The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Xen: several vulnerabilities

Synthesis of the vulnerability 

An attacker, who is located in a Xen guest system, can use several vulnerabilities, in order to create a denial of service on the host, or to execute code.
Vulnerable products: XenServer, Debian, BIG-IP Hardware, TMOS, Fedora, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity of this weakness: 2/4.
Number of vulnerabilities in this bulletin: 7.
Creation date: 05/09/2012.
References of this bulletin: BID-55400, BID-55406, BID-55410, BID-55411, BID-55412, BID-55413, BID-55414, CERTA-2012-AVI-485, CTX134708, CVE-2012-3494, CVE-2012-3495, CVE-2012-3496, CVE-2012-3497-REJECT, CVE-2012-3498, CVE-2012-3515, CVE-2012-3516, CVE-2012-6030, CVE-2012-6031, CVE-2012-6032, CVE-2012-6033, CVE-2012-6034, CVE-2012-6035, CVE-2012-6036, DSA-2542-1, DSA-2543-1, DSA-2544-1, DSA-2545-1, FEDORA-2012-13434, FEDORA-2012-13443, FEDORA-2012-15606, FEDORA-2012-15740, MDVSA-2013:121, openSUSE-SU-2012:1153-1, openSUSE-SU-2012:1170-1, openSUSE-SU-2012:1172-1, openSUSE-SU-2012:1174-1, openSUSE-SU-2012:1176-1, openSUSE-SU-2012:1572-1, openSUSE-SU-2012:1573-1, RHSA-2012:1233-01, RHSA-2012:1234-01, RHSA-2012:1235-01, RHSA-2012:1236-01, RHSA-2012:1262-01, RHSA-2012:1325-01, SOL13405416, SUSE-SU-2012:1129-1, SUSE-SU-2012:1132-1, SUSE-SU-2012:1133-1, SUSE-SU-2012:1135-1, SUSE-SU-2012:1162-1, SUSE-SU-2012:1203-1, SUSE-SU-2012:1205-1, SUSE-SU-2012:1486-1, SUSE-SU-2012:1487-1, SUSE-SU-2012:1503-1, SUSE-SU-2014:0446-1, VIGILANCE-VUL-11916, XSA-12, XSA-13, XSA-14, XSA-15, XSA-16, XSA-17, XSA-18.

Description of the vulnerability 

Several vulnerabilities were announced in Xen.

An attacker, who is located in a paravirtualized 64 bit guest system, can change the debug register DR7. [severity:1/4; BID-55400, CVE-2012-3494, XSA-12]

The PHYSDEVOP_get_free_pirq hypercall of Xen 4.1, which is used to obtain the structure physdev_get_free_pirq, uses the return code of the get_free_pirq() function as an array index. However, if the function fails, the error code is an invalid index, which corrupts the memory, and could lead to code execution. An attacker, who is located in a guest system, can try to access a physical IRQ, to exploit this vulnerability. [severity:2/4; BID-55406, CVE-2012-3495, XSA-13]
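
The flaw class described above for PHYSDEVOP_get_free_pirq, shown as an added example that is not Xen's code and not part of the original bulletin. It is a simplified C model in which every name (mem, model_get_free_pirq, alloc_unchecked, alloc_checked, guard_corrupted) and constant is constructed for illustration; guard words are placed before a small table so that the write caused by using a negative error code as an index can be observed, next to the checked form that propagates the error.

```c
#include <stdio.h>
#include <string.h>
#define NR_PIRQS     4   /* constructed table size */
#define GUARD        32  /* words before the table, standing in for adjacent memory */
#define MODEL_ENOSPC 28  /* error value used by this model */
/* Flat model memory: GUARD unrelated words, then the pirq table. */
static int mem[GUARD + NR_PIRQS];

static void model_init(int used) {
    memset(mem, 0, sizeof(mem));
    for (int i = 0; i < used && i < NR_PIRQS; i++) mem[GUARD + i] = 1;
}

/* Returns a free slot index, or a negative error code when the table is full. */
static int model_get_free_pirq(void) {
    for (int i = 0; i < NR_PIRQS; i++)
        if (!mem[GUARD + i]) return i;
    return -MODEL_ENOSPC;
}

/* Flawed pattern: the return value is used as an index with no error check. */
static int alloc_unchecked(void) {
    int pirq = model_get_free_pirq();
    mem[GUARD + pirq] = 1;   /* on failure pirq is -28: write lands outside the table */
    return pirq;
}

/* Hardened pattern: propagate the error before indexing. */
static int alloc_checked(void) {
    int pirq = model_get_free_pirq();
    if (pirq < 0) return pirq;
    mem[GUARD + pirq] = 1;
    return pirq;
}

/* Number of words outside the table that were modified. */
static int guard_corrupted(void) {
    int n = 0;
    for (int i = 0; i < GUARD; i++) n += (mem[i] != 0);
    return n;
}

int main(void) {
    model_init(NR_PIRQS); alloc_unchecked();
    printf("unchecked: %d stray write(s)\n", guard_corrupted());
    model_init(NR_PIRQS); int rc = alloc_checked();
    printf("checked: rc=%d, %d stray write(s)\n", rc, guard_corrupted());
    return 0;
}
```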

An attacker, who is located in a paravirtualized guest system, can call XENMEM_populate_physmap with an invalid parameter, in order to stop the host system. [severity:1/4; BID-55412, CVE-2012-3496, XSA-14]

When TMEM (Transcendent Memory) is enabled via the option "tmem" on the hypervisor command line, an attacker located in a guest can corrupt the host memory, in order to execute code on the host. [severity:2/4; BID-55410, CVE-2012-3497-REJECT, CVE-2012-6030, CVE-2012-6031, CVE-2012-6032, CVE-2012-6033, CVE-2012-6034, CVE-2012-6035, CVE-2012-6036, XSA-15]

An attacker, who is located in a HVM guest system, can use PHYSDEVOP_map_pirq with the parameter MAP_PIRQ_TYPE_GSI, in order to stop the host system. [severity:1/4; BID-55414, CVE-2012-3498, XSA-16]

An attacker, who is located in a HVM guest system, can use a malicious VT100 sequence, in order to corrupt the memory, to elevate his privileges. [severity:2/4; BID-55413, CVE-2012-3515, XSA-17]

An attacker, who is located in a Xen 4.2RC guest system, can use GNTTABOP_swap_grant_ref to stop the host, and possibly to execute code on the host. [severity:2/4; BID-55411, CVE-2012-3516, XSA-18]

An attacker, who is located in a Xen guest system, can therefore use several vulnerabilities, in order to create a denial of service on the host, or to execute code.

This security bulletin impacts software or systems such as XenServer, Debian, BIG-IP Hardware, TMOS, Fedora, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.

Our Vigil@nce team determined that the severity of this cybersecurity announcement is medium.

The trust level is of type confirmed by the editor, with an origin of user shell.

This bulletin is about 7 vulnerabilities.

An attacker with an expert ability can exploit this vulnerability alert.

Solutions for this threat 

Xen: version 4.1.4.
The version 4.1.4 is fixed:
  http://xen.org/download/index_4.1.4.html
Note: according to the announcement, this version takes into account all vulnerabilities which were announced on December 03, 2012, except VIGILANCE-VUL-12206.

Xen: patches.
Patches are available in information sources.
A patch will be available soon for the vulnerability CVE-2012-3497/XSA-15. In the meantime, it is recommended to disable TMEM.

Citrix XenServer: hotfix.
A patch is available:
Citrix XenServer 6.0.2:
  http://support.citrix.com/article/ctx134753
Citrix XenServer 6.0.0:
  http://support.citrix.com/article/ctx134752
Citrix XenServer 5.6 Service Pack 2:
  http://support.citrix.com/article/ctx134751
Citrix XenServer 5.6 Feature Pack 1:
  http://support.citrix.com/article/ctx134750
Citrix XenServer 5.6:
  http://support.citrix.com/article/ctx134748
Citrix XenServer 5.5 Update 2:
  http://support.citrix.com/article/ctx134747
Citrix XenServer 5.0 Update 3:
  http://support.citrix.com/article/ctx134746

Debian: new qemu-kvm packages.
New packages are available:
  qemu-kvm 0.12.5+dfsg-5+squeeze9

Debian: new qemu packages.
New packages are available:
  qemu 0.12.5+dfsg-3squeeze2

Debian: new xen packages.
New packages are available:
  xen 4.0.1-5.4

Debian: new xen-qemu-dm-4.0 packages.
New packages are available:
  xen-qemu-dm-4.0 4.0.1-2+squeeze2

F5 BIG-IP: fixed versions for QEMU.
Fixed versions are indicated in information sources.

Fedora: new qemu packages.
New packages are available:
  qemu-0.15.1-8.fc16
  qemu-1.0.1-2.fc17

Fedora: new xen packages.
New packages are available:
  xen-4.1.3-2.fc16
  xen-4.1.3-4.fc17

Mandriva Business Server: new qemu packages.
New packages are available:
  qemu-1.0-8.1.mbs1

openSUSE 11.4: new xen packages.
New packages are available:
  xen-4.0.3_04-45.1

openSUSE 12.1: new xen packages.
New packages are available:
  xen-4.1.3_01-1.13.1

openSUSE 12.2: new xen packages.
New packages are available:
  xen-4.1.3_01-5.6.2

openSUSE 12: new xen packages.
New packages are available:
  openSUSE 12.1: xen-4.1.3_04-1.21.1
  openSUSE 12.2: xen-4.1.3_04-5.13.1

RHEL 5: new kvm packages.
New packages are available:
  kvm-83-249.el5_8.5

RHEL 5: new xen packages.
New packages are available:
  xen-3.0.3-135.el5_8.5

RHEL 5 RHEV: new rhev-hypervisor5 packages.
New packages are available:
  rhev-hypervisor5-5.8-20120905.0.el5_8

RHEL 6.3: new qemu-kvm packages.
New packages are available:
  qemu-kvm-0.12.1.2-2.295.el6_3.2

RHEL 6 RHEV Agents: new qemu-kvm-rhev packages.
New packages are available:
  RHEV Agents (vdsm) :
    qemu-img-rhev-0.12.1.2-2.295.el6_3.2

RHEL 6 RHEV: new rhev-hypervisor6 packages.
New packages are available:
RHEV Hypervisor for RHEL-6:
  rhev-hypervisor6-6.3-20120926.0.el6_3

SUSE LE 10: new xen packages (16/11/2012).
New packages are available:
  xen-3.2.3_17040_42-0.7.2

SUSE LE 11: new libvirt packages.
New packages are available:
  libvirt-0.9.6-0.23.1

SUSE LE 11: new xen packages.
New packages are available:
  xen-4.1.3_04-0.5.1

SUSE LE 11 SP1: new xen packages.
New packages are available:
  SUSE LE 11: xen 4.0.3_21548_16-0.5.1

SUSE LE: new xen packages.
New packages are available:
  SUSE LE 10 SP2 : xen-3.2.0_16718_26-0.10.1
  SUSE LE 10 SP3 : xen-3.2.3_17040_28-0.6.13.5
  SUSE LE 10 SP4 : xen-3.2.3_17040_40-0.7.2
  SUSE LE 11 SP1 : xen-4.0.3_21548_10-0.5.1
  SUSE LE 11 SP2 : xen-4.1.3_02-0.5.1

SUSE: new kvm packages.
New packages are available:
  openSUSE 11.4 : kvm-0.14.0.0-23.1
  openSUSE 12.1 : kvm-0.15.1-1.13.1
  openSUSE 12.2 : kvm-1.1.1-1.8.1
  SUSE LE 11 : kvm-0.15.1-0.23.1

SUSE: new qemu packages.
New packages are available:
  openSUSE 11.4 : qemu-0.14.1-1.10.1
  openSUSE 12.1 : qemu-0.14.1-7.6.1
  openSUSE 12.2 : qemu-1.1.1-3.9.1
  SUSE LE 11 : qemu-0.10.1-0.5.7.1