Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 512572 (CVE-2014-3969) - <app-emulation/xen-4.4.0-r4: insufficient permissions checks accessing guest memory on ARM (CVE-2014-3969) (XSA-98)
Summary: <app-emulation/xen-4.4.0-r4: insufficient permissions checks accessing guest ...
Status: RESOLVED FIXED
Alias: CVE-2014-3969
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: ~1 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-06-06 07:56 UTC by Agostino Sarubbo
Modified: 2014-07-10 04:57 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-06-06 07:56:58 UTC
From ${URL} :

            Xen Security Advisory CVE-2014-3969 / XSA-98
                            version 3

       insufficient permissions checks accessing guest memory on ARM

UPDATES IN VERSION 3
====================

CVE assigned.

ISSUE DESCRIPTION
=================

When accessing guest memory Xen does not correctly perform permissions
checks on the (possibly guest provided) virtual address: it only
checks that the mapping is readable by the guest, even when writing on
behalf of the guest.  This allows a guest to write to memory which
it should only be able to read.

A guest running on a vulnerable system is able to write to memory
which should be read-only.  This includes supposedly read only foreign
mappings established using the grant table mechanism.  Such read-only
mappings are commonly used as part of the paravirtualised I/O drivers
(such as guest disk write and network transmit).

In order to exploit this vulnerability the guest must have a mapping
of the memory; it does not allow access to arbitrary addresses.

In the event that a guest executes code from a page which has been
shared read-only with another guest it would be possible to mount a
take over attack on that guest.

IMPACT
======

A domain which is deliberately exchanging data with another,
malicious, domain, may be vulnerable to privilege escalation.  The
vulnerability depends on the precise behaviour of the victim domain.

In a typical configuration this means that, depending on the behaviour
of the toolstack or device driver domain, a malicious guest
administrator might be able to escalate their privilege to that of the
whole host.

VULNERABLE SYSTEMS
==================

Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onward.

MITIGATION
==========

None.

CREDITS
=======

This issue was discovered by Julien Grall.

RESOLUTION
==========

Applying the appropriate pair of attached patches resolves this issue.

xsa98-unstable-{01,02}.patch        xen-unstable
xsa98-4.4-{01,02}.patch             Xen 4.4.x



@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 Yixun Lan gentoo-dev 2014-06-14 07:23:11 UTC
*xen-4.4.0-r4 (14 Jun 2014)
*xen-4.3.2-r3 (14 Jun 2014)
*xen-4.2.4-r3 (14 Jun 2014)

  14 Jun 2014; Yixun Lan <dlan@gentoo.org> +xen-4.2.4-r3.ebuild,
  +xen-4.3.2-r3.ebuild, +xen-4.4.0-r4.ebuild:
  bump security patches, fix bug 482138, 512572, 512294
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-06-16 03:55:22 UTC
Thank you for your work, since this is ARM only if you can cleanup vulnerable version we can close this.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2014-06-17 19:41:36 UTC
CVE-2014-3969 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3969):
  Xen 4.4.x, when running on an ARM system, does not properly check write
  permissions on virtual addresses, which allows local guest administrators to
  gain privileges via unspecified vectors.
Comment 4 Yixun Lan gentoo-dev 2014-07-09 03:01:13 UTC
(In reply to GLSAMaker/CVETool Bot from comment #3)
> CVE-2014-3969 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3969):
>   Xen 4.4.x, when running on an ARM system, does not properly check write
>   permissions on virtual addresses, which allows local guest administrators
> to
>   gain privileges via unspecified vectors.

this is already fixed, see comment #1
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2014-07-10 04:53:56 UTC
dlan, Thank you for cleanup!

No GLSA needed as there are no stable versions for ARM.