988675 – (CVE-2016-6258) VUL-0: CVE-2016-6258: xen: x86: Privilege escalation in PV guests (XSA-182)

Bug 988675 (CVE-2016-6258) - VUL-0: CVE-2016-6258: xen: x86: Privilege escalation in PV guests (XSA-182)

Summary: VUL-0: CVE-2016-6258: xen: x86: Privilege escalation in PV guests (XSA-182)

Status:	RESOLVED FIXED
Duplicates (1):	988692 (view as bug list)

Alias:	CVE-2016-6258

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P5 - None Severity: Major
Target Milestone:	---
Deadline:	2016-10-06
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:	CVSSv2:RedHat:CVE-2016-6258:6.0:(AV:N...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2016-07-13 06:23 UTC by Alexander Bergmann
Modified:	2021-01-22 08:58 UTC (History)
CC List:	7 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Comment 4 Andreas Stieger 2016-07-13 08:30:03 UTC

*** Bug 988692 has been marked as a duplicate of this bug. ***

Comment 5 Andreas Stieger 2016-07-13 08:59:06 UTC

CVSSv2 base score 7.9 (AV:A/AC:M/Au:N/C:C/I:C/A:C)
CVSSv3 base score 8.5 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Comment 6 Alexander Bergmann 2016-07-21 12:09:46 UTC

CVE-2016-6258 was assigned.

Comment 7 Andreas Stieger 2016-07-26 12:34:40 UTC

Public at https://xenbits.xen.org/xsa/advisory-182.html

            Xen Security Advisory CVE-2016-6258 / XSA-182
                              version 3

                x86: Privilege escalation in PV guests

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The PV pagetable code has fast-paths for making updates to pre-existing
pagetable entries, to skip expensive re-validation in safe cases
(e.g. clearing only Access/Dirty bits).  The bits considered safe were too
broad, and not actually safe.

IMPACT
======

A malicous PV guest administrator can escalate their privilege to that
of the host.

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

The vulnerability is only exposed to PV guests on x86 hardware.

The vulnerability is not exposed to x86 HVM guests, or ARM guests.

MITIGATION
==========

Running only HVM guests will avoid this vulnerability.

CREDITS
=======

This issue was discovered by Jérémie Boutoille of Quarkslab.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa182.patch           xen-unstable, Xen 4.7.x
xsa182-4.6.patch       Xen 4.6.x
xsa182-4.5.patch       Xen 4.5.x, 4.4.x, 4.3.x

$ sha256sum xsa182*
303400b9a832a3c1d423cc2cc97c2f00482793722f9ef7dd246783a049ac2792  xsa182-unstable.patch
2383695b1dc114e4e31e42dd05d4c86239ce9606478b5e1a71db1111d95b63a2  xsa182-4.5.patch
f10665acaf17dedd15c40bfeb832b188db1ab3e789d95cc3787575529a280813  xsa182-4.6.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html

Comment 8 Swamp Workflow Management 2016-08-17 16:17:48 UTC

SUSE-SU-2016:2093-1: An update that solves 27 vulnerabilities and has 18 fixes is now available.

Category: security (important)
Bug References: 900418,949889,953339,953362,953518,954872,957986,958848,961600,963161,964427,973188,973631,974038,975130,975138,975907,976058,976111,978164,978295,978413,979620,979670,980716,980724,981264,981276,982024,982025,982026,982224,982225,982286,982695,982960,983973,983984,984981,985503,986586,988675,988676,990843,990923
CVE References: CVE-2014-3672,CVE-2016-3158,CVE-2016-3159,CVE-2016-3710,CVE-2016-3960,CVE-2016-4001,CVE-2016-4002,CVE-2016-4020,CVE-2016-4037,CVE-2016-4439,CVE-2016-4441,CVE-2016-4453,CVE-2016-4454,CVE-2016-4952,CVE-2016-4962,CVE-2016-4963,CVE-2016-5105,CVE-2016-5106,CVE-2016-5107,CVE-2016-5126,CVE-2016-5238,CVE-2016-5337,CVE-2016-5338,CVE-2016-5403,CVE-2016-6258,CVE-2016-6259,CVE-2016-6351
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    xen-4.5.3_08-17.1
SUSE Linux Enterprise Server 12-SP1 (src):    xen-4.5.3_08-17.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    xen-4.5.3_08-17.1

Comment 9 Swamp Workflow Management 2016-08-18 16:19:33 UTC

SUSE-SU-2016:2100-1: An update that solves 26 vulnerabilities and has 16 fixes is now available.

Category: security (important)
Bug References: 954872,955399,957986,958848,961600,963161,964427,967630,973188,974038,974912,975130,975138,975907,976058,976111,978164,978295,978413,979035,979620,979670,980716,980724,981264,981276,982024,982025,982026,982224,982225,982286,982695,982960,983973,983984,985503,986586,988675,989235,990843,990923
CVE References: CVE-2014-3672,CVE-2016-3158,CVE-2016-3159,CVE-2016-3710,CVE-2016-3960,CVE-2016-4001,CVE-2016-4002,CVE-2016-4020,CVE-2016-4037,CVE-2016-4439,CVE-2016-4441,CVE-2016-4453,CVE-2016-4454,CVE-2016-4952,CVE-2016-4962,CVE-2016-4963,CVE-2016-5105,CVE-2016-5106,CVE-2016-5107,CVE-2016-5126,CVE-2016-5238,CVE-2016-5337,CVE-2016-5338,CVE-2016-5403,CVE-2016-6258,CVE-2016-6351
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xen-4.4.4_07-37.1
SUSE Linux Enterprise Server 11-SP4 (src):    xen-4.4.4_07-37.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_07-37.1

Comment 10 Swamp Workflow Management 2016-09-29 16:20:41 UTC

An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2016-10-06.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63075

Comment 11 Charles Arnold 2016-10-03 17:32:40 UTC

Submitted for,

SLE10-SP3
SLE10-SP4
SLE-11-SP1
SLE-11-SP2
SLE-11-SP3
SLE-11-SP4
SLE-12
SLE-12-SP1

Comment 12 Swamp Workflow Management 2016-10-07 12:10:10 UTC

SUSE-SU-2016:2473-1: An update that solves 10 vulnerabilities and has 11 fixes is now available.

Category: security (important)
Bug References: 953518,955104,959330,959552,970135,971949,988675,988676,990500,990970,991934,992224,993665,994421,994625,994761,994772,994775,995785,995789,995792
CVE References: CVE-2016-6258,CVE-2016-6259,CVE-2016-6833,CVE-2016-6834,CVE-2016-6835,CVE-2016-6836,CVE-2016-6888,CVE-2016-7092,CVE-2016-7093,CVE-2016-7094
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    xen-4.5.3_10-20.1
SUSE Linux Enterprise Server 12-SP1 (src):    xen-4.5.3_10-20.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    xen-4.5.3_10-20.1

Comment 13 Swamp Workflow Management 2016-10-11 17:17:06 UTC

openSUSE-SU-2016:2494-1: An update that solves 46 vulnerabilities and has 17 fixes is now available.

Category: security (important)
Bug References: 900418,949889,953339,953362,953518,954872,955104,958848,959330,959552,961100,961600,963161,964427,970135,971949,973188,973631,974038,975130,975138,975907,976058,976111,978164,978295,978413,979620,979670,980716,980724,981264,981276,982024,982025,982026,982224,982225,982286,982695,982960,983973,983984,984981,985503,986586,988675,988676,990500,990843,990923,990970,991934,992224,993665,994421,994625,994761,994772,994775,995785,995789,995792
CVE References: CVE-2014-3615,CVE-2014-3672,CVE-2015-7512,CVE-2015-8504,CVE-2015-8558,CVE-2015-8568,CVE-2015-8613,CVE-2015-8743,CVE-2016-1714,CVE-2016-1981,CVE-2016-3158,CVE-2016-3159,CVE-2016-3710,CVE-2016-3712,CVE-2016-3960,CVE-2016-4001,CVE-2016-4002,CVE-2016-4020,CVE-2016-4037,CVE-2016-4439,CVE-2016-4441,CVE-2016-4453,CVE-2016-4454,CVE-2016-4480,CVE-2016-4952,CVE-2016-4962,CVE-2016-4963,CVE-2016-5105,CVE-2016-5106,CVE-2016-5107,CVE-2016-5126,CVE-2016-5238,CVE-2016-5337,CVE-2016-5338,CVE-2016-5403,CVE-2016-6258,CVE-2016-6259,CVE-2016-6351,CVE-2016-6833,CVE-2016-6834,CVE-2016-6835,CVE-2016-6836,CVE-2016-6888,CVE-2016-7092,CVE-2016-7093,CVE-2016-7094
Sources used:
openSUSE Leap 42.1 (src):    xen-4.5.3_10-15.2

Comment 14 Swamp Workflow Management 2016-10-11 17:28:15 UTC

openSUSE-SU-2016:2497-1: An update that solves 38 vulnerabilities and has 20 fixes is now available.

Category: security (important)
Bug References: 953339,953362,953518,954872,955399,958848,961100,961600,963161,964427,970135,971949,973188,973631,974038,975130,975138,975907,976058,976111,978164,978295,978413,979035,979620,979670,980716,980724,981264,981276,982024,982025,982026,982224,982225,982286,982695,982960,983973,983984,984981,985503,986586,988675,990843,990923,990970,991934,992224,994421,994625,994761,994772,994775,995785,995789,995792,997731
CVE References: CVE-2014-3615,CVE-2014-3672,CVE-2016-3158,CVE-2016-3159,CVE-2016-3710,CVE-2016-3712,CVE-2016-3960,CVE-2016-4001,CVE-2016-4002,CVE-2016-4020,CVE-2016-4037,CVE-2016-4439,CVE-2016-4441,CVE-2016-4453,CVE-2016-4454,CVE-2016-4480,CVE-2016-4952,CVE-2016-4962,CVE-2016-4963,CVE-2016-5105,CVE-2016-5106,CVE-2016-5107,CVE-2016-5126,CVE-2016-5238,CVE-2016-5337,CVE-2016-5338,CVE-2016-5403,CVE-2016-6258,CVE-2016-6351,CVE-2016-6833,CVE-2016-6834,CVE-2016-6835,CVE-2016-6836,CVE-2016-6888,CVE-2016-7092,CVE-2016-7093,CVE-2016-7094,CVE-2016-7154
Sources used:
openSUSE 13.2 (src):    xen-4.4.4_05-49.1

Comment 15 Swamp Workflow Management 2016-10-12 13:11:55 UTC

SUSE-SU-2016:2507-1: An update that solves 10 vulnerabilities and has 8 fixes is now available.

Category: security (important)
Bug References: 966467,970135,971949,988675,990970,991934,992224,993507,994136,994421,994625,994761,994772,994775,995785,995789,995792,997731
CVE References: CVE-2016-6258,CVE-2016-6833,CVE-2016-6834,CVE-2016-6835,CVE-2016-6836,CVE-2016-6888,CVE-2016-7092,CVE-2016-7093,CVE-2016-7094,CVE-2016-7154
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xen-4.4.4_08-40.2
SUSE Linux Enterprise Server 11-SP4 (src):    xen-4.4.4_08-40.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_08-40.2

Comment 16 Swamp Workflow Management 2016-10-13 18:10:36 UTC

SUSE-SU-2016:2528-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 973188,974038,975130,975138,978164,978295,980716,980724,981264,982960,983984,988675,995785,995792
CVE References: CVE-2014-3615,CVE-2014-3672,CVE-2016-3158,CVE-2016-3159,CVE-2016-3710,CVE-2016-3960,CVE-2016-4001,CVE-2016-4002,CVE-2016-4439,CVE-2016-4441,CVE-2016-4480,CVE-2016-5238,CVE-2016-5338,CVE-2016-6258,CVE-2016-7092,CVE-2016-7094
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    xen-4.1.6_08-29.1

Comment 17 Swamp Workflow Management 2016-10-13 19:17:26 UTC

SUSE-SU-2016:2533-1: An update that solves 38 vulnerabilities and has 20 fixes is now available.

Category: security (important)
Bug References: 953339,953362,953518,954872,955399,957986,958848,961600,963161,964427,970135,971949,973188,973631,974038,975130,975138,975907,976058,976111,978164,978295,978413,979035,979620,979670,980716,980724,981264,981276,982024,982025,982026,982224,982225,982286,982695,982960,983973,983984,984981,985503,986586,988675,990843,990923,990970,991934,992224,994421,994625,994761,994772,994775,995785,995789,995792,997731
CVE References: CVE-2014-3615,CVE-2014-3672,CVE-2016-3158,CVE-2016-3159,CVE-2016-3710,CVE-2016-3712,CVE-2016-3960,CVE-2016-4001,CVE-2016-4002,CVE-2016-4020,CVE-2016-4037,CVE-2016-4439,CVE-2016-4441,CVE-2016-4453,CVE-2016-4454,CVE-2016-4480,CVE-2016-4952,CVE-2016-4962,CVE-2016-4963,CVE-2016-5105,CVE-2016-5106,CVE-2016-5107,CVE-2016-5126,CVE-2016-5238,CVE-2016-5337,CVE-2016-5338,CVE-2016-5403,CVE-2016-6258,CVE-2016-6351,CVE-2016-6833,CVE-2016-6834,CVE-2016-6835,CVE-2016-6836,CVE-2016-6888,CVE-2016-7092,CVE-2016-7093,CVE-2016-7094,CVE-2016-7154
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    xen-4.4.4_04-22.22.2
SUSE Linux Enterprise Server 12-LTSS (src):    xen-4.4.4_04-22.22.2

Comment 18 Swamp Workflow Management 2016-11-04 14:15:34 UTC

SUSE-SU-2016:2725-1: An update that solves 21 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 954872,961600,963161,973188,973631,974038,975130,975138,976470,978164,978295,978413,980716,980724,981264,982224,982225,982960,983984,985503,988675,990843,990923,995785,995792
CVE References: CVE-2014-3615,CVE-2014-3672,CVE-2016-3158,CVE-2016-3159,CVE-2016-3710,CVE-2016-3712,CVE-2016-3960,CVE-2016-4001,CVE-2016-4002,CVE-2016-4439,CVE-2016-4441,CVE-2016-4453,CVE-2016-4454,CVE-2016-4480,CVE-2016-5238,CVE-2016-5338,CVE-2016-5403,CVE-2016-6258,CVE-2016-6351,CVE-2016-7092,CVE-2016-7094
Sources used:
SUSE OpenStack Cloud 5 (src):    xen-4.2.5_21-27.1
SUSE Manager Proxy 2.1 (src):    xen-4.2.5_21-27.1
SUSE Manager 2.1 (src):    xen-4.2.5_21-27.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    xen-4.2.5_21-27.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xen-4.2.5_21-27.1

Comment 19 Marcus Meissner 2016-12-22 11:57:30 UTC

released