Headline
CVE-2019-18425: 298 - Xen Security Advisories
An issue was discovered in Xen through 4.12.x allowing 32-bit PV guest OS users to gain guest OS privileges by installing and using descriptors. There is missing descriptor table limit checking in x86 PV emulation. When emulating certain PV guest operations, descriptor table accesses are performed by the emulating code. Such accesses should respect the guest specified limits, unless otherwise guaranteed to fail in such a case. Without this, emulation of 32-bit guest user mode calls through call gates would allow guest user mode to install and then use descriptors of their choice, as long as the guest kernel did not itself install an LDT. (Most OSes don’t install any LDT by default). 32-bit PV guest user mode can elevate its privileges to that of the guest kernel. Xen versions from at least 3.2 onwards are affected. Only 32-bit PV guest user mode can leverage this vulnerability. HVM, PVH, as well as 64-bit PV guests cannot leverage this vulnerability. Arm systems are unaffected.
Information
Advisory
XSA-298
Public release
2019-10-31 12:00
Updated
2019-10-31 12:28
Version
3
CVE(s)
CVE-2019-18425
Title
missing descriptor table limit checking in x86 PV emulation
Filesadvisory-298.txt (signed advisory file)
xsa298.meta
xsa298.patch
xsa298-4.9.patch
xsa298-4.10.patch
xsa298-4.11.patchAdvisory
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
Xen Security Advisory CVE-2019-18425 / XSA-298
version 3
missing descriptor table limit checking in x86 PV emulation
UPDATES IN VERSION 3
Public release.
ISSUE DESCRIPTION
When emulating certain PV guest operations, descriptor table accesses are performed by the emulating code. Such accesses should respect the guest specified limits, unless otherwise guaranteed to fail in such a case. Without this, emulation of 32-bit guest user mode calls through call gates would allow guest user mode to install and then use descriptors of their choice, as long as the guest kernel did not itself install an LDT. (Most OSes don’t install any LDT by default).
IMPACT
32-bit PV guest user mode can elevate its privileges to that of the guest kernel.
VULNERABLE SYSTEMS
Xen versions from at least 3.2 onwards are affected.
Only 32-bit PV guest user mode can leverage this vulnerability.
HVM, PVH, as well as 64-bit PV guests cannot leverage this vulnerability.
Arm systems are unaffected.
MITIGATION
Running only HVM, PVH, or 64-bit PV guests will avoid this vulnerability.
CREDITS
This issue was discovered by Andrew Cooper of Citrix.
RESOLUTION
Applying the appropriate attached patch resolves this issue.
xsa298.patch xen-unstable, Xen 4.12.x xsa298-4.11.patch Xen 4.11.x xsa298-4.10.patch Xen 4.10.x xsa298-4.9.patch Xen 4.9.x, Xen 4.8.x, Xen 4.7.x
$ sha256sum xsa298* 82c6f626732f99711212155b280270fe2f6683460299b1a6fc3f70b3932970ce xsa298.meta 3f422ad83abb54fe6afed460a5982cf1faa1717e51ab19fbf2375be1b5f8f4a3 xsa298.patch da8d5bad97a46c072dd1715c96401b145cecda14f0303043e6dca313e7ffff0c xsa298-4.9.patch 92dba14b6a208379c2569b9c1c11438da384ec47db2508b4761af30d74a9403d xsa298-4.10.patch d2d8eb5de5601b88f2a6503ecf6bb83207e4b2f17833d61a74fcd185ac7f5a71 xsa298-4.11.patch $
DEPLOYMENT DURING EMBARGO
Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators.
But: Distribution of updated software is prohibited (except to other members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team.
(Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team’s decisionmaking.)
For more information about permissible uses of embargoed information, consult the Xen Project community’s agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE-----
iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl2601AMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZk/AH/iLP9TpdOKNoW8fJDuOjlIQHsI0RPtU6KIdSc1a8 nzrcPfwpdP3/89GJQyEHwi5ZZdXAnNcXSK7BC+EEzqznV/VwHRDusCBH0enjUe0z jDpOsxeI5RsuyJnSFojhI2E+y1khjKtVvnbNWbHzBfWMPD9Inc+nw9Q1KWfpSkk6 TTS8OwR9DwNiVXz9Na+BKuIBOVinFd1wA+HBNZKJl3JCz8N0Oa6RHDKFQQKJ4Uy2 KzBdzm5dWr0xP4stQmnYoU7JobGbcvKyMVMwwryS3cffLyhOLuzCWjDO+n7RkoRy xWmGWVeQWAeIzqvvtb104NrHSVwVeFSOsen0cqFLvV82MRw= =tmUK -----END PGP SIGNATURE-----
Xenproject.org Security Team