Some vulnerabilities have been reported in Xen, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or bypass certain security restrictions.

1) An error within the handling of the DR7 debug register can be exploited out of a guest system to crash the hypervisor by setting certain breakpoints.

Successful exploitation may require that a HVM hypervisor is used.

2) Access to the CR4 register is not properly checked. This can be exploited out of a guest system to e.g. crash DomU or Dom0 domains.

Successful exploitation may require that a paravirtualised kernel is used.

3) The ioemu block device backends do not properly check a HVM guest's read or write attempts, which can be exploited out of a HVM guest system to e.g. crash Xen or potentially escape the virtualisation jail by writing into arbitrary Dom0 memory.

Note: Successful exploitation requires privileges to send specially crafted read or write requests to the ioemu block device driver backends.

This is related to vulnerability #7 in:
SA25073

4) An error exists in the PVFB (Para Virtualized Frame Buffer) functionality while processing screen update requests. This can be exploited to cause a crash or potentially execute arbitrary code in a Dom0 domain.

Solution
Update to version 3.2.1, which fixes vulnerabilities #3 and #4.
Further details available in Customer Area

Provided and/or discovered by
1, 2) Reported by Jan Beulich.
3) Ian Jackson
4) Daniel P. Berrange, Red Hat

Changelog
Further details available in Customer Area

Original Advisory
1) http://lists.xensource.com/archives/html/xen-devel/2007-10/msg01048.html
2) http://lists.xensource.com/archives/html/xen-devel/2007-10/msg00932.html
3) http://lists.xensource.com/archives/html/xen-devel/2008-02/msg00610.html

Other references
Further details available in Customer Area

Deep Links
Links available in Customer Area