XenSource Xen up to 4.6.0 Mapping arch/x86/mm.c mod_l2_entry privilege escalation

A vulnerability classified as critical has been found in XenSource Xen (Virtualization Software). Affected by this vulnerability is the function mod_l2_entry of the file arch/x86/mm.c of the component Mapping Handler. Applying a patch eliminates the problem. A possible mitigation was published immediately after the disclosure of the vulnerability.

Entry revisions: 30/10/2015 09:38, 02/12/2018 09:54, 25/06/2022 14:18 (the values below are the same in all three revisions unless noted)

type: Virtualization Software
vendor: XenSource
name: Xen
version: 3.4.0/3.4.1/3.4.2/3.4.3/3.4.4/4.0.0/4.0.1/4.0.2/4.0.3/4.0.4/4.1.0/4.1.1/4.1.2/4.1.3/4.1.4/4.1.5/4.1.6.1/4.2.0/4.2.1/4.2.2/4.2.3/4.3.0/4.3.1/4.3.2/4.3.4/4.4.0/4.4.1/4.5.0/4.5.1/4.6.0
component: Mapping Handler
file: arch/x86/mm.c
function: mod_l2_entry
introductiondate: 1225843200 (05/11/2008)
cwe: 20 (Privilege Escalation)
risk: 3
popularity: 85
historic: 0

cvss2_vuldb_basescore: 4.6
cvss2_vuldb_tempscore: 3.4
cvss2_vuldb_av: L
cvss2_vuldb_ac: L
cvss2_vuldb_au: N
cvss2_vuldb_ci: P
cvss2_vuldb_ii: P
cvss2_vuldb_ai: P
cvss2_nvd_av: L
cvss2_nvd_ac: L
cvss2_nvd_au: N
cvss2_nvd_ci: C
cvss2_nvd_ii: C
cvss2_nvd_ai: C
cvss3_meta_basescore: 5.9
cvss3_meta_tempscore: 5.2
cvss3_vuldb_basescore: 5.9
cvss3_vuldb_tempscore: 5.2
sourcecode:

    if ( l2e_get_flags(nl2e) & _PAGE_PRESENT )
    {
        if ( unlikely(l2e_get_flags(nl2e) & L2_DISALLOW_MASK) )
        {
            //...
        }
advisoryquote: We see the attacker might request setting of the (PSE | RW) bits in the L2 PDE (which is possible thanks to L2_DISALLOW_MASK not excluding the PSE bit, something which has been added to support the superpage mappings for the PV guests), thus making the whole L1 table accessible to the guest with R/W rights (now seen as a large 2MB page), and modify one or more of the PTEs there to point to an arbitrary MFN the attacker feels like having access to. Now that would not be all fatal, if the attacker had no way of tricking Xen into treating this (now under the attacker's control) super-page back as a valid table of PTEs. Sadly, there is nothing to stop her from doing that. Thus we end up with Xen now treating the attacker-filled memory as a set of valid PTEs for the (PV) guest. This means the guest, by referencing the addresses mapped by these pages, is now really accessing whatever MFNs the attacker decided to write into the PTEs. In other words, the guest can now access all the system's memory. Reliably. The attack works irrespective of whether the opt_allow_superpage is true or not.
date: 1446076800 (29/10/2015)
location: Website
type: Security Advisory
url: http://xenbits.xen.org/xsa/advisory-148.html
identifier: XSA-148
company_name: Xen Security Team
availability: 0
price_0day: $100k and more (revisions of 30/10/2015 and 02/12/2018); $25k-$100k (revision of 25/06/2022)
name: Patch
date: 1446076800 (29/10/2015)

cve: CVE-2015-7835
cve_assigned: 1444780800 (14/10/2015)
cve_nvd_published: 1446163200 (30/10/2015)
cve_nvd_summary: The mod_l2_entry function in arch/x86/mm.c in Xen 3.4 through 4.6.x does not properly validate level 2 page table entries, which allows local PV guest administrators to gain privileges via a crafted superpage mapping.

securityfocus: 77366
securityfocus_date: 1446076800 (29/10/2015)
securityfocus_class: Design Error
securityfocus_title: Xen CVE-2015-7835 Privilege Escalation Vulnerability

vulnerabilitycenter: 54040
vulnerabilitycenter_title: Xen Local Privilege Escalation via a PV Guest Access
vulnerabilitycenter_severity: High
vulnerabilitycenter_creationdate: 1446163200 (30/10/2015)
vulnerabilitycenter_lastupdate: 1535500800 (29/08/2018)
vulnerabilitycenter_reportingdate: 1446076800 (29/10/2015)

xforce: 107667
xforce_title: Xen mappings privilege escalation
xforce_identifier: xen-cve20157835-priv-esc

heise: 2866773

nessus_id: 86700
nessus_name: Debian DSA-3390-1 : xen - security update
nessus_filename: debian_DSA-3390.nasl
nessus_risk: High
nessus_family: Debian Local Security Checks
nessus_type: local
nessus_date: 1446508800 (03/11/2015)

openvas_id: 703390
openvas_filename: deb_3390.nasl
openvas_title: Debian Security Advisory DSA 3390-1 (xen - security update)
openvas_family: Debian Local Security Checks

qualys_id: 370027
qualys_title: Citrix XenServer Security Update (CTX202404)

misc: https://blog.xenproject.org/author/ianj/
seealso: 78959 78960 78963

cvss3_vuldb_ac: L
cvss3_vuldb_ui: N
cvss2_vuldb_e: U
cvss2_vuldb_rl: OF
cvss2_vuldb_rc: C
cvss3_vuldb_e: U
cvss3_vuldb_rl: O
cvss3_vuldb_rc: C
0day_days: 2549
person_nickname: Alibaba
cvss3_vuldb_av: L
cvss3_vuldb_pr: N
cvss3_vuldb_s: U
cvss3_vuldb_c: L
cvss3_vuldb_i: L
cvss3_vuldb_a: L
confirm_url: http://xenbits.xen.org/xsa/advisory-148.html
oval_id: oval:org.cisecurity:def:301
sectracker: 1034032
cvss2_nvd_basescore: 7.2
