Vulnerability Note VU#649219

SYSRET 64-bit operating system privilege escalation vulnerability on Intel CPU hardware

Original Release date: 12 Jun 2012 | Last revised: 04 Sep 2012

Overview

Some 64-bit operating systems and virtualization software running on Intel CPU hardware mishandle the return from a system call via the SYSRET instruction. A local attacker may exploit this flaw to escalate privileges from user mode to kernel mode or, when the affected code is a hypervisor, to escape from a guest virtual machine to the host.

Intel's position is that this vulnerability is a software implementation issue, since its processors behave as documented in their specifications. Software that fails to take the Intel-specific SYSRET behavior into account is nonetheless vulnerable.

Description

A ring 3 (user-mode) attacker may be able to arrange for a system call to return, via SYSRET, to a non-canonical instruction pointer. On Intel processors SYSRET raises a general protection exception (#GP) for a non-canonical target while the CPU is still in ring 0, and by that point the kernel has already loaded the attacker's user-mode stack pointer into RSP. Because no privilege change occurs, the processor performs no stack switch, so the #GP handler runs at ring 0 on an attacker-chosen stack. A stack frame crafted there can corrupt kernel state or redirect kernel execution, yielding privilege escalation.
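The mechanism described above, and the shape of the sanity check that patched kernels perform before SYSRET, as an added example. This is illustration code written for this note, not code from CERT, Intel, or any of the listed vendors' fixes. It assumes 48-bit linear addresses (so a canonical address has bits 63..47 all equal) and the usual x86-64 split in which user mode owns the lower canonical half; the sample return addresses and stack pointers are constructed, not captured from a real system.

```c
/*
 * Added example, not code from the CERT note or from any vendor's fix.
 * Models the SYSRET hazard and the pre-SYSRET check patched kernels use.
 * Assumptions not stated on the page: 48-bit linear addresses and the
 * usual x86-64 split where user mode owns the lower canonical half.
 */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define VA_BITS 48
/* Highest canonical address in the user half: 0x00007fffffffffff. */
#define USER_VA_MAX ((UINT64_C(1) << (VA_BITS - 1)) - 1)

enum cpu_vendor { CPU_INTEL, CPU_AMD };
enum return_path { RETURN_SYSRET, RETURN_IRET };

/* What the #GP handler finds when a return to a bad RIP faults. */
struct fault_ctx {
    bool faulted;         /* did the return raise #GP at all? */
    int faulting_cpl;     /* privilege level at the moment #GP was raised */
    uint64_t handler_rsp; /* stack pointer the handler starts on */
};

/* Canonical check: bits 63..VA_BITS-1 must be all zero or all one. */
bool is_canonical(uint64_t va)
{
    uint64_t top = va >> (VA_BITS - 1);                      /* 17 bits */
    uint64_t ones = (UINT64_C(1) << (64 - VA_BITS + 1)) - 1; /* 0x1ffff */
    return top == 0 || top == ones;
}

/*
 * Model of the hazard. On the syscall exit path the kernel restores the
 * user RSP before executing SYSRET with the return RIP in RCX.
 *   Intel: a non-canonical RCX makes SYSRET itself raise #GP while CPL is
 *          still 0; a same-privilege exception does not switch stacks, so
 *          the handler runs at ring 0 on the attacker's user stack.
 *   AMD:   SYSRET completes the drop to CPL 3; the #GP comes from the
 *          instruction fetch at the bad RIP, i.e. from user mode, and the
 *          CPL 3 -> 0 transition loads RSP from the TSS (kernel stack).
 */
struct fault_ctx sysret_fault_context(enum cpu_vendor vendor, uint64_t rcx,
                                      uint64_t user_rsp, uint64_t tss_rsp0)
{
    struct fault_ctx ctx = { false, 3, user_rsp }; /* clean return to user */
    if (is_canonical(rcx))
        return ctx;
    ctx.faulted = true;
    if (vendor == CPU_INTEL) {
        ctx.faulting_cpl = 0;
        ctx.handler_rsp = user_rsp; /* ring 0 on a user-controlled stack */
    } else {
        ctx.faulting_cpl = 3;
        ctx.handler_rsp = tss_rsp0; /* ordinary user fault, kernel stack */
    }
    return ctx;
}

/* True exactly in the state the note describes: ring 0, attacker's RSP. */
bool gp_handler_runs_on_user_stack(enum cpu_vendor vendor, uint64_t rcx,
                                   uint64_t user_rsp, uint64_t tss_rsp0)
{
    struct fault_ctx c = sysret_fault_context(vendor, rcx, user_rsp, tss_rsp0);
    return c.faulted && c.faulting_cpl == 0 && c.handler_rsp == user_rsp;
}

/*
 * The fix: only hand SYSRET a return RIP inside the user canonical half.
 * Anything else goes through IRETQ, which also faults on a bad RIP but does
 * so before RSP has left the kernel stack, so the kernel can deliver a
 * signal to the process instead of running its #GP handler on memory the
 * process controls.
 */
enum return_path choose_return_path(uint64_t user_rip)
{
    if (!is_canonical(user_rip) || user_rip > USER_VA_MAX)
        return RETURN_IRET;
    return RETURN_SYSRET;
}

int main(void)
{
    /* Constructed sample values, not captured from a real system. */
    const uint64_t user_rsp = UINT64_C(0x00007ffffffde000);
    const uint64_t tss_rsp0 = UINT64_C(0xffff88001f203000);
    const uint64_t rips[] = {
        UINT64_C(0x00007ffff7a0b123), /* ordinary user-mode return address */
        UINT64_C(0x0000800000000000), /* first non-canonical address */
        UINT64_C(0xffff800000001000), /* canonical, but in the kernel half */
    };
    for (size_t i = 0; i < sizeof rips / sizeof rips[0]; i++) {
        uint64_t rip = rips[i];
        printf("RIP 0x%016" PRIx64 ": canonical=%d  return via %s  "
               "Intel #GP on user stack=%d  AMD #GP on user stack=%d\n",
               rip, is_canonical(rip),
               choose_return_path(rip) == RETURN_SYSRET ? "SYSRET" : "IRETQ",
               gp_handler_runs_on_user_stack(CPU_INTEL, rip, user_rsp, tss_rsp0),
               gp_handler_runs_on_user_stack(CPU_AMD, rip, user_rsp, tss_rsp0));
    }
    return 0;
}
```

Because IRETQ is slower than SYSRET, a fixed kernel keeps the fast path for the common case and diverts only return frames that fail the check. The check has to be applied to the value that will actually be loaded into RCX at return time, after anything that can rewrite the saved frame (signal return, debugger writes to registers) has run; a check performed only at syscall entry does not close the hole.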

Details from Xen

CVE-2012-0217 / XSA-7 - 64-bit PV guest privilege escalation vulnerability

A vulnerability which can allow a 64-bit PV guest kernel running on a 64-bit hypervisor to escalate privileges to that of the host by arranging for a system call to return via sysret to a non-canonical RIP. Intel CPUs deliver the resulting exception in an undesirable processor state.

Details from FreeBSD

FreeBSD-SA-12:04.sysret: Privilege escalation when returning from kernel

FreeBSD/amd64 runs on CPUs from different vendors. Due to varying behaviour of CPUs in 64 bit mode a sanity check of the kernel may be insufficient when returning from a system call. Successful exploitation of the problem can lead to local kernel privilege escalation, kernel data corruption and/or crash.

Details from Microsoft

User Mode Scheduler Memory Corruption Vulnerability - MS12-042 - Important

An elevation of privilege vulnerability exists in the way that the Windows User Mode Scheduler handles system requests. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.

Mitigating Factors for User Mode Scheduler Memory Corruption Vulnerability

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

  • An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
  • This vulnerability only affects Intel x64-based versions of Windows 7 and Windows Server 2008 R2.
  • Systems with AMD or ARM-based CPUs are not affected by this vulnerability.

Details from Red Hat

RHSA-2012:0720-1 & RHSA-2012:0721-1: It was found that the Xen hypervisor implementation as shipped with Red Hat Enterprise Linux 5 did not properly restrict the syscall return addresses in the sysret return path to canonical addresses. An unprivileged user in a 64-bit para-virtualized guest, that is running on a 64-bit host that has an Intel CPU, could use this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute arbitrary code at the hypervisor level. (CVE-2012-0217, Important)

Details from some affected vendors were not available at the time of publication.

Impact

A local authenticated attacker may exploit this vulnerability for operating system privilege escalation or for a guest-to-host virtual machine escape.

Solution

Apply an Update
Please review the Vendor Information section of this document for vendor-specific patch and workaround details.

Vendor Information

Vendor                  Status         Date Notified   Date Updated
Citrix                  Affected       -               18 Jun 2012
FreeBSD Project         Affected       01 May 2012     12 Jun 2012
Intel Corporation       Affected       01 May 2012     13 Jun 2012
Joyent                  Affected       -               14 Jun 2012
Microsoft Corporation   Affected       01 May 2012     18 Jun 2012
NetBSD                  Affected       01 May 2012     08 Jun 2012
Oracle Corporation      Affected       01 May 2012     08 Jun 2012
Red Hat, Inc.           Affected       01 May 2012     12 Jun 2012
SUSE Linux              Affected       02 May 2012     12 Jun 2012
Xen                     Affected       02 May 2012     12 Jun 2012
AMD                     Not Affected   -               13 Jun 2012
Apple Inc.              Not Affected   01 May 2012     08 Jun 2012
OpenBSD                 Not Affected   -               25 Jun 2012
VMware                  Not Affected   01 May 2012     08 Jun 2012
Debian GNU/Linux        Unknown        02 May 2012     02 May 2012

CVSS Metrics

Group           Score   Vector
Base            6.6     AV:L/AC:M/Au:S/C:C/I:C/A:C
Temporal        5.5     E:F/RL:OF/RC:C
Environmental   5.5     CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

Credit

Thanks to Rafal Wojtczuk of Bromium, Inc. for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

  • CVE IDs: CVE-2012-0217, CVE-2006-0744
  • Date Public: 12 Apr 2006
  • Date First Published: 12 Jun 2012
  • Date Last Updated: 04 Sep 2012
  • Document Revision: 85
