=====================================================================
                            CERT-Renater
                 Information Note No. 2013/VULN440
_____________________________________________________________________

DATE                : 08/10/2013

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Xen.

======================================================================
http://xenbits.xen.org/xsa/advisory-65.txt
______________________________________________________________________

         Xen Security Advisory CVE-2013-4344 / XSA-65
                          version 2

            qemu SCSI REPORT LUNS buffer overflow

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

qemu contains a possible buffer overflow in the SCSI code that
implements the REPORT LUNS command. The buffer can be overflowed by
creating a SCSI controller with more than 256 attached devices (such
as disks) and sending a REPORT LUNS command with a short transfer
buffer (less than 2056 bytes).

Xen systems do not use the qemu SCSI code by default.

IMPACT
======

On Xen systems where the device_model_args (or equivalent) parameters
have been used to configure a SCSI controller for a guest, with more
than 256 devices, a malicious guest might be able to escalate its
privilege to that of the qemu process in the host (typically root).

VULNERABLE SYSTEMS
==================

Only Xen systems whose administrators have deliberately configured HVM
guests to have emulated SCSI controllers, and where those guests are
provided with more than 256 devices, are vulnerable.

We are not aware of any such systems.

MITIGATION AND RESOLUTION
=========================

Please refer to the advisories and information from the Qemu project.

If, during the embargo period, you have any questions about this
advisory in the context of Xen, please contact the Xen Project
Security Team.

CREDITS
=======

This issue was reported to us by the Qemu project.
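
Added example (not part of the advisory and not qemu's code): a REPORT LUNS response is an 8-byte header plus 8 bytes per logical unit, so 256 devices fill exactly 2056 bytes and a 257th needs more. The C code below builds such a response while bounding every write by both the emulator's buffer and the guest's allocation length; the function names, the 2056-byte capacity and the 300-device list are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN   8u  /* 4-byte LUN list length + 4 reserved bytes */
#define ENTRY_LEN 8u  /* one 8-byte descriptor per logical unit */

/* Size of a complete REPORT LUNS response for n_luns devices. */
size_t report_luns_needed(size_t n_luns)
{
    return HDR_LEN + n_luns * ENTRY_LEN;
}

/* Copy at most `room` bytes of one 8-byte field; returns bytes copied. */
static size_t put(uint8_t *dst, size_t room, const uint8_t *src)
{
    size_t n = room < 8 ? room : 8;
    memcpy(dst, src, n);
    return n;
}

/* Build the response into out, bounded by both the emulator's buffer (cap)
 * and the guest's allocation length (alloc_len). LUNs must be < 16384.
 * Returns bytes written; the header still reports the full list length. */
size_t report_luns_build(uint8_t *out, size_t cap, size_t alloc_len,
                         const uint16_t *luns, size_t n_luns)
{
    size_t limit = cap < alloc_len ? cap : alloc_len, off, i;
    uint32_t len = (uint32_t)(n_luns * ENTRY_LEN);
    uint8_t f[8] = { (uint8_t)(len >> 24), (uint8_t)(len >> 16),
                     (uint8_t)(len >> 8), (uint8_t)len, 0, 0, 0, 0 };

    off = put(out, limit, f);
    for (i = 0; i < n_luns && off < limit; i++) {
        memset(f, 0, sizeof f);
        /* SAM addressing: peripheral method below 256, flat space above */
        f[0] = luns[i] < 256 ? 0 : (uint8_t)(0x40 | (luns[i] >> 8));
        f[1] = (uint8_t)(luns[i] & 0xff);
        off += put(out + off, limit - off, f);
    }
    return off;
}

int main(void)
{
    static uint8_t buf[2056];    /* constructed capacity: 8 + 256 * 8 */
    static uint16_t luns[300];   /* constructed: 300 attached devices */
    for (size_t i = 0; i < 300; i++) luns[i] = (uint16_t)i;
    printf("needed=%zu written=%zu\n", report_luns_needed(300),
           report_luns_build(buf, sizeof buf, 4096, luns, 300));
    return 0;
}
```
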

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44             +
+ 23 - 25 Rue Daviel  | fax : 01-53-94-20-41             +
+ 75013 Paris         | email: cert@support.renater.fr   +
==========================================================