Xen.org security team
2013-Feb-05 13:15 UTC
Xen Security Advisory 38 (CVE-2013-0215) - oxenstored incorrect handling of certain Xenbus ring states
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2013-0215 / XSA-38 version 2 oxenstored incorrect handling of certain Xenbus ring states UPDATES IN VERSION 2 =================== Public release. ISSUE DESCRIPTION ================ The oxenstored daemon (the ocaml version of the xenstore daemon) does not correctly handle unusual or malicious contents in the xenstore ring. A malicious guest can exploit this to cause oxenstored to read past the end of the ring (and very likely crash) or to allocate large amounts of RAM. IMPACT ===== A malicious guest administrator can mount a denial of service attack affecting domain control and management functions. In more detail: A malicious guest administrator can cause oxenstored to crash; after this many host control operations (for example, starting and stopping domains, device hotplug, and some monitoring functions), will be unavailable. Domains which are already running are not directly affected. Such an attacker can also cause a memory exhaustion in the domain running oxenstored; often this will make the host''s management functions unavailable. Information leak of control plane data is also theoretically possible. VULNERABLE SYSTEMS ================= Any system running oxenstored is vulnerable. oxenstored was introduced in Xen version 4.1. oxenstored was made the default in Xen 4.2.if a suitable ocaml toolchain was installed at build time. Systems running a 32-bit oxenstored are vulnerable only to the crash and not to the large memory allocation issue. MITIGATION ========= Running the C version of xenstored will avoid this issue. RESOLUTION ========= Applying the attached patch resolves this issue. xsa38.patch Xen 4.1.x, Xen 4.2.x, xen-unstable $ sha256sum xsa38*.patch 7d7a5746bc76da747bf61eb87b3303a8f3abb0d96561f35a706c671317ebe4eb xsa38.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJREQI0AAoJEIP+FMlX6CvZ6wAIAJdVEbDm51534QlQBGEE160O beOVzi6J0y1XOV3iDVnPlSxynhhBn3HcNWl0p0ERRAJt+FbZrH/WLMZ/9XLLbzZO LWVQHPiKkTYxbgxYsNXt/64CxKN8We2lffuBZn6DUQt1ZiV7T9L4SYVTWHeKo5vW mvs4j4VvlGgQTxIy0a724bEEPbBXNCu76+b6uwbJCkocnul1QMxyMK5mCJK/n/dv Q4KCXjJ9sfRHcKR8jteU0v45MP3VXbgEjrW70nvqXed3ly01SdBt/OJVAadmiG38 /EPJiFDT9cqPbl9591yQ6tQqRH5B4J3VoT7vl/hcV9AI8cduHVkQ8nLhfo71lLg=CAag -----END PGP SIGNATURE----- _______________________________________________ Xen-users mailing list Xen-users@lists.xen.org http://lists.xen.org/xen-users
Xen.org security team
2013-Feb-15 11:41 UTC
Xen Security Advisory 38 (CVE-2013-0215) - oxenstored incorrect handling of certain Xenbus ring states
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2013-0215 / XSA-38 version 3 oxenstored incorrect handling of certain Xenbus ring states UPDATES IN VERSION 3 =================== The patch supplied contained an error which would cause a failure when the ring became full. An updated patch is attached. The incremental fix can be found at: http://xenbits.xen.org/hg/staging/xen-unstable.hg/rev/759574df84a6 ISSUE DESCRIPTION ================ The oxenstored daemon (the ocaml version of the xenstore daemon) does not correctly handle unusual or malicious contents in the xenstore ring. A malicious guest can exploit this to cause oxenstored to read past the end of the ring (and very likely crash) or to allocate large amounts of RAM. IMPACT ===== A malicious guest administrator can mount a denial of service attack affecting domain control and management functions. In more detail: A malicious guest administrator can cause oxenstored to crash; after this many host control operations (for example, starting and stopping domains, device hotplug, and some monitoring functions), will be unavailable. Domains which are already running are not directly affected. Such an attacker can also cause a memory exhaustion in the domain running oxenstored; often this will make the host''s management functions unavailable. Information leak of control plane data is also theoretically possible. VULNERABLE SYSTEMS ================= Any system running oxenstored is vulnerable. oxenstored was introduced in Xen version 4.1. oxenstored was made the default in Xen 4.2.if a suitable ocaml toolchain was installed at build time. Systems running a 32-bit oxenstored are vulnerable only to the crash and not to the large memory allocation issue. MITIGATION ========= Running the C version of xenstored will avoid this issue. RESOLUTION ========= Applying the attached patch resolves this issue. xsa38.patch Xen 4.1.x, Xen 4.2.x, xen-unstable $ sha256sum xsa38*.patch 9912d3239a6f784418fcec53fad7c316588a421e352462f661cd1070fcf21d4b xsa38.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJRHh6yAAoJEIP+FMlX6CvZekUH/AsBw9dg8t2QLsPd391zxX6C XUJGW616979+tVCGVr+ahyRKnE2T598LBD+Vojvi7/jL+k59/j48jOkJIen9NfV6 aawnCrDWICa1Hq4/7xoj1ZagmdQuRuESbdsV6VbzF7v6eBybzKHjhFLNg2cSw6YB Zhay6tqpQGQIZrqWZla0OzNf34gWFZAnD4SL3CzlQaMlUb4gab1qprb2kOHttfcK wlPxy+U3CPppiRHR5Zs9RmGqnRCA9YpZF2JjxuunrZhFtvY1v+udLCiMkdUGblss tKimBDyxC1Qlthye6MTVftvRSsmBmhRJV7R9Wia3s7iAW4KASeobxS+4wicbcHM=GBLo -----END PGP SIGNATURE----- _______________________________________________ Xen-users mailing list Xen-users@lists.xen.org http://lists.xen.org/xen-users