IOMMU, an additional commit is necessary. See the advisory for more information.]

Vendor URL:  www.xen.org/
Cause:   Access control error
Underlying OS:  Linux (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jul 17 2014 (Citrix Issues Fix for Citrix XenServer) Xen Lets Local Guests Obtain Hypervisor Heap Memory Contents
Citrix has issued a fix for Citrix XenServer.
Jul 23 2014 (Red Hat Issues Fix for Linux Kernel) Xen Lets Local Guests Obtain Hypervisor Heap Memory Contents
Red Hat has issued a fix for Red Hat Enterprise Linux 5.



Source Message Contents

Subject:  [oss-security] Xen Security Advisory 100 (CVE-2014-4021) - Hypervisor heap contents leaked to guests


              Xen Security Advisory CVE-2014-4021 / XSA-100
                             version 3

              Hypervisor heap contents leaked to guests

UPDATES IN VERSION 3
====================

Public Release.  CVE assigned.

ISSUE DESCRIPTION
=================

While memory pages recovered from dying guests are being cleaned to avoid
leaking sensitive information to other guests, memory pages that were in
use by the hypervisor and are eligible to be allocated to guests weren't
being properly cleaned.  Such exposure of information would happen through
memory pages freshly allocated to or by the guest.

Normally the leaked data is administrative information of limited
value to an attacker.  However, scenarios exist where guest CPU
register state and hypercall arguments might be leaked.
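
The bug class described above, as an added toy model written for this page (it is not Xen's allocator or the XSA-100 patch): a page pool whose free path scrubs only pages coming back from a guest, so a page the hypervisor heap used is handed to the next guest still holding its contents, shown beside a free path that scrubs every page. All names, the page/pool sizes and the "hypercall args" string are constructed for the illustration.

```c
#include <string.h>

/* Toy model of the XSA-100 bug class (not Xen's code): only pages freed by a
 * guest get scrubbed, so a former hypervisor-heap page reaches a guest dirty. */
#define PAGE_SIZE 64
#define NPAGES 4
enum owner { OWNER_FREE, OWNER_GUEST, OWNER_XENHEAP };
struct page { enum owner owner; unsigned char data[PAGE_SIZE]; };
static struct page pool[NPAGES];

/* Vulnerable free: scrubs guest pages, returns hypervisor pages dirty. */
void free_page_vulnerable(struct page *pg)
{
    if (pg->owner == OWNER_GUEST)
        memset(pg->data, 0, PAGE_SIZE);
    pg->owner = OWNER_FREE;
}

/* Fixed free: every page entering the free pool is scrubbed. */
void free_page_fixed(struct page *pg)
{
    memset(pg->data, 0, PAGE_SIZE);
    pg->owner = OWNER_FREE;
}

/* Hand the first free page to a guest (NULL when the pool is empty). */
struct page *alloc_to_guest(void)
{
    for (struct page *pg = pool; pg < pool + NPAGES; pg++)
        if (pg->owner == OWNER_FREE) {
            pg->owner = OWNER_GUEST;
            return pg;
        }
    return NULL;
}

/* Hypervisor uses a page, frees it via free_fn, then a guest receives it.
 * Returns 1 when the guest can read leftover hypervisor bytes, else 0. */
int guest_sees_stale_data(void (*free_fn)(struct page *))
{
    memset(pool, 0, sizeof pool);                  /* all free and clean */
    pool[0].owner = OWNER_XENHEAP;
    strcpy((char *)pool[0].data, "hypercall args (constructed)");
    free_fn(&pool[0]);
    struct page *g = alloc_to_guest();
    for (int i = 0; g && i < PAGE_SIZE; i++)
        if (g->data[i] != 0)
            return 1;
    return 0;
}
```

The same check applied to both free paths shows the difference: the vulnerable path lets the guest read the hypervisor's bytes, the fixed path does not.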

IMPACT
======

A malicious guest might be able to read data relating to other guests
or the hypervisor itself.

Data at rest in guest memory or storage (filesystems) is not affected.
However, it is possible for an attacker to obtain modest amounts of
in-flight and in-use data, which might contain passwords or
cryptographic keys.

VULNERABLE SYSTEMS
==================

Xen 3.2.x and later are vulnerable.
Xen 3.1.x and earlier have not been inspected.

MITIGATION
==========

No comprehensive mitigation is available.

An attacker will find it easier to obtain sensitive data from a victim
guest if the attacker is able to initiate domain management operations
and lifecycle events for that guest.  This includes a situation where
the attacker can cause the victim guest to crash.

Therefore the risk from this vulnerability can be somewhat reduced by
restricting management (such as migration or resource adjustment) to
fully trusted guest or host administrators, and by eliminating any
Denial of Service vulnerabilities against potential victim guests.

CREDITS
=======

This issue was discovered by Jan Beulich.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa100.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x, Xen 4.1.x

Note that to avoid a regression on systems with AMD IOMMU, on 4.2.x and later
additionally commit 6b4d71d0 ("AMD IOMMU: don't free page table prematurely")
found at
http://xenbits.xen.org/gitweb/?p=xen.git;a=commitdiff;h=6b4d71d028f445cba7426a144751fddc8bfdd67b
will be required if not already in place in the respective tree.

$ sha256sum xsa100*.patch
2cbd3a52bb8d32d00a19e2ce48e3157034b484b4a7b7282cae0d108ffb4ddca0  xsa100.patch
$

Copyright 2019, SecurityGlobal.net LLC