===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0910
          Xen Security Advisory CVE-2014-3969 / XSA-98 version 3
                               10 June 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xen
Publisher:         Xen
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Xen
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3969

Original Bulletin:
   http://xenbits.xen.org/xsa/advisory-98.html

--------------------------BEGIN INCLUDED TEXT--------------------

            Xen Security Advisory CVE-2014-3969 / XSA-98
                             version 3

    insufficient permissions checks accessing guest memory on ARM

UPDATES IN VERSION 3
====================

CVE assigned.

ISSUE DESCRIPTION
=================

When accessing guest memory Xen does not correctly perform permissions
checks on the (possibly guest provided) virtual address: it only checks
that the mapping is readable by the guest, even when writing on behalf
of the guest. This allows a guest to write to memory which it should
only be able to read.

A guest running on a vulnerable system is able to write to memory which
should be read-only. This includes supposedly read only foreign mappings
established using the grant table mechanism. Such read-only mappings are
commonly used as part of the paravirtualised I/O drivers (such as guest
disk write and network transmit).

In order to exploit this vulnerability the guest must have a mapping of
the memory; it does not allow access to arbitrary addresses.

In the event that a guest executes code from a page which has been
shared read-only with another guest it would be possible to mount a
take over attack on that guest.

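An added example, not part of the Xen advisory and not Xen's code: a toy C
model of the flaw class described above, in which a write performed on the
guest's behalf is validated with a read-permission check, shown beside the
corrected check. All names (guest_page, translate, write_guest_flawed,
write_guest_checked) and the two-page layout are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Toy model only: every name below is hypothetical, none of it is Xen code. */
#define PAGE_SIZE 16u
#define PERM_R 0x1u
#define PERM_W 0x2u

struct guest_page {
    unsigned perms;              /* permissions the guest holds on the mapping */
    uint8_t data[PAGE_SIZE];
};

/* Resolve a guest virtual address, requiring `need` permissions on the page. */
static uint8_t *translate(struct guest_page *pt, size_t n, size_t gva, unsigned need)
{
    size_t idx = gva / PAGE_SIZE;
    if (idx >= n || (pt[idx].perms & need) != need)
        return NULL;             /* unmapped, or insufficient permissions */
    return &pt[idx].data[gva % PAGE_SIZE];
}

/* Flawed: a write on the guest's behalf is validated as if it were a read. */
int write_guest_flawed(struct guest_page *pt, size_t n, size_t gva, uint8_t v)
{
    uint8_t *p = translate(pt, n, gva, PERM_R);
    if (!p) return -1;
    *p = v;
    return 0;
}

/* Corrected: the permission checked matches the access actually performed. */
int write_guest_checked(struct guest_page *pt, size_t n, size_t gva, uint8_t v)
{
    uint8_t *p = translate(pt, n, gva, PERM_W);
    if (!p) return -1;
    *p = v;
    return 0;
}

/* Constructed scenario: page 1 models a read-only shared mapping.
 * Returns 1 if that page was modified, 0 if the write was refused. */
int readonly_page_modified(int use_checked)
{
    struct guest_page pt[2] = { { PERM_R | PERM_W, {0} }, { PERM_R, {0} } };
    size_t gva = PAGE_SIZE + 3;  /* address inside the read-only page */
    int rc = use_checked ? write_guest_checked(pt, 2, gva, 0xAA)
                         : write_guest_flawed(pt, 2, gva, 0xAA);
    return rc == 0 && pt[1].data[3] == 0xAA;
}
int main(void) { return (readonly_page_modified(0) && !readonly_page_modified(1)) ? 0 : 1; }
```
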
IMPACT
======

A domain which is deliberately exchanging data with another, malicious,
domain, may be vulnerable to privilege escalation. The vulnerability
depends on the precise behaviour of the victim domain.

In a typical configuration this means that, depending on the behaviour
of the toolstack or device driver domain, a malicious guest
administrator might be able to escalate their privilege to that of the
whole host.

VULNERABLE SYSTEMS
==================

Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onward.

MITIGATION
==========

None.

CREDITS
=======

This issue was discovered by Julien Grall.

RESOLUTION
==========

Applying the appropriate pair of attached patches resolves this issue.

xsa98-unstable-{01,02}.patch        xen-unstable
xsa98-4.4-{01,02}.patch             Xen 4.4.x

$ sha256sum xsa98*.patch
6f63bc2e0a0a39bbd9137513a5d130ae2c78d1fd2ebf9172bf49456f73f0a67b  xsa98-4.4-01.patch
b338472ecce3c31a55d1a936eebbd4e46cb3ad989b91a64d4b8c5d3ca80d875d  xsa98-4.4-02.patch
b8535aad5ae969675d59781a81ce0b24491f1abc01aaf36c3620fd7fb6cc84eb  xsa98-unstable-01.patch
f5e8a93525a8905653da6377097f77681ff8121b973063ff6081e27547ceaa67  xsa98-unstable-02.patch
$

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================