Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1bS15c-0004H5-KP@xenbits.xenproject.org>
Date: Tue, 26 Jul 2016 12:04:00 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security@....org>
Subject: Xen Security Advisory 182 (CVE-2016-6258) - x86: Privilege
 escalation in PV guests

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2016-6258 / XSA-182
                              version 3

                x86: Privilege escalation in PV guests

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The PV pagetable code has fast-paths for making updates to pre-existing
pagetable entries, to skip expensive re-validation in safe cases
(e.g. clearing only Access/Dirty bits).  The bits considered safe were too
broad, and not actually safe.

IMPACT
======

A malicous PV guest administrator can escalate their privilege to that
of the host.

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

The vulnerability is only exposed to PV guests on x86 hardware.

The vulnerability is not exposed to x86 HVM guests, or ARM guests.

MITIGATION
==========

Running only HVM guests will avoid this vulnerability.

CREDITS
=======

This issue was discovered by Jérémie Boutoille of Quarkslab.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa182.patch           xen-unstable, Xen 4.7.x
xsa182-4.6.patch       Xen 4.6.x
xsa182-4.5.patch       Xen 4.5.x, 4.4.x, 4.3.x

$ sha256sum xsa182*
303400b9a832a3c1d423cc2cc97c2f00482793722f9ef7dd246783a049ac2792  xsa182-unstable.patch
2383695b1dc114e4e31e42dd05d4c86239ce9606478b5e1a71db1111d95b63a2  xsa182-4.5.patch
f10665acaf17dedd15c40bfeb832b188db1ab3e789d95cc3787575529a280813  xsa182-4.6.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJXl0M8AAoJEIP+FMlX6CvZvsUIAKeTcuCNrXAkCMsa1jcTOJEB
zo1sZB6DeUZjAjYm+vVTv3bcr8E9e+B02Cyg6Y97TByrpwsarvOyYZzds/wf3TO+
3hm6cKPRBhUdQBgXLi6DqgsBIb+BvMEqT6jXpmNmLWqlJtuJPrCn74e2K0hXFgt2
RDELGjg6qsTW7hJtwNfkEI6/nj2/lBsNVHkp1F7olxT17euC4nJoLEzeDRc8UN/+
pf9UT1yoEVOddPA+iIjC7PeSYyWhJFyNR0m4BN7MshKEoy+tiIQJDZzyLJLh46uf
c28vUByyu6fCersz63ZkpF9MHWR0+8cChOvmY3Tuyy/yitUMbcJoygu/35QV2tc=
=u+6O
-----END PGP SIGNATURE-----

Download attachment "xsa182-unstable.patch" of type "application/octet-stream" (4336 bytes)

Download attachment "xsa182-4.5.patch" of type "application/octet-stream" (4265 bytes)

Download attachment "xsa182-4.6.patch" of type "application/octet-stream" (4291 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.