Xen project Mailing List

[Xen-announce] Xen Security Advisory 98 (CVE-2014-3969) - insufficient permissions checks accessing guest memory on ARM

To: xen-announce@xxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxx, xen-users@xxxxxxxxxxxxx, oss-security@xxxxxxxxxxxxxxxxxx

From: Xen.org security team <security@xxxxxxx>

Date: Wed, 04 Jun 2014 16:04:18 +0000

Cc: "Xen.org security team" <security@xxxxxxx>

Delivery-date: Wed, 04 Jun 2014 16:06:06 +0000

List-id: "Xen announcements $low volume$" <xen-announce.lists.xen.org>

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2014-3969 / XSA-98 version 3 insufficient permissions checks accessing guest memory on ARM UPDATES IN VERSION 3 ==================== CVE assigned. ISSUE DESCRIPTION ================= When accessing guest memory Xen does not correctly perform permissions checks on the (possibly guest provided) virtual address: it only checks that the mapping is readable by the guest, even when writing on behalf of the guest. This allows a guest to write to memory which it should only be able to read. A guest running on a vulnerable system is able to write to memory which should be read-only. This includes supposedly read only foreign mappings established using the grant table mechanism. Such read-only mappings are commonly used as part of the paravirtualised I/O drivers (such as guest disk write and network transmit). In order to exploit this vulnerability the guest must have a mapping of the memory; it does not allow access to arbitrary addresses. In the event that a guest executes code from a page which has been shared read-only with another guest it would be possible to mount a take over attack on that guest. IMPACT ====== A domain which is deliberately exchanging data with another, malicious, domain, may be vulnerable to privilege escalation. The vulnerability depends on the precise behaviour of the victim domain. In a typical configuration this means that, depending on the behaviour of the toolstack or device driver domain, a malicious guest administrator might be able to escalate their privilege to that of the whole host. VULNERABLE SYSTEMS ================== Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onward. MITIGATION ========== None. CREDITS ======= This issue was discovered by Julien Grall. RESOLUTION ========== Applying the appropriate pair of attached patches resolves this issue. xsa98-unstable-{01,02}.patch xen-unstable xsa98-4.4-{01,02}.patch Xen 4.4.x $ sha256sum xsa98*.patch 6f63bc2e0a0a39bbd9137513a5d130ae2c78d1fd2ebf9172bf49456f73f0a67b xsa98-4.4-01.patch b338472ecce3c31a55d1a936eebbd4e46cb3ad989b91a64d4b8c5d3ca80d875d xsa98-4.4-02.patch b8535aad5ae969675d59781a81ce0b24491f1abc01aaf36c3620fd7fb6cc84eb xsa98-unstable-01.patch f5e8a93525a8905653da6377097f77681ff8121b973063ff6081e27547ceaa67 xsa98-unstable-02.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJTj0N1AAoJEIP+FMlX6CvZYRsH/3PPF+SBphp/IOcJmcoUBI0Y SZumMMtaH3jU49/0V/azYOpKET2VtCHBilBajUAB7kNx+EGHv5NZf6Vn7FMBDCVl gk7Hq39tR0axBTpp4FhK8MJQIEsMUvsohokRFiMsDmhKtWOEKPfmNrgLz6cEvo5H ci46UH0JzPhMVY4tXhd7jo9Vuyae8df+b0yYFZ2QyVdWN3AShlrp62JAXb1lJT8E LO/67uDud7bhuODA+CWmL0jHq7xsJoRitp5gJph9QmSNbkXGJfPy6Sow4qzatnsR Vb9lgJq5MHRodkaie9z4UeANysAJ1J+USvARyMx+xnQ64ETzFIm6pUotzySZWEU= =vyB+ -----END PGP SIGNATURE-----

Attachment: xsa98-4.4-01.patch
Description: Binary data

Attachment: xsa98-4.4-02.patch
Description: Binary data

Attachment: xsa98-unstable-01.patch
Description: Binary data

Attachment: xsa98-unstable-02.patch
Description: Binary data

_______________________________________________ Xen-announce mailing list Xen-announce@xxxxxxxxxxxxx http://lists.xen.org/xen-announce

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.