SB2019030601 - Multiple vulnerabilities in Xen
Published: March 6, 2019
Description
This security bulletin contains information about 9 security vulnerabilities.
1) Resource management error (CVE-ID: CVE-2019-17348)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient TLB flushing when using PCID on 64-bit x86 PV guest systems. A local user with access to the guest operating system can use a specially crafted program to crash the Xen host.
2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-17347)
The vulnerability allows a local user to escalate privileges on the guest system. The vulnerability exists due to an incorrect implementation of the hardware-supported fsgsbase feature. A local user or process on a 64-bit PV guest system can execute arbitrary code on the guest operating system with escalated privileges.
This vulnerability affects 64-bit systems that are running on Intel IvyBridge and later hardware, and AMD Steamroller and later hardware.
3) Race condition (CVE-ID: CVE-2019-17346)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a race condition when processing TLB flushing on a PCID-enabled guest system. A local user of the guest operating system can crash the host system or execute arbitrary code on other guests.
Only x86 systems with at least one PCID-enabled PV guest are vulnerable.
4) Resource management error (CVE-ID: CVE-2019-17345)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a resource management error related to page type reference counting with a failed IOMMU update. A local user of the guest operating system can use a specially crafted kernel to perform a denial of service attack against the host system.
5) Resource management error (CVE-ID: CVE-2019-17344)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a resource management error related to missing preemption in x86 PV page table unvalidation. A local user of the guest operating system can use a specially crafted kernel to perform a denial of service attack against the host system.
6) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-17343)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to insecure processing of PV domains and related configuration. An untrusted PV domain with access to a physical device can DMA into its own pagetables, leading to privilege escalation.
7) Improper access control (CVE-ID: CVE-2019-17342)
The vulnerability allows a local user to escalate privileges on the host system.
The vulnerability exists due to security violations within the page structure access control implementation introduced with the XENMEM_exchange hypercall. A local user can leak arbitrary amounts of memory or use a cooperating pair of PV and HVM/PVH guests to get a writable pagetable entry and escalate privileges on the host operating system.
8) Race condition (CVE-ID: CVE-2019-17341)
9) Memory leak (CVE-ID: CVE-2019-17340)
The vulnerability allows a local user to perform a DoS attack or escalate privileges on the target system.
The vulnerability exists due to a memory leak when processing grant table transfer requests. A local user from one domain can gain access to data stored in memory that belongs to another domain or consume all available memory resources on the system.
Successful exploitation of the vulnerability may allow an attacker to perform a denial of service attack or, in certain cases, to escalate privileges.
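Most items in this bulletin only apply to particular guest configurations (x86 PV guests for items 1, 2, 3 and 5; a PV guest with a passed-through physical device for item 6; a PV guest alongside an HVM/PVH guest for item 7), so a host administrator's first step is to check which running domains meet those preconditions and prioritise the update accordingly. The following script is an added example written for this page, not tooling from the bulletin or from the Xen project: it reads domain configurations in the JSON shape produced by `xl list -l` (the `domid`, `config.c_info.type` and `config.pcidevs` fields are assumed here from libxl's domain config format) and maps each unprivileged guest to the bulletin items whose stated preconditions it satisfies. The sample domain list, names and PCI address are constructed; "64-bit" and "PCID-enabled" cannot be read from the domain config, so PV guests are flagged for items 1 to 3 as an upper bound, and item 8, which has no description on this page, is not mapped.

```python
import json

# Constructed sample in the shape of `xl list -l` JSON. Assumption: the real
# output is a list of objects with "domid" and "config", where
# "config.c_info.type" is "pv", "hvm" or "pvh" and "config.pcidevs" lists the
# PCI devices passed through to the domain. Names, ids and the PCI address
# below are invented for this example.
SAMPLE_XL_LIST = json.dumps([
    {"domid": 0, "config": {"c_info": {"type": "pv", "name": "Domain-0"}}},
    {"domid": 3, "config": {"c_info": {"type": "hvm", "name": "win-guest"},
                            "pcidevs": []}},
    {"domid": 7, "config": {"c_info": {"type": "pv", "name": "legacy-pv"},
                            "pcidevs": [{"bdf": "0000:03:00.0"}]}},
    {"domid": 9, "config": {"c_info": {"type": "pvh", "name": "pvh-guest"}}},
])

# Preconditions as stated in the bulletin text. "64-bit" (items 1, 2) and
# "PCID-enabled" (item 3) are not visible in the domain config, so every PV
# guest is flagged for them as an upper bound. Item 8 is not described on the
# page and is therefore not mapped.
PV_ONLY_ITEMS = ["1", "2", "3", "5"]   # x86 PV guest required
PV_WITH_DEVICE_ITEM = "6"              # PV guest that can DMA via a physical device
PV_PLUS_HVM_ITEM = "7"                 # PV guest cooperating with an HVM/PVH guest
ANY_GUEST_ITEMS = ["4", "9"]           # crafted guest kernel / grant table transfer


def triage(xl_list_json):
    """Map each unprivileged domain to the bulletin items whose stated
    preconditions its configuration satisfies."""
    domains = json.loads(xl_list_json)
    # dom0 is the control domain, not an untrusted guest, so it is skipped.
    guests = [d for d in domains if d.get("domid") != 0]
    has_hvm_or_pvh = any(
        d.get("config", {}).get("c_info", {}).get("type") in ("hvm", "pvh")
        for d in guests)
    findings = []
    for d in guests:
        cfg = d.get("config", {})
        info = cfg.get("c_info", {})
        dtype = info.get("type", "unknown")
        pcidevs = cfg.get("pcidevs") or []
        items = list(ANY_GUEST_ITEMS)
        if dtype == "pv":
            items += PV_ONLY_ITEMS
            if pcidevs:
                items.append(PV_WITH_DEVICE_ITEM)
            if has_hvm_or_pvh:
                items.append(PV_PLUS_HVM_ITEM)
        findings.append({
            "name": info.get("name", "domid-%s" % d.get("domid")),
            "type": dtype,
            "pci_passthrough": len(pcidevs),
            "items": sorted(items, key=int),
        })
    return findings


def report(findings):
    """Render one line per guest as a quick patch-priority list."""
    return "\n".join(
        "%-12s %-4s pci=%d  items: %s" % (
            f["name"], f["type"], f["pci_passthrough"], ", ".join(f["items"]))
        for f in findings)


if __name__ == "__main__":
    print(report(triage(SAMPLE_XL_LIST)))
```

On a real host the input would be the output of `xl list -l` captured to a file; a guest listed with items 6 or 7 is the one to migrate or shut down first if the hypervisor update cannot be applied immediately, since those items end in host privilege escalation rather than a guest-only crash.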
Remediation
Install update from vendor's website.
References
- https://xenbits.xen.org/xsa/advisory-294.html
- https://xenbits.xen.org/xsa/advisory-293.html
- https://xenbits.xen.org/xsa/advisory-292.html
- https://xenbits.xen.org/xsa/advisory-291.html
- https://xenbits.xen.org/xsa/advisory-290.html
- https://xenbits.xen.org/xsa/advisory-288.html
- https://xenbits.xen.org/xsa/advisory-287.html
- https://xenbits.xen.org/xsa/advisory-285.html
- https://xenbits.xen.org/xsa/advisory-284.html