Multiple vulnerabilities in Xen



Published: 2018-08-21
Risk: Low
Patch available: Yes
Number of vulnerabilities: 7
CVE-ID: CVE-2018-15469, CVE-2018-15470, CVE-2018-14007, CVE-2018-15471, CVE-2018-15468, CVE-2018-3646, CVE-2018-3620
CWE-ID: CWE-264, CWE-400, CWE-22, CWE-190, CWE-200
Exploitation vector: Local network
Public exploit: N/A
Vulnerable software: Xen (Server applications / Virtualization software)

Vendor: Xen Project

Security Bulletin

This security bulletin contains information about 7 vulnerabilities.

1) Denial of service

EUVDB-ID: #VU14472

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-15469

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows an attacker who controls a guest domain to cause a denial of service (DoS) on the target system.

The vulnerability exists because version 2 grant tables were never properly implemented on ARM, neither in the hypervisor nor in Linux, yet a guest can still request them. A guest that requests version 2 grant tables triggers a BUG() check in the hypervisor or in Linux, crashing the hypervisor (and with it the whole host) or the Linux kernel that made the request. Only ARM systems are affected; x86 systems are not.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Xen: 4.6.0 - 4.11.0

External links

http://xenbits.xen.org/xsa/advisory-268.html


Q & A

Can this vulnerability be exploited remotely?

No, not by someone who only has network access to the host. The attacker needs to control a guest domain on the affected host (the "adjacent" position in the CVSS vector above); the grant-table request goes through the hypervisor interface, not over the network.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Denial of service (resource exhaustion)

EUVDB-ID: #VU14473

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-15470

CWE-ID: CWE-400 - Uncontrolled Resource Consumption

Exploit availability: No

Description

The vulnerability allows an attacker who controls a guest domain to cause a denial of service (DoS) on the target system.

The vulnerability exists because the XenStore daemon fails to enforce the quota-maxentity limit on the number of entries a domain may own. A guest can write an unbounded number of XenStore entries, drive the daemon's memory usage without limit and bring the service down. Because every domain on the host depends on XenStore, this is a host-wide denial of service rather than a memory-corruption bug. Only hosts running oxenstored (the OCaml XenStore daemon) are affected; the C xenstored enforces the quota correctly.

Mitigation

Install update from vendor's website. Only hosts running oxenstored need the fix; check which XenStore daemon (oxenstored or xenstored) is running in dom0 before deciding whether a host is exposed.

Vulnerable software versions

Xen: 4.6.0 - 4.11.0

External links

http://xenbits.xen.org/xsa/advisory-272.html


Q & A

Can this vulnerability be exploited remotely?

No, not over the network. The attacker needs to control a guest domain on the affected host; XenStore is reached through the shared-memory ring every guest has, so neither network access to the host nor credentials on it are required.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Path traversal

EUVDB-ID: #VU14474

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-14007

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to read arbitrary files on the target system.

The vulnerability exists because the HTTP server of the XAPI toolstack does not sufficiently restrict the path requested in a URL. An attacker who can reach the management HTTP(S) interface can use directory traversal to read arbitrary files from the dom0 filesystem, including the pool secret /etc/xensource/ptoken, which grants the attacker full administrator access to the pool. Only deployments that use the XAPI toolstack (XenServer and derivatives) are affected; the hypervisor itself and the xl/libxl toolstack are not.
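As an added illustration of the bug class (this is not XAPI's code, which the advisory does not reproduce), here is a minimal C request-path resolver in its vulnerable and hardened forms. The document root, buffer sizes and the request strings are assumptions made for the example; the payload is the one the advisory describes, a walk up from the web root to the pool secret:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative resolver, not XAPI code: map a URL path onto a file under
 * `root` (given without a trailing slash) and refuse anything that would
 * escape it. Percent-encoding, "." and ".." segments, repeated slashes and
 * an embedded NUL are the cases a traversal payload relies on. */

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode in -> out (out holds strlen(in)+1 bytes). A decoded NUL
 * would silently truncate the path later, so it is rejected here. */
static bool url_decode(const char *in, char *out)
{
    while (*in) {
        int hi, lo;
        if (in[0] == '%' && (hi = hexval(in[1])) >= 0 && (lo = hexval(in[2])) >= 0) {
            char c = (char)(hi * 16 + lo);
            if (c == '\0')
                return false;
            *out++ = c;
            in += 3;
        } else {
            *out++ = *in++;
        }
    }
    *out = '\0';
    return true;
}

/* Vulnerable form: decode, then glue root and request together. The request
 * "/../../etc/xensource/ptoken" becomes "/var/www/../../etc/xensource/ptoken",
 * which the filesystem resolves to the pool secret. */
bool resolve_unsafe(const char *root, const char *url_path, char *out, size_t outlen)
{
    char decoded[512];

    if (strlen(url_path) >= sizeof decoded || !url_decode(url_path, decoded))
        return false;
    return snprintf(out, outlen, "%s%s", root, decoded) < (int)outlen;
}

/* Hardened form: decode, then canonicalise segment by segment on a stack.
 * A ".." that would pop past the root is refused rather than clamped, so the
 * caller can log the attempt. */
bool resolve_safe(const char *root, const char *url_path, char *out, size_t outlen)
{
    char decoded[512];
    const char *seg[64];
    size_t seglen[64], depth = 0, used;
    char *p;

    if (strlen(url_path) >= sizeof decoded || !url_decode(url_path, decoded))
        return false;

    for (p = decoded; *p; ) {
        while (*p == '/')
            p++;                                  /* collapse "//" */
        if (!*p)
            break;
        seg[depth] = p;
        while (*p && *p != '/')
            p++;
        seglen[depth] = (size_t)(p - seg[depth]);
        if (seglen[depth] == 1 && seg[depth][0] == '.')
            continue;                             /* "." is a no-op */
        if (seglen[depth] == 2 && seg[depth][0] == '.' && seg[depth][1] == '.') {
            if (depth == 0)
                return false;                     /* would climb above root */
            depth--;
            continue;
        }
        if (++depth == sizeof seg / sizeof seg[0])
            return false;                         /* absurdly deep path */
    }

    used = strlen(root);
    if (used >= outlen)
        return false;
    memcpy(out, root, used);
    for (size_t i = 0; i < depth; i++) {
        if (used + 1 + seglen[i] >= outlen)
            return false;
        out[used++] = '/';
        memcpy(out + used, seg[i], seglen[i]);
        used += seglen[i];
    }
    out[used] = '\0';
    return true;
}

int main(void)
{
    const char *req = "/../../etc/xensource/ptoken";
    char path[256];

    printf("unsafe: %s\n", resolve_unsafe("/var/www", req, path, sizeof path) ? path : "(rejected)");
    printf("safe:   %s\n", resolve_safe("/var/www", req, path, sizeof path) ? path : "(rejected)");
    return 0;
}
```

The order matters: decode first, then canonicalise, so that "%2e%2e" cannot slip past a check that only looks for a literal "..". A realpath(3)-based check is the usual alternative, but it needs the file to exist and still has to compare the result against the root prefix.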

Mitigation

Install update from vendor's website. The fix is in the XAPI toolstack package, not in the hypervisor. Until it is applied, keep the management HTTP(S) interface reachable only from trusted networks, and treat the pool secret as compromised if that interface has been exposed.

Vulnerable software versions

Xen: 4.6.0 - 4.11.0

External links

http://xenbits.xen.org/xsa/advisory-271.html


Q & A

Can this vulnerability be exploited remotely?

Yes. Any client that can reach the XAPI management HTTP(S) interface can exploit it without authenticating, so exposing that interface to an untrusted network turns this bug into a full compromise of the pool.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Integer overflow

EUVDB-ID: #VU14475

Risk: Low

CVSSv3.1: 7.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-15471

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows an attacker who controls a guest domain to gain elevated privileges on the target system.

The vulnerability exists in xenvif_set_hash_mapping() in drivers/net/xen-netback/hash.c, the Linux network backend driver that serves guest network frontends. The function does not correctly validate the offset and length a frontend supplies when it sets or changes the mapping of packet hashes to request queues: the bounds check adds the two frontend-controlled values, and an integer overflow in that sum lets an out-of-range request pass. A malicious or buggy frontend can therefore make the (usually privileged) backend domain perform out-of-bounds memory accesses, which can disclose arbitrary data, crash the backend, or let the guest escalate to the privileges of the backend domain. The vulnerable code is in the Linux kernel of the backend domain, not in the hypervisor.
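As an added example of the bug class (this is a model, not the netback code), the C below shows a backend validating a frontend-supplied (offset, length) update to a fixed-size mapping table, first with a check whose 32-bit sum can wrap, then with one that cannot. The table size, queue count and sample request values are hypothetical:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model, not the netback code: a backend owns a fixed-size table
 * mapping hash buckets to request queues, and the frontend (the guest) chooses
 * `off` and `len` for an update. The backend must trust neither value. */
#define MAPPING_ENTRIES 64u     /* hypothetical table size */
#define NUM_QUEUES      4u      /* hypothetical number of request queues */

static uint32_t mapping[MAPPING_ENTRIES];

/* Vulnerable check: off + len is a 32-bit sum and wraps, so a huge `off` with
 * a small `len` looks like a small, in-range request. */
bool mapping_range_ok_unsafe(uint32_t off, uint32_t len)
{
    return off + len <= MAPPING_ENTRIES;
}

/* Hardened check: no sum that can overflow. Every index off .. off+len-1 is
 * proven to be inside the table before any of them is used. */
bool mapping_range_ok_safe(uint32_t off, uint32_t len)
{
    if (len > MAPPING_ENTRIES)
        return false;
    return off <= MAPPING_ENTRIES - len;
}

/* Apply an update with the hardened check. The values are validated too: each
 * must name an existing queue, or later lookups would index out of bounds.
 * Returns the number of entries written, or -1 if the request was refused. */
int mapping_update(uint32_t off, const uint32_t *vals, uint32_t len)
{
    if (!mapping_range_ok_safe(off, len))
        return -1;
    for (uint32_t i = 0; i < len; i++)
        if (vals[i] >= NUM_QUEUES)
            return -1;
    memcpy(&mapping[off], vals, len * sizeof(*vals));   /* in bounds by construction */
    return (int)len;
}

/* Look up the queue for an entry; UINT32_MAX means "no such entry". */
uint32_t mapping_lookup(uint32_t idx)
{
    return idx < MAPPING_ENTRIES ? mapping[idx] : UINT32_MAX;
}

int main(void)
{
    /* Frontend asks for 32 entries starting just below 2^32: off + len wraps
     * to 16, which the unsafe check accepts and the safe check refuses. */
    uint32_t off = 0xFFFFFFF0u, len = 0x20u;

    printf("unsafe check accepts: %s\n", mapping_range_ok_unsafe(off, len) ? "yes" : "no");
    printf("safe check accepts:   %s\n", mapping_range_ok_safe(off, len) ? "yes" : "no");
    return 0;
}
```

The general rule the hardened version follows is to compare against the remaining space (size - len) instead of forming off + len, and to validate both the range and the contents before touching the table, so that no frontend-controlled value is ever used as an index before it has been checked.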

Mitigation

Install update from vendor's website. The vulnerable code is the xen-netback driver, so the update needed is the Linux kernel running in dom0 (or in any driver domain that hosts network backends); updating the hypervisor alone does not address this issue.

Vulnerable software versions

Xen: 4.6.0 - 4.11.0

External links

http://xenbits.xen.org/xsa/advisory-270.html


Q & A

Can this vulnerability be exploited remotely?

No, not over the network. The attacker needs to control a guest domain whose virtual network interface is served by a vulnerable Linux backend; the malicious request travels over the paravirtual netfront/netback channel, not over a network socket.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Denial of service

EUVDB-ID: #VU14476

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-15468

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows an attacker with kernel (administrator) privilege inside a guest domain to cause a denial of service (DoS) on the target system.

The vulnerability exists because the DEBUGCTL MSR contains several debugging features, some of which virtualise cleanly, but Branch Trace Store is not virtualised by the processor, so the hypervisor has to prevent guests from enabling it. Xen fails to do so: a guest kernel can write any MSR_DEBUGCTL setting it likes, including settings that lock up the entire host.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Xen: 4.6.0 - 4.11.0

External links

http://xenbits.xen.org/xsa/advisory-269.html


Q & A

Can this vulnerability be exploited remotely?

No, not over the network. The attacker needs kernel (administrator) privilege inside a guest domain on the affected host, which is what writing MSR_DEBUGCTL requires; nothing is reachable from the network.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Side-channel attack

EUVDB-ID: #VU14412

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-3646

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows an attacker who controls a guest domain to obtain potentially sensitive information belonging to the hypervisor or to other guests.

CVE-2018-3646 is the virtualisation variant of L1 Terminal Fault (L1TF), a speculative-execution flaw in how affected Intel processors perform address translation: when a page-table entry has the Present bit clear, the processor may speculatively use the address bits in that entry to read from the L1 data cache before the fault is raised. An HVM guest controls its own page tables, and the speculative read treats those address bits as a host-physical address without consulting the nested (EPT) translation, so the guest can read any data resident in the L1 data cache of the physical core it runs on, including hypervisor memory and the memory of other guests that recently ran on that core or are running on its sibling hyperthread.

Mitigation

Install update from vendor's website. The Xen update is not a complete fix on its own: the L1 data cache flush that Xen performs on entry to a guest needs microcode that provides the flush operation, and with hyperthreading enabled the sibling thread of a core can still observe data that the other thread brings into the cache. The advisory therefore recommends disabling hyperthreading on hosts that run untrusted HVM guests on shared cores; check the hypervisor's boot log after updating to confirm that the L1D flush is active.

Vulnerable software versions

Xen: 4.6.0 - 4.11.0

External links

http://xenbits.xen.org/xsa/advisory-273.html


Q & A

Can this vulnerability be exploited remotely?

No, not over the network. The attacker needs to run code in a guest domain on the affected host; the side channel is the L1 data cache of the physical core the guest runs on.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Side-channel attack

EUVDB-ID: #VU14411

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-3620

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local attacker to obtain potentially sensitive information.

CVE-2018-3620 is the operating-system variant of L1 Terminal Fault, the same speculative-execution flaw in address translation as CVE-2018-3646 above: when a page-table entry has the Present bit clear, the processor may speculatively use the address bits in that entry to read from the L1 data cache before raising the fault. Whoever controls the contents of non-present page-table entries can therefore read data left in the L1 data cache of that core. Under Xen this matters for PV guests, whose kernels supply their own page-table entries; the fix makes the hypervisor ensure that non-present entries installed by a guest never point at cacheable host memory.

Mitigation

Install update from vendor's website. The hypervisor update protects the host against PV guests; the kernel inside each guest needs its own update to protect that guest's processes from one another.

Vulnerable software versions

Xen: 4.6.0 - 4.11.0

External links

http://xenbits.xen.org/xsa/advisory-273.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited only by code already running on the system that can influence the contents of page-table entries, such as a PV guest kernel against the hypervisor or a local process against its own operating system; it needs no network access.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


