__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN xen Security and Bug Fix Update [Red Hat RHSA-2008:0194-20] May 13, 2008 20:00 GMT Number S-292 ______________________________________________________________________________ PROBLEM: There are several security issues in xen which could lead to the execution of arbitrary code. PLATFORM: RHEL Desktop Multi OS (v. 5 client) RHEL Virtualization (v. 5 server) Red Hat Enterprise Linux (v. 5 server) Red Hat Enterprise Linux Desktop (v. 5 client) DAMAGE: Execute arbitrary code. SOLUTION: Upgrade to the appropriate version. ______________________________________________________________________________ VULNERABILITY The risk is MEDIUM. A malicious local administrator of guest ASSESSMENT: domain could trigger this flaw to potentially execute arbitrary code outside of the domain. ______________________________________________________________________________ CVSS 2 BASE SCORE: 6.8 TEMPORAL SCORE: 5.3 VECTOR: (AV:N/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C) ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/s-292.shtml ORIGINAL BULLETIN: https://rhn.redhat.com/errata/RHSA-2008-0194.html CVE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2007-3919 CVE-2007-5730 CVE-2008-0928 CVE-2008-1943 CVE-2008-1944 CVE-2008-2004 ______________________________________________________________________________ [***** Start Red Hat RHSA-2008:0194-20 *****] Important: xen security and bug fix update Advisory: RHSA-2008:0194-20 Type: Security Advisory Severity: Important Issued on: 2008-05-13 Last updated on: 2008-05-13 Affected Products: RHEL Desktop Multi OS (v. 5 client) RHEL Virtualization (v. 5 server) Red Hat Enterprise Linux (v. 5 server) Red Hat Enterprise Linux Desktop (v. 5 client) OVAL: com.redhat.rhsa-20080194.xml CVEs (cve.mitre.org): CVE-2007-3919 CVE-2007-5730 CVE-2008-0928 CVE-2008-1943 CVE-2008-1944 CVE-2008-2004 Details Updated xen packages that fix several security issues and a bug are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The xen packages contain tools for managing the virtual machine monitor in Red Hat Virtualization. These updated packages fix the following security issues: Daniel P. Berrange discovered that the hypervisor's para-virtualized framebuffer (PVFB) backend failed to validate the format of messages serving to update the contents of the framebuffer. This could allow a malicious user to cause a denial of service, or compromise the privileged domain (Dom0). (CVE-2008-1944) Markus Armbruster discovered that the hypervisor's para-virtualized framebuffer (PVFB) backend failed to validate the frontend's framebuffer description. This could allow a malicious user to cause a denial of service, or to use a specially crafted frontend to compromise the privileged domain (Dom0). (CVE-2008-1943) Chris Wright discovered a security vulnerability in the QEMU block format auto-detection, when running fully-virtualized guests. Such fully-virtualized guests, with a raw formatted disk image, were able to write a header to that disk image describing another format. This could allow such guests to read arbitrary files in their hypervisor's host. (CVE-2008-2004) Ian Jackson discovered a security vulnerability in the QEMU block device drivers backend. A guest operating system could issue a block device request and read or write arbitrary memory locations, which could lead to privilege escalation. (CVE-2008-0928) Tavis Ormandy found that QEMU did not perform adequate sanity-checking of data received via the "net socket listen" option. A malicious local administrator of a guest domain could trigger this flaw to potentially execute arbitrary code outside of the domain. (CVE-2007-5730) Steve Kemp discovered that the xenbaked daemon and the XenMon utility communicated via an insecure temporary file. A malicious local administrator of a guest domain could perform a symbolic link attack, causing arbitrary files to be truncated. (CVE-2007-3919) As well, in the previous xen packages, it was possible for Dom0 to fail to flush data from a fully-virtualized guest to disk, even if the guest explicitly requested the flush. This could cause data integrity problems on the guest. In these updated packages, Dom0 always respects the request to flush to disk. Users of xen are advised to upgrade to these updated packages, which resolve these issues. Solution Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188 Updated packages RHEL Desktop Multi OS (v. 5 client) -------------------------------------------------------------------------------- IA-32: xen-3.0.3-41.el5_1.5.i386.rpm 01bfef5c31ceb34204dc399bd83e347a xen-devel-3.0.3-41.el5_1.5.i386.rpm 6e4aad94c98dd23365e85ac79bf106f3 x86_64: xen-3.0.3-41.el5_1.5.x86_64.rpm 778df7410dc54ce8e41deba1e7e2647a xen-devel-3.0.3-41.el5_1.5.i386.rpm 6e4aad94c98dd23365e85ac79bf106f3 xen-devel-3.0.3-41.el5_1.5.x86_64.rpm 121c2fc09883c8218a88dcc4e3c506a1 RHEL Virtualization (v. 5 server) -------------------------------------------------------------------------------- IA-32: xen-3.0.3-41.el5_1.5.i386.rpm 01bfef5c31ceb34204dc399bd83e347a xen-devel-3.0.3-41.el5_1.5.i386.rpm 6e4aad94c98dd23365e85ac79bf106f3 IA-64: xen-3.0.3-41.el5_1.5.ia64.rpm a005142b9831e353b370db3153627464 xen-devel-3.0.3-41.el5_1.5.ia64.rpm 63b6af2d2522cbcfa70c2c3c3b5ba221 x86_64: xen-3.0.3-41.el5_1.5.x86_64.rpm 778df7410dc54ce8e41deba1e7e2647a xen-devel-3.0.3-41.el5_1.5.i386.rpm 6e4aad94c98dd23365e85ac79bf106f3 xen-devel-3.0.3-41.el5_1.5.x86_64.rpm 121c2fc09883c8218a88dcc4e3c506a1 Red Hat Enterprise Linux (v. 5 server) -------------------------------------------------------------------------------- SRPMS: xen-3.0.3-41.el5_1.5.src.rpm ea85165bcdc7d00e37a165a76cb4df86 IA-32: xen-libs-3.0.3-41.el5_1.5.i386.rpm e7d5be18a0dc59e333bcdfe3f7b9d065 IA-64: xen-libs-3.0.3-41.el5_1.5.ia64.rpm 103ecae467c2b6e5a0864ace8606e001 x86_64: xen-libs-3.0.3-41.el5_1.5.i386.rpm e7d5be18a0dc59e333bcdfe3f7b9d065 xen-libs-3.0.3-41.el5_1.5.x86_64.rpm 5c15cf920cd38193f2a2644f14114197 Red Hat Enterprise Linux Desktop (v. 5 client) -------------------------------------------------------------------------------- SRPMS: xen-3.0.3-41.el5_1.5.src.rpm ea85165bcdc7d00e37a165a76cb4df86 IA-32: xen-libs-3.0.3-41.el5_1.5.i386.rpm e7d5be18a0dc59e333bcdfe3f7b9d065 x86_64: xen-libs-3.0.3-41.el5_1.5.i386.rpm e7d5be18a0dc59e333bcdfe3f7b9d065 xen-libs-3.0.3-41.el5_1.5.x86_64.rpm 5c15cf920cd38193f2a2644f14114197 (The unlinked packages above are only available from the Red Hat Network) Bugs fixed (see bugzilla for more information) 350421 - CVE-2007-3919 xen xenmon.py / xenbaked insecure temporary file accesss 360381 - CVE-2007-5730 QEMU Buffer overflow via crafted "net socket listen" option 433560 - CVE-2008-0928 Qemu insufficient block device address range checking 435495 - [RHEL5.2]: LTC41676-Xen full virt has data integrity issue 443078 - CVE-2008-1943 PVFB backend fails to validate frontend's framebuffer description 443390 - CVE-2008-1944 PVFB SDL backend chokes on bogus screen updates 444583 - CVE-2008-2004 qemu/kvm/xen: qemu block format auto-detection vulnerability References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3919 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5730 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0928 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1943 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1944 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2004 http://www.redhat.com/security/updates/classification/#important -------------------------------------------------------------------------------- These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from: https://www.redhat.com/security/team/key/#package The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/ [***** End Red Hat RHSA-2008:0194-20 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Red Hat for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) S-213: Nukedit 'email' Parameter Vulnerability S-214: SurgeMail and WebMail 'Page' Command Vulnerability S-215: Symantec Backup Exec Scheduler ActiveX Control Multiple Vulnerabilities S-216: Juniper Networks Secure Access 2000 'rdremediate.cgi' Vulnerability S-217: Drupal Multiple HTML Vulnerabilities S-218: gd Security Update S-219: Juniper Networks Secure Access 2000 Web Root Path Vulnerability S-220: PHP-Nuke My_eGallery Module 'gid' Parameter Vulnerability S-221: Learn2 STRunner ActiveX Control Vulnerabilities S-222: Evolution Security Update