{"id":4708,"date":"2012-06-16T21:45:30","date_gmt":"2012-06-17T02:45:30","guid":{"rendered":"http:\/\/bucktownbell.com\/?p=4708"},"modified":"2012-06-16T21:45:30","modified_gmt":"2012-06-17T02:45:30","slug":"us-cert-vulnerability-note-vu649219-sysret-64-bit-operating-system-privilege-escalation-vulnerability-on-intel-cpu-hardware","status":"publish","type":"post","link":"http:\/\/bucktownbell.com\/?p=4708","title":{"rendered":"US-CERT Vulnerability Note VU#649219 &#8211; SYSRET 64-bit operating system privilege escalation vulnerability on Intel CPU hardware"},"content":{"rendered":"<blockquote><p>A <a href=\"http:\/\/en.wikipedia.org\/wiki\/Ring_3\">ring3 attacker<\/a> may be able to specifically craft a stack frame to be executed by ring0 (kernel) after a general protection exception (#GP). The fault will be handled before the stack switch, which means the exception handler will be run at ring0 with an attacker&#8217;s chosen RSP causing a privilege escalation.<\/p><\/blockquote>\n<p>via <a href=\"http:\/\/www.kb.cert.org\/vuls\/id\/649219\">US-CERT Vulnerability Note VU#649219 &#8211; SYSRET 64-bit operating system privilege escalation vulnerability on Intel CPU hardware<\/a>.<\/p>\n<blockquote><p><em><strong>Details from Red<\/strong><\/em><strong> Hat<\/strong><\/p>\n<p><a href=\"https:\/\/rhn.redhat.com\/errata\/RHSA-2012-0720.html\">RHSA-2012:0720-1<\/a><em> &amp; <\/em><a href=\"https:\/\/rhn.redhat.com\/errata\/RHSA-2012-0721.html\"><em>RHSA-2012:0721-1<\/em><\/a><em>: <\/em><em>It was found that the Xen hypervisor implementation as shipped with Red Hat Enterprise Linux 5 did not properly restrict the syscall return addresses in the sysret return path to canonical addresses. <strong>An unprivileged user in a 64-bit para-virtualized guest, that is running on a 64-bit host that has an Intel CPU, could use this flaw to crash the host or, potentially, escalate their privileges,<\/strong> allowing them to execute arbitrary code at the hypervisor level. 
(CVE-2012-0217, Important)<\/em><\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>A ring3 attacker may be able to specifically craft a stack frame to be executed by ring0 (kernel) after a general protection exception (#GP). The fault will be handled before the stack switch, which means the exception handler will be &hellip; <a href=\"http:\/\/bucktownbell.com\/?p=4708\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[81],"tags":[292,226,160,82],"class_list":["post-4708","post","type-post","status-publish","format-standard","hentry","category-virtualization-2","tag-cpu","tag-hypervisor","tag-intel","tag-xen"],"_links":{"self":[{"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/posts\/4708","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4708"}],"version-history":[{"count":1,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/posts\/4708\/revisions"}],"predecessor-version":[{"id":4709,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/posts\/4708\/revisions\/4709"}],"wp:attachment":[{"href":"http:\/\/bucktownbell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4708"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4708"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4708"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}