Vigil@nce - Xen: several vulnerabilities
September 2012 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker, who is located in a Xen guest system, can use several
vulnerabilities, in order to create a denial of service on the
host, or to execute code.
Impacted products: XenServer, Debian, Fedora, openSUSE, RHEL, SUSE
Linux Enterprise Desktop, SLES, Unix (platform)
Severity: 2/4
Creation date: 05/09/2012
DESCRIPTION OF THE VULNERABILITY
Several vulnerabilities were announced in Xen.
An attacker, who is located in a paravirtualized 64-bit guest
system, can change the debug register DR7. [severity:1/4;
BID-55400, CVE-2012-3494, XSA-12]
The PHYSDEVOP_get_free_pirq hypercall of Xen 4.1, which is used to
obtain the structure physdev_get_free_pirq, uses the return code
of the get_free_pirq() function as an array index. However, if the
function fails, the error code is an invalid index, which corrupts
memory and could lead to code execution. An attacker, who is
located in a guest system, can try to access a physical IRQ to
exploit this vulnerability. [severity:2/4; BID-55406,
CVE-2012-3495, XSA-13]
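The XSA-13 defect is an instance of a general C bug pattern: a routine that returns either a valid index or a negative error code, and a caller that indexes an array with the result without checking for failure. The following constructed example (added here; not Xen code, all names are hypothetical) shows the unchecked caller beside the corrected one that propagates the error instead.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed illustration of the bug pattern behind XSA-13.
 * find_free_slot() returns a slot index on success or a negative
 * errno value on failure; names and the table are hypothetical. */

#define NR_SLOTS 4

/* Return the index of the first free slot, or -ENOSPC if none is free. */
static int find_free_slot(const int *in_use, int n)
{
    for (int i = 0; i < n; i++)
        if (!in_use[i])
            return i;
    return -ENOSPC;
}

/* Unchecked caller: returns the value it would use as an index.
 * The buggy code indexes in_use[idx] with this value; when every
 * slot is taken, idx is -ENOSPC, so the write lands far outside
 * the table. The out-of-bounds write is not performed here. */
int unchecked_claim_index(const int *in_use, int n)
{
    return find_free_slot(in_use, n);
}

/* Corrected caller: test for failure before indexing, and return
 * the error code to the caller instead of using it as an index. */
int checked_claim(int *in_use, int n, int owner)
{
    int idx = find_free_slot(in_use, n);
    if (idx < 0)
        return idx;            /* -ENOSPC: no memory access made */
    in_use[idx] = owner;
    return idx;
}

int main(void)
{
    int table[NR_SLOTS] = {1, 1, 1, 1};   /* constructed: all slots busy */
    printf("unchecked index: %d\n", unchecked_claim_index(table, NR_SLOTS));
    printf("checked result:  %d\n", checked_claim(table, NR_SLOTS, 7));
    table[2] = 0;                          /* free one slot */
    printf("checked result:  %d\n", checked_claim(table, NR_SLOTS, 7));
    return 0;
}
```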
An attacker, who is located in a paravirtualized guest system, can
call XENMEM_populate_physmap with an invalid parameter, in order
to stop the host system. [severity:1/4; BID-55412, CVE-2012-3496,
XSA-14]
When TMEM (Transcendent Memory) is enabled via the option "tmem"
on the hypervisor command line, an attacker located in a guest can
corrupt the host memory, in order to execute code on the host.
[severity:2/4; BID-55410, CVE-2012-3497, XSA-15]
An attacker, who is located in an HVM guest system, can use
PHYSDEVOP_map_pirq with the parameter MAP_PIRQ_TYPE_GSI, in order
to stop the host system. [severity:1/4; BID-55414, CVE-2012-3498,
XSA-16]
An attacker, who is located in an HVM guest system, can use a
malicious VT100 sequence, in order to corrupt memory and
elevate his privileges. [severity:2/4; BID-55413, CVE-2012-3515,
XSA-17]
An attacker, who is located in a Xen 4.2RC guest system, can
use GNTTABOP_swap_grant_ref to stop the host, and possibly to
execute code on the host. [severity:2/4; BID-55411, CVE-2012-3516,
XSA-18]
An attacker, who is located in a Xen guest system, can therefore
use several vulnerabilities, in order to create a denial of
service on the host, or to execute code.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Xen-several-vulnerabilities-11916