Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: CVE-2012-0217 (from MS12-042) applies to other environments too SANS ISC InfoSec Forums

Special Webcast: What you need to know about the crypt32.dll vulnerability. Register Now

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
CVE-2012-0217 (from MS12-042) applies to other environments too

A week ago we covered MS12-042 ("Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2711167)") on the monthly Microsoft patch update cycle. This Microsoft advisory includes two vulnerabilities: CVE-2012-0217 and CVE-2012-1515 (VMware related).

Unfortunately, the official CVE-2012-0217 only makes references to Microsoft Windows OS, but other environments are also affected by this local privilege escalation vulnerability associated to 64-bit Intel processors. From the US-CERT note: "Some 64-bit operating systems and virtualization software running on Intel CPU hardware are vulnerable to a local privilege escalation attack. The vulnerability may be exploited for local privilege escalation or a guest-to-host virtual machine escape." In particular, it affects FreeBSD or Xen (RedHat, SUSE, etc).

More details at "Vulnerability Note VU#649219: SYSRET 64-bit operating system privilege escalation vulnerability on Intel CPU hardware".

----
Raul Siles
Founder and Senior Security Analyst with Taddong
www.taddong.com

 Raul Siles

152 Posts
Subscribe Jun 20th 2012
7 years ago
And NetBSD. In the kernel itself, and in the packaged Xen kernels if used in PV mode.

I don't notice anything new committed in OpenBSD relating to this, so I wonder if it was somehow immune, or just not patched yet.
 Steven C.

171 Posts
Quote Jun 20th 2012
7 years ago
quick searching on the web, I found the following posts to misc@openbsd mailing list.

http://old.nabble.com/CVE-2012-0217%3A-SYSRET-64-bit-operating-system-privilege-escalation-vulnerability-on-Intel-CPU-hardware-td34003925.html

are there anyone checking the OpenBSD kernel source code?
I think the relevant part is around machdep.c.

http://www.openbsd.org/cgi-bin/cvsweb/src/sys/arch/amd64/amd64/machdep.c
 Steven C.
1 Posts
Quote Jun 21st 2012
7 years ago
@yozo, thanks, somehow I missed that when I was searching.

So this was fixed in OpenBSD CVS uhhh almost a year ago :)
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/arch/amd64/amd64/machdep.c#rev1.147
 Steven C.

171 Posts
Quote Jun 21st 2012
7 years ago

Sign Up for Free or Log In to start participating in the conversation!