[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] Xen Security Advisory 98 (CVE-2014-3969) - insufficient permissions checks accessing guest memory on ARM



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2014-3969 / XSA-98
                            version 3

       insufficient permissions checks accessing guest memory on ARM

UPDATES IN VERSION 3
====================

CVE assigned.

ISSUE DESCRIPTION
=================

When accessing guest memory Xen does not correctly perform permissions
checks on the (possibly guest provided) virtual address: it only
checks that the mapping is readable by the guest, even when writing on
behalf of the guest.  This allows a guest to write to memory which
it should only be able to read.

A guest running on a vulnerable system is able to write to memory
which should be read-only.  This includes supposedly read only foreign
mappings established using the grant table mechanism.  Such read-only
mappings are commonly used as part of the paravirtualised I/O drivers
(such as guest disk write and network transmit).

In order to exploit this vulnerability the guest must have a mapping
of the memory; it does not allow access to arbitrary addresses.

In the event that a guest executes code from a page which has been
shared read-only with another guest it would be possible to mount a
take over attack on that guest.

IMPACT
======

A domain which is deliberately exchanging data with another,
malicious, domain, may be vulnerable to privilege escalation.  The
vulnerability depends on the precise behaviour of the victim domain.

In a typical configuration this means that, depending on the behaviour
of the toolstack or device driver domain, a malicious guest
administrator might be able to escalate their privilege to that of the
whole host.

VULNERABLE SYSTEMS
==================

Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onward.

MITIGATION
==========

None.

CREDITS
=======

This issue was discovered by Julien Grall.

RESOLUTION
==========

Applying the appropriate pair of attached patches resolves this issue.

xsa98-unstable-{01,02}.patch        xen-unstable
xsa98-4.4-{01,02}.patch             Xen 4.4.x

$ sha256sum xsa98*.patch
6f63bc2e0a0a39bbd9137513a5d130ae2c78d1fd2ebf9172bf49456f73f0a67b  
xsa98-4.4-01.patch
b338472ecce3c31a55d1a936eebbd4e46cb3ad989b91a64d4b8c5d3ca80d875d  
xsa98-4.4-02.patch
b8535aad5ae969675d59781a81ce0b24491f1abc01aaf36c3620fd7fb6cc84eb  
xsa98-unstable-01.patch
f5e8a93525a8905653da6377097f77681ff8121b973063ff6081e27547ceaa67  
xsa98-unstable-02.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJTj0N1AAoJEIP+FMlX6CvZYRsH/3PPF+SBphp/IOcJmcoUBI0Y
SZumMMtaH3jU49/0V/azYOpKET2VtCHBilBajUAB7kNx+EGHv5NZf6Vn7FMBDCVl
gk7Hq39tR0axBTpp4FhK8MJQIEsMUvsohokRFiMsDmhKtWOEKPfmNrgLz6cEvo5H
ci46UH0JzPhMVY4tXhd7jo9Vuyae8df+b0yYFZ2QyVdWN3AShlrp62JAXb1lJT8E
LO/67uDud7bhuODA+CWmL0jHq7xsJoRitp5gJph9QmSNbkXGJfPy6Sow4qzatnsR
Vb9lgJq5MHRodkaie9z4UeANysAJ1J+USvARyMx+xnQ64ETzFIm6pUotzySZWEU=
=vyB+
-----END PGP SIGNATURE-----

Attachment: xsa98-4.4-01.patch
Description: Binary data

Attachment: xsa98-4.4-02.patch
Description: Binary data

Attachment: xsa98-unstable-01.patch
Description: Binary data

Attachment: xsa98-unstable-02.patch
Description: Binary data

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.