|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] Xen Security Advisory 98 (CVE-2014-3969) - insufficient permissions checks accessing guest memory on ARM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Xen Security Advisory CVE-2014-3969 / XSA-98
version 4
insufficient permissions checks accessing guest memory on ARM
UPDATES IN VERSION 4
====================
Supply an additional patch for arm64. The original patches had the
permissions check backwards, meaning that a guest could read a
write-only mapping and vice versa, rendering the original fix
ineffective an inparticular not closing down the ability for a guest
to write to a readonly page via the hypervisor.
This issue was discussed on a public IRC channel and therefore it has
been agreed with the discoverer that it should not subject to a new
embargo.
32-bit ARM systems are not affected by this mistake; the original fix
remains correct for 32-bit.
ISSUE DESCRIPTION
=================
When accessing guest memory Xen does not correctly perform permissions
checks on the (possibly guest provided) virtual address: it only
checks that the mapping is readable by the guest, even when writing on
behalf of the guest. This allows a guest to write to memory which
it should only be able to read.
A guest running on a vulnerable system is able to write to memory
which should be read-only. This includes supposedly read only foreign
mappings established using the grant table mechanism. Such read-only
mappings are commonly used as part of the paravirtualised I/O drivers
(such as guest disk write and network transmit).
In order to exploit this vulnerability the guest must have a mapping
of the memory; it does not allow access to arbitrary addresses.
In the event that a guest executes code from a page which has been
shared read-only with another guest it would be possible to mount a
take over attack on that guest.
IMPACT
======
A domain which is deliberately exchanging data with another,
malicious, domain, may be vulnerable to privilege escalation. The
vulnerability depends on the precise behaviour of the victim domain.
In a typical configuration this means that, depending on the behaviour
of the toolstack or device driver domain, a malicious guest
administrator might be able to escalate their privilege to that of the
whole host.
VULNERABLE SYSTEMS
==================
Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onward.
MITIGATION
==========
None.
CREDITS
=======
This issue was discovered by Julien Grall.
RESOLUTION
==========
Applying the appropriate pair of attached patches along with the
additional update resolves this issue.
xsa98-unstable-{01,02}.patch xen-unstable
xsa98-4.4-{01,02}.patch Xen 4.4.x
xsa98-update.patch Additional update for both unstable and 4.4
$ sha256sum xsa98*.patch
b8535aad5ae969675d59781a81ce0b24491f1abc01aaf36c3620fd7fb6cc84eb
xsa98-unstable-01.patch
f5e8a93525a8905653da6377097f77681ff8121b973063ff6081e27547ceaa67
xsa98-unstable-02.patch
6f63bc2e0a0a39bbd9137513a5d130ae2c78d1fd2ebf9172bf49456f73f0a67b
xsa98-4.4-01.patch
b338472ecce3c31a55d1a936eebbd4e46cb3ad989b91a64d4b8c5d3ca80d875d
xsa98-4.4-02.patch
8bb4a23174c0c9b1a23a41d4669900877483fd526d331d0c377c32845feb2eb8
xsa98-update.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQEcBAEBAgAGBQJVAswXAAoJEIP+FMlX6CvZHBQIAJGGvIhPc7ZKa1uVGvY/wpbX
C3mjzLksdFVtIYfmMxTctuZytpA+s4DwrIRg2qfL1KA+2Qz/jjJP6HtzPM9Er8JJ
zEz9UUFreccDNHVxZW2vmHxKJ4T3SIPlmx/E3dsr9kiHLGalW3XvKwCgRJ5ZceID
nvasZuCPYK1zlTYnIQERQDjXVmUd2mipHBFI69o81dyZkLEtlB9OGXC+OZKPVE0A
GdvkEXhca6GYSvdD3t1nEoDrpsqMwpi1bYpd0dPoQbSW6cY7DomzcT5f4zmOJRxB
L/SYOqsl4SomH/FO0tYw1IrFQ1VVShmFlIre3EIeXWGa8LwAQUVt+qdYgvSPncc=
=slo3
-----END PGP SIGNATURE-----
Attachment:
xsa98-unstable-01.patch Attachment:
xsa98-unstable-02.patch Attachment:
xsa98-4.4-01.patch Attachment:
xsa98-4.4-02.patch Attachment:
xsa98-update.patch _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |