CVE-2012-0217: Buffer Overflow
First published: Tue Apr 17 2012(Updated: )
On Intel CPUs sysret to non-canonical address causes a fault on the sysret instruction itself after the stack pointer is set to guest value but before the CPL is changed. Systems running on AMD CPUs are not vulnerable to this issue as sysret on AMD CPUs does not generate a fault before the CPL change. On Xen, a privileged user on a 64 bit PV guest kernel running on a 64 bit hypervisor could use this flaw to escalate privileges to that of the host. Depending on the particular guest kernel it is also possible that non-privileged guest users could also elevate their privileges to that of the host. For Red Hat Enterprise Linux guests, only privileged guest users can exploit this issue. HVM guests and 32-bit PV guests cannot be used to exploit this issue. Acknowledgements: Red Hat would like to thank the Xen project for reporting this issue. Upstream acknowledges Rafal Wojtczuk as the original reporter.
Credit: security@debian.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| FreeBSD FreeBSD | <=9.0 | |
| Illumos Illumos | <=r13723 | |
| Joyent SmartOS | <=20120614 | |
| Xen Xen | <=4.1.2 | |
| Xen Xen | =4.0.0 | |
| Xen Xen | =4.0.1 | |
| Xen Xen | =4.0.2 | |
| Xen Xen | =4.0.3 | |
| Xen Xen | =4.0.4 | |
| Xen Xen | =4.1.0 | |
| Xen Xen | =4.1.1 | |
| Microsoft Windows 7 | ||
| Microsoft Windows 7 | =sp1 | |
| Microsoft Windows Server 2003 | =sp2 | |
| Microsoft Windows Server 2008 | =r2 | |
| Microsoft Windows XP | =sp3 | |
| Citrix XenServer | <=6.0.2 | |
| Citrix XenServer | =6.0 | |
| NetBSD NetBSD | <=6.0 | |
| Sun SunOS | <=5.11 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://blog.illumos.org/2012/06/14/illumos-vulnerability-patched/
- http://blog.xen.org/index.php/2012/06/13/the-intel-sysret-privilege-escalation/
- http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2012-003.txt.asc
- http://lists.xen.org/archives/html/xen-announce/2012-06/msg00001.html
- http://lists.xen.org/archives/html/xen-devel/2012-06/msg01072.html
- http://secunia.com/advisories/55082
- http://security.freebsd.org/advisories/FreeBSD-SA-12:04.sysret.asc
- http://security.gentoo.org/glsa/glsa-201309-24.xml
- http://smartos.org/2012/06/15/smartos-news-3/
- http://support.citrix.com/article/CTX133161
- http://wiki.smartos.org/display/DOC/SmartOS+Change+Log#SmartOSChangeLog-June14%2C2012
- http://www.debian.org/security/2012/dsa-2501
- http://www.debian.org/security/2012/dsa-2508
- http://www.kb.cert.org/vuls/id/649219
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:150
- http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
- http://www.us-cert.gov/cas/techalerts/TA12-164A.html
- https://bugzilla.redhat.com/show_bug.cgi?id=813428
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-042
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15596
- https://www.exploit-db.com/exploits/28718/
- https://www.exploit-db.com/exploits/46508/
- https://www.illumos.org/issues/2873
- https://access.redhat.com/security/cve/CVE-2005-1764
- https://access.redhat.com/security/cve/CVE-2006-0744
- http://www.openwall.com/lists/oss-security/2012/06/12/1
- https://rhn.redhat.com/errata/RHSA-2012-0720.html
- https://rhn.redhat.com/errata/RHSA-2012-0721.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=813428#c33
- http://www.vupen.com/blog/20120904.Advanced_Exploitation_of_Xen_Sysret_VM_Escape_CVE-2012-0217.php
- agent/type
- agent/first-publish-date
- agent/references
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/author
- agent/weakness
- agent/severity
- agent/softwarecombine
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2012-0217
- vendor/freebsd
- canonical/freebsd freebsd
- version/freebsd freebsd/9.0
- vendor/illumos
- canonical/illumos illumos
- version/illumos illumos/r13723
- vendor/joyent
- canonical/joyent smartos
- version/joyent smartos/20120614
- vendor/xen
- canonical/xen xen
- version/xen xen/4.1.2
- version/xen xen/4.0.0
- version/xen xen/4.0.1
- version/xen xen/4.0.2
- version/xen xen/4.0.3
- version/xen xen/4.0.4
- version/xen xen/4.1.0
- version/xen xen/4.1.1
- vendor/microsoft
- canonical/microsoft windows 7
- version/microsoft windows 7/sp1
- canonical/microsoft windows server 2003
- version/microsoft windows server 2003/sp2
- canonical/microsoft windows server 2008
- version/microsoft windows server 2008/r2
- canonical/microsoft windows xp
- version/microsoft windows xp/sp3
- vendor/citrix
- canonical/citrix xenserver
- version/citrix xenserver/6.0.2
- version/citrix xenserver/6.0
- vendor/netbsd
- canonical/netbsd netbsd
- version/netbsd netbsd/6.0
- vendor/sun
- canonical/sun sunos
- version/sun sunos/5.11