Information

Advisory XSA-38
Public release 2013-02-05 12:00
Updated 2013-02-15 11:40
Version 3
CVE(s) CVE-2013-0215
Title oxenstored incorrect handling of certain Xenbus ring states

Files

advisory-38.txt (signed advisory file)
xsa38.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

         Xen Security Advisory CVE-2013-0215 / XSA-38
			      version 3

    oxenstored incorrect handling of certain Xenbus ring states

UPDATES IN VERSION 3
====================

The patch supplied contained an error which would cause a failure when
the ring became full. An updated patch is attached. The incremental
fix can be found at:
    http://xenbits.xen.org/hg/staging/xen-unstable.hg/rev/759574df84a6

ISSUE DESCRIPTION
=================

The oxenstored daemon (the ocaml version of the xenstore daemon) does
not correctly handle unusual or malicious contents in the xenstore
ring.  A malicious guest can exploit this to cause oxenstored to read
past the end of the ring (and very likely crash) or to allocate large
amounts of RAM.

IMPACT
======

A malicious guest administrator can mount a denial of service attack
affecting domain control and management functions.

In more detail:

A malicious guest administrator can cause oxenstored to crash; after
this many host control operations (for example, starting and stopping
domains, device hotplug, and some monitoring functions), will be
unavailable.  Domains which are already running are not directly
affected.

Such an attacker can also cause a memory exhaustion in the domain
running oxenstored; often this will make the host's management
functions unavailable.

Information leak of control plane data is also theoretically possible.

VULNERABLE SYSTEMS
==================

Any system running oxenstored is vulnerable. oxenstored was introduced
in Xen version 4.1.

oxenstored was made the default in Xen 4.2.if a suitable ocaml
toolchain was installed at build time.

Systems running a 32-bit oxenstored are vulnerable only to the crash
and not to the large memory allocation issue.

MITIGATION
==========

Running the C version of xenstored will avoid this issue.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa38.patch             Xen 4.1.x, Xen 4.2.x, xen-unstable

$ sha256sum xsa38*.patch
9912d3239a6f784418fcec53fad7c316588a421e352462f661cd1070fcf21d4b  xsa38.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJRHh6yAAoJEIP+FMlX6CvZekUH/AsBw9dg8t2QLsPd391zxX6C
XUJGW616979+tVCGVr+ahyRKnE2T598LBD+Vojvi7/jL+k59/j48jOkJIen9NfV6
aawnCrDWICa1Hq4/7xoj1ZagmdQuRuESbdsV6VbzF7v6eBybzKHjhFLNg2cSw6YB
Zhay6tqpQGQIZrqWZla0OzNf34gWFZAnD4SL3CzlQaMlUb4gab1qprb2kOHttfcK
wlPxy+U3CPppiRHR5Zs9RmGqnRCA9YpZF2JjxuunrZhFtvY1v+udLCiMkdUGblss
tKimBDyxC1Qlthye6MTVftvRSsmBmhRJV7R9Wia3s7iAW4KASeobxS+4wicbcHM=
=GBLo
-----END PGP SIGNATURE-----

Xenproject.org Security Team