===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0769
                           Xen Security Advisory
         CVE-2014-3714,CVE-2014-3715,CVE-2014-3716,CVE-2014-3717 /
                             XSA-95 version 3
                                20 May 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Xen
Publisher:        Xen
Operating System: UNIX variants (UNIX, Linux, OSX)
                  Xen
Impact/Access:    Denial of Service        -- Existing Account
                  Access Confidential Data -- Existing Account
Resolution:       Patch/Upgrade
CVE Names:        CVE-2014-3714 CVE-2014-3715 CVE-2014-3716
                  CVE-2014-3717

--------------------------BEGIN INCLUDED TEXT--------------------

 Xen Security Advisory CVE-2014-3714,CVE-2014-3715,CVE-2014-3716,CVE-2014-3717 / XSA-95
                             version 3

      input handling vulnerabilities loading guest kernel on ARM

UPDATES IN VERSION 3
====================

Several CVE numbers, CVE-2014-{3714,3715,3716,3717} have been assigned
to the issues described here. References have been added to the issue
description.

ISSUE DESCRIPTION
=================

When loading a 32-bit ARM guest kernel the Xen tools did not correctly
validate the length of the kernel against the actual image size.  This
would then lead to an overrun on the input buffer when loading the
kernel into guest RAM (CVE-2014-3714).

Furthermore, when checking a 32-bit guest kernel for an appended DTB,
the Xen tools were prone to additional overruns, again reading past
the end of the input buffer when loading the kernel into guest RAM
(CVE-2014-3715).  Also, the tools would access a field in the putative
DTB header without checking for its alignment (CVE-2014-3716).

When loading a 64-bit ARM guest kernel the tools similarly did not
fully validate the requested load addresses, possibly leading to an
overrun on the input buffer when loading the kernel into guest RAM
(CVE-2014-3717).
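The checks the three 32-bit issues call for, as an added example written
for this bulletin rather than code from the advisory or from the Xen patch:
a loader that trusts only the number of bytes it actually read, and bounds
the header's claimed kernel length, the appended DTB's size, and the DTB
header's alignment against it.  The zImage header offsets and the FDT magic
are the standard Linux values; the sample image and the error codes are
constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
/* 32-bit ARM Linux zImage header: little-endian magic/start/end fields. */
enum { ZIMAGE_MAGIC_OFF = 0x24, ZIMAGE_START_OFF = 0x28, ZIMAGE_END_OFF = 0x2c };
#define ZIMAGE_MAGIC 0x016f2818u
#define FDT_MAGIC    0xd00dfeedu   /* flattened device tree magic, big-endian */
enum { ZOK = 0, ZERR_HEADER, ZERR_LENGTH, ZERR_DTB_ALIGN, ZERR_DTB_SIZE };
static uint32_t rd_le32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint32_t rd_be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]; }
static void wr_le32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }
static void wr_be32(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }

/* Validate a 32-bit ARM zImage plus any appended DTB against the number of
 * bytes actually loaded, returning the lengths that are safe to copy. */
int validate_zimage32(const uint8_t *img, size_t img_size,
                      size_t *kernel_len, size_t *dtb_len) {
    uint32_t start, end, dsize; size_t klen;
    *kernel_len = *dtb_len = 0;
    if (img_size < ZIMAGE_END_OFF + 4 || rd_le32(img + ZIMAGE_MAGIC_OFF) != ZIMAGE_MAGIC)
        return ZERR_HEADER;
    start = rd_le32(img + ZIMAGE_START_OFF); end = rd_le32(img + ZIMAGE_END_OFF);
    /* CVE-2014-3714: the header's claimed length must not exceed the image. */
    if (end <= start || (klen = end - start) > img_size)
        return ZERR_LENGTH;
    *kernel_len = klen;
    if (img_size - klen < 8)                 /* no room for an FDT header */
        return ZOK;
    /* CVE-2014-3716: a loader casting this to struct fdt_header needs 4-byte alignment. */
    if (klen % 4 != 0)
        return ZERR_DTB_ALIGN;
    if (rd_be32(img + klen) != FDT_MAGIC)    /* trailing bytes, not a DTB */
        return ZOK;
    dsize = rd_be32(img + klen + 4);         /* fdt_header.totalsize */
    /* CVE-2014-3715: the DTB's own size must also fit inside the image. */
    if (dsize < 40 || dsize > img_size - klen)
        return ZERR_DTB_SIZE;
    *dtb_len = dsize;
    return ZOK;
}

/* Constructed sample: 64-byte kernel followed by a 40-byte DTB header stub.
 * variant 1 overstates the kernel length, 2 the DTB size, 3 misaligns the DTB.
 * Returns -error, or kernel_len * 1000 + dtb_len on success. */
long check_sample(int variant) {
    uint8_t img[104] = {0}; size_t k, d;
    uint32_t extra = variant == 1 ? 1000 : variant == 3 ? 1 : 0;
    wr_le32(img + ZIMAGE_MAGIC_OFF, ZIMAGE_MAGIC); wr_le32(img + ZIMAGE_START_OFF, 0x8000);
    wr_le32(img + ZIMAGE_END_OFF, 0x8000 + 64 + extra);
    wr_be32(img + 64, FDT_MAGIC);
    wr_be32(img + 68, variant == 2 ? 4096 : 40);
    int rc = validate_zimage32(img, sizeof img, &k, &d);
    return rc ? -rc : (long)k * 1000 + (long)d;
}
```

The byte-wise readers here never fault on a misaligned address; the alignment check is kept because a loader that overlays a header struct on the bytes would.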

IMPACT
======

An attacker who can control the kernel used to boot a guest can
exploit these issues.

Exploiting the overflow issues allows information which follows the
guest kernel in the toolstack address space to be copied into the
guest's memory, constituting an information leak.

Alternatively either the overflow or alignment issues could be used to
crash the toolstack process, leading to a denial of service.

VULNERABLE SYSTEMS
==================

ARM systems are vulnerable from Xen 4.4 onwards.

MITIGATION
==========

Ensuring that guests use only trustworthy kernels will avoid this
problem.

CREDITS
=======

This issue was discovered by Thomas Leonard.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa95.patch        xen-unstable, Xen 4.4.x

$ sha256sum xsa95*.patch
1ab63ff126b92e752e88b240838dd66b66415604eaa3e49e373cb50ad3cdd0af  xsa95.patch
$

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================