|Public release ||2014-09-23 12:00|
|Updated ||2014-09-24 10:29|
|Title ||Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation|
Filesadvisory-105.txt (signed advisory file)
-----BEGIN PGP SIGNED MESSAGE-----
Xen Security Advisory CVE-2014-7155 / XSA-105
Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation
UPDATES IN VERSION 3
This issue has been assigned CVE-2014-7155.
The emulation of the instructions HLT, LGDT, LIDT, and LMSW fails to
perform supervisor mode permission checks.
However these instructions are not usually handled by the emulator.
Exceptions to this are
- - when the instruction's memory operand (if any) lives in (emulated or
passed through) memory mapped IO space,
- - in the case of guests running in 32-bit PAE mode, when such an
instruction is (in execution flow) within four instructions of one
doing a page table update,
- - when an Invalid Opcode exception gets raised by a guest instruction,
and the guest then (likely maliciously) alters the instruction to
become one of the affected ones.
Malicious guest user mode code may be able to leverage this to install
e.g. its own Interrupt Descriptor Table (IDT).
Malicious HVM guest user mode code may be able to crash the guest or
escalate its own privilege to guest kernel mode.
Xen versions from at least 3.2.x onwards are vulnerable. Older
versions have not been inspected.
Only user processes in HVM guests can take advantage of this
Running only PV guests will avoid this issue.
There is no mitigation available for HVM guests.
This issue was discovered Andrei Lutas at BitDefender and analyzed by
Andrew Cooper at Citrix.
Applying the attached patch resolves this issue.
xsa105.patch xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x
$ sha256sum xsa105*.patch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
Xenproject.org Security Team