Xen Multiple Vulnerabilities

Secunia Advisory: SA26986
Release Date: 2007-09-27
Last Update: 2007-10-03
Critical: Less critical
Impact: Security Bypass, Privilege escalation
Where: Local system
Solution Status: Unpatched
Software: Xen 3.x
CVE reference: CVE-2007-1320, CVE-2007-1321, CVE-2007-4993

Description: Some vulnerabilities have been reported in Xen, which can be exploited by malicious, local users to bypass certain security restrictions or gain escalated privileges.

1) An input validation error in tools/pygrub/src/GrubConf.py can be exploited by "root" users of a guest domain to execute arbitrary commands in domain 0 via specially crafted entries in grub.conf when the guest system is booted.
2) A boundary error exists within the "cirrus_invalidate_region()" function of the Cirrus video driver, which can be exploited to cause a heap-based buffer overflow.
3) The size of ethernet frames is not correctly checked against the "MTU" before being copied into the registers of the NE2000 network driver. This can be exploited to cause a heap-based buffer overflow.
4) An integer signedness error when processing data in the NE2000 device registers can be exploited to cause a heap-based buffer overflow.

Note: Xen does not use the NE2000 network driver by default. Vulnerabilities 2-4 are related to SA25073.

Vulnerability #1 is reported in Xen 3.0.3. Other versions may also be affected.
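
Added example (not code from Xen, QEMU or this advisory): a toy device model in C showing the general class of length check that items 3 and 4 describe, with a flawed signed comparison beside a hardened unsigned one. All names, the buffer size and the 1514-byte frame limit are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DEV_MEM_SIZE 2048u  /* assumed size of the toy device's packet memory */
#define MAX_FRAME    1514u  /* assumed limit: 14-byte header + 1500-byte MTU */

/* Hypothetical toy NIC model; not the NE2000 emulation itself. */
struct toy_nic {
    uint8_t  mem[DEV_MEM_SIZE];
    uint32_t write_off;     /* guest-writable register: where the frame lands */
};

/* Flawed pattern: signed length with only an upper-bound compare.
 * A negative len passes and turns into a huge size_t inside memcpy(). */
static int flawed_len_ok(int len)
{
    return len <= (int)MAX_FRAME;
}

/* Hardened check: unsigned arithmetic, frame bounded by the MTU-derived
 * limit, and offset + length bounded by the buffer without wrapping. */
static int frame_fits(uint32_t off, size_t len)
{
    if (len == 0 || len > MAX_FRAME)
        return 0;
    if (off >= DEV_MEM_SIZE)
        return 0;
    return len <= DEV_MEM_SIZE - off;
}

/* Copy a frame into device memory only after validation.
 * Returns the number of bytes copied, or -1 if the frame is rejected. */
static int toy_nic_receive(struct toy_nic *nic, const uint8_t *frame, size_t len)
{
    if (!frame_fits(nic->write_off, len))
        return -1;
    memcpy(nic->mem + nic->write_off, frame, len);
    return (int)len;
}

int main(void)
{
    struct toy_nic nic = { .write_off = 2040 };
    uint8_t frame[64] = { 0 };          /* constructed sample frame */
    if (!flawed_len_ok(-1))             /* the flawed check accepts -1 */
        return 1;
    /* 2040 + 64 > 2048: rejected instead of writing past mem[] */
    return toy_nic_receive(&nic, frame, sizeof frame) == -1 ? 0 : 1;
}
```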

Solution: Grant only trusted users "root" privileges to guest domains.

Provided and/or discovered by:
1) Joris van Rantwijk
2-4) Tavis Ormandy

Changelog: 2007-10-03: Added vulnerabilities 2-4.

Original Advisory: 1) http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=1068

Other References: SA25073: http://secunia.com/advisories/25073/

Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.

5 Related Secunia Security Advisories
1. Xen PVFB Shared Framebuffer Processing Vulnerability
2. Xen Multiple Vulnerabilities
3. Xen PAL Emulation "copy_to_user()" Security Bypass
4. Xen "mov_to_rr" Security Bypass Vulnerability
5. Xen "xenbaked" Insecure Temporary Files