[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-users] Xen Security Advisory 98 (CVE-2014-3969) - insufficient permissions checks accessing guest memory on ARM
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2014-3969 / XSA-98 version 4 insufficient permissions checks accessing guest memory on ARM UPDATES IN VERSION 4 ==================== Supply an additional patch for arm64. The original patches had the permissions check backwards, meaning that a guest could read a write-only mapping and vice versa, rendering the original fix ineffective an inparticular not closing down the ability for a guest to write to a readonly page via the hypervisor. This issue was discussed on a public IRC channel and therefore it has been agreed with the discoverer that it should not subject to a new embargo. 32-bit ARM systems are not affected by this mistake; the original fix remains correct for 32-bit. ISSUE DESCRIPTION ================= When accessing guest memory Xen does not correctly perform permissions checks on the (possibly guest provided) virtual address: it only checks that the mapping is readable by the guest, even when writing on behalf of the guest. This allows a guest to write to memory which it should only be able to read. A guest running on a vulnerable system is able to write to memory which should be read-only. This includes supposedly read only foreign mappings established using the grant table mechanism. Such read-only mappings are commonly used as part of the paravirtualised I/O drivers (such as guest disk write and network transmit). In order to exploit this vulnerability the guest must have a mapping of the memory; it does not allow access to arbitrary addresses. In the event that a guest executes code from a page which has been shared read-only with another guest it would be possible to mount a take over attack on that guest. IMPACT ====== A domain which is deliberately exchanging data with another, malicious, domain, may be vulnerable to privilege escalation. The vulnerability depends on the precise behaviour of the victim domain. In a typical configuration this means that, depending on the behaviour of the toolstack or device driver domain, a malicious guest administrator might be able to escalate their privilege to that of the whole host. VULNERABLE SYSTEMS ================== Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onward. MITIGATION ========== None. CREDITS ======= This issue was discovered by Julien Grall. RESOLUTION ========== Applying the appropriate pair of attached patches along with the additional update resolves this issue. xsa98-unstable-{01,02}.patch xen-unstable xsa98-4.4-{01,02}.patch Xen 4.4.x xsa98-update.patch Additional update for both unstable and 4.4 $ sha256sum xsa98*.patch b8535aad5ae969675d59781a81ce0b24491f1abc01aaf36c3620fd7fb6cc84eb xsa98-unstable-01.patch f5e8a93525a8905653da6377097f77681ff8121b973063ff6081e27547ceaa67 xsa98-unstable-02.patch 6f63bc2e0a0a39bbd9137513a5d130ae2c78d1fd2ebf9172bf49456f73f0a67b xsa98-4.4-01.patch b338472ecce3c31a55d1a936eebbd4e46cb3ad989b91a64d4b8c5d3ca80d875d xsa98-4.4-02.patch 8bb4a23174c0c9b1a23a41d4669900877483fd526d331d0c377c32845feb2eb8 xsa98-update.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJVAswXAAoJEIP+FMlX6CvZHBQIAJGGvIhPc7ZKa1uVGvY/wpbX C3mjzLksdFVtIYfmMxTctuZytpA+s4DwrIRg2qfL1KA+2Qz/jjJP6HtzPM9Er8JJ zEz9UUFreccDNHVxZW2vmHxKJ4T3SIPlmx/E3dsr9kiHLGalW3XvKwCgRJ5ZceID nvasZuCPYK1zlTYnIQERQDjXVmUd2mipHBFI69o81dyZkLEtlB9OGXC+OZKPVE0A GdvkEXhca6GYSvdD3t1nEoDrpsqMwpi1bYpd0dPoQbSW6cY7DomzcT5f4zmOJRxB L/SYOqsl4SomH/FO0tYw1IrFQ1VVShmFlIre3EIeXWGa8LwAQUVt+qdYgvSPncc= =slo3 -----END PGP SIGNATURE----- Attachment:
xsa98-unstable-01.patch Attachment:
xsa98-unstable-02.patch Attachment:
xsa98-4.4-01.patch Attachment:
xsa98-4.4-02.patch Attachment:
xsa98-update.patch _______________________________________________ Xen-users mailing list Xen-users@xxxxxxxxxxxxx http://lists.xen.org/xen-users
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |