ID CVE-2012-0217
Summary The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and other products; Oracle Solaris 11 and earlier; illumos before r13724; Joyent SmartOS before 20120614T184600Z; FreeBSD before 9.0-RELEASE-p3; NetBSD 6.0 Beta and earlier; Microsoft Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1; and possibly other operating systems, when running on an Intel processor, incorrectly uses the sysret path in cases where a certain address is not a canonical address, which allows local users to gain privileges via a crafted application. NOTE: because this issue is due to incorrect use of the Intel specification, it should have been split into separate identifiers; however, there was some value in preserving the original mapping of the multi-codebase coordinated-disclosure effort to a single identifier.
References
Vulnerable Configurations
  • FreeBSD 9.0
    cpe:2.3:o:freebsd:freebsd:9.0
  • Illumos r13723
    cpe:2.3:o:illumos:illumos:r13723
  • Joyent SmartOS 20120614
    cpe:2.3:o:joyent:smartos:20120614
  • Xen 4.0.0
    cpe:2.3:o:xen:xen:4.0.0
  • Xen 4.0.1
    cpe:2.3:o:xen:xen:4.0.1
  • Xen 4.0.2
    cpe:2.3:o:xen:xen:4.0.2
  • Xen 4.0.3
    cpe:2.3:o:xen:xen:4.0.3
  • Xen 4.0.4
    cpe:2.3:o:xen:xen:4.0.4
  • Xen 4.1.0
    cpe:2.3:o:xen:xen:4.1.0
  • Xen 4.1.1
    cpe:2.3:o:xen:xen:4.1.1
  • Xen 4.1.2
    cpe:2.3:o:xen:xen:4.1.2
  • cpe:2.3:o:microsoft:windows_7:-:x64
    cpe:2.3:o:microsoft:windows_7:-:x64
  • Microsoft Windows 7 64-bit Service Pack 1 (initial release)
    cpe:2.3:o:microsoft:windows_7:-:sp1:x64
  • Microsoft Windows Server 2003 Service Pack 2
    cpe:2.3:o:microsoft:windows_server_2003:-:sp2
  • Windows Server 2008 R2 for 32-bit Systems
    cpe:2.3:o:microsoft:windows_server_2008:r2:-:x64
  • Microsoft Windows Server 2008 R2 Service Pack 1 x64 (64-bit)
    cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:x64
  • Microsoft Windows XP Service Pack 3
    cpe:2.3:o:microsoft:windows_xp:-:sp3
  • Citrix XenServer 6.0
    cpe:2.3:a:citrix:xenserver:6.0
  • Citrix XenServer 6.0.2
    cpe:2.3:a:citrix:xenserver:6.0.2
  • NetBSD 6.0 Beta
    cpe:2.3:o:netbsd:netbsd:6.0:beta
  • Sun SunOS (Solaris 11) 5.11
    cpe:2.3:o:sun:sunos:5.11
CVSS
Base: 7.2 (as of 03-10-2013 - 09:28)
Impact:
Exploitability:
CWE CWE-119
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
Access
Vector: LOCAL
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: COMPLETE
Integrity: COMPLETE
Availability: COMPLETE
exploit-db via4
  • description Microsoft Windows Kernel Intel x64 SYSRET PoC. CVE-2012-0217. Local exploit for win64 platform
    id EDB-ID:20861
    last seen 2016-02-02
    modified 2012-08-27
    published 2012-08-27
    reporter Shahriyar Jalayeri
    source https://www.exploit-db.com/download/20861/
    title Microsoft Windows Kernel Intel x64 SYSRET PoC
  • description FreeBSD 9.0 - Intel SYSRET Kernel Privilege Escalation Exploit. CVE-2012-0217. Local exploit for freebsd platform
    file exploits/freebsd/local/28718.c
    id EDB-ID:28718
    last seen 2016-02-03
    modified 2013-10-04
    platform freebsd
    port
    published 2013-10-04
    reporter CurcolHekerLink
    source https://www.exploit-db.com/download/28718/
    title FreeBSD 9.0 - Intel SYSRET Kernel Privilege Escalation Exploit
    type local
msbulletin via4
bulletin_id MS12-042
bulletin_url
date 2012-06-12T00:00:00
impact Elevation of Privilege
knowledgebase_id 2711167
knowledgebase_url
severity Important
title Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege
nessus via4
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2012-0021.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - x86-64: detect processors subject to AMD erratum #121 and refuse to boot (CVE-2006-0744) - guest denial of service on syscall/sysenter exception generation (CVE-2012-0217),(CVE-2012-0218) - Remove unnecessary balloon retries on vm create. This is a backport from fix for bug 14143327.
    last seen 2018-09-01
    modified 2018-07-24
    plugin id 79477
    published 2014-11-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79477
    title OracleVM 3.1 : xen (OVMSA-2012-0021)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2012-0022.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - CVE-2012-0217 CVE-2012-0218: guest DoS on syscall/sysenter exception generation [orabug 13993157]
    last seen 2018-09-01
    modified 2018-07-24
    plugin id 79478
    published 2014-11-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79478
    title OracleVM 2.2 : xen (OVMSA-2012-0022)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_XEN-201206-8180.NASL
    description Three security issues were found in XEN. Two security issues are fixed by this update : - Due to incorrect fault handling in the XEN hypervisor it was possible for a XEN guest domain administrator to execute code in the XEN host environment. (CVE-2012-0217) - Also a guest user could crash the guest XEN kernel due to a protection fault bounce. (CVE-2012-0218) The third fix is changing the Xen behaviour on certain hardware : - The issue is a denial of service issue on older pre-SVM AMD CPUs (AMD Erratum 121). (CVE-2012-2934) AMD Erratum #121 is described in 'Revision Guide for AMD Athlon 64 and AMD Opteron Processors': http://support.amd.com/us/Processor_TechDocs/25759.pdf The following 130nm and 90nm (DDR1-only) AMD processors are subject to this erratum : o First-generation AMD-Opteron(tm) single and dual core processors in either 939 or 940 packages : - AMD Opteron(tm) 100-Series Processors - AMD Opteron(tm) 200-Series Processors - AMD Opteron(tm) 800-Series Processors - AMD Athlon(tm) processors in either 754, 939 or 940 packages - AMD Sempron(tm) processor in either 754 or 939 packages - AMD Turion(tm) Mobile Technology in 754 package This issue does not affect Intel processors. The impact of this flaw is that a malicious PV guest user can halt the host system. As this is a hardware flaw, it is not fixable except by upgrading your hardware to a newer revision, or not allowing untrusted 64bit guest systems. The patch changes the behaviour of the host system booting, which makes it unable to create guest machines until a specific boot option is set. There is a new XEN boot option 'allow_unsafe' for GRUB which allows the host to start guests again. This is added to /boot/grub/menu.lst in the line looking like this : kernel /boot/xen.gz .... allow_unsafe Note: .... in this example represents the existing boot options for the host.
    last seen 2018-09-01
    modified 2018-01-31
    plugin id 59469
    published 2012-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59469
    title SuSE 10 Security Update : Xen (ZYPP Patch Number 8180)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2012-404.NASL
    description This update of XEN fixed multiple security flaws that could be exploited by local attackers to cause a Denial of Service or potentially escalate privileges. Additionally, several other upstream changes were backported.
    last seen 2018-09-01
    modified 2018-02-02
    plugin id 74683
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74683
    title openSUSE Security Update : xen (openSUSE-2012-404)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20120612_KERNEL_ON_SL5_X.NASL
    description The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : - It was found that the Xen hypervisor implementation as shipped with Scientific Linux 5 did not properly restrict the syscall return addresses in the sysret return path to canonical addresses. An unprivileged user in a 64-bit para-virtualized guest, that is running on a 64-bit host that has an Intel CPU, could use this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute arbitrary code at the hypervisor level. (CVE-2012-0217, Important) - It was found that guests could trigger a bug in earlier AMD CPUs, leading to a CPU hard lockup, when running on the Xen hypervisor implementation. An unprivileged user in a 64-bit para-virtualized guest could use this flaw to crash the host. Warning: After installing this update, hosts that are using an affected AMD CPU (refer to upstream bug #824966 for a list) will fail to boot. In order to boot such hosts, the new kernel parameter, allow_unsafe, can be used ('allow_unsafe=on'). This option should only be used with hosts that are running trusted guests, as setting it to 'on' reintroduces the flaw (allowing guests to crash the host). (CVE-2012-2934, Moderate) Note: For Scientific Linux guests, only privileged guest users can exploit the CVE-2012-0217 and CVE-2012-2934 issues. Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2018-09-01
    modified 2018-01-31
    plugin id 61326
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=61326
    title Scientific Linux Security Update : kernel on SL5.x i386/x86_64
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2012-0721-1.NASL
    description From Red Hat Security Advisory 2012:0721 : Updated kernel packages that fix two security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * It was found that the Xen hypervisor implementation as shipped with Red Hat Enterprise Linux 5 did not properly restrict the syscall return addresses in the sysret return path to canonical addresses. An unprivileged user in a 64-bit para-virtualized guest, that is running on a 64-bit host that has an Intel CPU, could use this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute arbitrary code at the hypervisor level. (CVE-2012-0217, Important) * It was found that guests could trigger a bug in earlier AMD CPUs, leading to a CPU hard lockup, when running on the Xen hypervisor implementation. An unprivileged user in a 64-bit para-virtualized guest could use this flaw to crash the host. Warning: After installing this update, hosts that are using an affected AMD CPU (refer to Red Hat Bugzilla bug #824966 for a list) will fail to boot. In order to boot such hosts, the new kernel parameter, allow_unsafe, can be used ('allow_unsafe=on'). This option should only be used with hosts that are running trusted guests, as setting it to 'on' reintroduces the flaw (allowing guests to crash the host). (CVE-2012-2934, Moderate) Note: For Red Hat Enterprise Linux guests, only privileged guest users can exploit the CVE-2012-0217 and CVE-2012-2934 issues. Red Hat would like to thank the Xen project for reporting these issues. Upstream acknowledges Rafal Wojtczuk as the original reporter of CVE-2012-0217. Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2018-09-01
    modified 2018-07-18
    plugin id 68539
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68539
    title Oracle Linux 5 : kernel (ELSA-2012-0721-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2508.NASL
    description Rafal Wojtczuk from Bromium discovered that FreeBSD wasn't handling correctly uncanonical return addresses on Intel amd64 CPUs, allowing privilege escalation to kernel for local users.
    last seen 2018-11-11
    modified 2018-11-10
    plugin id 60088
    published 2012-07-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60088
    title Debian DSA-2508-1 : kfreebsd-8 - privilege escalation
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2012-0721.NASL
    description Updated kernel packages that fix two security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * It was found that the Xen hypervisor implementation as shipped with Red Hat Enterprise Linux 5 did not properly restrict the syscall return addresses in the sysret return path to canonical addresses. An unprivileged user in a 64-bit para-virtualized guest, that is running on a 64-bit host that has an Intel CPU, could use this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute arbitrary code at the hypervisor level. (CVE-2012-0217, Important) * It was found that guests could trigger a bug in earlier AMD CPUs, leading to a CPU hard lockup, when running on the Xen hypervisor implementation. An unprivileged user in a 64-bit para-virtualized guest could use this flaw to crash the host. Warning: After installing this update, hosts that are using an affected AMD CPU (refer to Red Hat Bugzilla bug #824966 for a list) will fail to boot. In order to boot such hosts, the new kernel parameter, allow_unsafe, can be used ('allow_unsafe=on'). This option should only be used with hosts that are running trusted guests, as setting it to 'on' reintroduces the flaw (allowing guests to crash the host). (CVE-2012-2934, Moderate) Note: For Red Hat Enterprise Linux guests, only privileged guest users can exploit the CVE-2012-0217 and CVE-2012-2934 issues. Red Hat would like to thank the Xen project for reporting these issues. Upstream acknowledges Rafal Wojtczuk as the original reporter of CVE-2012-0217. Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2018-11-11
    modified 2018-11-10
    plugin id 59479
    published 2012-06-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59479
    title CentOS 5 : kernel (CESA-2012:0721)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2501.NASL
    description Several vulnerabilities were discovered in Xen, a hypervisor. - CVE-2012-0217 Xen does not properly handle uncanonical return addresses on Intel amd64 CPUs, allowing amd64 PV guests to elevate to hypervisor privileges. AMD processors, HVM and i386 guests are not affected. - CVE-2012-0218 Xen does not properly handle SYSCALL and SYSENTER instructions in PV guests, allowing unprivileged users inside a guest system to crash the guest system. - CVE-2012-2934 Xen does not detect old AMD CPUs affected by AMD Erratum #121. For CVE-2012-2934, Xen refuses to start domUs on affected systems unless the 'allow_unsafe' option is passed.
    last seen 2018-11-11
    modified 2018-11-10
    plugin id 59779
    published 2012-06-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59779
    title Debian DSA-2501-1 : xen - several vulnerabilities
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2012-0020.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - x86-64: detect processors subject to AMD erratum #121 and refuse to boot (CVE-2006-0744) - guest denial of service on syscall/sysenter exception generation (CVE-2012-0217) - Remove unnecessary balloon retries on vm create. This is a backport from fix for bug 14143327. - This backport from 3.1.1: Author: amisherf Put back the patch that prevent older guest that uses kudzu from hanging on a reboot. Fixed the patch to prevent excessive watcher writes which causes xend, xenstored to run at a 100% cpu usage. Now the watch is written only if console in Initialising, InitWait, Initialised states which happen once at boot time. [bug 13523487] - Backport from upstream changeset 20968 xend: notify xenpv device model that console info is ready Sometimes PV domain with vfb doesn't boot up. /sbin/kudzu is stuck. After investigation, I've found that the evtchn for console is not bound at all. Normal sequence of evtchn initialization in qemu-dm for xenpv is: 1) watch xenstore backpath (/local/domain/0/backend/console//0) 2) read console info (/local/domain//console/[type, ring-ref, port..= ]) 3) bind the evtchn to the port. But in some case, xend writes to the backpath before the console info is prepared, and never write to the backpath again. So the qemu-dm fails at 2) and never reach to 3). When this happens, manually xenstore-write command on Domain-0 resumes the guest. - Set max cstate to 1. This is a backport requirement for bug 13703504. We have several bugs that cstate made system unstable, both for ovm2 and ovm3: For OVM3.x: Bug 13703504 - unexplained network disconnect causes ocfs to fence the server For OVM2.x
    last seen 2018-09-01
    modified 2018-07-24
    plugin id 79476
    published 2014-11-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79476
    title OracleVM 3.0 : xen (OVMSA-2012-0020)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201309-24.NASL
    description The remote host is affected by the vulnerability described in GLSA-201309-24 (Xen: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Xen. Please review the CVE identifiers referenced below for details. Impact : Guest domains could possibly gain privileges, execute arbitrary code, or cause a Denial of Service on the host domain (Dom0). Additionally, guest domains could gain information about other virtual machines running on the same host or read arbitrary files on the host. Workaround : The CVEs listed below do not currently have fixes, but only apply to Xen setups which have “tmem” specified on the hypervisor command line. TMEM is not currently supported for use in production systems, and administrators using tmem should disable it. Relevant CVEs: * CVE-2012-2497 * CVE-2012-6030 * CVE-2012-6031 * CVE-2012-6032 * CVE-2012-6033 * CVE-2012-6034 * CVE-2012-6035 * CVE-2012-6036
    last seen 2018-09-01
    modified 2018-07-11
    plugin id 70184
    published 2013-09-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70184
    title GLSA-201309-24 : Xen: Multiple vulnerabilities
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2012-0721.NASL
    description From Red Hat Security Advisory 2012:0721 : Updated kernel packages that fix two security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * It was found that the Xen hypervisor implementation as shipped with Red Hat Enterprise Linux 5 did not properly restrict the syscall return addresses in the sysret return path to canonical addresses. An unprivileged user in a 64-bit para-virtualized guest, that is running on a 64-bit host that has an Intel CPU, could use this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute arbitrary code at the hypervisor level. (CVE-2012-0217, Important) * It was found that guests could trigger a bug in earlier AMD CPUs, leading to a CPU hard lockup, when running on the Xen hypervisor implementation. An unprivileged user in a 64-bit para-virtualized guest could use this flaw to crash the host. Warning: After installing this update, hosts that are using an affected AMD CPU (refer to Red Hat Bugzilla bug #824966 for a list) will fail to boot. In order to boot such hosts, the new kernel parameter, allow_unsafe, can be used ('allow_unsafe=on'). This option should only be used with hosts that are running trusted guests, as setting it to 'on' reintroduces the flaw (allowing guests to crash the host). (CVE-2012-2934, Moderate) Note: For Red Hat Enterprise Linux guests, only privileged guest users can exploit the CVE-2012-0217 and CVE-2012-2934 issues. Red Hat would like to thank the Xen project for reporting these issues. Upstream acknowledges Rafal Wojtczuk as the original reporter of CVE-2012-0217. Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2018-09-01
    modified 2018-07-18
    plugin id 68540
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68540
    title Oracle Linux 5 : kernel (ELSA-2012-0721)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2012-403.NASL
    description This update of XEN fixed multiple security flaws that could be exploited by local attackers to cause a Denial of Service or potentially escalate privileges. Additionally, several other upstream changes were backported.
    last seen 2018-11-13
    modified 2018-11-10
    plugin id 74682
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74682
    title openSUSE Security Update : xen (openSUSE-SU-2012:0886-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_XEN-201206-120606.NASL
    description Three security issues were found in XEN. Two security issues are fixed by this update : - Due to incorrect fault handling in the XEN hypervisor it was possible for a XEN guest domain administrator to execute code in the XEN host environment. (CVE-2012-0217) - Also a guest user could crash the guest XEN kernel due to a protection fault bounce. The third fix is changing the Xen behaviour on certain hardware:. (CVE-2012-0218) - The issue is a denial of service issue on older pre-SVM AMD CPUs (AMD Erratum 121). AMD Erratum #121 is described in 'Revision Guide for AMD Athlon 64 and AMD Opteron Processors': http://support.amd.com/us/Processor_TechDocs/25759.pdf. (CVE-2012-2934) The following 130nm and 90nm (DDR1-only) AMD processors are subject to this erratum : - First-generation AMD-Opteron(tm) single and dual core processors in either 939 or 940 packages : - AMD Opteron(tm) 100-Series Processors - AMD Opteron(tm) 200-Series Processors - AMD Opteron(tm) 800-Series Processors - AMD Athlon(tm) processors in either 754, 939 or 940 packages - AMD Sempron(tm) processor in either 754 or 939 packages - AMD Turion(tm) Mobile Technology in 754 package This issue does not affect Intel processors. The impact of this flaw is that a malicious PV guest user can halt the host system. As this is a hardware flaw, it is not fixable except by upgrading your hardware to a newer revision, or not allowing untrusted 64bit guest systems. The patch changes the behaviour of the host system booting, which makes it unable to create guest machines until a specific boot option is set. There is a new XEN boot option 'allow_unsafe' for GRUB which allows the host to start guests again. This is added to /boot/grub/menu.lst in the line looking like this : kernel /boot/xen.gz .... allow_unsafe Note: .... in this example represents the existing boot options for the host.
    last seen 2018-09-01
    modified 2018-01-31
    plugin id 64233
    published 2013-01-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64233
    title SuSE 11.1 Security Update : Xen (SAT Patch Number 6399)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS_OCT2012_SRU10_5.NASL
    description This Solaris system is missing necessary patches to address critical security updates : - Vulnerability in the Solaris component of Oracle Sun Products Suite (subcomponent: Kernel). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability requiring logon to Operating System. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Note: CVE-2012-0217 only affects Solaris instances running on platforms other than SPARC. (CVE-2012-0217) - Vulnerability in the Solaris component of Oracle Sun Products Suite (subcomponent: Power Management). The supported version that is affected is 11. Easily exploitable vulnerability requiring logon to Operating System. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. (CVE-2012-3204) - Vulnerability in the Solaris component of Oracle Sun Products Suite (subcomponent: Logical Domain(LDOM)). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability requiring logon to Operating System. Successful attack of this vulnerability can result in unauthorized Operating System hang or frequently repeatable crash (complete DOS) as well as update, insert or delete access to some Solaris accessible data. Note: CVE-2012-3209 and CVE-2012-3215 only affects Solaris on the SPARC platform. (CVE-2012-3209) - Vulnerability in the Solaris component of Oracle Sun Products Suite (subcomponent: Vino server). The supported version that is affected is 11. Easily exploitable vulnerability requiring logon to Operating System. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Solaris accessible data. (CVE-2012-3205)
    last seen 2018-11-15
    modified 2018-11-14
    plugin id 76829
    published 2014-07-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=76829
    title Oracle Solaris Critical Patch Update : oct2012_SRU10_5
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2012-0720.NASL
    description Updated kernel packages that fix two security issues and multiple bugs are now available for Red Hat Enterprise Linux 5.6 Extended Update Support. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. [Updated 19th June 2012] The original erratum text provided an incorrect description for BZ#807929. The text has been updated to provide the correct description. No changes have been made to the packages. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * It was found that the Xen hypervisor implementation as shipped with Red Hat Enterprise Linux 5 did not properly restrict the syscall return addresses in the sysret return path to canonical addresses. An unprivileged user in a 64-bit para-virtualized guest, that is running on a 64-bit host that has an Intel CPU, could use this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute arbitrary code at the hypervisor level. (CVE-2012-0217, Important) Note: For Red Hat Enterprise Linux guests, only privileged guest users can exploit CVE-2012-0217. * A flaw in the xfrm6_tunnel_rcv() function in the Linux kernel's IPv6 implementation could lead to a use-after-free or double free flaw in tunnel6_rcv(). A remote attacker could use this flaw to send specially crafted packets to a target system that is using IPv6 and also has the xfrm6_tunnel kernel module loaded, causing it to crash. (CVE-2012-1583, Important) If you do not run applications that use xfrm6_tunnel, you can prevent the xfrm6_tunnel module from being loaded by creating (as the root user) a '/etc/modprobe.d/xfrm6_tunnel.conf' file, and adding the following line to it : blacklist xfrm6_tunnel This way, the xfrm6_tunnel module cannot be loaded accidentally. A reboot is not necessary for this change to take effect. Red Hat would like to thank the Xen project for reporting CVE-2012-0217. Upstream acknowledges Rafal Wojtczuk as the original reporter of CVE-2012-0217. This update also fixes the following bugs : * A bug in the vsyscall interface caused 32-bit multi-threaded programs, which received the SIGCANCEL signal right after they returned from a system call, to terminate unexpectedly with a segmentation fault when run on the AMD64 or Intel 64 architecture. A patch has been provided to address this issue and the crashes no longer occur in the described scenario. (BZ#807929) * Incorrect duplicate MAC addresses were being used on a rack network daughter card that contained a quad-port Intel I350 Gigabit Ethernet Controller. With this update, the underlying source code has been modified to address this issue, and correct MAC addresses are now used under all circumstances. (BZ#813195) * When the Fibre Channel (FC) layer sets a device to 'running', the layer also scans for other new devices. Previously, there was a race condition between these two operations. Consequently, for certain targets, thousands of invalid devices were created by the SCSI layer and the udev service. This update ensures that the FC layer always sets a device to 'online' before scanning for others, thus fixing this bug. Additionally, when attempting to transition priority groups on a busy FC device, the multipath layer retried immediately. If this was the only available path, a large number of retry operations were performed in a short period of time. Consequently, the logging of retry messages slowed down the system. This bug has been fixed by ensuring that the DM Multipath feature delays retry operations in the described scenario. (BZ#816683) * Due to incorrect use of the list_for_each_entry_safe() macro, the enumeration of remote procedure calls (RPCs) priority wait queue tasks stored in the tk_wait.links list failed. As a consequence, the rpc_wake_up() and rpc_wake_up_status() functions failed to wake up all tasks. This caused the system to become unresponsive and could significantly decrease system performance. Now, the list_for_each_entry_safe() macro is no longer used in rpc_wake_up(), ensuring reasonable system performance. (BZ#817570) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2018-11-13
    modified 2018-11-10
    plugin id 64039
    published 2013-01-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64039
    title RHEL 5 : kernel (RHSA-2012:0720)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2012-0721.NASL
    description Updated kernel packages that fix two security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * It was found that the Xen hypervisor implementation as shipped with Red Hat Enterprise Linux 5 did not properly restrict the syscall return addresses in the sysret return path to canonical addresses. An unprivileged user in a 64-bit para-virtualized guest, that is running on a 64-bit host that has an Intel CPU, could use this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute arbitrary code at the hypervisor level. (CVE-2012-0217, Important) * It was found that guests could trigger a bug in earlier AMD CPUs, leading to a CPU hard lockup, when running on the Xen hypervisor implementation. An unprivileged user in a 64-bit para-virtualized guest could use this flaw to crash the host. Warning: After installing this update, hosts that are using an affected AMD CPU (refer to Red Hat Bugzilla bug #824966 for a list) will fail to boot. In order to boot such hosts, the new kernel parameter, allow_unsafe, can be used ('allow_unsafe=on'). This option should only be used with hosts that are running trusted guests, as setting it to 'on' reintroduces the flaw (allowing guests to crash the host). (CVE-2012-2934, Moderate) Note: For Red Hat Enterprise Linux guests, only privileged guest users can exploit the CVE-2012-0217 and CVE-2012-2934 issues. Red Hat would like to thank the Xen project for reporting these issues. Upstream acknowledges Rafal Wojtczuk as the original reporter of CVE-2012-0217. Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2018-11-13
    modified 2018-11-10
    plugin id 59467
    published 2012-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59467
    title RHEL 5 : kernel (RHSA-2012:0721)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_AED44C4EC06711E1B5E0000C299B62E1.NASL
    description Problem description : FreeBSD/amd64 runs on CPUs from different vendors. Due to varying behaviour of CPUs in 64 bit mode a sanity check of the kernel may be insufficient when returning from a system call. Successful exploitation of the problem can lead to local kernel privilege escalation, kernel data corruption and/or crash. To exploit this vulnerability, an attacker must be able to run code with user privileges on the target system.
    last seen 2018-11-13
    modified 2018-11-10
    plugin id 59748
    published 2012-06-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59748
    title FreeBSD : FreeBSD -- Privilege escalation when returning from kernel (aed44c4e-c067-11e1-b5e0-000c299b62e1)
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS12-042.NASL
    description The remote host is running a Windows kernel version that is affected by multiple elevation of privilege vulnerabilities : - A vulnerability exists in the way that the Windows User Mode Scheduler handles system requests that can be exploited to execute arbitrary code in kernel mode. (CVE-2012-0217) - A vulnerability exists in the way that Windows handles BIOS memory that can be exploited to execute arbitrary code in kernel mode. (CVE-2012-1515)
    last seen 2018-11-17
    modified 2018-11-15
    plugin id 59460
    published 2012-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59460
    title MS12-042: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2711167)
oval via4
accepted 2012-07-30T04:00:28.580-04:00
class vulnerability
contributors
  • name SecPod Team
    organization SecPod Technologies
  • name Chandan S
    organization SecPod Technologies
definition_extensions
  • comment Microsoft Windows Server 2008 R2 x64 Edition is installed
    oval oval:org.mitre.oval:def:6438
  • comment Microsoft Windows 7 x64 Edition is installed
    oval oval:org.mitre.oval:def:5950
  • comment Microsoft Windows 7 x64 Service Pack 1 is installed
    oval oval:org.mitre.oval:def:12627
  • comment Microsoft Windows Server 2008 R2 x64 Service Pack 1 is installed
    oval oval:org.mitre.oval:def:12567
description The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and other products; Oracle Solaris 11 and earlier; illumos before r13724; Joyent SmartOS before 20120614T184600Z; FreeBSD before 9.0-RELEASE-p3; NetBSD 6.0 Beta and earlier; Microsoft Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1; and possibly other operating systems, when running on an Intel processor, incorrectly uses the sysret path in cases where a certain address is not a canonical address, which allows local users to gain privileges via a crafted application. NOTE: because this issue is due to incorrect use of the Intel specification, it should have been split into separate identifiers; however, there was some value in preserving the original mapping of the multi-codebase coordinated-disclosure effort to a single identifier.
family windows
id oval:org.mitre.oval:def:15596
status accepted
submitted 2012-06-18T12:53:22
title User Mode Scheduler Memory Corruption Vulnerability (CVE-2012-0217)
version 71
redhat via4
rpms
  • kernel-0:2.6.18-308.8.2.el5
  • kernel-PAE-0:2.6.18-308.8.2.el5
  • kernel-PAE-devel-0:2.6.18-308.8.2.el5
  • kernel-debug-0:2.6.18-308.8.2.el5
  • kernel-debug-devel-0:2.6.18-308.8.2.el5
  • kernel-devel-0:2.6.18-308.8.2.el5
  • kernel-doc-0:2.6.18-308.8.2.el5
  • kernel-headers-0:2.6.18-308.8.2.el5
  • kernel-kdump-0:2.6.18-308.8.2.el5
  • kernel-kdump-devel-0:2.6.18-308.8.2.el5
  • kernel-xen-0:2.6.18-308.8.2.el5
  • kernel-xen-devel-0:2.6.18-308.8.2.el5
refmap via4
cert TA12-164A
cert-vn VU#649219
confirm
debian
  • DSA-2501
  • DSA-2508
freebsd FreeBSD-SA-12:04
gentoo GLSA-201309-24
mandriva MDVSA-2013:150
mlist
  • [xen-announce] 20120612 Xen Security Advisory 7 (CVE-2012-0217) - PV privilege escalation
  • [xen-devel] 20120619 Security vulnerability process, and CVE-2012-0217
ms MS12-042
netbsd NetBSD-SA2012-003
secunia 55082
Last major update 10-10-2013 - 23:40
Published 12-06-2012 - 18:55
Last modified 12-10-2018 - 18:02