Executive Summary

Summary
Title SYSRET 64-bit operating system privilege escalation vulnerability on Intel CPU hardware
Informations
Name VU#649219 First vendor Publication 2012-06-12
Vendor VU-CERT Last vendor Modification 2012-06-25
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score 7.2 Attack Range Local
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 3.9 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#649219

SYSRET 64-bit operating system privilege escalation vulnerability on Intel CPU hardware

Original Release date: 12 Jun 2012 | Last revised: 25 Jun 2012

Overview

Some 64-bit operating systems and virtualization software running on Intel CPU hardware are vulnerable to a local privilege escalation attack. The vulnerability may be exploited for local privilege escalation or a guest-to-host virtual machine escape.

Intel claims that this vulnerability is a software implementation issue, as their processors are functioning as per their documented specifications. However, software that fails to take the Intel-specific SYSRET behavior into account may be vulnerable.

Description

A ring3 attacker may be able to specifically craft a stack frame to be executed by ring0 (kernel) after a general protection exception (#GP). The fault will be handled before the stack switch, which means the exception handler will be run at ring0 with an attacker's chosen RSP causing a privilege escalation.

Details from Xen

CVE-2012-0217 / XSA-7 - 64-bit PV guest privilege escalation vulnerability

A vulnerability which can allow a 64-bit PV guest kernel running on a 64-bit hypervisor to escalate privileges to that of the host by arranging for a system call to return via sysret to a non-canonical RIP. Intel CPUs deliver the resulting exception in an undesirable processor state.

Details from FreeBSD

FreeBSD-SA-12:04.sysret:Privilege escalation when returning from kernel

FreeBSD/amd64 runs on CPUs from different vendors. Due to varying behaviour of CPUs in 64 bit mode a sanity check of the kernel may be insufficient when returning from a system call. Successful exploitation of the problem can lead to local kernel privilege escalation, kernel data corruption and/or crash.

Details from Microsoft

User Mode Scheduler Memory Corruption Vulnerability - MS12-042 - Important

An elevation of privilege vulnerability exists in the way that the Windows User Mode Scheduler handles system requests. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.

Mitigating Factors for User Mode Scheduler Memory Corruption Vulnerability

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

  • An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
  • This vulnerability only affects Intel x64-based versions of Windows 7 and Windows Server 2008 R2.
  • Systems with AMD or ARM-based CPUs are not affected by this vulnerability.

Details from Red Hat

RHSA-2012:0720-1& RHSA-2012:0721-1: It was found that the Xen hypervisor implementation as shipped with Red Hat Enterprise Linux 5 did not properly restrict the syscall return addresses in the sysret return path to canonical addresses. An unprivileged user in a 64-bit para-virtualized guest, that is running on a 64-bit host that has an Intel CPU, could use this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute arbitrary code at the hypervisor level. (CVE-2012-0217, Important)

Details from some affected vendors were not available at the time of publication.

Impact

A local authenticated attacker may exploit this vulnerability for operating system privilege escalation or for a guest-to-host virtual machine escape.

Solution

Apply an Update
Please review the Vendor Information section of this document for vendor-specific patch and workaround details.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
CitrixAffected-18 Jun 2012
FreeBSD ProjectAffected01 May 201212 Jun 2012
Intel CorporationAffected01 May 201213 Jun 2012
JoyentAffected-14 Jun 2012
Microsoft CorporationAffected01 May 201218 Jun 2012
NetBSDAffected01 May 201208 Jun 2012
Oracle CorporationAffected01 May 201208 Jun 2012
Red Hat, Inc.Affected01 May 201212 Jun 2012
SUSE LinuxAffected02 May 201212 Jun 2012
XenAffected02 May 201212 Jun 2012
AMDNot Affected-13 Jun 2012
Apple Inc.Not Affected01 May 201208 Jun 2012
OpenBSDNot Affected-25 Jun 2012
VMwareNot Affected01 May 201208 Jun 2012
Debian GNU/LinuxUnknown02 May 201202 May 2012
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

GroupScoreVector
Base6.6AV:L/AC:M/Au:S/C:C/I:C/A:C
Temporal5.5E:F/RL:OF/RC:C
Environmental5.5CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

  • http://en.wikipedia.org/wiki/Ring_3
  • http://lists.xen.org/archives/html/xen-announce/2012-06/msg00001.html
  • http://blog.xen.org/index.php/2012/06/13/the-intel-sysret-privilege-escalation/
  • https://bugzilla.redhat.com/show_bug.cgi?id=813428
  • http://security.freebsd.org/advisories/FreeBSD-SA-12:04.sysret.asc
  • http://blog.gmane.org/gmane.linux.kernel.commits.2-4/month=20060401
  • http://lists.xen.org/archives/html/xen-devel/2012-06/msg01072.html

Credit

Thanks to Rafal Wojtczuk of Bromium, Inc. for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

  • CVE IDs:CVE-2012-0217CVE-2006-0744
  • Date Public:12 Apr 2006
  • Date First Published:12 Jun 2012
  • Date Last Updated:25 Jun 2012
  • Document Revision:83

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

This product is provided subject to the Notification as indicated here: http://www.us-cert.gov/legal.html#notify

Original Source

Url : http://www.kb.cert.org/vuls/id/649219

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
50 % CWE-20 Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:15596
 
Oval ID: oval:org.mitre.oval:def:15596
Title: User Mode Scheduler Memory Corruption Vulnerability (CVE-2012-0217)
Description: The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and other products; Oracle Solaris 11 and earlier; illumos before r13724; Joyent SmartOS before 20120614T184600Z; FreeBSD before 9.0-RELEASE-p3; NetBSD 6.0 Beta and earlier; Microsoft Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1; and possibly other operating systems, when running on an Intel processor, incorrectly uses the sysret path in cases where a certain address is not a canonical address, which allows local users to gain privileges via a crafted application. NOTE: because this issue is due to incorrect use of the Intel specification, it should have been split into separate identifiers; however, there was some value in preserving the original mapping of the multi-codebase coordinated-disclosure effort to a single identifier.
Family: windows Class: vulnerability
Reference(s): CVE-2012-0217
 Version: 8
Platform(s): Microsoft Windows 7
Microsoft Windows Server 2008 R2
 Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19281
 
Oval ID: oval:org.mitre.oval:def:19281
Title: CRITICAL PATCH UPDATE OCTOBER 2012
Description: The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and other products; Oracle Solaris 11 and earlier; illumos before r13724; Joyent SmartOS before 20120614T184600Z; FreeBSD before 9.0-RELEASE-p3; NetBSD 6.0 Beta and earlier; Microsoft Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1; and possibly other operating systems, when running on an Intel processor, incorrectly uses the sysret path in cases where a certain address is not a canonical address, which allows local users to gain privileges via a crafted application. NOTE: because this issue is due to incorrect use of the Intel specification, it should have been split into separate identifiers; however, there was some value in preserving the original mapping of the multi-codebase coordinated-disclosure effort to a single identifier.
Family: unix Class: vulnerability
Reference(s): CVE-2012-0217
 Version: 3
Platform(s): Sun Solaris 10
 Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19861
 
Oval ID: oval:org.mitre.oval:def:19861
Title: DSA-2508-1 kfreebsd-8 - privilege escalation
Description: Rafal Wojtczuk from Bromium discovered that FreeBSD wasn't handling correctly uncanonical return addresses on Intel amd64 CPUs, allowing privilege escalation to kernel for local users.
Family: unix Class: patch
Reference(s): DSA-2508-1
CVE-2012-0217
 Version: 5
Platform(s): Debian GNU/kFreeBSD 6.0
 Product(s): kfreebsd-8
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:9732
 
Oval ID: oval:org.mitre.oval:def:9732
Title: Linux kernel before 2.6.16.5 does not properly handle uncanonical return addresses on Intel EM64T CPUs, which reports an exception in the SYSRET instead of the next instruction, which causes the kernel exception handler to run on the user stack with the wrong GS.
Description: Linux kernel before 2.6.16.5 does not properly handle uncanonical return addresses on Intel EM64T CPUs, which reports an exception in the SYSRET instead of the next instruction, which causes the kernel exception handler to run on the user stack with the wrong GS.
Family: unix Class: vulnerability
Reference(s): CVE-2006-0744
 Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
 Product(s):
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 18
Application 2
Application 16
Os 289
Os 1
Os 1
Os 138
Os 2
Os 1
Os 1
Os 1
Os 74
Os 42
Os 44

OpenVAS Exploits

Date Description
2012-12-18 Name : Fedora Update for xen FEDORA-2012-19828
File : nvt/gb_fedora_2012_19828_xen_fc16.nasl
2012-12-14 Name : Fedora Update for xen FEDORA-2012-19717
File : nvt/gb_fedora_2012_19717_xen_fc17.nasl
2012-12-13 Name : SuSE Update for xen openSUSE-SU-2012:0886-1 (xen)
File : nvt/gb_suse_2012_0886_1.nasl
2012-11-23 Name : Fedora Update for xen FEDORA-2012-18249
File : nvt/gb_fedora_2012_18249_xen_fc16.nasl
2012-11-23 Name : Fedora Update for xen FEDORA-2012-18242
File : nvt/gb_fedora_2012_18242_xen_fc17.nasl
2012-11-15 Name : Fedora Update for xen FEDORA-2012-17204
File : nvt/gb_fedora_2012_17204_xen_fc17.nasl
2012-11-15 Name : Fedora Update for xen FEDORA-2012-17408
File : nvt/gb_fedora_2012_17408_xen_fc16.nasl
2012-09-22 Name : Fedora Update for xen FEDORA-2012-13434
File : nvt/gb_fedora_2012_13434_xen_fc17.nasl
2012-09-22 Name : Fedora Update for xen FEDORA-2012-13443
File : nvt/gb_fedora_2012_13443_xen_fc16.nasl
2012-08-30 Name : Fedora Update for xen FEDORA-2012-9386
File : nvt/gb_fedora_2012_9386_xen_fc17.nasl
2012-08-30 Name : Fedora Update for xen FEDORA-2012-11182
File : nvt/gb_fedora_2012_11182_xen_fc17.nasl
2012-08-30 Name : Fedora Update for xen FEDORA-2012-11755
File : nvt/gb_fedora_2012_11755_xen_fc17.nasl
2012-08-24 Name : Fedora Update for xen FEDORA-2012-11785
File : nvt/gb_fedora_2012_11785_xen_fc16.nasl
2012-08-10 Name : Debian Security Advisory DSA 2501-1 (xen)
File : nvt/deb_2501_1.nasl
2012-08-10 Name : FreeBSD Ports: FreeBSD
File : nvt/freebsd_FreeBSD16.nasl
2012-08-10 Name : Debian Security Advisory DSA 2508-1 (kfreebsd-8)
File : nvt/deb_2508_1.nasl
2012-08-06 Name : Fedora Update for xen FEDORA-2012-11190
File : nvt/gb_fedora_2012_11190_xen_fc16.nasl
2012-07-30 Name : CentOS Update for kernel CESA-2012:0721 centos5
File : nvt/gb_CESA-2012_0721_kernel_centos5.nasl
2012-06-28 Name : Fedora Update for xen FEDORA-2012-9399
File : nvt/gb_fedora_2012_9399_xen_fc16.nasl
2012-06-28 Name : Fedora Update for xen FEDORA-2012-9430
File : nvt/gb_fedora_2012_9430_xen_fc15.nasl
2012-06-15 Name : RedHat Update for kernel RHSA-2012:0721-01
File : nvt/gb_RHSA-2012_0721-01_kernel.nasl
2012-06-13 Name : Microsoft Windows Kernel Privilege Elevation Vulnerabilities (2711167)
File : nvt/secpod_ms12-042.nasl
2009-10-10 Name : SLES9: Security update for Linux kernel
File : nvt/sles9p5020521.nasl
2008-01-17 Name : Debian Security Advisory DSA 1103-1 (kernel-source-2.6.8)
File : nvt/deb_1103_1.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
24639 Linux Kernel on Intel EM64T SYSRET Local DoS

The Linux Kernel contains a flaw that may allow a local denial of service. The issue is triggered when control is returned using SYSRET. The way Intel EM64T handles exceptions with uncanonical addresses might cause a Denial of Service, and will result in loss of availability for the platform.

Nessus® Vulnerability Scanner

Date Description
2014-11-26 Name : The remote OracleVM host is missing one or more security updates.
File : oraclevm_OVMSA-2012-0022.nasl - Type : ACT_GATHER_INFO
2014-11-26 Name : The remote OracleVM host is missing one or more security updates.
File : oraclevm_OVMSA-2012-0021.nasl - Type : ACT_GATHER_INFO
2014-11-26 Name : The remote OracleVM host is missing one or more security updates.
File : oraclevm_OVMSA-2012-0020.nasl - Type : ACT_GATHER_INFO
2014-07-26 Name : The remote Solaris system is missing a security patch from CPU oct2012.
File : solaris_oct2012_SRU10_5.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2012-404.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2012-403.nasl - Type : ACT_GATHER_INFO
2013-09-28 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201309-24.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2012-0721.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2012-0721-1.nasl - Type : ACT_GATHER_INFO
2013-01-25 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_xen-201206-120606.nasl - Type : ACT_GATHER_INFO
2013-01-24 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2012-0720.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20120612_kernel_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2012-07-23 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2508.nasl - Type : ACT_GATHER_INFO
2012-06-29 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2501.nasl - Type : ACT_GATHER_INFO
2012-06-28 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_aed44c4ec06711e1b5e0000c299b62e1.nasl - Type : ACT_GATHER_INFO
2012-06-26 Name : The remote Fedora host is missing a security update.
File : fedora_2012-9430.nasl - Type : ACT_GATHER_INFO
2012-06-26 Name : The remote Fedora host is missing a security update.
File : fedora_2012-9386.nasl - Type : ACT_GATHER_INFO
2012-06-26 Name : The remote Fedora host is missing a security update.
File : fedora_2012-9399.nasl - Type : ACT_GATHER_INFO
2012-06-14 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2012-0721.nasl - Type : ACT_GATHER_INFO
2012-06-13 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2012-0721.nasl - Type : ACT_GATHER_INFO
2012-06-13 Name : The Windows kernel is affected by multiple elevation of privilege vulnerabili...
File : smb_nt_ms12-042.nasl - Type : ACT_GATHER_INFO
2012-06-13 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_xen-201206-8180.nasl - Type : ACT_GATHER_INFO
2007-11-10 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-302-1.nasl - Type : ACT_GATHER_INFO
2006-10-14 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1103.nasl - Type : ACT_GATHER_INFO
2006-08-04 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2006-0437.nasl - Type : ACT_GATHER_INFO
2006-07-21 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2006-0437.nasl - Type : ACT_GATHER_INFO
2006-07-05 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2006-0493.nasl - Type : ACT_GATHER_INFO
2006-05-24 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2006-0493.nasl - Type : ACT_GATHER_INFO
2006-05-19 Name : The remote Mandrake Linux host is missing one or more security updates.
File : mandrake_MDKSA-2006-086.nasl - Type : ACT_GATHER_INFO
2006-04-21 Name : The remote Fedora Core host is missing a security update.
File : fedora_2006-423.nasl - Type : ACT_GATHER_INFO
2006-04-21 Name : The remote Fedora Core host is missing a security update.
File : fedora_2006-421.nasl - Type : ACT_GATHER_INFO