Information
| Advisory | XSA-58 |
|---|
| Public release | 2013-06-26 12:00 |
|---|
| Updated | 2013-06-26 13:18 |
|---|
| Version | 2 |
|---|
| CVE(s) | CVE-2013-1432 |
|---|
| Title | Page reference counting error due to XSA-45/CVE-2013-1918 fixes |
|---|
Files
advisory-58.txt (signed advisory file)
xsa58-4.1.patch
xsa58-4.2.patch
xsa58-unstable.patch
Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Xen Security Advisory CVE-2013-1432 / XSA-58
version 2
Page reference counting error due to XSA-45/CVE-2013-1918 fixes
UPDATES IN VERSION 2
====================
Public release. Credits section added.
ISSUE DESCRIPTION
=================
The XSA-45/CVE-2013-1918 patch making error handling paths preemptible broke
page reference counting by not retaining a reference on pages stored for
deferred cleanup. This would lead to the hypervisor prematurely attempting to
free the page, generally crashing upon finding the page still in use.
CREDITS
=======
Thanks to Andrew Cooper and the Citrix XenServer team for discovering
and reporting this vulnerability, and helping investigate it.
IMPACT
======
Malicious or buggy PV guest kernels can mount a denial of service attack
affecting the whole system. It can't be excluded that this could also be
exploited to mount a privilege escalation attack.
VULNERABLE SYSTEMS
==================
All Xen versions having the XSA-45/CVE-2013-1918 fixes applied are vulnerable.
The vulnerability is only exposed by PV guests.
MITIGATION
==========
Running only HVM guests, or PV guests with trusted kernels, will avoid this
vulnerability.
RESOLUTION
==========
Applying the appropriate attached patch resolves this issue.
xsa58-4.1.patch Xen 4.1.x
xsa58-4.2.patch Xen 4.2.x
xsa58-unstable.patch xen-unstable
$ sha256sum xsa58*.patch
3623ec87e5a2830f0d41de19a8e448d618954973c3264727a1f3a095f15a8641 xsa58-4.1.patch
194d6610fc38b767d643e5d58a1268f45921fb35e309b47aca6a388b861311c2 xsa58-4.2.patch
2c94b099d7144d03c0f7f44e892a521537fc040d11bc46f84a2438eece46a0f5 xsa58-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQEcBAEBAgAGBQJRyuoNAAoJEIP+FMlX6CvZY3EH/04uBhD797FdBhCRkq/y1ACc
Dvg1BRZ4lHkURDp97gD4Fdyf95Lw4qtniYBq8H/kpVPWJgN7+Dmj8uoluWhOI62Y
Q7a97CZ3O39VcuNRQnZG8c6dduGwMTzbJMkftG0CcltygAxVVRU4uHSG4+MHQ5PZ
N1xauljWrbw49iZz0shxZv4BA/1MQyuyZGFIpOaYoom0vV67pfrQJ2kgCMDUctmq
WXNkVcOiS7lwS/+++goPIboSEy6UJCIVrhZmL7GhbNfiznlOFVgExMttQRcUDi/D
4SS4ghl3IyB34TwoX1P7TPEeHGbfonObGpzBQNduBIJDM32nqO7P8097XG0j0Tw=
=aw1s
-----END PGP SIGNATURE-----
Xenproject.org Security Team