Information
Advisory | XSA-110 |
Public release | 2014-11-18 12:00 |
Updated | 2023-12-15 15:35 |
Version | 4 |
CVE(s) | CVE-2014-8595 |
Title | Missing privilege level checks in x86 emulation of far branches |
Files
advisory-110.txt (signed advisory file)
xsa110-4.3-and-4.2.patch
xsa110.patch
Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Xen Security Advisory CVE-2014-8595 / XSA-110
version 4
Missing privilege level checks in x86 emulation of far branches
UPDATES IN VERSION 4
====================
Fix patch name.
ISSUE DESCRIPTION
=================
The emulation of far branch instructions (CALL, JMP, and RETF in Intel
assembly syntax, LCALL, LJMP, and LRET in AT&T assembly syntax)
incompletely performs privilege checks.
However, these instructions are not usually handled by the emulator.
Exceptions to this are:
- when a memory operand lives in (emulated or passed through) memory
  mapped IO space,
- in the case of guests running in 32-bit PAE mode, when such an
  instruction is (in execution flow) within four instructions of one
  doing a page table update,
- when an Invalid Opcode exception gets raised by a guest instruction,
  and the guest then (likely maliciously) alters the instruction to
  become one of the affected ones,
- when the guest is in real mode (in which case there are no privilege
  checks anyway).
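For context on what a privilege check on a far branch involves, the following added example (not Xen's emulator code and not the attached patch) applies the architectural rule from the Intel SDM for a direct far JMP or CALL to a code segment in protected mode. The function, enum and macro names are this example's own, the selector and access-byte values are constructed, and call gates, task switches and RETF are left out of scope.

```c
#include <stdint.h>
#include <stdio.h>

/* Result names are this example's own, not Xen identifiers. */
enum cs_check { CS_OK, CS_FAULT_GP, CS_FAULT_NP, CS_UNHANDLED };

/* Bits of a segment descriptor's access-rights byte. */
#define AR_CONFORMING 0x04u /* code segment: conforming */
#define AR_CODE       0x08u /* executable (code) segment */
#define AR_S          0x10u /* 1 = code/data, 0 = system (gate, TSS, LDT) */
#define AR_PRESENT    0x80u
#define AR_DPL(ar)    (((ar) >> 5) & 3u)

/* Check a direct far JMP/CALL target: sel is the new CS selector, ar the
 * access-rights byte of the descriptor it names, cpl the current level. */
enum cs_check check_far_branch_cs(uint16_t sel, uint8_t ar, unsigned cpl)
{
    unsigned rpl = sel & 3u, dpl = AR_DPL(ar);

    if ((sel & 0xfffcu) == 0)
        return CS_FAULT_GP;      /* null selector cannot be loaded into CS */
    if (!(ar & AR_S))
        return CS_UNHANDLED;     /* call/task gate or TSS: out of scope here */
    if (!(ar & AR_CODE))
        return CS_FAULT_GP;      /* data segment is not a branch target */
    if (ar & AR_CONFORMING) {
        if (dpl > cpl)
            return CS_FAULT_GP;  /* conforming: needs DPL <= CPL */
    } else if (rpl > cpl || dpl != cpl) {
        return CS_FAULT_GP;      /* non-conforming: RPL <= CPL and DPL == CPL */
    }
    if (!(ar & AR_PRESENT))
        return CS_FAULT_NP;      /* segment not present */
    return CS_OK;                /* CS loads; CPL itself does not change */
}

int main(void)
{
    /* Constructed selectors and access bytes, all evaluated at CPL 3. */
    static const struct { uint16_t sel; uint8_t ar; } t[] = {
        { 0x0023, 0xFB },  /* ring-3 code segment */
        { 0x0008, 0x9B },  /* ring-0 non-conforming code segment */
        { 0x0008, 0x9F },  /* ring-0 conforming code segment */
        { 0x002B, 0xF3 },  /* ring-3 data segment */
    };
    for (unsigned i = 0; i < sizeof(t) / sizeof(t[0]); i++)
        printf("sel=%#06x ar=%#04x -> %d\n", (unsigned)t[i].sel,
               (unsigned)t[i].ar, check_far_branch_cs(t[i].sel, t[i].ar, 3));
    return 0;
}
```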
IMPACT
======
Malicious HVM guest user mode code may be able to elevate its
privileges to guest supervisor mode, or to crash the guest.
VULNERABLE SYSTEMS
==================
Xen 3.2.1 and onward are vulnerable on x86 systems.
ARM systems are not vulnerable.
Only user processes in x86 HVM guests can take advantage of this
vulnerability.
MITIGATION
==========
Running only PV guests will avoid this issue.
There is no mitigation available for HVM guests.
CREDITS
=======
This issue was discovered by Jan Beulich of SUSE.
RESOLUTION
==========
Applying the appropriate attached patch resolves this issue.
xsa110.patch              xen-unstable, Xen 4.4.x
xsa110-4.3-and-4.2.patch  Xen 4.3.x, Xen 4.2.x
$ sha256sum xsa110*.patch
a114ba586d18125b368112527a077abfe309826ad47aca8cc80ba4549c5f9ae2 xsa110-4.3-and-4.2.patch
eac4691848dcd093903e0a0f5fd7ab15be15d0f10b98575379911e91e5dcbd70 xsa110.patch
$
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Xenproject.org Security Team