[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-announce] Xen Security Advisory 298 v3 (CVE-2019-18425) - missing descriptor table limit checking in x86 PV emulation



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2019-18425 / XSA-298
                               version 3

      missing descriptor table limit checking in x86 PV emulation

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

When emulating certain PV guest operations, descriptor table accesses
are performed by the emulating code.  Such accesses should respect the
guest specified limits, unless otherwise guaranteed to fail in such a
case.  Without this, emulation of 32-bit guest user mode calls through
call gates would allow guest user mode to install and then use
descriptors of their choice, as long as the guest kernel did not
itself install an LDT.  (Most OSes don't install any LDT by default).

IMPACT
======

32-bit PV guest user mode can elevate its privileges to that of the
guest kernel.

VULNERABLE SYSTEMS
==================

Xen versions from at least 3.2 onwards are affected.

Only 32-bit PV guest user mode can leverage this vulnerability.

HVM, PVH, as well as 64-bit PV guests cannot leverage this
vulnerability.

Arm systems are unaffected.

MITIGATION
==========

Running only HVM, PVH, or 64-bit PV guests will avoid this
vulnerability.

CREDITS
=======

This issue was discovered by Andrew Cooper of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa298.patch           xen-unstable, Xen 4.12.x
xsa298-4.11.patch      Xen 4.11.x
xsa298-4.10.patch      Xen 4.10.x
xsa298-4.9.patch       Xen 4.9.x, Xen 4.8.x, Xen 4.7.x

$ sha256sum xsa298*
82c6f626732f99711212155b280270fe2f6683460299b1a6fc3f70b3932970ce  xsa298.meta
3f422ad83abb54fe6afed460a5982cf1faa1717e51ab19fbf2375be1b5f8f4a3  xsa298.patch
da8d5bad97a46c072dd1715c96401b145cecda14f0303043e6dca313e7ffff0c  
xsa298-4.9.patch
92dba14b6a208379c2569b9c1c11438da384ec47db2508b4761af30d74a9403d  
xsa298-4.10.patch
d2d8eb5de5601b88f2a6503ecf6bb83207e4b2f17833d61a74fcd185ac7f5a71  
xsa298-4.11.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl2601AMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZk/AH/iLP9TpdOKNoW8fJDuOjlIQHsI0RPtU6KIdSc1a8
nzrcPfwpdP3/89GJQyEHwi5ZZdXAnNcXSK7BC+EEzqznV/VwHRDusCBH0enjUe0z
jDpOsxeI5RsuyJnSFojhI2E+y1khjKtVvnbNWbHzBfWMPD9Inc+nw9Q1KWfpSkk6
TTS8OwR9DwNiVXz9Na+BKuIBOVinFd1wA+HBNZKJl3JCz8N0Oa6RHDKFQQKJ4Uy2
KzBdzm5dWr0xP4stQmnYoU7JobGbcvKyMVMwwryS3cffLyhOLuzCWjDO+n7RkoRy
xWmGWVeQWAeIzqvvtb104NrHSVwVeFSOsen0cqFLvV82MRw=
=tmUK
-----END PGP SIGNATURE-----

Attachment: xsa298.meta
Description: Binary data

Attachment: xsa298.patch
Description: Binary data

Attachment: xsa298-4.9.patch
Description: Binary data

Attachment: xsa298-4.10.patch
Description: Binary data

Attachment: xsa298-4.11.patch
Description: Binary data

_______________________________________________
Xen-announce mailing list
Xen-announce@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-announce

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.