VDB-78957 · CVE-2015-7835 · XSA-148

XenSource Xen à 4.6.0 Mapping arch/x86/mm.c mod_l2_entry elévation de privilèges

Une vulnérabilité classée critique a été trouvée dans XenSource Xen (Virtualization Software). Affecté par cette vulnérabilité est la fonction mod_l2_entry du fichier arch/x86/mm.c du composant Mapping Handler. En appliquant un correctif il est possible d'éliminer le problème. Une solution envisageable a été publiée immédiatement après la publication de la vulnérabilité.

Domaine	30/10/2015 09:38	02/12/2018 09:54	25/06/2022 14:18
type	Virtualization Software	Virtualization Software	Virtualization Software
vendor	XenSource	XenSource	XenSource
name	Xen	Xen	Xen
version	3.4.0/3.4.1/3.4.2/3.4.3/3.4.4/4.0.0/4.0.1/4.0.2/4.0.3/4.0.4/4.1.0/4.1.1/4.1.2/4.1.3/4.1.4/4.1.5/4.1.6.1/4.2.0/4.2.1/4.2.2/4.2.3/4.3.0/4.3.1/4.3.2/4.3.4/4.4.0/4.4.1/4.5.0/4.5.1/4.6.0	3.4.0/3.4.1/3.4.2/3.4.3/3.4.4/4.0.0/4.0.1/4.0.2/4.0.3/4.0.4/4.1.0/4.1.1/4.1.2/4.1.3/4.1.4/4.1.5/4.1.6.1/4.2.0/4.2.1/4.2.2/4.2.3/4.3.0/4.3.1/4.3.2/4.3.4/4.4.0/4.4.1/4.5.0/4.5.1/4.6.0	3.4.0/3.4.1/3.4.2/3.4.3/3.4.4/4.0.0/4.0.1/4.0.2/4.0.3/4.0.4/4.1.0/4.1.1/4.1.2/4.1.3/4.1.4/4.1.5/4.1.6.1/4.2.0/4.2.1/4.2.2/4.2.3/4.3.0/4.3.1/4.3.2/4.3.4/4.4.0/4.4.1/4.5.0/4.5.1/4.6.0
component	Mapping Handler	Mapping Handler	Mapping Handler
file	arch/x86/mm.c	arch/x86/mm.c	arch/x86/mm.c
function	mod_l2_entry	mod_l2_entry	mod_l2_entry
introductiondate	1225843200	1225843200	1225843200
cwe	20 (elévation de privilèges)	20 (elévation de privilèges)	20 (elévation de privilèges)
risk	3	3	3
popularity	85	85	85
historic	0	0	0
cvss2_vuldb_basescore	4.6	4.6	4.6
cvss2_vuldb_tempscore	3.4	3.4	3.4
cvss2_vuldb_av	L	L	L
cvss2_vuldb_ac	L	L	L
cvss2_vuldb_au	N	N	N
cvss2_vuldb_ci	P	P	P
cvss2_vuldb_ii	P	P	P
cvss2_vuldb_ai	P	P	P
cvss2_nvd_av	L	L	L
cvss2_nvd_ac	L	L	L
cvss2_nvd_au	N	N	N
cvss2_nvd_ci	C	C	C
cvss2_nvd_ii	C	C	C
cvss2_nvd_ai	C	C	C
cvss3_meta_basescore	5.9	5.9	5.9
cvss3_meta_tempscore	5.2	5.2	5.2
cvss3_vuldb_basescore	5.9	5.9	5.9
cvss3_vuldb_tempscore	5.2	5.2	5.2
sourcecode	if ( l2e_get_flags(nl2e) & _PAGE_PRESENT ) { if ( unlikely(l2e_get_flags(nl2e) & L2_DISALLOW_MASK) ) { //... }	if ( l2e_get_flags(nl2e) & _PAGE_PRESENT ) { if ( unlikely(l2e_get_flags(nl2e) & L2_DISALLOW_MASK) ) { //... }	if ( l2e_get_flags(nl2e) & _PAGE_PRESENT ) { if ( unlikely(l2e_get_flags(nl2e) & L2_DISALLOW_MASK) ) { //... }
advisoryquote	We see the attacker might request setting of the (PSE \| RW) bits in the L2 PDE (which is possible thanks to L2_DISALLOW_MASK not excluding the PSE bit, something which has been added to support the superpage mappings for the PV guests), thus making the whole L1 table accessible to the guest with R/W rights (now seen as a large 2MB page), and modify one or more of the PTEs there to point to an arbitrary MFN the attacker feels like having access to. Now that would not be all fatal, if the attacker had no way of tricking Xen into treating this (now under the attacker's control) super-page back as a valid table of PTEs. Sadly, there is nothing to stop her from doing that. Thus we end up with Xen now treating the attacker-filled memory as a set of valid PTEs for the (PV) guest. This means the guest, by referencing the addresses mapped by these pages, is now really accessing whatever MFNs the attacker decided to write into the PTEs. In other words, the guest can access now all the system's memory. Reliably. The attack works irrespectively of whether the opt_allow_superpage is true or not.	We see the attacker might request setting of the (PSE \| RW) bits in the L2 PDE (which is possible thanks to L2_DISALLOW_MASK not excluding the PSE bit, something which has been added to support the superpage mappings for the PV guests), thus making the whole L1 table accessible to the guest with R/W rights (now seen as a large 2MB page), and modify one or more of the PTEs there to point to an arbitrary MFN the attacker feels like having access to. Now that would not be all fatal, if the attacker had no way of tricking Xen into treating this (now under the attacker's control) super-page back as a valid table of PTEs. Sadly, there is nothing to stop her from doing that. Thus we end up with Xen now treating the attacker-filled memory as a set of valid PTEs for the (PV) guest. This means the guest, by referencing the addresses mapped by these pages, is now really accessing whatever MFNs the attacker decided to write into the PTEs. In other words, the guest can access now all the system's memory. Reliably. The attack works irrespectively of whether the opt_allow_superpage is true or not.	We see the attacker might request setting of the (PSE \| RW) bits in the L2 PDE (which is possible thanks to L2_DISALLOW_MASK not excluding the PSE bit, something which has been added to support the superpage mappings for the PV guests), thus making the whole L1 table accessible to the guest with R/W rights (now seen as a large 2MB page), and modify one or more of the PTEs there to point to an arbitrary MFN the attacker feels like having access to. Now that would not be all fatal, if the attacker had no way of tricking Xen into treating this (now under the attacker's control) super-page back as a valid table of PTEs. Sadly, there is nothing to stop her from doing that. Thus we end up with Xen now treating the attacker-filled memory as a set of valid PTEs for the (PV) guest. This means the guest, by referencing the addresses mapped by these pages, is now really accessing whatever MFNs the attacker decided to write into the PTEs. In other words, the guest can access now all the system's memory. Reliably. The attack works irrespectively of whether the opt_allow_superpage is true or not.
date	1446076800 (29/10/2015)	1446076800 (29/10/2015)	1446076800 (29/10/2015)
location	Website	Website	Website
type	Security Advisory	Security Advisory	Security Advisory
url	http://xenbits.xen.org/xsa/advisory-148.html	http://xenbits.xen.org/xsa/advisory-148.html	http://xenbits.xen.org/xsa/advisory-148.html
identifier	XSA-148	XSA-148	XSA-148
company_name	Xen Security Team	Xen Security Team	Xen Security Team
availability	0	0	0
price_0day	$100k et plus	$100k et plus	$25k-$100k
name	Patch	Patch	Patch
date	1446076800 (29/10/2015)	1446076800 (29/10/2015)	1446076800 (29/10/2015)
cve	CVE-2015-7835	CVE-2015-7835	CVE-2015-7835
cve_assigned	1444780800 (14/10/2015)	1444780800 (14/10/2015)	1444780800 (14/10/2015)
cve_nvd_published	1446163200	1446163200	1446163200
cve_nvd_summary	The mod_l2_entry function in arch/x86/mm.c in Xen 3.4 through 4.6.x does not properly validate level 2 page table entries, which allows local PV guest administrators to gain privileges via a crafted superpage mapping.	The mod_l2_entry function in arch/x86/mm.c in Xen 3.4 through 4.6.x does not properly validate level 2 page table entries, which allows local PV guest administrators to gain privileges via a crafted superpage mapping.	The mod_l2_entry function in arch/x86/mm.c in Xen 3.4 through 4.6.x does not properly validate level 2 page table entries, which allows local PV guest administrators to gain privileges via a crafted superpage mapping.
securityfocus	77366	77366	77366
securityfocus_date	1446076800 (29/10/2015)	1446076800 (29/10/2015)	1446076800 (29/10/2015)
securityfocus_class	Design Error	Design Error	Design Error
securityfocus_title	Xen CVE-2015-7835 Privilege Escalation Vulnerability	Xen CVE-2015-7835 Privilege Escalation Vulnerability	Xen CVE-2015-7835 Privilege Escalation Vulnerability
vulnerabilitycenter	54040	54040	54040
vulnerabilitycenter_title	Xen Local Privilege Escalation via a PV Guest Access	Xen Local Privilege Escalation via a PV Guest Access	Xen Local Privilege Escalation via a PV Guest Access
vulnerabilitycenter_severity	High	High	High
vulnerabilitycenter_creationdate	1446163200	1446163200	1446163200
vulnerabilitycenter_lastupdate	1535500800	1535500800	1535500800
vulnerabilitycenter_reportingdate	1446076800	1446076800	1446076800
xforce	107667	107667	107667
xforce_title	Xen mappings privilege escalation	Xen mappings privilege escalation	Xen mappings privilege escalation
xforce_identifier	xen-cve20157835-priv-esc	xen-cve20157835-priv-esc	xen-cve20157835-priv-esc
heise	2866773	2866773	2866773
nessus_id	86700	86700	86700
nessus_name	Debian DSA-3390-1 : xen - security update	Debian DSA-3390-1 : xen - security update	Debian DSA-3390-1 : xen - security update
nessus_filename	debian_DSA-3390.nasl	debian_DSA-3390.nasl	debian_DSA-3390.nasl
nessus_risk	High	High	High
nessus_family	Debian Local Security Checks	Debian Local Security Checks	Debian Local Security Checks
nessus_type	local	local	local
nessus_date	1446508800 (03/11/2015)	1446508800 (03/11/2015)	1446508800 (03/11/2015)
openvas_id	703390	703390	703390
openvas_filename	deb_3390.nasl	deb_3390.nasl	deb_3390.nasl
openvas_title	Debian Security Advisory DSA 3390-1 (xen - security update)	Debian Security Advisory DSA 3390-1 (xen - security update)	Debian Security Advisory DSA 3390-1 (xen - security update)
openvas_family	Debian Local Security Checks	Debian Local Security Checks	Debian Local Security Checks
qualys_id	370027	370027	370027
qualys_title	Citrix XenServer Security Update (CTX202404)	Citrix XenServer Security Update (CTX202404)	Citrix XenServer Security Update (CTX202404)
misc	https://blog.xenproject.org/author/ianj/	https://blog.xenproject.org/author/ianj/	https://blog.xenproject.org/author/ianj/
seealso	78959 78960 78963	78959 78960 78963	78959 78960 78963
cvss3_vuldb_ac	L	L	L
cvss3_vuldb_ui	N	N	N
cvss2_vuldb_e	U	U	U
cvss2_vuldb_rl	OF	OF	OF
cvss2_vuldb_rc	C	C	C
cvss3_vuldb_e	U	U	U
cvss3_vuldb_rl	O	O	O
cvss3_vuldb_rc	C	C	C
0day_days	2549	2549	2549
person_nickname	Alibaba	Alibaba	Alibaba
cvss3_vuldb_av	L	L	L
cvss3_vuldb_pr	N	N	N
cvss3_vuldb_s	U	U	U
cvss3_vuldb_c	L	L	L
cvss3_vuldb_i	L	L	L
cvss3_vuldb_a	L	L	L
confirm_url		http://xenbits.xen.org/xsa/advisory-148.html	http://xenbits.xen.org/xsa/advisory-148.html
oval_id		oval:org.cisecurity:def:301	oval:org.cisecurity:def:301
sectracker			1034032
cvss2_nvd_basescore			7.2

◂ Précédent Aperçu Suivant ▸

Do you want to use VulDB in your project?

Use the official API to access entries easily!