thr3ads.net - Xen users - Xen Security Advisory 106 (CVE-2014-7156) - Missing privilege level checks in x86 emulation of software interrupts [Sep 2014]

If this information is useful, please help other people find it:
Share via:

Xen.org security team

2014-Sep-24 10:30 UTC

Xen Security Advisory 106 (CVE-2014-7156) - Missing privilege level checks in x86 emulation of software interrupts

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2014-7156 / XSA-106
                              version 3

    Missing privilege level checks in x86 emulation of software interrupts

UPDATES IN VERSION 3
===================
This issue has been assigned CVE-2014-7156.

ISSUE DESCRIPTION
================
The emulation of instructions which generate software interrupts fails
to perform supervisor mode permission checks.

However these instructions are not usually handled by the emulator.
Exceptions to this are
- - when a memory operand (implicit for the affected instructions) lives
  in (emulated or passed through) memory mapped IO space,
- - in the case of guests running in 32-bit PAE mode, when such an
  instruction is (in execution flow) within four instructions of one
  doing a page table update,
- - when an Invalid Opcode exception gets raised by a guest instruction,
  and the guest then (likely maliciously) alters the instruction to
  become one of the affected ones,
- - when the guest is in real mode (in which case there are no privilege
  checks anyway).

IMPACT
=====
Malicious HVM guest user mode code may be able to crash the guest.

VULNERABLE SYSTEMS
=================
Xen versions from 3.3 onwards are vulnerable.

Only user processes in HVM guests can take advantage of this
vulnerability.

MITIGATION
=========
Running only PV guests will avoid this issue.

There is no mitigation available for HVM guests.

CREDITS
======
This issue was discovered Andrei Lutas at BitDefender and analyzed by
Andrew Cooper at Citrix.

RESOLUTION
=========
Applying the attached patch resolves this issue.

xsa106.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa106*.patch
301060f801ab39c15ac773e1bcc250f0e6bf30d748007a96173459b83afc9270  xsa106.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJUIpznAAoJEIP+FMlX6CvZNzsH/2EiupxpKxmHXoWxZAqlDz5E
+cdmv5axHGO74bU8xGe/WFcfOCjx8LaPifWd/g6AMlSa7BHe1i1sPmOifr6jhRlz
xfJonBcXl6/Z7LpfaYdu2M+6mDXoO2Ov5yKEYDNPyzwfmRH+bLBBGrGTzJvyaEj2
PS2JgtIzIVRFHdmYh7zJeS9isKt9+/lKplAIluKUUUhnX1pMUaTV9Ax67MUs7BdJ
SHh37YoMIZAxAkRl80nT7gBdohLUmQJZm3CVFFjk71hSFlvdRJNZuVJnxMyXXBA3
awQlxUAhUQmP8ls1JTK0EMVe9EAPvyqgPlk/2Ch8UBtpg0MeGzBs9UJwjYeP47Y=c9bK
-----END PGP SIGNATURE-----


_______________________________________________
Xen-users mailing list
Xen-users@lists.xen.org
http://lists.xen.org/xen-users

Xen users - Sep 2014 - Xen Security Advisory 106 (CVE-2014-7156) - Missing privilege level checks in x86 emulation of software interrupts

Xen Security Advisory 106 (CVE-2014-7156) - Missing privilege level checks in x86 emulation of software interrupts