SYSRET 64-bit operating system privilege escalation vulnerability on Intel CPU hardware

Overview

Some 64-bit operating systems and virtualization software running on Intel CPU hardware are vulnerable to a local privilege escalation attack. The vulnerability may be exploited for local privilege escalation or a guest-to-host virtual machine escape.

Intel claims that this vulnerability is a software implementation issue, as their processors are functioning as per their documented specifications. However, software that fails to take the Intel-specific SYSRET behavior into account may be vulnerable.

Description

A ring3 attacker may be able to specifically craft a stack frame to be executed by ring0 (kernel) after a general protection exception (#GP). The fault will be handled before the stack switch, which means the exception handler will be run at ring0 with an attacker’s chosen RSP causing a privilege escalation.

Details from Xen

CVE-2012-0217 / XSA-7 - 64-bit PV guest privilege escalation vulnerability

A vulnerability which can allow a 64-bit PV guest kernel running on a 64-bit hypervisor to escalate privileges to that of the host by arranging for a system call to return via sysret to a non-canonical RIP. Intel CPUs deliver the resulting exception in an undesirable processor state.

Details from FreeBSD

FreeBSD-SA-12:04.sysret:_ _Privilege escalation when returning from kernel

FreeBSD/amd64 runs on CPUs from different vendors. Due to varying behaviour of CPUs in 64 bit mode a sanity check of the kernel may be insufficient when returning from a system call. Successful exploitation of the problem can lead to local kernel privilege escalation, kernel data corruption and/or crash.

Details from Microsoft

_User Mode Scheduler Memory Corruption Vulnerability - _MS12-042 - Important

An elevation of privilege vulnerability exists in the way that the Windows User Mode Scheduler handles system requests. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.

Mitigating Factors for User Mode Scheduler Memory Corruption Vulnerability

_Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation: _

* _An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users._
* _This vulnerability only affects Intel x64-based versions of Windows 7 and Windows Server 2008 R2._
* _Systems with AMD or ARM-based CPUs are not affected by this vulnerability._

Details from Red Hat

RHSA-2012:0720-1_ & RHSA-2012:0721-1: _It was found that the Xen hypervisor implementation as shipped with Red Hat Enterprise Linux 5 did not properly restrict the syscall return addresses in the sysret return path to canonical addresses. An unprivileged user in a 64-bit para-virtualized guest, that is running on a 64-bit host that has an Intel CPU, could use this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute arbitrary code at the hypervisor level. (CVE-2012-0217, Important)

Details from some affected vendors were not available at the time of publication.

Impact

A local authenticated attacker may exploit this vulnerability for operating system privilege escalation or for a guest-to-host virtual machine escape.

---

Solution

Apply an Update
Please review the Vendor Information section of this document for vendor-specific patch and workaround details.

---

Vendor Information

649219

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Citrix __ Affected

Updated: June 18, 2012

Status

Affected

Vendor Statement

A number of security vulnerabilities have been identified in Citrix XenServer. These vulnerabilities affect all currently supported versions of Citrix XenServer up to and including version 6.0.2.

The following issues have been addressed:

• 64-bit PV guest to host privilege escalation vulnerability. This issue only impacts servers running on Intel processors and could permit a 64-bit PV guest to compromise the XenServer host (CVE-2012-0217).

• Guest denial of service on syscall/sysenter exception generation. This issue could permit user code within a PV guest to crash the guest operating system (CVE-2012-0218).

• Administrative connections to VM consoles through XAPI or XenCenter could be routed to the wrong VM.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <http://support.citrix.com/article/CTX133161&gt;

FreeBSD Project Affected

Notified: May 01, 2012 Updated: June 12, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <http://security.freebsd.org/advisories/FreeBSD-SA-12:04.sysret.asc&gt;

Intel Corporation __ Affected

Notified: May 01, 2012 Updated: June 13, 2012

Statement Date: June 13, 2012

Status

Affected

Vendor Statement

This is a software implementation issue. Intel processors are functioning as per specifications and this behavior is correctly documented in the IntelR64 Software Developers Manual, Volume 2B Pages 4-598-599.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Joyent __ Affected

Updated: June 14, 2012

Status

Affected

Vendor Statement

We have an illumos-derived system, SmartOS – it (and every other illumos derivative) was affected by this vulnerability. illumos issue: <https://www.illumos.org/issues/2873&gt;

Patch is in hg changeset: 13724:7740792727e0. This can also be found on the github bridge: <https://github.com/illumos/illumos-gate/commit/6ba2dbf5e79c7fc6e1221844ddaa2c88a42a3fc1&gt;

Joyent’s cloud customers are unaffected. Joyent’s SmartDataCenter customers will be receiving an updated platform, versioned joyent_20120614T001014Z.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <https://www.illumos.org/issues/2873&gt;
• <https://github.com/illumos/illumos-gate/commit/6ba2dbf5e79c7fc6e1221844ddaa2c88a42a3fc1&gt;

Microsoft Corporation __ Affected

Notified: May 01, 2012 Updated: June 18, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

This security update resolves one privately reported vulnerability and one publicly disclosed vulnerability in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that exploits the vulnerability. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.

Vendor References

• <https://technet.microsoft.com/en-us/security/bulletin/MS12-042&gt;

NetBSD Affected

Notified: May 01, 2012 Updated: June 08, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Oracle Corporation Affected

Notified: May 01, 2012 Updated: June 08, 2012

Statement Date: May 11, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Red Hat, Inc. Affected

Notified: May 01, 2012 Updated: June 12, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <https://bugzilla.redhat.com/show_bug.cgi?id=813428&gt;
• <https://access.redhat.com/security/cve/CVE-2012-0217&gt;
• <https://rhn.redhat.com/errata/RHSA-2012-0720.html&gt;
• <https://rhn.redhat.com/errata/RHSA-2012-0721.html&gt;

SUSE Linux Affected

Notified: May 02, 2012 Updated: June 12, 2012

Statement Date: May 02, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <http://support.novell.com/security/cve/CVE-2012-0217.html&gt;

Xen Affected

Notified: May 02, 2012 Updated: June 12, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <http://lists.xen.org/archives/html/xen-announce/2012-06/msg00001.html&gt;

AMD __ Not Affected

Updated: June 13, 2012

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Systems using AMD CPUs are not vulnerable to this privilege escalation. AMD have issued the following statement:

_ AMD processors’ SYSRET behavior is such that a non-canonical address in RCX does not generate a #GP while in CPL0. We have verified this with our architecture team, with our design team, and have performed tests that verified this on silicon. Therefore, this privilege escalation exposure is not applicable to any AMD processor._
This statement comes from the Xen security advisory.

Apple Inc. Not Affected

Notified: May 01, 2012 Updated: June 08, 2012

Statement Date: May 15, 2012

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

OpenBSD Not Affected

Updated: June 25, 2012

Statement Date: June 25, 2012

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

VMware __ Not Affected

Notified: May 01, 2012 Updated: June 08, 2012

Statement Date: June 08, 2012

Status

Not Affected

Vendor Statement

The VMware Security Response Center has reviewed the technical details of CVE-2012-0217, the “#GP in sysret” vulnerability. The “sysret” instruction is not used in VMware hypervisor code, therefore VMware products are not affected by this issue. Please note that guest operating systems that are installed as virtual machines may be affected and should be patched based on the recommendation of their respective OS vendors.

For further questions on this or any security vulnerability, please contact the VSRC at [email protected].

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Debian GNU/Linux Unknown

Notified: May 02, 2012 Updated: May 02, 2012

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fedora Project Unknown

Notified: May 02, 2012 Updated: May 02, 2012

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Gentoo Linux Unknown

Notified: May 02, 2012 Updated: May 02, 2012

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hewlett-Packard Company Unknown

Notified: May 01, 2012 Updated: May 01, 2012

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation Unknown

Notified: May 01, 2012 Updated: May 01, 2012

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Parallels Holdings Ltd Unknown

Notified: May 21, 2012 Updated: May 21, 2012

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Slackware Linux Inc. Unknown

Notified: May 02, 2012 Updated: May 02, 2012

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ubuntu Unknown

Notified: May 01, 2012 Updated: May 01, 2012

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

View all 22 vendors __View less vendors __

CVSS Metrics

Group	Score	Vector
Base	6.6	AV:L/AC:M/Au:S/C:C/I:C/A:C
Temporal	5.5	E:F/RL:OF/RC:C
Environmental	5.5	CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

• <http://en.wikipedia.org/wiki/Ring_3&gt;
• <http://lists.xen.org/archives/html/xen-announce/2012-06/msg00001.html&gt;
• <http://blog.xen.org/index.php/2012/06/13/the-intel-sysret-privilege-escalation/&gt;
• <https://bugzilla.redhat.com/show_bug.cgi?id=813428&gt;
• <http://security.freebsd.org/advisories/FreeBSD-SA-12:04.sysret.asc&gt;
• <http://blog.gmane.org/gmane.linux.kernel.commits.2-4/month=20060401&gt;
• <http://lists.xen.org/archives/html/xen-devel/2012-06/msg01072.html&gt;
• <http://www.vupen.com/blog/20120904.Advanced_Exploitation_of_Xen_Sysret_VM_Escape_CVE-2012-0217.php&gt;

Acknowledgements

Thanks to Rafal Wojtczuk of Bromium, Inc. for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs:	CVE-2012-0217, CVE-2006-0744
Date Public:	2006-04-12 Date First Published: