Vigil@nce - Xen: privilege escalation via libxl HVM
September 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
When the IOMMU is disabled on an HVM system that has a PCI Passthrough
Busmastering-Capable device, a local attacker can directly access
memory via libxl of Xen, in order to escalate privileges.
– Impacted products: Fedora, Unix (platform)
– Severity: 2/4
– Creation date: 10/09/2013
DESCRIPTION OF THE VULNERABILITY
The IOMMU (Input/Output Memory Management Unit) feature allows a
bus-connected device to access memory. This feature can be
disabled in Xen.
However, a Busmastering-Capable device configured with PCI
Passthrough can be used to issue DMA (Direct Memory Access)
requests from the guest system.
When the IOMMU is disabled on an HVM system that has a PCI Passthrough
Busmastering-Capable device, a local attacker can therefore
directly access memory via libxl of Xen, in order to
escalate privileges.
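The defensive check a host administrator would want before handing a device to a guest is whether the hypervisor actually has the IOMMU active. The script below is an added example, not part of the Vigil@nce bulletin or of Xen's own tooling; it assumes that `xl info` reports IOMMU-backed passthrough as the `hvm_directio` token on its `virt_caps` line and that `lspci -vv` prints the device's `Control:` register with a `BusMaster+`/`BusMaster-` flag, and it runs over constructed sample output so it can be tried offline.

```shell
#!/bin/sh
# Added example: refuse PCI passthrough of a bus-mastering device when the
# Xen host has no active IOMMU. Assumes the `xl info` virt_caps line and the
# `lspci -vv` Control line formats described in the lead-in.

# Return 0 if the given `xl info` output shows IOMMU-backed passthrough support.
xen_iommu_active() {
    printf '%s\n' "$1" | grep -E '^virt_caps' | grep -qw 'hvm_directio'
}

# Return 0 if the given `lspci -vv` output shows bus mastering enabled,
# i.e. the device may issue DMA on its own.
pci_busmaster_on() {
    printf '%s\n' "$1" | grep -E '^[[:space:]]*Control:' | grep -qF 'BusMaster+'
}

# Print "unsafe" (and return 1) when a bus-mastering device would be passed
# through without IOMMU protection; print "ok" otherwise.
assess_passthrough() {
    xl_info_text=$1
    lspci_text=$2
    if ! xen_iommu_active "$xl_info_text" && pci_busmaster_on "$lspci_text"; then
        echo unsafe
        return 1
    fi
    echo ok
    return 0
}

# Constructed sample output (not captured from a real host).
SAMPLE_XL_INFO_NO_IOMMU='host                   : xenhost
virt_caps              : hvm'
SAMPLE_XL_INFO_IOMMU='host                   : xenhost
virt_caps              : hvm hvm_directio'
SAMPLE_LSPCI_BUSMASTER='01:00.0 Ethernet controller: (constructed device)
        Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr-'

# On a live host this would be:
#   assess_passthrough "$(xl info)" "$(lspci -vv -s 01:00.0)"
assess_passthrough "$SAMPLE_XL_INFO_NO_IOMMU" "$SAMPLE_LSPCI_BUSMASTER" \
    || echo "do not pass this device through until the IOMMU is enabled"
```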
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Xen-privilege-escalation-via-libxl-HVM-13364