[kernel-xen] Xen Security Advisory 76 (CVE-2013-4554) - Hypercalls exposed to privilege rings 1 and 2 of HVM guests

Steven Haigh netwiz at crc.id.au
Wed Nov 27 11:05:24 EST 2013


             Xen Security Advisory CVE-2013-4554 / XSA-76
                              version 3

      Hypercalls exposed to privilege rings 1 and 2 of HVM guests

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The privilege check applied to hypercall attempts by a HVM guest only
refused access from ring 3; rings 1 and 2 were allowed through.

IMPACT
======

Code running in the intermediate privilege rings of HVM guest OSes may
be able to elevate its privileges inside the guest by careful hypercall
use.

VULNERABLE SYSTEMS
==================

Xen 3.0.3 and later are vulnerable.
Xen 3.0.2 and earlier are not vulnerable.

MITIGATION
==========

Running only PV guests, or running HVM guests known to not make use of
protection rings 1 and 2 will avoid this issue. As far as we are aware no
mainstream OS (Linux, Windows, BSD) makes use of these rings.

CREDITS
=======

This issue was discovered by Jan Beulich.

RESOLUTION
==========

Fixed in xen-4.2.3-10
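
The check described under ISSUE DESCRIPTION, modelled as an added example (not code from the advisory or from Xen): a deny-list that refuses only ring 3, next to an allow-list that admits only ring 0. All function names are hypothetical, and the model assumes the ring is read from the DPL bits of the stack segment's access-rights byte.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model only; names are hypothetical, not Xen's. */

/* x86 segment access-rights byte: bits 5-6 hold the DPL. For the stack
 * segment, the DPL equals the current privilege level (ring) of the vCPU. */
static unsigned ring_from_ss_access_rights(uint8_t ar)
{
    return (ar >> 5) & 0x3u;
}

/* Check as the advisory describes it: a deny-list that refuses ring 3 only. */
static int hypercall_gate_flawed(uint8_t ss_ar)
{
    return ring_from_ss_access_rights(ss_ar) == 3 ? -EPERM : 0;
}

/* Allow-list form (assumed intent): only ring 0 may issue hypercalls. */
static int hypercall_gate_fixed(uint8_t ss_ar)
{
    return ring_from_ss_access_rights(ss_ar) != 0 ? -EPERM : 0;
}

/* Regression sweep: bit n of the result is set if ring n is admitted. */
static unsigned admitted_rings(int (*gate)(uint8_t))
{
    unsigned mask = 0;
    for (unsigned ring = 0; ring < 4; ring++) {
        /* Constructed sample: present, writable data segment at this DPL. */
        uint8_t ss_ar = (uint8_t)(0x93u | (ring << 5));
        if (gate(ss_ar) == 0)
            mask |= 1u << ring;
    }
    return mask;
}

int main(void)
{
    printf("flawed gate admits rings mask: 0x%x\n",
           admitted_rings(hypercall_gate_flawed));
    printf("fixed gate admits rings mask:  0x%x\n",
           admitted_rings(hypercall_gate_fixed));
    return 0;
}
```

Sweeping every ring value through the gate, as admitted_rings() does, is the kind of regression test that catches a deny-list covering only one of the three unprivileged rings.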
