[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-users] Xen Security Advisory 110 (CVE-2014-8595) - Missing privilege level checks in x86 emulation of far branches
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2014-8595 / XSA-110 version 3 Missing privilege level checks in x86 emulation of far branches UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= The emulation of far branch instructions (CALL, JMP, and RETF in Intel assembly syntax, LCALL, LJMP, and LRET in AT&T assembly syntax) incompletely performs privilege checks. However these instructions are not usually handled by the emulator. Exceptions to this are - - when a memory operand lives in (emulated or passed through) memory mapped IO space, - - in the case of guests running in 32-bit PAE mode, when such an instruction is (in execution flow) within four instructions of one doing a page table update, - - when an Invalid Opcode exception gets raised by a guest instruction, and the guest then (likely maliciously) alters the instruction to become one of the affected ones, - - when the guest is in real mode (in which case there are no privilege checks anyway). IMPACT ====== Malicious HVM guest user mode code may be able to elevate its privileges to guest supervisor mode, or to crash the guest. VULNERABLE SYSTEMS ================== Xen 3.2.1 and onward are vulnerable on x86 systems. ARM systems are not vulnerable. Only user processes in x86 HVM guests can take advantage of this vulnerability. MITIGATION ========== Running only PV guests will avoid this issue. There is no mitigation available for HVM guests. CREDITS ======= This issue was discovered by Jan Beulich of SUSE. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa110-unstable.patch xen-unstable, Xen 4.4.x xsa110-4.3-and-4.2.patch Xen 4.3.x, Xen 4.2.x $ sha256sum xsa110*.patch a114ba586d18125b368112527a077abfe309826ad47aca8cc80ba4549c5f9ae2 xsa110-4.3-and-4.2.patch eac4691848dcd093903e0a0f5fd7ab15be15d0f10b98575379911e91e5dcbd70 xsa110.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJUazojAAoJEIP+FMlX6CvZF18H/1/G49MGk6/Fq6CtpvoEvQsl u7Q0UHoMuwqN119fRKJOorAh+MPKWDaPBjZoNmfJxIKEHD5tpA1Kr97y67Ye/dtz UfXxQPiIYpOe/Z59E3erKGDyzC5TLlPfa7fZBvZdeStIWsC+d2pUWDTRBioDHBGZ IeNnXkrLuhLrjGOs9a4ZNdP/jTFkJQ7vKJXF8nFhcEpK8XZx9D8e2xExTWZ2BJ/N u6KbWgMAf01M10hcQze99Wm3Fuva/HkVhiza8Rj5cgsV9SD4ZrQMhH9Mm86/YG52 AEwT6j8KWd83zZz8WZjFS30edZ4/eIXW+2e3KuaUFKBiei88tlF6CYWq6upS/5U= =u7Zi -----END PGP SIGNATURE----- Attachment:
xsa110-4.3-and-4.2.patch Attachment:
xsa110.patch _______________________________________________ Xen-users mailing list Xen-users@xxxxxxxxxxxxx http://lists.xen.org/xen-users
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |