Information

AdvisoryXSA-182
Public release 2016-07-26 11:32
Updated 2023-12-15 15:35
Version 4
CVE(s) CVE-2016-6258
Title x86: Privilege escalation in PV guests

Files

advisory-182.txt (signed advisory file)
xsa182-unstable.patch
xsa182-4.5.patch
xsa182-4.6.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2016-6258 / XSA-182
                              version 4

                x86: Privilege escalation in PV guests

UPDATES IN VERSION 4
====================

Fix patch name.

ISSUE DESCRIPTION
=================

The PV pagetable code has fast-paths for making updates to pre-existing
pagetable entries, to skip expensive re-validation in safe cases
(e.g. clearing only Access/Dirty bits).  The bits considered safe were too
broad, and not actually safe.

IMPACT
======

A malicous PV guest administrator can escalate their privilege to that
of the host.

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

The vulnerability is only exposed to PV guests on x86 hardware.

The vulnerability is not exposed to x86 HVM guests, or ARM guests.

MITIGATION
==========

Running only HVM guests will avoid this vulnerability.

CREDITS
=======

This issue was discovered by Jérémie Boutoille of Quarkslab.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa182-unstable.patch  xen-unstable, Xen 4.7.x
xsa182-4.6.patch       Xen 4.6.x
xsa182-4.5.patch       Xen 4.5.x, 4.4.x, 4.3.x

$ sha256sum xsa182*
303400b9a832a3c1d423cc2cc97c2f00482793722f9ef7dd246783a049ac2792  xsa182-unstable.patch
2383695b1dc114e4e31e42dd05d4c86239ce9606478b5e1a71db1111d95b63a2  xsa182-4.5.patch
f10665acaf17dedd15c40bfeb832b188db1ab3e789d95cc3787575529a280813  xsa182-4.6.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmV8b/MMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZdRkH/iyj4YYw06xblD3zpirV2J6HRf8BrjfrKgauEOZm
e5hLC/7GtRArPoR3usgw3zR7fGMvJINOQI1IRXxxntHWu0gZ/Nb+bmS7cVmeET7o
wVKDV+aH4MnmDjvlUw+Cc60ZVYrdyJsME1TLV/8r9BfFgrxNaHri1V0/jiqCG5ZA
o7rhPBO2fD9jsGxjsyqOuRSvShHqZvkQ6RwX5vTttWFWFcpxwPH7eocKTxPO2Wdi
oG6QORABYN2KmRvwa8tfA7MQIlViZObP51JIbYki7qsEahLnmXfuVD4/A/nDGu/o
3VHzHR3E5DKOfg9ZLy71K9+mZDvm2j8Ld0GxNtsk+Jsk1AE=
=NDTz
-----END PGP SIGNATURE-----


Xenproject.org Security Team