|
Message-Id: <E1YVIqd-00033H-Pd@xenbits.xen.org> Date: Tue, 10 Mar 2015 12:01:19 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security@....org> Subject: Xen Security Advisory 123 (CVE-2015-2151) - Hypervisor memory corruption due to x86 emulator flaw -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2015-2151 / XSA-123 version 4 Hypervisor memory corruption due to x86 emulator flaw UPDATES IN VERSION 4 ==================== Public release. ISSUE DESCRIPTION ================= Instructions with register operands ignore eventual segment overrides encoded for them. Due to an insufficiently conditional assignment such a bogus segment override can, however, corrupt a pointer used subsequently to store the result of the instruction. IMPACT ====== A malicious guest might be able to read sensitive data relating to other guests, or to cause denial of service on the host. Arbitrary code execution, and therefore privilege escalation, cannot be excluded. VULNERABLE SYSTEMS ================== Xen 3.2.x and later are vulnerable. Xen 3.1.x and earlier have not been inspected. Only x86 systems are vulnerable. ARM systems are not vulnerable. MITIGATION ========== There is no mitigation available for this issue. CREDITS ======= This issue was discovered by Felix Wilhelm of ERNW GmbH. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa123.patch xen-unstable, Xen 4.5.x, Xen 4.4.x xsa123-4.3-4.2.patch Xen 4.3.x, Xen 4.2.x $ sha256sum xsa123*.patch e6da3a2c35b50e163b15100ef28a48dca429160104f346fc82be4711fe60f64f xsa123-4.3-4.2.patch 994cf1487ec5c455fce4877168901e03283f0002062dcff8895a17ca30e010df xsa123.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJU/tzZAAoJEIP+FMlX6CvZV64IAJOsaNqXoLZQ0sAdfJpE6lnv KtYzXixzTTrP87cWmkYfkLTcuQdMJKUNe00xRoEP2ES1I2XUC4dy9MrlaTpHOJ27 hZ1OpDkiOOk6B8Scf1PI6pvXZXzpnoQITPRhxUgPawIBrtPW/OP8pdUbTeGsw3MJ hUjixTBT+Ok2Geq1U/Ki+aNe+lnLOjkuivH2nkZGsWYrRAm7Uypmtn9obQzZ4piB OGDAsuHSXtOPGgmtztj+NW8PJ+6oURkBi0ITtc12lUwJodQV9OIOsvqD3d+HW6OC 4K1gkSor+coTS6jmoU2YU1UnPBMy4irgmg1XojwWZb+FC7lHQDD24wMSs1LVJ7c= =E2Oh -----END PGP SIGNATURE----- Download attachment "xsa123-4.3-4.2.patch" of type "application/octet-stream" (794 bytes) Download attachment "xsa123.patch" of type "application/octet-stream" (753 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.