SB2017091548 - Fedora 25 update for xen

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Out-of-bounds write (CVE-ID: CVE-2017-14316)

The vulnerability allows an adjacent attacker to execute arbitrary code on the host system.

The weakness exists due to out-of-bounds array access in the processing of NUMA node parameters. An adjacent attacker can invoke specially crafted hypercalls and execute arbitrary code with elevated privileges.

2) Null pointer dereference (CVE-ID: CVE-2017-14318)

The vulnerability allows an adjacent attacker to gain elevated privileges or cause DoS condition on the host system.

The weakness exists due to NULL pointer deference in certain GNTTABOP_cache_flush grant table operations. If exploited on x86-based PV guest systems without SMAP enabled, an adjacent attacker can gain elevated privileges. If exploited on ARM-based guest systems and x86-based PV guest systems that have SMAP enabled, an adjacent attacker can cause the host system to crash.

3) Race condition (CVE-ID: CVE-2017-14317)

The vulnerability allows an adjacent attacker to cause DoS condition on the host system.

The weakness exists due to race condition in cxenstored. An adjacent attacker can shut down a virtual machine with a stubdomain, trigger a double-free memory error and cause the xenstored daemon to crash.

The vulnerability is exploitable on the systems running the C version os xenstored ("xenstored") and running devicemodel stubdomains.

4) Privilege escalation (CVE-ID: CVE-2017-14319)

The vulnerability allows an adjacent attacker to gain elevated privileges or cause DoS condition on the host system.

The weakness exists due to a flaw in grant unmapping. A local attacker on an x86 PV guest system can gain elevated privileges on the host system or cause the hypervisor to crash.

Remediation

Install update from vendor's website.

References

• https://bodhi.fedoraproject.org/updates/FEDORA-2017-f7fd3fe7eb