-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0769
   Xen Security Advisory CVE-2014-3714,CVE-2014-3715,CVE-2014-3716,CVE-2014-3717
                            / XSA-95 version 3
                                20 May 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xen
Publisher:         Xen
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Xen
Impact/Access:     Denial of Service        -- Existing Account
                   Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3717 CVE-2014-3716 CVE-2014-3715 CVE-2014-3714

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

   Xen Security Advisory CVE-2014-3714,CVE-2014-3715,CVE-2014-3716,CVE-2014-3717
                            / XSA-95 version 3

          input handling vulnerabilities loading guest kernel on ARM

UPDATES IN VERSION 3
====================

Several CVE numbers, CVE-2014-{3714,3715,3716,3717}, have been assigned
to the issues described here. References have been added to the issue
description.

ISSUE DESCRIPTION
=================

When loading a 32-bit ARM guest kernel, the Xen tools did not correctly
validate the length of the kernel against the actual image size. This
leads to an overrun of the input buffer when loading the kernel into
guest RAM (CVE-2014-3714).

Furthermore, when checking a 32-bit guest kernel for an appended DTB,
the Xen tools were prone to additional overruns, also leading to an
overrun of the input buffer when loading the kernel into guest RAM
(CVE-2014-3715).

Also, the tools would access a field in the putative DTB header without
checking its alignment (CVE-2014-3716).

When loading a 64-bit ARM guest kernel, the tools similarly did not
fully validate the requested load addresses, possibly leading to an
overrun of the input buffer when loading the kernel into guest RAM
(CVE-2014-3717).

IMPACT
======

An attacker who can control the kernel used to boot a guest can exploit
these issues.

Exploiting the overflow issues allows information which follows the
guest kernel in the toolstack address space to be copied into the
guest's memory, constituting an information leak.

Alternatively, either the overflow or the alignment issues could be used
to crash the toolstack process, leading to a denial of service.

VULNERABLE SYSTEMS
==================

ARM systems are vulnerable from Xen 4.4 onwards.

MITIGATION
==========

Ensuring that guests use only trustworthy kernels will avoid this
problem.

CREDITS
=======

This issue was discovered by Thomas Leonard.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa95.patch        xen-unstable, Xen 4.4.x

$ sha256sum xsa95*.patch
1ab63ff126b92e752e88b240838dd66b66415604eaa3e49e373cb50ad3cdd0af  xsa95.patch
$
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJTdenGAAoJEIP+FMlX6CvZHbAIAI581kr07vf1KNlGVIyfOoJN
y8iqAS4n4D8JM7HJgoC+4Yf8HXA+KljR2Pg31ciY1eryWFibvZiBt1aykZVS7y+c
nVMHNoOVv0HmA/RycMT06iNy8BRThat4QY5/Eov8voRESU0yCPXTgoNg1iBLt5Eb
ZG31pI2Nk+xOmC4+wtJ8BLv+k2dV6vLNNaZB60OrXL7VOFlQlyCRrUSy3wy86y+h
FkhelkAWnRBpYOBn0ZSJayVlMH1fRtZWSYQOhDQHt14laJE/UJVQ5gNnSJDCQevS
io2i30xT38SfdoBPfiTj6yfgmmT3YmJRZvJ7QnSqBDWL1r4xcTCtHB7Uyy94X4w=
=ivP8
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBU3rimRLndAQH1ShLAQK6FRAAlLeFVQlX1/WHPJL3z/OPUGVjGc7Ioytd
sIXxXHmer+KmPX+dr4e5aRosD1i90CQWeSQT3/Pj0MGScfDPbPhtlGwXRjVdzz8S
GpnrJxYGSYfyXks3uTRXiqPZ6CCGAGubx0IAObNiuTRgKSy+AMJIkpkR6M7fl9jy
hKgGXw0+qK1fb03ekc0UGgVcOTmqcKkDLuyRIsLDWzgZY89Pcs9jO6w6qpBUMEhD
Lf+wjdhVQhsCnvmWaTN4sYAowSzerXLQgVexiAOQgO9MiUPy7qlHQdE6PJ9o933H
y7k/oyobVThR6HEODTFOTYRK2w69fLVO4Dyxn6muH1XfeeRWNAeMN9TXGy1hgQZ9
h8gIwz5ZvuN/S24gpfJofvNq547RLJcKvwfcSmzyX75GwMM8Xa3f2k2HZJgiZYwc
Y/p9/fv40DpqijTmZiEGw2+h7KM1z/ciNWlLFpXyoZqwunYDi2SjY3/vEcC/qk5s
dUoLc1QtpH7bu3LbCXusnIw21YR14OBJKAchS3u+jvtKj+CTMbWp11ZivdWWLPGl
VzXinSghHrvA8VamFm7vwPV1syx0PCcrsIm3LtRQD1yV6rdwWn304kUY2qC5r//z
fxeS4ZICXbs6c02Q83CuycisQipcVPntVoY9mkD8LgqUYEhmmOecj6aw0DrMbTua
X0KdaOccNbE=
=melg
-----END PGP SIGNATURE-----
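The 32-bit zImage path from the ISSUE DESCRIPTION above, modelled as an added example. This is not Xen's code and not the xsa95.patch fix: the loader, its function names, the 4 KiB "guest RAM" and the two sample images are assumptions made for illustration; only the header offsets (zImage magic/start/end at 0x24/0x28/0x2c, FDT magic and totalsize at 0/4) follow the published Linux ARM zImage and flattened device tree formats. The vulnerable shape takes its copy length straight from the header, so a 0x40-byte file claiming a 0x1000-byte kernel makes the copy read toolstack memory past the image (the CVE-2014-3714 class). The hardened shape bounds every header-derived length by the bytes actually read before using it, looks for an appended DTB only when its header fields lie inside the file (the CVE-2014-3715 class), and reads those fields byte-wise so an odd DTB offset cannot fault (the CVE-2014-3716 class). The 64-bit load-address check (CVE-2014-3717) follows the same pattern and is not modelled here.

```c
/* Added example modelling the XSA-95 class of bug; not Xen's code. Loader
 * names, GUEST_RAM_SIZE and the sample images are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ZIMAGE32_MAGIC_OFFSET 0x24
#define ZIMAGE32_START_OFFSET 0x28
#define ZIMAGE32_END_OFFSET   0x2c
#define ZIMAGE32_HEADER_LEN   0x30
#define ZIMAGE32_MAGIC        0x016f2818u
#define FDT_MAGIC             0xd00dfeedu
#define FDT_HEADER_LEN        8        /* magic + totalsize: the fields we read */
#define GUEST_RAM_SIZE        4096     /* assumed size of the demo guest RAM */

/* Byte-wise accessors: correct at any alignment, so a DTB header at an odd
 * offset cannot fault (CVE-2014-3716 class). */
static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint32_t rd32be(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3];
}
static void wr32le(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }
static void wr32be(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }

/* Vulnerable shape: copy length comes from the header, never compared with
 * image_size. Returns the byte count such a loader would memcpy into guest RAM
 * (copy omitted here), or -1 on a magic mismatch. When end - start exceeds
 * image_size the memcpy reads toolstack memory past the image (CVE-2014-3714). */
long zimage32_len_vulnerable(const uint8_t *image, size_t image_size) {
    if (image_size < ZIMAGE32_HEADER_LEN) return -1;
    if (rd32le(image + ZIMAGE32_MAGIC_OFFSET) != ZIMAGE32_MAGIC) return -1;
    uint32_t start = rd32le(image + ZIMAGE32_START_OFFSET);
    uint32_t end   = rd32le(image + ZIMAGE32_END_OFFSET);
    return (long)(end - start);                        /* BUG: unchecked */
}

/* Hardened shape: every header-derived length is bounded by the bytes actually
 * read before use. Returns the kernel length copied into guest_ram, or -1 if
 * rejected; *dtb_len gets the size of a valid appended DTB, or 0 if none. */
long zimage32_load_hardened(const uint8_t *image, size_t image_size,
                            uint8_t *guest_ram, size_t *dtb_len) {
    *dtb_len = 0;
    if (image_size < ZIMAGE32_HEADER_LEN) return -1;
    if (rd32le(image + ZIMAGE32_MAGIC_OFFSET) != ZIMAGE32_MAGIC) return -1;
    uint32_t start = rd32le(image + ZIMAGE32_START_OFFSET);
    uint32_t end   = rd32le(image + ZIMAGE32_END_OFFSET);
    if (end < start) return -1;                        /* wrapped or nonsensical */
    size_t len = end - start;
    if (len < ZIMAGE32_HEADER_LEN || len > image_size) return -1;  /* header lies */
    if (len > GUEST_RAM_SIZE) return -1;               /* would not fit the guest */

    /* Appended DTB (CVE-2014-3715 class): look only if magic and totalsize are
     * inside the file, and trust totalsize only once bounded by what follows. */
    size_t rest = image_size - len;
    if (rest >= FDT_HEADER_LEN && rd32be(image + len) == FDT_MAGIC) {
        uint32_t total = rd32be(image + len + 4);
        if (total < FDT_HEADER_LEN || total > rest) return -1;  /* DTB overruns file */
        *dtb_len = total;
    }
    memcpy(guest_ram, image, len);
    return (long)len;
}

/* Constructed inputs: a 0x40-byte file whose header claims a 0x1000-byte kernel,
 * and a 0x31-byte kernel followed at that odd offset by an 8-byte DTB header. */
#define LYING_SIZE  0x40
#define HONEST_SIZE (0x31 + FDT_HEADER_LEN)

static void build_image(uint8_t *buf, size_t kernel_len) {   /* buf: GUEST_RAM_SIZE bytes */
    memset(buf, 0, GUEST_RAM_SIZE);
    wr32le(buf + ZIMAGE32_MAGIC_OFFSET, ZIMAGE32_MAGIC);
    wr32le(buf + ZIMAGE32_START_OFFSET, 0x8000);
    wr32le(buf + ZIMAGE32_END_OFFSET,   0x8000 + (uint32_t)kernel_len);
}

long demo_vulnerable_len(void) {               /* 0x1000 from a 0x40-byte file */
    uint8_t img[GUEST_RAM_SIZE];
    build_image(img, 0x1000);
    return zimage32_len_vulnerable(img, LYING_SIZE);
}
long demo_hardened_rejects_lying(void) {       /* -1 */
    uint8_t img[GUEST_RAM_SIZE], ram[GUEST_RAM_SIZE]; size_t dtb;
    build_image(img, 0x1000);
    return zimage32_load_hardened(img, LYING_SIZE, ram, &dtb);
}
static long run_honest(size_t *dtb_len) {
    uint8_t img[GUEST_RAM_SIZE], ram[GUEST_RAM_SIZE];
    build_image(img, 0x31);
    wr32be(img + 0x31, FDT_MAGIC);             /* DTB header at an unaligned offset */
    wr32be(img + 0x35, FDT_HEADER_LEN);        /* totalsize == bytes present */
    return zimage32_load_hardened(img, HONEST_SIZE, ram, dtb_len);
}
long   demo_hardened_honest_len(void) { size_t d = 0; return run_honest(&d); }   /* 0x31 */
size_t demo_hardened_honest_dtb(void) { size_t d = 0; run_honest(&d); return d; } /* 8 */

int main(void) {
    printf("vulnerable loader would copy %ld bytes from a %d-byte file\n",
           demo_vulnerable_len(), LYING_SIZE);
    printf("hardened loader on the lying image: %ld\n", demo_hardened_rejects_lying());
    printf("hardened loader on the honest image: %ld bytes, DTB %zu bytes\n",
           demo_hardened_honest_len(), demo_hardened_honest_dtb());
    return 0;
}
```

The point a reviewer of any image loader should check is the one the hardened version makes explicit: a length or offset that comes from the file is attacker input, and the only trustworthy bound on it is the number of bytes actually read, so every read and every copy must be checked against that figure before it happens, not after.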