Home page logo
/

oss-sec logo oss-sec mailing list archives

Xen Security Advisory 23 (CVE-2012-4538) - Unhooking empty PAE entries DoS vulnerability
From: Xen.org security team <security () xen org>
Date: Tue, 13 Nov 2012 12:56:16 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 Xen Security Advisory CVE-2012-4538 / XSA-23
                                version 2

                Unhooking empty PAE entries DoS vulnerability

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The HVMOP_pagetable_dying hypercall does not correctly check the
caller's pagetable state, leading to a hypervisor crash.

IMPACT
======

An HVM guest running on shadow pagetables (that is, not HAP) can
cause the hypervisor to crash.

VULNERABLE SYSTEMS
==================

All Xen versions from 4.0 onwards are vulnerable, except that:
 - systems that run only PV guests are not vulnerable
 - systems that run all HVM guests using HAP (which is the default on
   hardware that supports it) are not vulnerable.

MITIGATION
==========

This issue can be avoided by running only PV guests or by running
all HVM guests using hardware-assisited paging (HAP, also called
NPT, RVI and EPT).

Xen will run guests using HAP by default on hardware that
supports it, unless it is disbled by putting 'hap=0' either on
the xen hypervisor command-line or in the VM's configuration.

You can check whether a particular machine supports HAP by looking at
xen's boot messages.  On Xen 4.1, 4.2 and unstable, Xen will print
"HVM: Hardware Assisted Paging (HAP) detected" during boot; on xen 4.0
the message is "HVM: Hardware Assisted Paging detected".

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa23-4.0-4.1.patch         Xen 4.0.x, 4.1.x
xsa23-4.2-unstable.patch    Xen 4.2.x, xen-unstable

$ sha256sum xsa23*.patch
f696d597481595b14ac9577d1dad05fc97da68568f52db74d62f2e3dcb2c7a6e  xsa23-4.0-4.1.patch
70ffea07e58e4a747bf3ec103f656ba2cd0d8986722e6a72023c57d802c65964  xsa23-4.2-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJQokGsAAoJEIP+FMlX6CvZTagH/iyB7+Y5Ug2+3o0minW/xYe5
sVoRIxYhOuKIoRZFVHn3WvXc2PkL/sVCg8PoQnxCs1v4etALl6TTwE9CuJYVgbR7
9OiN6l/NAg2Qbcg3W1j5Har0syOFL5ZkrvIZ3xvER1lsSINKFJ/HBYf9Oe3KUAaD
ffzgRupB/AcETIClv9qwhmSVgjDyNWEae4TS5MzvdUM5dDcCObg/OpyvCGx2MbA8
SF/s9bSwmUcEboy1wOm4wkTWfEJUCsE/ftpQRsEZPESOOXG5u2QB+EI1pbZ1SObx
yhbDGE1Ex3T9u88t+7bSiFn2CwNS7eWQwg7nKQ6P/8PlSwm8BFg7KBC+HUxHNW4=
=stq6
-----END PGP SIGNATURE-----

Attachment: xsa23-4.0-4.1.patch
Description:

Attachment: xsa23-4.2-unstable.patch
Description:


  By Date           By Thread  

Current thread:
  • Xen Security Advisory 23 (CVE-2012-4538) - Unhooking empty PAE entries DoS vulnerability Xen . org security team (Nov 13)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault