Bug 895799 - (CVE-2014-7155) VUL-0: CVE-2014-7155: xen: XSA-105: Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Major
Assigned To: Security Team bot
Whiteboard: maint:released:sle10-sp3:59012 maint:...
Reported: 2014-09-09 12:54 UTC by Marcus Meissner
Modified: 2015-02-10 10:49 UTC (History)
Attachments
xsa105.patch (1.21 KB, patch)
2014-09-09 12:55 UTC, Marcus Meissner
Description Marcus Meissner 2014-09-09 12:54:25 UTC
embargoed, via pre-advisory email

              *** EMBARGOED UNTIL 2014-09-23 12:00 UTC ***

                    Xen Security Advisory XSA-105

    Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation

ISSUE DESCRIPTION
=================

The emulation of the instructions HLT, LGDT, LIDT, and LMSW fails to
perform supervisor mode permission checks.

However these instructions are not usually handled by the emulator.
Exceptions to this are
- when the instruction's memory operand (if any) lives in (emulated or
  passed through) memory mapped IO space,
- in the case of guests running in 32-bit PAE mode, when such an
  instruction is (in execution flow) within four instructions of one
  doing a page table update,
- when an Invalid Opcode exception gets raised by a guest instruction,
  and the guest then (likely maliciously) alters the instruction to
  become one of the affected ones.

Malicious guest user mode code may be able to leverage this to install
e.g. its own Interrupt Descriptor Table (IDT).

IMPACT
======

Malicious HVM guest user mode code may be able to crash the guest or
escalate its own privilege to guest kernel mode.

VULNERABLE SYSTEMS
==================

Xen versions from at least 3.2.x onwards are vulnerable.  Older
versions have not been inspected.

Only user processes in HVM guests can take advantage of this
vulnerability.

MITIGATION
==========

Running only PV guests will avoid this issue.

There is no mitigation available for HVM guests.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa105.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa105*.patch
30f9fa7c9f69b466921e4e684869881c9101f9b18783b5be5876469dcd2cbef9  xsa105.patch
$
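The advisory's point is that an instruction emulator must enforce the same privilege rule the CPU enforces: HLT, LGDT, LIDT and LMSW fault with #GP(0) unless the guest is at CPL 0. The following is an added example, not Xen's code and not the attached xsa105.patch; it is a toy emulator with hypothetical names (`guest_ctx`, `emulate_unchecked`, `emulate_checked`, `EMUL_INJECT_GP`) that shows the unchecked dispatch the advisory describes beside the hardened one that derives CPL from the CS selector and refuses the instruction for ring-3 callers.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical opcode and outcome types for this toy emulator (not Xen's). */
enum opcode { OP_NOP, OP_HLT, OP_LGDT, OP_LIDT, OP_LMSW };
enum result { EMUL_OK, EMUL_INJECT_GP, EMUL_UNHANDLED };

/* The slice of guest state these four instructions touch. */
struct guest_ctx {
    uint16_t cs;         /* CS selector: bits 0-1 are the RPL, i.e. the CPL in protected mode */
    uint64_t gdtr_base;
    uint64_t idtr_base;
    uint32_t cr0;
    bool     halted;
};

unsigned cpl_of(const struct guest_ctx *c)
{
    return c->cs & 3;
}

bool is_privileged(enum opcode op)
{
    return op == OP_HLT || op == OP_LGDT || op == OP_LIDT || op == OP_LMSW;
}

/* Applies the instruction without looking at CPL. This models the defect the
 * advisory describes: a ring-3 guest process that reaches the emulator can
 * install its own IDT/GDT, change CR0 or halt the vCPU. */
enum result emulate_unchecked(struct guest_ctx *c, enum opcode op, uint64_t operand)
{
    switch (op) {
    case OP_HLT:
        c->halted = true;
        return EMUL_OK;
    case OP_LGDT:
        c->gdtr_base = operand;
        return EMUL_OK;
    case OP_LIDT:
        c->idtr_base = operand;
        return EMUL_OK;
    case OP_LMSW:
        /* LMSW writes only CR0 bits 0-3 (PE, MP, EM, TS) and cannot clear PE. */
        c->cr0 = (c->cr0 & ~0xfu) | (uint32_t)(operand & 0xf) | (c->cr0 & 1u);
        return EMUL_OK;
    case OP_NOP:
        return EMUL_OK;
    }
    return EMUL_UNHANDLED;
}

/* Hardened dispatch: privileged instructions are refused unless CPL == 0,
 * and the caller is told to inject #GP(0) into the guest, which is what the
 * hardware would have done had the instruction not been emulated. */
enum result emulate_checked(struct guest_ctx *c, enum opcode op, uint64_t operand)
{
    if (is_privileged(op) && cpl_of(c) != 0)
        return EMUL_INJECT_GP;
    return emulate_unchecked(c, op, operand);
}

int main(void)
{
    /* Constructed guest state: a user-mode process (CS with RPL 3) issuing LIDT. */
    struct guest_ctx user = { .cs = 0x1b, .idtr_base = 0x1000 };
    enum result r = emulate_checked(&user, OP_LIDT, 0xdead0000);
    printf("ring-3 LIDT: %s, IDTR base still 0x%llx\n",
           r == EMUL_INJECT_GP ? "#GP(0) injected" : "applied",
           (unsigned long long)user.idtr_base);

    /* Constructed guest state: kernel mode (CS with RPL 0), where LIDT is legitimate. */
    struct guest_ctx kern = { .cs = 0x10, .idtr_base = 0x1000 };
    r = emulate_checked(&kern, OP_LIDT, 0xdead0000);
    printf("ring-0 LIDT: %s, IDTR base now 0x%llx\n",
           r == EMUL_OK ? "applied" : "refused",
           (unsigned long long)kern.idtr_base);
    return 0;
}
```

The check is deliberately placed in the dispatcher rather than in each instruction's handler, so the privilege rule is applied on every path into the emulator, including the unusual ones the advisory lists (MMIO operands, PAE page-table update windows, and a rewritten instruction after #UD).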
Comment 1 Marcus Meissner 2014-09-09 12:55:23 UTC
Created attachment 605560 [details]
xsa105.patch

patch attached
Comment 2 SMASH SMASH 2014-09-09 13:30:22 UTC
Affected packages:

SLE-10-SP3-TERADATA: xen
SLE-11-SP1-TERADATA: xen
SLE-11-SP3: xen
SLE-11-SP3-PRODUCTS: xen
SLE-11-SP3-UPTU: xen
Comment 4 Swamp Workflow Management 2014-09-09 22:00:29 UTC
bugbot adjusting priority
Comment 6 Charles Arnold 2014-09-19 00:35:52 UTC
Xen submitted for relevant SLE platforms.
Comment 7 Marcus Meissner 2014-09-23 12:52:40 UTC
public now
Comment 8 Marcus Meissner 2014-09-24 08:01:21 UTC
CVE-2014-7155
Comment 9 Swamp Workflow Management 2014-10-09 11:08:16 UTC
openSUSE-SU-2014:1279-1: An update that solves 10 vulnerabilities and has 8 fixes is now available.

Category: security (important)
Bug References: 798770,820873,833483,842006,858178,862608,864801,865682,867910,878841,880751,881900,891539,895798,895799,895802,896023,897657
CVE References: CVE-2013-4344,CVE-2013-4540,CVE-2014-2599,CVE-2014-3967,CVE-2014-3968,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188
Sources used:
openSUSE 12.3 (src):    xen-4.2.4_04-1.32.1
Comment 10 Swamp Workflow Management 2014-10-09 11:11:10 UTC
openSUSE-SU-2014:1281-1: An update that solves 10 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 798770,820873,842006,864801,865682,875668,878841,880751,882127,895798,895799,895802,896023,897657
CVE References: CVE-2013-4344,CVE-2013-4540,CVE-2014-3124,CVE-2014-3967,CVE-2014-3968,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188
Sources used:
openSUSE 13.1 (src):    xen-4.3.2_02-27.1
Comment 11 Swamp Workflow Management 2014-10-22 23:08:05 UTC
SUSE-SU-2014:1318-1: An update that solves 10 vulnerabilities and has 7 fixes is now available.

Category: security (moderate)
Bug References: 798770,833483,842006,858178,862608,864801,865682,867910,878841,880751,881900,882092,891539,895798,895799,895802,897657
CVE References: CVE-2013-4344,CVE-2013-4540,CVE-2014-2599,CVE-2014-3967,CVE-2014-3968,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    xen-4.2.4_04-0.9.1
SUSE Linux Enterprise Server 11 SP3 (src):    xen-4.2.4_04-0.9.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    xen-4.2.4_04-0.9.1
Comment 12 Swamp Workflow Management 2014-12-23 18:05:10 UTC
SUSE-SU-2014:1691-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 880751,895799,903850,903970,905467,906439
CVE References: CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    xen-3.2.3_17040_46-0.9.1
Comment 13 Swamp Workflow Management 2014-12-24 18:06:03 UTC
SUSE-SU-2014:1710-1: An update that solves 13 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 826717,867910,875668,880751,895798,895799,895802,897657,901317,903850,903967,903970,905465,905467,906439
CVE References: CVE-2013-3495,CVE-2014-2599,CVE-2014-3124,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188,CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    xen-4.1.6_08-0.5.1
Comment 14 Swamp Workflow Management 2014-12-30 19:05:34 UTC
SUSE-SU-2014:1732-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 826717,880751,895798,895799,895802,903967,903970,905467,906439
CVE References: CVE-2013-3495,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-8594,CVE-2014-8595,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    xen-4.0.3_21548_18-0.9.1
Comment 15 Marcus Meissner 2015-02-10 10:49:46 UTC
SLE12 was fixed before GA. done