Xen Security Advisory 56 (CVE-2013-2072) - Buffer overflow in xencontrol Python bindings affecting xend
ISSUE DESCRIPTION
The Python bindings for the xc_vcpu_setaffinity call do not properly
check their inputs. Systems which allow untrusted administrators to
configure guest vcpu affinity may be exploited to trigger a buffer
overrun and corrupt memory.
IMPACT
An attacker who is able to configure a specific vcpu affinity via a
toolstack which uses the Python bindings is able to exploit this
issue.
Exploiting this issue leads to memory corruption which may result in a
DoS against the system by crashing the toolstack. The possibility of
code execution (privilege escalation) has not been ruled out.
The xend toolstack passes a cpumap to this function without
sanitization. xend allows the cpumap to be configured via the guest
configuration file or the SXP/XenAPI interface. Normally these
interfaces are not considered safe to expose to non-trusted
parties. However systems which attempt to allow guest administrator
control of VCPU affinity in a safe way via xend may expose this issue.
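The advisory's point is that a cpumap supplied by a guest administrator reached the xc_vcpu_setaffinity binding with no bounds check, so a CPU index beyond the host's CPU count could address memory outside the bitmap buffer. The following is an added example of the kind of validation a toolstack should do before handing an affinity mask to a native binding. It is not the xsa56 patch and not xend's code; the function names, the "0-3,5" list syntax and the byte-per-8-CPUs bitmap layout are assumptions for illustration.

```python
# Added example (not from XSA-56 or xend): bounds-checked construction of a
# VCPU affinity bitmap. The point is that every CPU index is validated
# against the host CPU count before any bit is written, so the bitmap size
# is fixed by nr_cpus and no index can reach past it.
import re


class CpumapError(ValueError):
    """Raised for any cpumap entry that cannot be safely encoded."""


def parse_cpu_list(spec):
    """Parse text such as "0-3,5" into a sorted list of CPU indices.

    The syntax is an assumption for this example; it deliberately rejects
    anything that is not a plain number or ascending "lo-hi" range.
    """
    cpus = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part)
        if m is None:
            raise CpumapError("malformed cpu list entry: %r" % part)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) is not None else lo
        if hi < lo:
            raise CpumapError("descending range: %r" % part)
        cpus.update(range(lo, hi + 1))
    return sorted(cpus)


def build_cpumap(cpus, nr_cpus):
    """Return a bitmap of exactly (nr_cpus + 7) // 8 bytes (assumed layout:
    bit i of byte i // 8 means CPU i).

    nr_cpus is the host's CPU count as reported by the hypervisor; each
    index is range-checked before its bit is set, which is the check the
    advisory says was missing.
    """
    if not isinstance(nr_cpus, int) or nr_cpus <= 0:
        raise CpumapError("nr_cpus must be a positive integer")
    bitmap = bytearray((nr_cpus + 7) // 8)
    for cpu in cpus:
        if not isinstance(cpu, int) or isinstance(cpu, bool):
            raise CpumapError("cpu index must be an integer: %r" % (cpu,))
        if cpu < 0 or cpu >= nr_cpus:
            raise CpumapError("cpu %d out of range 0..%d" % (cpu, nr_cpus - 1))
        bitmap[cpu // 8] |= 1 << (cpu % 8)
    return bytes(bitmap)


def cpumap_from_config(spec, nr_cpus):
    """Convenience wrapper: parse an untrusted config string and encode it,
    raising CpumapError for anything malformed or out of range."""
    return build_cpumap(parse_cpu_list(spec), nr_cpus)


if __name__ == "__main__":
    # Constructed sample: an 8-CPU host and a guest-supplied affinity string.
    print(cpumap_from_config("0-3,5", 8).hex())   # 2f
    try:
        cpumap_from_config("0-3,64", 8)            # index 64 on an 8-CPU host
    except CpumapError as e:
        print("rejected:", e)
```

The wrapper raises before any native call is made, so a toolstack that sits between an untrusted guest administrator and the bindings can reject an oversized mask at the configuration boundary rather than relying on the binding to catch it.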
VULNERABLE SYSTEMS
Xen version 4.0 and later contain this flaw.
Only systems which allow the specification of cpu affinity masks by
untrusted guest administrators are vulnerable. Normally the cpu
affinity is specified by the host administrator as part of the guest
configuration; there is then no vulnerability.
Only systems which use the libxc Python bindings are vulnerable.
Toolstacks which do not use Python, such as xl or xapi, are not
vulnerable.
MITIGATION
Not allowing untrusted guest administrators to configure VCPU affinity
will avoid exposure.
Where possible switching to a toolstack which does not use Python will
also avoid exposure to this vulnerability.
RESOLUTION
Applying the appropriate attached patch resolves this issue.
xsa56.patch Xen 4.1.x, Xen 4.2.x, xen-unstable
$ sha256sum xsa56*.patch
a691c5f5332a42c0d38ddb4dc037eb902f01ba31033b64c47d02909a8de0257d  xsa56.patch
$
reference:
http://www.openwall.com/lists/oss-security/2013/05/17/2
(from redmine: issue id 1900, created on 2013-05-17, closed on 2013-05-21)
- Relations:
- child #1901 (closed)
- child #1902 (closed)
- child #1903 (closed)
- child #1904 (closed)
- Changesets:
- Revision 98f79460 by Natanael Copa on 2013-05-20T09:56:07Z:
main/xen: security fix (CVE-2013-2072)
ref #1900
- Revision 9e709edc by Natanael Copa on 2013-05-20T10:58:29Z:
main/xen: security fix (CVE-2013-2072)
ref #1900
fixes #1901
- Revision 13e7303b by Natanael Copa on 2013-05-20T11:20:03Z:
main/xen: security fix (CVE-2013-2072)
ref #1900
fixes #1903
- Revision 84b9026d by Natanael Copa on 2013-05-21T11:57:18Z:
main/xen: security fix (CVE-2013-2072)
ref #1900
fixes #1902
- Revision 7338a7f1 by Natanael Copa on 2013-05-21T13:14:45Z:
main/xen: security fix (CVE-2013-2072)
ref #1900
fixes #1904
(cherry picked from commit 13e7303be19a003b85e73795409e1bcb7bfa9666)
Conflicts:
main/xen/APKBUILD