Xen project Mailing List

[Xen-announce] Xen Security Advisory 86 - libvchan failure handling malicious ring indexes

To: xen-announce@xxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxx, xen-users@xxxxxxxxxxxxx, oss-security@xxxxxxxxxxxxxxxxxx

From: Xen.org security team <security@xxxxxxx>

Date: Thu, 06 Feb 2014 12:39:17 +0000

Cc: "Xen.org security team" <security@xxxxxxx>

Delivery-date: Thu, 06 Feb 2014 12:40:12 +0000

List-id: "Xen announcements $low volume$" <xen-announce.lists.xen.org>

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory XSA-86 version 2 libvchan failure handling malicious ring indexes UPDATES IN VERSION 2 ==================== Public release. ISSUE DESCRIPTION ================= libvchan (a library for inter-domain communication) does not correctly handle unusual or malicious contents in the xenstore ring. A malicious guest can exploit this to cause a libvchan-using facility to read or write past the end of the ring. IMPACT ====== libvchan-using facilities are vulnerable to denial of service and perhaps privilege escalation. There are no such services provided in the upstream Xen Project codebase. VULNERABLE SYSTEMS ================== All versions of libvchan are vulnerable. Only installations which use libvchan for communication involving untrusted domains are vulnerable. libvirt, xapi, xend, libxl and xl do not use libvchan. If your installation contains other Xen-related software components it is possible that they use libvchan and might be vulnerable. Xen versions 4.1 and earlier do not contain libvchan. MITIGATION ========== Disabling libvchan-based facilities could be used to mitigate the vulnerability. CREDITS ======= This issue was discovered by Marek Marczykowski-GÃrecki of Invisible Things Lab. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. After the patch is applied to the Xen tree and built, any software which is statically linked against libvchan will need to be relinked against the new libvchan.a for the fix to take effect. xsa86.patch Xen 4.2.x, 4.3.x, 4.4-RC series, and xen-unstable $ sha256sum xsa86*.patch cd2df017e42717dd2a1b6f2fdd3ad30a38d3c0fbdd9d08b5f56ee0a01cd87b51 xsa86.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJS84JeAAoJEIP+FMlX6CvZsvYH/3HbxPvs42Al1gncMsc4uh+R V+j48ENTQzSNhVTtXQq9bUgNk5Dp/kok7RpZbxCWIBl79UUP/fpPUT/FjD5egMOX NU8FslhmalOkkpmyeX0Kt1SvhQt6FvaozTTOdR47wHerfd+mKkYchFRrkCBvllBU /UIVItU6fA5xyXSsFy8quT66g2a88OTlv30YTsg3jhDo48FxO7A54ay4xVAIyOFK 4Wl+hpEgTSE47VRSIGriAvjOMSSQjiMFPjR/DSbUMj8FaVhwVSitIEG9cRhn+3HE I6HqPFzy2jP+Lzj/WFkkZrt/k12GL4cZafg7th3/YcmABfR23QMN5SwfYDLKqqw= =XbpF -----END PGP SIGNATURE-----

Attachment: xsa86.patch
Description: Binary data

_______________________________________________ Xen-announce mailing list Xen-announce@xxxxxxxxxxxxx http://lists.xen.org/xen-announce

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.