Vulnerability Note VU#649219
SYSRET 64-bit operating system privilege escalation vulnerability on Intel CPU hardware
Some 64-bit operating systems and virtualization software running on Intel CPU hardware are vulnerable to a local privilege escalation attack. The vulnerability may be exploited for local privilege escalation or a guest-to-host virtual machine escape.
Intel claims that this vulnerability is a software implementation issue, as their processors are functioning as per their documented specifications. However, software that fails to take the Intel-specific SYSRET behavior into account may be vulnerable.
A ring3 attacker may be able to specifically craft a stack frame to be executed by ring0 (kernel) after a general protection exception (#GP). The fault will be handled before the stack switch, which means the exception handler will be run at ring0 with an attacker's chosen RSP causing a privilege escalation.
Details from Red Hat
RHSA-2012:0720-1 & RHSA-2012:0721-1: It was found that the Xen hypervisor implementation as shipped with Red Hat Enterprise Linux 5 did not properly restrict the syscall return addresses in the sysret return path to canonical addresses. An unprivileged user in a 64-bit para-virtualized guest, that is running on a 64-bit host that has an Intel CPU, could use this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute arbitrary code at the hypervisor level. (CVE-2012-0217, Important)
Details from some affected vendors were not available at the time of publication.
A local authenticated attacker may exploit this vulnerability for operating system privilege escalation or for a guest-to-host virtual machine escape.
Apply an Update
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Citrix||Affected||-||18 Jun 2012|
|FreeBSD Project||Affected||01 May 2012||12 Jun 2012|
|Intel Corporation||Affected||01 May 2012||13 Jun 2012|
|Joyent||Affected||-||14 Jun 2012|
|Microsoft Corporation||Affected||01 May 2012||18 Jun 2012|
|NetBSD||Affected||01 May 2012||08 Jun 2012|
|Oracle Corporation||Affected||01 May 2012||08 Jun 2012|
|Red Hat, Inc.||Affected||01 May 2012||12 Jun 2012|
|SUSE Linux||Affected||02 May 2012||12 Jun 2012|
|Xen||Affected||02 May 2012||12 Jun 2012|
|AMD||Not Affected||-||13 Jun 2012|
|Apple Inc.||Not Affected||01 May 2012||08 Jun 2012|
|OpenBSD||Not Affected||-||25 Jun 2012|
|VMware||Not Affected||01 May 2012||08 Jun 2012|
|Debian GNU/Linux||Unknown||02 May 2012||02 May 2012|
CVSS Metrics (Learn More)
Thanks to Rafal Wojtczuk of Bromium, Inc. for reporting this vulnerability.
This document was written by Jared Allar.
- CVE IDs: CVE-2012-0217 CVE-2006-0744
- Date Public: 12 Apr 2006
- Date First Published: 12 Jun 2012
- Date Last Updated: 04 Sep 2012
- Document Revision: 85
If you have feedback, comments, or additional information about this vulnerability, please send us email.