CVE-2012-0217: Buffer Overflow
First published: Tue Apr 17 2012(Updated: )
On Intel CPUs sysret to non-canonical address causes a fault on the sysret instruction itself after the stack pointer is set to guest value but before the CPL is changed. Systems running on AMD CPUs are not vulnerable to this issue as sysret on AMD CPUs does not generate a fault before the CPL change. On Xen, a privileged user on a 64 bit PV guest kernel running on a 64 bit hypervisor could use this flaw to escalate privileges to that of the host. Depending on the particular guest kernel it is also possible that non-privileged guest users could also elevate their privileges to that of the host. For Red Hat Enterprise Linux guests, only privileged guest users can exploit this issue. HVM guests and 32-bit PV guests cannot be used to exploit this issue. Acknowledgements: Red Hat would like to thank the Xen project for reporting this issue. Upstream acknowledges Rafal Wojtczuk as the original reporter.
Credit: security@debian.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| FreeBSD FreeBSD | <=9.0 | |
| illumos | <=r13723 | |
| Joyent SmartOS | <=20120614 | |
| Xen xen-unstable | <=4.1.2 | |
| Xen xen-unstable | =4.0.0 | |
| Xen xen-unstable | =4.0.1 | |
| Xen xen-unstable | =4.0.2 | |
| Xen xen-unstable | =4.0.3 | |
| Xen xen-unstable | =4.0.4 | |
| Xen xen-unstable | =4.1.0 | |
| Xen xen-unstable | =4.1.1 | |
| Microsoft Windows 7 | ||
| Microsoft Windows 7 | =sp1 | |
| Microsoft Windows Server 2003 | =sp2 | |
| Microsoft Windows Server 2008 Itanium | =r2 | |
| Microsoft Windows XP | =sp3 | |
| XenServer | <=6.0.2 | |
| XenServer | =6.0 | |
| NetBSD NetBSD | <=6.0 | |
| Sun SunOS | <=5.11 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://blog.illumos.org/2012/06/14/illumos-vulnerability-patched/
- http://blog.xen.org/index.php/2012/06/13/the-intel-sysret-privilege-escalation/
- http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2012-003.txt.asc
- http://lists.xen.org/archives/html/xen-announce/2012-06/msg00001.html
- http://lists.xen.org/archives/html/xen-devel/2012-06/msg01072.html
- http://secunia.com/advisories/55082
- http://security.freebsd.org/advisories/FreeBSD-SA-12:04.sysret.asc
- http://security.gentoo.org/glsa/glsa-201309-24.xml
- http://smartos.org/2012/06/15/smartos-news-3/
- http://support.citrix.com/article/CTX133161
- http://wiki.smartos.org/display/DOC/SmartOS+Change+Log#SmartOSChangeLog-June14%2C2012
- http://www.debian.org/security/2012/dsa-2501
- http://www.debian.org/security/2012/dsa-2508
- http://www.kb.cert.org/vuls/id/649219
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:150
- http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
- http://www.us-cert.gov/cas/techalerts/TA12-164A.html
- https://bugzilla.redhat.com/show_bug.cgi?id=813428
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-042
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15596
- https://www.exploit-db.com/exploits/28718/
- https://www.exploit-db.com/exploits/46508/
- https://www.illumos.org/issues/2873
- https://access.redhat.com/security/cve/CVE-2005-1764
- https://access.redhat.com/security/cve/CVE-2006-0744
- http://www.openwall.com/lists/oss-security/2012/06/12/1
- https://rhn.redhat.com/errata/RHSA-2012-0720.html
- https://rhn.redhat.com/errata/RHSA-2012-0721.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=813428#c33
- http://www.vupen.com/blog/20120904.Advanced_Exploitation_of_Xen_Sysret_VM_Escape_CVE-2012-0217.php
Frequently Asked Questions
What is the severity of CVE-2012-0217?
CVE-2012-0217 is classified as a high severity vulnerability due to its potential to allow privilege escalation on affected systems.
How do I fix CVE-2012-0217?
To fix CVE-2012-0217, apply the relevant security updates provided by your operating system or software vendor.
Which systems are affected by CVE-2012-0217?
CVE-2012-0217 affects systems running FreeBSD up to version 9.0, various versions of Xen, Microsoft Windows systems, and several others.
Is CVE-2012-0217 exploitable on AMD CPUs?
No, CVE-2012-0217 is not exploitable on AMD CPUs as the sysret instruction does not generate a fault before the CPL change.
What type of vulnerability is CVE-2012-0217?
CVE-2012-0217 is a privilege escalation vulnerability that occurs due to improper handling of sysret instructions in Intel CPUs.
- agent/type
- agent/first-publish-date
- agent/references
- agent/author
- agent/weakness
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2012-0217
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/freebsd
- canonical/freebsd freebsd
- version/freebsd freebsd/9.0
- vendor/illumos
- canonical/illumos
- version/illumos/r13723
- vendor/joyent
- canonical/joyent smartos
- version/joyent smartos/20120614
- vendor/xen
- canonical/xen xen-unstable
- version/xen xen-unstable/4.1.2
- version/xen xen-unstable/4.0.0
- version/xen xen-unstable/4.0.1
- version/xen xen-unstable/4.0.2
- version/xen xen-unstable/4.0.3
- version/xen xen-unstable/4.0.4
- version/xen xen-unstable/4.1.0
- version/xen xen-unstable/4.1.1
- vendor/microsoft
- canonical/microsoft windows 7
- version/microsoft windows 7/sp1
- canonical/microsoft windows server 2003
- version/microsoft windows server 2003/sp2
- canonical/microsoft windows server 2008 itanium
- version/microsoft windows server 2008 itanium/r2
- canonical/microsoft windows xp
- version/microsoft windows xp/sp3
- vendor/citrix
- canonical/xenserver
- version/xenserver/6.0.2
- version/xenserver/6.0
- vendor/netbsd
- canonical/netbsd netbsd
- version/netbsd netbsd/6.0
- vendor/sun
- canonical/sun sunos
- version/sun sunos/5.11