Bug 895802 - (CVE-2014-7156) VUL-0: CVE-2014-7156: xen: XSA-106: Missing privilege level checks in x86 emulation of software interrupts
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other  OS: Other
Priority: P3 - Medium  Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
Whiteboard: maint:released:sle11-sp1:59013 maint:...
Reported: 2014-09-09 12:57 UTC by Marcus Meissner
Modified: 2015-02-10 10:50 UTC (History)
Attachments
xsa106.patch (871 bytes, patch)
2014-09-09 12:58 UTC, Marcus Meissner
Description Marcus Meissner 2014-09-09 12:57:40 UTC
embargoed, via pre-advisory mail

                    Xen Security Advisory XSA-106

    Missing privilege level checks in x86 emulation of software interrupts

              *** EMBARGOED UNTIL 2014-09-23 12:00 UTC ***

ISSUE DESCRIPTION
=================

The emulation of instructions which generate software interrupts fails
to perform supervisor mode permission checks.

However these instructions are not usually handled by the emulator.
Exceptions to this are
- when a memory operand (implicit for the affected instructions) lives
  in (emulated or passed through) memory mapped IO space,
- in the case of guests running in 32-bit PAE mode, when such an
  instruction is (in execution flow) within four instructions of one
  doing a page table update,
- when an Invalid Opcode exception gets raised by a guest instruction,
  and the guest then (likely maliciously) alters the instruction to
  become one of the affected ones,
- when the guest is in real mode (in which case there are no privilege
  checks anyway).

IMPACT
======

Malicious HVM guest user mode code may be able to crash the guest.

VULNERABLE SYSTEMS
==================

Xen versions from 3.3 onwards are vulnerable.

Only user processes in HVM guests can take advantage of this
vulnerability.

MITIGATION
==========

Running only PV guests will avoid this issue.

There is no mitigation available for HVM guests.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa106.patch        xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa106*.patch
004051a839851d779de79b7804c5ef9a4d290bf2c8724b57299ca3a7b5a6173a  xsa106.patch
$
Comment 1 Marcus Meissner 2014-09-09 12:58:03 UTC
Created attachment 605561 [details]
xsa106.patch

attached patch
Comment 2 SMASH SMASH 2014-09-09 13:30:33 UTC
Affected packages:

SLE-10-SP3-TERADATA: xen
SLE-11-SP1-TERADATA: xen
SLE-11-SP3: xen
SLE-11-SP3-PRODUCTS: xen
SLE-11-SP3-UPTU: xen
Comment 3 Swamp Workflow Management 2014-09-09 22:00:41 UTC
bugbot adjusting priority
Comment 4 Charles Arnold 2014-09-19 00:36:34 UTC
Xen submitted for relevant SLE platforms.
Comment 5 Marcus Meissner 2014-09-23 12:53:16 UTC
is public
Comment 6 Marcus Meissner 2014-09-24 08:02:07 UTC
CVE-2014-7156
Comment 7 Swamp Workflow Management 2014-10-09 11:08:27 UTC
openSUSE-SU-2014:1279-1: An update that solves 10 vulnerabilities and has 8 fixes is now available.

Category: security (important)
Bug References: 798770,820873,833483,842006,858178,862608,864801,865682,867910,878841,880751,881900,891539,895798,895799,895802,896023,897657
CVE References: CVE-2013-4344,CVE-2013-4540,CVE-2014-2599,CVE-2014-3967,CVE-2014-3968,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188
Sources used:
openSUSE 12.3 (src):    xen-4.2.4_04-1.32.1
Comment 8 Swamp Workflow Management 2014-10-09 11:11:21 UTC
openSUSE-SU-2014:1281-1: An update that solves 10 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 798770,820873,842006,864801,865682,875668,878841,880751,882127,895798,895799,895802,896023,897657
CVE References: CVE-2013-4344,CVE-2013-4540,CVE-2014-3124,CVE-2014-3967,CVE-2014-3968,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188
Sources used:
openSUSE 13.1 (src):    xen-4.3.2_02-27.1
Comment 9 Swamp Workflow Management 2014-10-22 23:08:16 UTC
SUSE-SU-2014:1318-1: An update that solves 10 vulnerabilities and has 7 fixes is now available.

Category: security (moderate)
Bug References: 798770,833483,842006,858178,862608,864801,865682,867910,878841,880751,881900,882092,891539,895798,895799,895802,897657
CVE References: CVE-2013-4344,CVE-2013-4540,CVE-2014-2599,CVE-2014-3967,CVE-2014-3968,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    xen-4.2.4_04-0.9.1
SUSE Linux Enterprise Server 11 SP3 (src):    xen-4.2.4_04-0.9.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    xen-4.2.4_04-0.9.1
Comment 10 Swamp Workflow Management 2014-12-24 18:06:13 UTC
SUSE-SU-2014:1710-1: An update that solves 13 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 826717,867910,875668,880751,895798,895799,895802,897657,901317,903850,903967,903970,905465,905467,906439
CVE References: CVE-2013-3495,CVE-2014-2599,CVE-2014-3124,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188,CVE-2014-8594,CVE-2014-8595,CVE-2014-8866,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    xen-4.1.6_08-0.5.1
Comment 11 Swamp Workflow Management 2014-12-30 19:05:45 UTC
SUSE-SU-2014:1732-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 826717,880751,895798,895799,895802,903967,903970,905467,906439
CVE References: CVE-2013-3495,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-8594,CVE-2014-8595,CVE-2014-8867,CVE-2014-9030
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    xen-4.0.3_21548_18-0.9.1
Comment 12 Marcus Meissner 2015-02-10 10:50:01 UTC
SLE12 was fixed before GA