[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] Xen Security Advisory 76 (CVE-2013-4554) - Hypercalls exposed to privilege rings 1 and 2 of HVM guests



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2013-4554 / XSA-76
                              version 3

      Hypercalls exposed to privilege rings 1 and 2 of HVM guests

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The privilege check applied to hypercall attempts by a HVM guest only refused
access from ring 3; rings 1 and 2 were allowed through.

IMPACT
======

Code running in the intermediate privilege rings of HVM guest OSes may be able
to elevate its privileges inside the guest by careful hypercall use.

VULNERABLE SYSTEMS
==================

Xen 3.0.3 and later are vulnerable.
Xen 3.0.2 and earlier are not vulnerable.

MITIGATION
==========

Running only PV guests, or running HVM guests known to not make use of
protection rings 1 and 2 will avoid this issue. As far as we are aware no
mainstream OS (Linux, Windows, BSD) make use of these rings.

CREDITS
=======

This issue was discovered by Jan Beulich.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa76.patch        xen-unstable, Xen 4.3.x, Xen 4.2.x, Xen 4.1.x

$ sha256sum xsa76*.patch
8c4d460c71e8e8dffa32ce24f57ce872ccd8623ab72fd38be432f0a2b097e7c1  xsa76.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJSlNMiAAoJEIP+FMlX6CvZn4kH/38vSCRckKM2JuQJfIJb8WtT
hz7XFDLhDBgeei7J3G3HiZIdaVGVYvThKDl6Dk0Kfc7V7vqIOEYN6OGAOqsJY5GL
Yqqxqol4ncyM0okLn3mvgeX1FlpLi1rlkwWkR7on7KMahxITjeGpWs00z9o9fpxy
21hIEw3vtXxg+C22QK2GS2fHKrkU23Fi7OPC09aU179nWjQWom+7qNsRvJlw+dRq
NZs5EvvGofqXN7KaLAirJkNUmxDOS0+XxNcF/1zLpXa/bIXjKCju6LoLb86UZOsM
JkSSfFYiz3UxAqjZtr4x4cbUl/0LeGUETVygIOOtx/56TKMxzgbaXHDevCiu3bw=
=oChf
-----END PGP SIGNATURE-----

Attachment: xsa76.patch
Description: Binary data

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.