Some 64-bit operating systems and virtualization software running on Intel CPU hardware are vulnerable to a local privilege escalation attack. The vulnerability may be exploited for local privilege escalation or a guest-to-host virtual machine escape.
Intel claims that this vulnerability is a software implementation issue, as their processors are functioning as per their documented specifications. However, software that fails to take the Intel-specific SYSRET behavior into account may be vulnerable.
A ring3 attacker may be able to specifically craft a stack frame to be executed by ring0 (kernel) after a general protection exception (#GP). The fault will be handled before the stack switch, which means the exception handler will be run at ring0 with an attacker's chosen RSP causing a privilege escalation.
Details from Red Hat
RHSA-2012:0720-1 & RHSA-2012:0721-1: It was found that the Xen hypervisor implementation as shipped with Red Hat Enterprise Linux 5 did not properly restrict the syscall return addresses in the sysret return path to canonical addresses. An unprivileged user in a 64-bit para-virtualized guest, that is running on a 64-bit host that has an Intel CPU, could use this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute arbitrary code at the hypervisor level. (CVE-2012-0217, Important)
Details from some affected vendors were not available at the time of publication.
A local authenticated attacker may exploit this vulnerability for operating system privilege escalation or for a guest-to-host virtual machine escape.
Apply an Update
FreeBSD Project Affected
Intel Corporation Affected
Microsoft Corporation Affected
Oracle Corporation Affected
Red Hat, Inc. Affected
SUSE Linux Affected
AMD Not Affected
Apple Inc. Not Affected
OpenBSD Not Affected
VMware Not Affected
Debian GNU/Linux Unknown
Fedora Project Unknown
Gentoo Linux Unknown
Hewlett-Packard Company Unknown
IBM Corporation Unknown
Parallels Holdings Ltd Unknown
Slackware Linux Inc. Unknown
Thanks to Rafal Wojtczuk of Bromium, Inc. for reporting this vulnerability.
This document was written by Jared Allar.