[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] Xen Security Advisory 55 - Multiple vulnerabilities in libelf PV kernel handling



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                     Xen Security Advisory XSA-55
                             version 2

           Multiple vulnerabilities in libelf PV kernel handling

UPDATES IN VERSION 2
====================

Updated information regarding the status of the fix.

STATUS OF THE FIX
=================

Due to the unintended early release of these patches they have not
received as much review or testing as we would have liked.

As discussed on xen-devel, the patches distributed with version 2 of
the advisory are known to introduce regressions and also additional
issues in the same have been discovered.  An updated patch series is
in preparation.  Technical assistance with review of the drafts would
be greatly appreciated.

Under the circumstances, we are sending version of this advisory out
without any attached patches.

We have not yet been assigned a CVE number for this issue.

ISSUE DESCRIPTION
=================

The ELF parser used by the Xen tools to read domains' kernels and
construct domains has multiple integer overflows, pointer dereferences
based on calculations from unchecked input values, and other problems.

IMPACT
======

A malicious PV domain administrator who can specify their own kernel
can escalate their privilege to that of the domain construction tools
(i.e., normally, to control of the host).

Additionally a malicious HVM domain administrator who is able to
supply their own firmware ("hvmloader") can do likewise; however we
think this would be very unusual and it is unlikely that such
configurations exist in production systems.

VULNERABLE SYSTEMS
==================

All Xen versions are affected.

Installations which only allow the use of trustworthy kernels for PV
domains are not affected.

MITIGATION
==========

Ensuring that PV guests use only trustworthy kernels will avoid this
problem.

RESOLUTION
==========

The patch series to properly resolve this issue is under development.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJRshDXAAoJEIP+FMlX6CvZfjEIAICD3oeHvE8DsECuI2hEc7ZY
KebriUO5XccEzqXF4oCyhkhj54MuZvZI5+n9ha/rbucvBfMzA90EMFOu9TUQr8eR
NANbVn52X7an+a8cfTBQJHmzUbP9SSO3/8abArmQFm9W7dzPWfMZY2LJ9NE2zUG1
vHPgx5vZTVVKPf2UtWxQnAEggCoemWk7qn9p9Sy7z72JjwLFzShflSXZZju4bgcW
ncl9Ww0QCsNC0JxnunhvmO/3Xg5j45+nNxqEpUZ5f+KToFs/n9hQTkm2fSHTOOsW
9ojSG05sUR/6/DyAc3vRwDTBTmYRHM+CQIL2n3FFUh1yT/Y+lW1qJvZMRz/1ph0=
=fELy
-----END PGP SIGNATURE-----
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.