Message-Id: <E1VlM2o-0002ZM-PL@xenbits.xen.org>
Date: Tue, 26 Nov 2013 17:03:26 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security@....org>
Subject: Xen Security Advisory 76 (CVE-2013-4554) - Hypercalls exposed to
 privilege rings 1 and 2 of HVM guests

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2013-4554 / XSA-76
                              version 3

      Hypercalls exposed to privilege rings 1 and 2 of HVM guests

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The privilege check applied to hypercall attempts by a HVM guest only refused
access from ring 3; rings 1 and 2 were allowed through.

IMPACT
======

Code running in the intermediate privilege rings of HVM guest OSes may be able
to elevate its privileges inside the guest by careful hypercall use.

VULNERABLE SYSTEMS
==================

Xen 3.0.3 and later are vulnerable.
Xen 3.0.2 and earlier are not vulnerable.

MITIGATION
==========

Running only PV guests, or running HVM guests known to not make use of
protection rings 1 and 2, will avoid this issue. As far as we are aware no
mainstream OS (Linux, Windows, BSD) makes use of these rings.

CREDITS
=======

This issue was discovered by Jan Beulich.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa76.patch        xen-unstable, Xen 4.3.x, Xen 4.2.x, Xen 4.1.x

$ sha256sum xsa76*.patch
8c4d460c71e8e8dffa32ce24f57ce872ccd8623ab72fd38be432f0a2b097e7c1  xsa76.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

Download attachment "xsa76.patch" of type "application/octet-stream" (556 bytes)
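
The following is an added illustration, not part of the advisory and not Xen's code: a simplified C model of the ring check described under ISSUE DESCRIPTION, next to a check that refuses every ring except 0, plus a helper showing why the stated mitigation holds. The function names, the bitmask encoding (bit n = ring n) and the -EPERM return value are assumptions made for the example.

```c
#include <errno.h>
#include <stdio.h>

/* Hypothetical gate signature: takes the guest's current privilege ring
 * (0..3) and returns 0 to admit the hypercall or -EPERM to refuse it. */
typedef int (*gate_fn)(unsigned int ring);

/* Behaviour described in the advisory: only ring 3 is refused. */
static int gate_vulnerable(unsigned int ring)
{
    return ring == 3 ? -EPERM : 0;
}

/* Stricter check: anything other than ring 0 is refused. */
static int gate_fixed(unsigned int ring)
{
    return ring != 0 ? -EPERM : 0;
}

/* Bitmask of rings (bit n = ring n) that a gate lets through. */
static unsigned int allowed_rings(gate_fn gate)
{
    unsigned int mask = 0;
    for (unsigned int ring = 0; ring <= 3; ring++)
        if (gate(ring) == 0)
            mask |= 1u << ring;
    return mask;
}

/* Given the rings a guest OS actually runs code in (bitmask), return the
 * subset where the two gates disagree. Zero means the guest is not exposed,
 * which is the condition the MITIGATION section relies on. */
static unsigned int exposed_rings(unsigned int rings_in_use)
{
    unsigned int gap = allowed_rings(gate_vulnerable) ^ allowed_rings(gate_fixed);
    return rings_in_use & gap;
}

int main(void)
{
    printf("vulnerable gate admits mask 0x%x\n", allowed_rings(gate_vulnerable));
    printf("fixed gate admits mask      0x%x\n", allowed_rings(gate_fixed));
    printf("guest on rings 0,3:   exposed mask 0x%x\n", exposed_rings(0x9));
    printf("guest on rings 0,1,3: exposed mask 0x%x\n", exposed_rings(0xb));
    return 0;
}
```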
