The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.
Xen: infinite loop via GNTTABOP_get_status_frames
Synthesis of the vulnerability
A local attacker who is administrator of a PV guest can use the GNTTABOP_get_status_frames hypercall to hang (lock up) Xen.
Vulnerable systems: XenServer, Debian, Fedora, openSUSE, SUSE Linux Enterprise Desktop, SLES, Unix (platform) (list not comprehensive).
Severity of this threat: 1/4.
Consequences of an attack: denial of service on server.
Attacker's origin: user shell.
Creation date: 13/11/2012.
References for this weakness: BID-56498, CERTA-2012-AVI-650, CERTA-2012-AVI-651, CTX135458, CVE-2012-4539, DSA-2582-1, FEDORA-2012-18242, FEDORA-2012-18249, openSUSE-SU-2012:1572-1, openSUSE-SU-2012:1573-1, SUSE-SU-2012:1486-1, SUSE-SU-2012:1487-1, SUSE-SU-2012:1503-1, SUSE-SU-2014:0446-1, VIGILANCE-VUL-12140, XSA-24.
Description of the vulnerability
The Xen hypervisor can run on a 64-bit processor and host 32-bit paravirtualized (PV) guests.
However, in this configuration (32-bit PV guest on a 64-bit hypervisor), the handler for the GNTTABOP_get_status_frames hypercall uses the same loop control variable for two loops. A guest can therefore pass a crafted hypercall parameter that makes the loop never terminate.
A local attacker who is administrator of a PV guest can therefore use the GNTTABOP_get_status_frames hypercall to hang (lock up) Xen.
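As an added illustration of the bug class the bulletin describes (this is a model written for this page, not Xen's code), the buggy routine pages through a guest-requested number of status frames with nested loops that share one counter, so for some request sizes the outer loop condition is never reached; the corrected routine uses a separate inner counter and bounds the guest-supplied count. The batch size, the frame limit, `frame_address()` and the step budget are hypothetical; the budget exists only so the buggy model returns instead of spinning.

```c
#include <stdint.h>

#define FRAMES_PER_BATCH  4     /* hypothetical batch size */
#define MAX_STATUS_FRAMES 64    /* hypothetical upper bound on a request */
#define STEP_BUDGET       1000  /* demo-only guard so the buggy model returns */

/* Hypothetical stand-in for looking up the address of status frame idx. */
static uint32_t frame_address(uint32_t idx) { return 0x1000u + idx; }

/* Buggy model: the outer loop walks the request in batches, the inner loop
 * fills one batch, and both use i. The inner loop rewinds i, so for some
 * guest-supplied nr_frames the outer condition is never satisfied.
 * Returns the outer counter at exit (wrong even when it does exit), or -1
 * when the step budget runs out, i.e. where a real handler would spin. */
int copy_status_frames_buggy(uint32_t nr_frames, uint32_t *out)
{
    uint32_t i;
    unsigned steps = 0;
    for (i = 0; i < nr_frames; i += FRAMES_PER_BATCH) {
        uint32_t n = nr_frames - i < FRAMES_PER_BATCH ? nr_frames - i
                                                      : FRAMES_PER_BATCH;
        for (i = 0; i < n; i++)            /* bug: reuses the outer counter */
            out[i] = frame_address(i);     /* also fills the wrong slots */
        if (++steps > STEP_BUDGET)
            return -1;
    }
    return (int)i;
}

/* Corrected model: distinct counters, and the guest-controlled count is
 * bounded before any work is done. Returns frames copied, or -1 on a
 * request larger than the caller's buffer can hold. */
int copy_status_frames_fixed(uint32_t nr_frames, uint32_t *out)
{
    if (nr_frames > MAX_STATUS_FRAMES)
        return -1;
    for (uint32_t i = 0; i < nr_frames; i += FRAMES_PER_BATCH) {
        uint32_t n = nr_frames - i < FRAMES_PER_BATCH ? nr_frames - i
                                                      : FRAMES_PER_BATCH;
        for (uint32_t j = 0; j < n; j++)   /* separate inner counter */
            out[i + j] = frame_address(i + j);
    }
    return (int)nr_frames;
}
```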