|Public release ||2013-05-17 12:00|
|Updated ||2013-05-17 15:44|
|Title ||Buffer overflow in xencontrol Python bindings affecting xend|
Filesadvisory-56.txt (signed advisory file)
-----BEGIN PGP SIGNED MESSAGE-----
Xen Security Advisory CVE-2013-2072 / XSA-56
Buffer overflow in xencontrol Python bindings affecting xend
UPDATES IN VERSION 2
The Python bindings for the xc_vcpu_setaffinity call do not properly
check their inputs. Systems which allow untrusted administrators to
configure guest vcpu affinity may be exploited to trigger a buffer
overrun and corrupt memory.
An attacker who is able to configure a specific vcpu affinity via a
toolstack which uses the Python bindings is able to exploit this
Exploiting this issue leads to memory corruption which may result in a
DoS against the system by crashing the toolstack. The possibility of
code execution (privilege escalation) has not been ruled out.
The xend toolstack passes a cpumap to this function without
sanitization. xend allows the cpumap to be configured via the guest
configuration file or the SXP/XenAPI interface. Normally these
interfaces are not considered safe to expose to non-trusted
parties. However systems which attempt to allow guest administrator
control of VCPU affinity in a safe way via xend may expose this issue.
Xen version 4.0 and later contain this flaw.
Only systems which allow the specification of cpu affinity masks by
untrusted guest administrators are vulnerable. Normally the cpu
affinity is specified by the host administrator as part of the guest
configuration; there is then no vulnerability.
Only systems which use the libxc Python bindings, are vulnerable.
Toolstacks which do not use Python, such as xl or xapi, are not
Not allowing untrusted guest administrators to configure VCPU affinity
will avoid exposure.
Where possible switching to a toolstack which does not use Python will
also avoid exposure to this vulnerability.
Applying the appropriate attached patch resolves this issue.
xsa56.patch Xen 4.1.x, Xen 4.2.x, xen-unstable
$ sha256sum xsa56*.patch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----
Xenproject.org Security Team