Xen.org security team
2013-May-17 15:45 UTC
Xen Security Advisory 56 (CVE-2013-2072) - Buffer overflow in xencontrol Python bindings affecting xend
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2013-2072 / XSA-56 version 2 Buffer overflow in xencontrol Python bindings affecting xend UPDATES IN VERSION 2 =================== Public release. ISSUE DESCRIPTION ================ The Python bindings for the xc_vcpu_setaffinity call do not properly check their inputs. Systems which allow untrusted administrators to configure guest vcpu affinity may be exploited to trigger a buffer overrun and corrupt memory. IMPACT ===== An attacker who is able to configure a specific vcpu affinity via a toolstack which uses the Python bindings is able to exploit this issue. Exploiting this issue leads to memory corruption which may result in a DoS against the system by crashing the toolstack. The possibility of code execution (privilege escalation) has not been ruled out. The xend toolstack passes a cpumap to this function without sanitization. xend allows the cpumap to be configured via the guest configuration file or the SXP/XenAPI interface. Normally these interfaces are not considered safe to expose to non-trusted parties. However systems which attempt to allow guest administrator control of VCPU affinity in a safe way via xend may expose this issue. VULNERABLE SYSTEMS ================= Xen version 4.0 and later contain this flaw. Only systems which allow the specification of cpu affinity masks by untrusted guest administrators are vulnerable. Normally the cpu affinity is specified by the host administrator as part of the guest configuration; there is then no vulnerability. Only systems which use the libxc Python bindings, are vulnerable. Toolstacks which do not use Python, such as xl or xapi, are not vulnerable. MITIGATION ========= Not allowing untrusted guest administrators to configure VCPU affinity will avoid exposure. Where possible switching to a toolstack which does not use Python will also avoid exposure to this vulnerability. RESOLUTION ========= Applying the appropriate attached patch resolves this issue. xsa56.patch Xen 4.1.x, Xen 4.2.x, xen-unstable $ sha256sum xsa56*.patch a691c5f5332a42c0d38ddb4dc037eb902f01ba31033b64c47d02909a8de0257d xsa56.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJRlk9eAAoJEIP+FMlX6CvZIOMIAJFcMxxknbjo9oT9Plv8I9TA agEEaUV/cbZTUWHCdGLj6G8kHp4Td8mfKzHy9ZKlNn0GJ0vgezi08enxjgjSlloG 7KAsLAYYlrwjtSmu74CC48EDKF5KTy3xhxGIMT14fJAyDUAStwgHHZbcE8dNvaXk sfygb5epW+ZzQBkOxhKQkNDt5yoGVZ+Zb4Z/pmBXb+e8SVx+4i005HPuB8aIFowi 1nlbo2cSkFj6/NP5olhDQOYM5LEqzO8GPgHjTXJmIoTxA0Zuu4P53qjLsose5DCy 4OQY1v76lMP419t0I3UwA/KUott3PaUc3kzE24/3AmVxsh27k6cyVxovV4jsvf0=5dzZ -----END PGP SIGNATURE----- _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel