Bug 1051788 - (CVE-2017-12137) VUL-0: CVE-2017-12137: xen: x86: PV privilege escalation via map_grant_ref (XSA-227)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Major
Assigned To: Security Team bot
CVSSv2:NVD:CVE-2017-12137:7.2:(AV:L/A...
Reported: 2017-08-02 06:24 UTC by Johannes Segitz
Modified: 2021-01-21 18:18 UTC (History)


Attachments
Fixed 4.5 backport (1.89 KB, patch), 2017-08-03 06:06 UTC, Johannes Segitz
metadata file (1.82 KB, text/plain), 2017-08-03 06:06 UTC, Johannes Segitz

Comment 1 Johannes Segitz 2017-08-02 06:28:43 UTC
CRD: 2017-08-15 12:00 UTC
Comment 2 Johannes Segitz 2017-08-03 06:06:25 UTC
Created attachment 735053 [details]
Fixed 4.5 backport
Comment 3 Johannes Segitz 2017-08-03 06:06:52 UTC
Created attachment 735056 [details]
metadata file
Comment 4 Swamp Workflow Management 2017-08-11 09:44:19 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2017-08-18.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63827
Comment 5 Charles Arnold 2017-08-11 16:48:20 UTC
Submitted for:

SUSE:SLE-10-SP3:Update:Test
SUSE:SLE-11-SP1:Update:Teradata
SUSE:SLE-11-SP3:Update
SUSE:SLE-11-SP4:Update
SUSE:SLE-12:Update
SUSE:SLE-12-SP1:Update
SUSE:SLE-12-SP2:Update
SUSE:SLE-12-SP3:Update
Comment 6 Marcus Meissner 2017-08-15 12:51:37 UTC
is public

            Xen Security Advisory CVE-2017-12137 / XSA-227
                               version 3

            x86: PV privilege escalation via map_grant_ref

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

When mapping a grant reference, a guest must inform Xen of where it
would like the grant mapped.  For PV guests, this is done by nominating
an existing linear address, or an L1 pagetable entry, to be altered.

Neither of these PV paths check for alignment of the passed parameter.
The linear address path suitably truncates the linear address when
calculating the L1 entry to use, but the path which uses a directly
nominated L1 entry performs no checks.

This causes Xen to make an incorrectly-aligned update to a pagetable,
which corrupts both the intended entry and the subsequent entry with
values which are largely guest controlled.  If the misaligned value
crosses a page boundary, then an arbitrary other heap page is
corrupted.

IMPACT
======

A PV guest can elevate its privilege to that of the host.

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

Only x86 systems are vulnerable.

Any system running untrusted PV guests is vulnerable.

The vulnerability is exposed to PV stub qemu serving as the device model
for HVM guests.  Our default assumption is that an HVM guest has
compromised its PV stub qemu.  By extension, it is likely that the
vulnerability is exposed to HVM guests which are served by a PV stub
qemu.

MITIGATION
==========

Running only HVM guests, served by a dom0-based qemu, will avoid this
vulnerability.

CREDITS
=======

This issue was discovered by Andrew Cooper of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa227.patch           xen-unstable, Xen 4.9.x, 4.8.x, 4.7.x
xsa227-4.6.patch       Xen 4.6.x
xsa227-4.5.patch       Xen 4.5.x

$ sha256sum xsa227*
c48cc3be47e81a4ceebcf60659b8755516c68916fc5150920ed42c6b61e3f219  xsa227.meta
9923a47e5f86949800887596f098954a08ef73a01d74b1dbe16cab2e6b1fabb2  xsa227.patch
6f83d0d9ff853192840d2b82d26d8fde21473bf4ac1441a153f3ee02efd1dd67  xsa227-4.5.patch
162b991b27b86f210089526a01cae715563d3a069c92f42538b423bba7709fcc  xsa227-4.6.patch
$

(The .meta file is a prototype machine-readable file for describing
which patches are to be applied how.)
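The ISSUE DESCRIPTION above explains the bug in words: the PV path that lets a guest nominate an L1 pagetable entry directly never checked that the nominated address was aligned, so Xen performed an 8-byte store at an arbitrary byte offset, corrupting the intended entry, its neighbour, and, at a page boundary, the start of whatever page follows. The following C program is an added model of that failure mode, written for this page; it is not Xen source, not the advisory's text, and not the xsa227 patch listed under RESOLUTION (which adds the missing alignment check to the real code). The heap layout, the fill pattern and the NEW_PTE value are constructed for the demonstration; only the page/PTE sizes and the GNTST status values mirror Xen.

```c
/*
 * Added model of the XSA-227 failure mode (not Xen source): an 8-byte L1
 * pagetable entry written at a guest-nominated, unaligned address spills
 * into the neighbouring entry, and past the page end into whatever page
 * follows. The "checked" path shows the alignment test the unchecked path
 * lacked. Page/PTE sizes and GNTST values mirror Xen; the heap, fill
 * pattern and NEW_PTE are invented for illustration.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAGE_BYTES 4096u
#define PTE_SIZE   sizeof(uint64_t)             /* 64-bit PAE/long-mode PTE */
#define L1_ENTRIES (PAGE_BYTES / PTE_SIZE)      /* 512 entries per page    */

#define GNTST_okay            0                 /* as in Xen's grant_table.h */
#define GNTST_general_error (-1)

/* Two adjacent 4 KiB pages: page 0 is the L1 pagetable being updated,
 * page 1 stands in for the "arbitrary other heap page" of the advisory. */
static uint8_t heap[2 * PAGE_BYTES];
static const uint8_t FILL = 0xAA;

/* Constructed PTE a guest might ask to have installed: PFN 0x12345,
 * present|RW|user|accessed|dirty. Any value whose bytes differ from FILL
 * works; the model only counts which entries changed. */
static const uint64_t NEW_PTE = 0x0000000012345067ULL;

static void fill_heap(void) { memset(heap, FILL, sizeof heap); }

/* Pre-fix behaviour: the nominated address is used as-is. The bound check
 * only keeps this model memory-safe; it is not the missing alignment test. */
static void pte_update_unchecked(size_t pte_addr, uint64_t pte)
{
    if (pte_addr + PTE_SIZE > sizeof heap)
        return;
    memcpy(heap + pte_addr, &pte, PTE_SIZE);    /* may straddle two entries */
}

/* Post-fix behaviour: refuse anything that is not PTE_SIZE-aligned. */
static int pte_update_checked(size_t pte_addr, uint64_t pte)
{
    if (pte_addr % PTE_SIZE != 0 || pte_addr + PTE_SIZE > sizeof heap)
        return GNTST_general_error;
    memcpy(heap + pte_addr, &pte, PTE_SIZE);
    return GNTST_okay;
}

/* How many 8-byte entries of `page` no longer hold the fill pattern. */
static int changed_entries(unsigned page)
{
    const uint8_t *base = heap + (size_t)page * PAGE_BYTES;
    uint8_t pristine[PTE_SIZE];
    int n = 0;
    memset(pristine, FILL, sizeof pristine);
    for (size_t i = 0; i < L1_ENTRIES; i++)
        if (memcmp(base + i * PTE_SIZE, pristine, PTE_SIZE) != 0)
            n++;
    return n;
}

/* One unchecked update on a fresh heap; returns entries altered in `page`. */
static int corrupted_by_unchecked(size_t pte_addr, unsigned page)
{
    fill_heap();
    pte_update_unchecked(pte_addr, NEW_PTE);
    return changed_entries(page);
}

/* Status the checked path returns for a given nominated address. */
static int checked_status(size_t pte_addr)
{
    fill_heap();
    return pte_update_checked(pte_addr, NEW_PTE);
}

/* Entries altered in `page` after the checked path ran on a fresh heap. */
static int corrupted_by_checked(size_t pte_addr, unsigned page)
{
    fill_heap();
    (void)pte_update_checked(pte_addr, NEW_PTE);
    return changed_entries(page);
}

int main(void)
{
    printf("aligned   0x010 -> page0 entries changed: %d\n",
           corrupted_by_unchecked(0x010, 0));           /* 1: the intended entry */
    printf("unaligned 0x014 -> page0 entries changed: %d\n",
           corrupted_by_unchecked(0x014, 0));           /* 2: entries 2 and 3 */
    printf("unaligned 0xffc -> page0: %d, page1: %d\n",
           corrupted_by_unchecked(0xffc, 0),
           corrupted_by_unchecked(0xffc, 1));           /* 1 and 1: crosses the page */
    printf("checked   0x014 -> rc %d, page0 changed: %d\n",
           checked_status(0x014), corrupted_by_checked(0x014, 0)); /* -1, 0 */
    return 0;
}
```

The point the model makes is the one the advisory's third paragraph states: the unaligned store is not a single bad entry but two partially guest-controlled entries, and at offset 0xffc the tail of the write lands in the next page, which in Xen is whatever heap page happens to follow the pagetable. The checked path shows that a plain alignment test on the nominated address is sufficient to close both cases.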
Comment 7 Swamp Workflow Management 2017-09-01 01:10:28 UTC
SUSE-SU-2017:2319-1: An update that solves 6 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1002573,1046637,1047675,1048920,1049578,1051787,1051788,1052686
CVE References: CVE-2017-10664,CVE-2017-10806,CVE-2017-11334,CVE-2017-11434,CVE-2017-12135,CVE-2017-12137
Sources used:
SUSE OpenStack Cloud 6 (src):    xen-4.5.5_14-22.25.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    xen-4.5.5_14-22.25.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    xen-4.5.5_14-22.25.1
Comment 8 Swamp Workflow Management 2017-09-01 16:09:42 UTC
SUSE-SU-2017:2326-1: An update that solves 7 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1002573,1026236,1035231,1037840,1046637,1049578,1051787,1051788,1051789,1052686,1055695
CVE References: CVE-2016-9603,CVE-2017-10664,CVE-2017-11434,CVE-2017-12135,CVE-2017-12136,CVE-2017-12137,CVE-2017-12855
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    xen-4.7.3_03-43.9.1
SUSE Linux Enterprise Server 12-SP2 (src):    xen-4.7.3_03-43.9.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    xen-4.7.3_03-43.9.1
SUSE Container as a Service Platform ALL (src):    xen-4.7.3_03-43.9.1
Comment 9 Swamp Workflow Management 2017-09-01 16:11:52 UTC
SUSE-SU-2017:2327-1: An update that solves 6 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1002573,1026236,1027519,1035231,1046637,1049578,1051787,1051788,1051789,1052686,1055695
CVE References: CVE-2017-10664,CVE-2017-11434,CVE-2017-12135,CVE-2017-12136,CVE-2017-12137,CVE-2017-12855
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    xen-4.9.0_11-3.9.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    xen-4.9.0_11-3.9.1
Comment 10 Swamp Workflow Management 2017-09-04 16:09:42 UTC
SUSE-SU-2017:2339-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1046637,1048920,1049578,1051787,1051788,1052686
CVE References: CVE-2017-10664,CVE-2017-11334,CVE-2017-11434,CVE-2017-12135,CVE-2017-12137,CVE-2017-12855
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    xen-4.2.5_21-45.5.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xen-4.2.5_21-45.5.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xen-4.2.5_21-45.5.1
Comment 11 Swamp Workflow Management 2017-09-08 19:10:08 UTC
openSUSE-SU-2017:2394-1: An update that solves 6 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1002573,1026236,1027519,1035231,1046637,1049578,1051787,1051788,1051789,1052686,1055695
CVE References: CVE-2017-10664,CVE-2017-11434,CVE-2017-12135,CVE-2017-12136,CVE-2017-12137,CVE-2017-12855
Sources used:
openSUSE Leap 42.3 (src):    xen-4.9.0_11-4.1
Comment 12 Swamp Workflow Management 2017-09-08 19:15:45 UTC
openSUSE-SU-2017:2398-1: An update that solves 7 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1002573,1026236,1035231,1037840,1046637,1049578,1051787,1051788,1051789,1052686,1055695
CVE References: CVE-2016-9603,CVE-2017-10664,CVE-2017-11434,CVE-2017-12135,CVE-2017-12136,CVE-2017-12137,CVE-2017-12855
Sources used:
openSUSE Leap 42.2 (src):    xen-4.7.3_03-11.12.1
Comment 13 Swamp Workflow Management 2017-09-13 16:10:04 UTC
SUSE-SU-2017:2450-1: An update that solves 10 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1027519,1032598,1037413,1046637,1047675,1048920,1049578,1051787,1051788,1052686,1056278,1056281,1056282
CVE References: CVE-2017-10664,CVE-2017-10806,CVE-2017-11334,CVE-2017-11434,CVE-2017-12135,CVE-2017-12137,CVE-2017-12855,CVE-2017-14316,CVE-2017-14317,CVE-2017-14319
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xen-4.4.4_22-61.9.2
SUSE Linux Enterprise Server 11-SP4 (src):    xen-4.4.4_22-61.9.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_22-61.9.2
Comment 14 Swamp Workflow Management 2017-09-21 19:09:37 UTC
SUSE-SU-2017:2541-1: An update that solves 10 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1002573,1027519,1032598,1037413,1046637,1047675,1048920,1049578,1051787,1051788,1052686,1056278,1056281,1056282
CVE References: CVE-2017-10664,CVE-2017-10806,CVE-2017-11334,CVE-2017-11434,CVE-2017-12135,CVE-2017-12137,CVE-2017-12855,CVE-2017-14316,CVE-2017-14317,CVE-2017-14319
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    xen-4.4.4_22-22.51.2
SUSE Linux Enterprise Server 12-LTSS (src):    xen-4.4.4_22-22.51.2
Comment 15 Marcus Meissner 2017-10-25 17:30:30 UTC
released
Comment 16 Swamp Workflow Management 2017-11-16 14:08:16 UTC
SUSE-SU-2017:2327-2: An update that solves 6 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1002573,1026236,1027519,1035231,1046637,1049578,1051787,1051788,1051789,1052686,1055695
CVE References: CVE-2017-10664,CVE-2017-11434,CVE-2017-12135,CVE-2017-12136,CVE-2017-12137,CVE-2017-12855
Sources used:
SUSE Linux Enterprise Server 12-SP3 (src):    xen-4.9.0_11-3.9.1