Bug 777091 - VUL-0: CVE-2012-3496: xen: XENMEM_populate_physmap DoS vulnerability (XSA-14)
VUL-0: CVE-2012-3496: xen: XENMEM_populate_physmap DoS vulnerability (XSA-14)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
maint:released:sle11-sp1:48942 maint:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2012-08-23 09:23 UTC by Matthias Weckbecker
Modified: 2015-02-19 01:03 UTC (History)
4 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Weckbecker 2012-08-23 09:23:06 UTC
A BUG can be triggered via calling functions with invalid flags which causes
a Denial of Service (host crash).

Note: This flaw is embargoed until Wednesday 2012-09-05 12:00:00 UTC. Please
do NOT publish any information about this outside of SUSE and do NOT use the
open build service.

Details available from the second comment.
Comment 1 Matthias Weckbecker 2012-08-23 09:23:46 UTC
Created attachment 503225 [details]
-- xsa14-unstable.patch
Comment 2 Matthias Weckbecker 2012-08-23 09:24:19 UTC
Created attachment 503226 [details]
-- xsa14-xen-3.4-and-4.x.patch
Comment 3 Matthias Weckbecker 2012-08-23 09:25:03 UTC
Original advisory (unmodified):

--------------------------------------------------------------------------
            Xen Security Advisory CVE-2012-3496 / XSA-14

           XENMEM_populate_physmap DoS vulnerability

       *** EMBARGOED UNTIL Wednesday 2012-09-05 12:00:00 UTC ***

ISSUE DESCRIPTION
=================

XENMEM_populate_physmap can be called with invalid flags.  By calling
it with MEMF_populate_on_demand flag set, a BUG can be triggered if a
translating paging mode is not being used.

IMPACT
======

A malicious guest kernel can crash the host.

VULNERABLE SYSTEMS
==================

All Xen systems running PV guests.  Systems running only HVM guests
are not vulnerable.

The vulnerability dates back to at least Xen 4.0.  4.0, 4.1, the 4.2
RCs, and xen-unstable.hg are all vulnerable.

MITIGATION
==========

This issue can be mitigated by ensuring that the guest kernel is
trustworthy or by running only HVM guests.

RESOLUTION
==========

Applying the appropriate attached patch will resolve the issue.

PATCH INFORMATION
=================

The attached patches resolve this issue

 xen-unstable                                xsa14-unstable.patch
 Xen 4.1, 4.1.x, 4.0, 4.0.x, 3.4 and 3.4.x   xsa14-xen-3.4-and-4.x.patch

$ sha256sum xsa14-*.patch
7a2e119b114708420c3484ecc338c7a198097f40e0d38854756dfa69c4c859a8  xsa14-unstable.patch
41a1ee1da7e990dc93b75fad0d46b66a2bda472e9aa288c91d1dc5d15d2c2012  xsa14-xen-3.4-and-4.x.patch
--------------------------------------------------------------------------
Comment 4 Swamp Workflow Management 2012-08-23 09:28:03 UTC
The SWAMPID for this issue is 48833.
This issue was rated as important.
Please submit fixed packages until 2012-08-30.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 6 Charles Arnold 2012-08-29 15:36:19 UTC
Packages have been submitted with the following submit requests:

SLE11-SP2: 21570 (xen), 21571 (vm-install)
SLE11-SP1: 21572 (xen)
Comment 7 Sebastian Krahmer 2012-09-05 10:49:57 UTC
public via oss-sec
Comment 8 Swamp Workflow Management 2012-09-07 08:09:20 UTC
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-trace, xen-libs, xen-tools, xen-tools-domU
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 9 Swamp Workflow Management 2012-09-07 10:06:54 UTC
Update released for: vm-install, xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-default, xen-kmp-trace, xen-libs, xen-libs-32bit, xen-tools, xen-tools-domU
Products:
SLE-DEBUGINFO 11-SP2 (x86_64)
SLE-DESKTOP 11-SP2 (x86_64)
SLE-SDK 11-SP2 (x86_64)
SLE-SERVER 11-SP2 (x86_64)
SLES4VMWARE 11-SP2 (x86_64)
Comment 10 Swamp Workflow Management 2012-09-13 17:05:27 UTC
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-tools, xen-tools-domU
Products:
SLE-DEBUGINFO 11-SP1 (i386, x86_64)
SLE-SERVER 11-SP1-LTSS (i386, x86_64)
Comment 11 Marcus Meissner 2012-09-14 11:35:05 UTC
released
Comment 12 Swamp Workflow Management 2012-09-14 12:11:25 UTC
openSUSE-SU-2012:1172-1: An update that solves 8 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 762484,766283,767273,773393,773401,776995,777084,777086,777088,777090,777091
CVE References: CVE-2012-2625,CVE-2012-3432,CVE-2012-3433,CVE-2012-3494,CVE-2012-3495,CVE-2012-3496,CVE-2012-3498,CVE-2012-3515
Sources used:
openSUSE 12.1 (src):    xen-4.1.3_01-1.13.1
Comment 13 Swamp Workflow Management 2012-09-14 12:13:49 UTC
openSUSE-SU-2012:1174-1: An update that solves 6 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 744771,762484,773393,773401,776995,777084,777090,777091
CVE References: CVE-2012-2625,CVE-2012-3432,CVE-2012-3433,CVE-2012-3494,CVE-2012-3496,CVE-2012-3515
Sources used:
openSUSE 11.4 (src):    xen-4.0.3_04-45.1
Comment 14 Swamp Workflow Management 2012-09-14 12:16:10 UTC
openSUSE-SU-2012:1176-1: An update that solves 8 vulnerabilities and has four fixes is now available.

Category: security (low)
Bug References: 762484,766283,766284,767273,773393,773401,776995,777084,777086,777088,777090,777091
CVE References: CVE-2012-2625,CVE-2012-3432,CVE-2012-3433,CVE-2012-3494,CVE-2012-3495,CVE-2012-3496,CVE-2012-3498,CVE-2012-3515
Sources used:
openSUSE 12.2 (src):    xen-4.1.3_01-5.6.2
Comment 15 Swamp Workflow Management 2012-11-26 14:10:32 UTC
openSUSE-SU-2012:1572-1: An update that solves 16 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 764077,771099,776755,776995,777086,777090,777091,777890,778105,779212,784087,786516,786517,786518,786519,786520,787163
CVE References: CVE-2007-0998,CVE-2012-2625,CVE-2012-2934,CVE-2012-3494,CVE-2012-3495,CVE-2012-3496,CVE-2012-3497,CVE-2012-3498,CVE-2012-3515,CVE-2012-4411,CVE-2012-4535,CVE-2012-4536,CVE-2012-4537,CVE-2012-4538,CVE-2012-4539,CVE-2012-4544
Sources used:
openSUSE 12.1 (src):    xen-4.1.3_04-1.21.1
Comment 16 Swamp Workflow Management 2012-11-26 14:14:44 UTC
openSUSE-SU-2012:1573-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 764077,771099,776755,777086,777090,777091,777890,778105,779212,784087,786516,786517,786518,786519,786520,787163
CVE References: CVE-2007-0998,CVE-2012-2625,CVE-2012-2934,CVE-2012-3494,CVE-2012-3495,CVE-2012-3496,CVE-2012-3497,CVE-2012-3498,CVE-2012-3515,CVE-2012-4411,CVE-2012-4535,CVE-2012-4536,CVE-2012-4537,CVE-2012-4538,CVE-2012-4539,CVE-2012-4544
Sources used:
openSUSE 12.2 (src):    xen-4.1.3_04-5.13.1