Multiple vulnerabilities in Xen



Published: 2019-11-05
Risk: Medium
Patch available: Yes
Number of vulnerabilities: 6
CVE-ID: CVE-2019-18420, CVE-2019-18425, CVE-2019-18421, CVE-2019-18423, CVE-2019-18424, CVE-2019-18422
CWE-ID: CWE-20, CWE-264, CWE-362, CWE-399
Exploitation vector: Local network
Public exploit: N/A
Vulnerable software: Xen (Server applications / Virtualization software)

Vendor: Xen Project

Security Bulletin

This security bulletin contains information about 6 vulnerabilities.

1) Input validation error

EUVDB-ID: #VU22541

Risk: Medium

CVSSv3.1: 5.9 [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18420

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input within the VCPUOP_initialise hypercall in Xen. A remote user on a guest operating system can run a specially crafted program and perform a denial of service attack against the host operating system.

Mitigation

xsa296.patch           Xen 4.9 ... unstable
xsa296-4.8.patch       Xen 4.7 ... 4.8

$ sha256sum xsa296*
71bd433f788dd511fad90165bc5ba9bcabe949eecd912f2a616e3c996960d67d  xsa296.meta
ccfd81b162b8535d952f56b1f87dfdd960e71bf07c1cf8388976e78e2e86cde5  xsa296.patch
b283be3df6789402553172b7fd582bfffb4fa72a6b33543439bd2fb1b87bfbd4  xsa296-4.8.patch
$

Vulnerable software versions

Xen: 4.6.0 - 4.9.4

External links

http://www.openwall.com/lists/oss-security/2019/10/31/1
http://xenbits.xen.org/xsa/advisory-296.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU22540

Risk: Low

CVSSv3.1: 6.2 [CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18425

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists due to missing descriptor table limit checking in x86 PV emulation. A remote unprivileged user of a guest operating system can escalate privileges within the same guest system.

Note: only 32-bit PV guests are affected.

Mitigation

Applying the appropriate attached patch resolves this issue.

xsa298.patch           xen-unstable, Xen 4.12.x
xsa298-4.11.patch      Xen 4.11.x
xsa298-4.10.patch      Xen 4.10.x
xsa298-4.9.patch       Xen 4.9.x, Xen 4.8.x, Xen 4.7.x

$ sha256sum xsa298*
82c6f626732f99711212155b280270fe2f6683460299b1a6fc3f70b3932970ce  xsa298.meta
3f422ad83abb54fe6afed460a5982cf1faa1717e51ab19fbf2375be1b5f8f4a3  xsa298.patch
da8d5bad97a46c072dd1715c96401b145cecda14f0303043e6dca313e7ffff0c  xsa298-4.9.patch
92dba14b6a208379c2569b9c1c11438da384ec47db2508b4761af30d74a9403d  xsa298-4.10.patch
d2d8eb5de5601b88f2a6503ecf6bb83207e4b2f17833d61a74fcd185ac7f5a71  xsa298-4.11.patch
$

Vulnerable software versions

Xen: 4.7.0 - 4.12.1

External links

http://www.openwall.com/lists/oss-security/2019/10/31/2
http://xenbits.xen.org/xsa/advisory-298.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Race condition

EUVDB-ID: #VU22539

Risk: Medium

CVSSv3.1: 6.6 [CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18421

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists due to a race condition when handling restartable PV type change operations. A remote administrator of a guest operating system can exploit the race and gain unauthorized access to sensitive information and escalate privileges on the system.

Mitigation

Applying the appropriate attached patch resolves this issue.

xsa299/*.patch           xen-unstable
xsa299-4.12/*.patch      Xen 4.12.x
xsa299-4.11/*.patch      Xen 4.11.x
xsa299-4.10/*.patch      Xen 4.10.x
xsa299-4.9/*.patch       Xen 4.9.x
xsa299-4.8/*.patch       Xen 4.8.x

$ sha256sum xsa299* xsa299*/*
687fb0f3273a424726edb4d249b79cfc45d1ef7000610405b11eaac49baecaa8  xsa299.meta
6c8f46e57f61a5e1e2e5e628a32e4c9ae144218ce475309811bb9900d3fdda48  xsa299-4.8/0001-x86-mm-Clean-up-trailing-whitespace.patch
3409e71ed7bc199bcda33892ea6f70fe257c4f3906d74b4a6f4352415daeedb0  xsa299-4.8/0002-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
1179fe0f1a591c542478bf8614501f8ddb67e342d7d452f6bff3b6a999f2b20f  xsa299-4.8/0003-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
bc0352a1d82079c4072cc3871d0d397f7abb3c0480dfc3c5c542091d2ec7d7b0  xsa299-4.8/0004-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
2b96857ef3e0f8259df7ad01600f1c30ca234668d6f26744c2ae0d3d7dded090  xsa299-4.8/0005-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
fe119a8255e23a86845fa1ac5f93afa25acdaff705061c172ea9e0589b0bc1a4  xsa299-4.8/0006-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
562415d5fdb4e173443a2aa211094743a722ef1fe5a2d19c59cb3d329e101984  xsa299-4.8/0007-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
454296ac46ea5feea8866101e7c953bf6dbd37a5275f7b006eeb6d22cbae387d  xsa299-4.8/0008-x86-mm-Always-retain-a-general-ref-on-partial.patch
f203a70da67f304c2ede516ef989b58ace6774eeee4eca919631c75f09860ba3  xsa299-4.8/0009-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
1f4877c10ead99c51d822d29ebaed9774cdb97cca869fe1a1ccf905540e291c7  xsa299-4.8/0010-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
733d260d731cce9902d66dc5b42ae9d10a319acda6dadcc426b6dfeba6e917da  xsa299-4.8/0011-x86-mm-Fix-nested-de-validation-on-error.patch
cd105c15e2fd915644cb7d31000df60e51d1054a807b575d5436ccb87c1e9a18  xsa299-4.8/0012-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
d8db456679e652f5a33a0a448d379e3a88b0cf7ce1415ee46007873cfb6f49b7  xsa299-4.9/0001-x86-mm-Clean-up-trailing-whitespace.patch
e54df901b5f13d70643938ff365a09a43725637511251efc3ac55c45b80016f5  xsa299-4.9/0002-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
8da540f32ff77f5871f646a6ef2847bc3adc2aecfa4698dcec4335b72e758616  xsa299-4.9/0003-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
e97044ffb5edcc7f1094dd47e365f2f29971cacf784d8aaa9a0e42f770ca899d  xsa299-4.9/0004-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
53977fd090d488f484e6191c6b68cbc59f771d8cf4aeb230b7b9f8ddc891a58e  xsa299-4.9/0005-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
d10b9d434d341ac380e8a9c6fc4b3ddec8baf8dec9d565c2e66867f8d05497ba  xsa299-4.9/0006-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
7e01debdbe59cfa734e63b5c9d5c2799aa25f961f0d065ce8c8bdb64d577b164  xsa299-4.9/0007-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
12f0732907547367645db6300cff959f15118b91503165dc2c66083769ac7e56  xsa299-4.9/0008-x86-mm-Always-retain-a-general-ref-on-partial.patch
06044bf56130dd845e08ed9af75f4aade186d48b1cea88d7862026bbe0bf51af  xsa299-4.9/0009-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
2fea704a716d6ff8a589fba7bf5d71443e2b52f41f591f8173d50dcb3ba9a94b  xsa299-4.9/0010-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
4bcfd94bdd77726e8ea1069081f5f544705b22752a185ee4e1f58c730a902b74  xsa299-4.9/0011-x86-mm-Fix-nested-de-validation-on-error.patch
580fa03182e40f122e3d21a5c71183b6a9500eae2afba490cf43514b75e15062  xsa299-4.9/0012-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
c3bde8f42e75c0f98c22938267f947d4729e7372510dededa3750699ac8cb2f5  xsa299-4.10/0001-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
0794fd0d20d71367977926f2393e354d4a43452a51f421616fa413acd68bf24a  xsa299-4.10/0002-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
0591cd2fa566fcec43e2aa6e1cfb92629c816e55c7548b2534c5a7a84505cd06  xsa299-4.10/0003-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
736966986c43bcdfcbf337fc87af6f430458bad5d105b33f7dfa0a1eb72f2416  xsa299-4.10/0004-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
416db71e950838dbf5d024ae9ba8bb6e6685314608543fd8df0516db7786b811  xsa299-4.10/0005-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
7d84aaf129401faa863565df084e776413dd07ec440c1a67db961b8a147651a4  xsa299-4.10/0006-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
59d37dc3cfd811bcbbedb72ca9d80eb2d460dce4e373e581c88fdb6b874b4111  xsa299-4.10/0007-x86-mm-Always-retain-a-general-ref-on-partial.patch
746156888f0dc4a75164cd668dd05fdf3d9b11cc96205785384f84ebcd1df4ae  xsa299-4.10/0008-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
bcc54d2b0653e584c89c0d219d5cd82e94c2629033ea8f1b22dfd3f373267bf5  xsa299-4.10/0009-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
4829ba66647d344f1eaad632fddab4c8c51db513d1ae18385dec195b86e76936  xsa299-4.10/0010-x86-mm-Fix-nested-de-validation-on-error.patch
7ad0b06d2748da4e4b317f4cc8c829c7fb451bf86ad778d97d231acff7cfd940  xsa299-4.10/0011-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
225fec9475b5992338ce19da982a759b3a551c653dbbb280295b00018a107d28  xsa299-4.11/0001-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
fa910f573bde107b90fef4568fa500bf875d7303ac93642ed8a135d639bf7f0e  xsa299-4.11/0002-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
f5fcf8ab6940d85fe43de61463ff00bcf17a22b94da4f2b28fa45d714b0255d0  xsa299-4.11/0003-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
e1e49d767f08889b518423935869332a40f87e824bb93a0c2707f1f99e9f0328  xsa299-4.11/0004-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
c0f5ce00516491b1f3d2eccf25fbd67d409d855e3d4b423490f1bc37b4477e87  xsa299-4.11/0005-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
4562543c497c17cc3a793f67a75824043ca3dea69ccc456bf9f5546825282f0e  xsa299-4.11/0006-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
90bc777691225eb4c55804702c2cd7f2913317b13334c27b9437ee60be672cca  xsa299-4.11/0007-x86-mm-Always-retain-a-general-ref-on-partial.patch
7903c9599ee47dc05647e5ec7a6ce3fe5e6331b527551286897429e97cf56f61  xsa299-4.11/0008-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
c1ae9bad93e11a4a9253265318b67b45865e566b17ddd7f167bb88197a9b700c  xsa299-4.11/0009-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
49a21bd396ab4af6b82aaa38dac733f4fde806587b5b126cd656f725b9c8eee7  xsa299-4.11/0010-x86-mm-Fix-nested-de-validation-on-error.patch
09df369fa52335e3e560af593d4e9843bab1da24aa1b4c905f9ea1ce8441af6e  xsa299-4.11/0011-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
d27f07eb0020181487ec9dda15c6331125d6b0505fdce1ae67c0a9b524159e11  xsa299-4.12/0001-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
00c2fb77366c427e226315cfb1cda1c67ce495ec8a0b400ff30924bc399bf283  xsa299-4.12/0002-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
bc88c216e438af9e1dddf1e5374fd1c78c9867e8908ba3016c72d999aebaea4b  xsa299-4.12/0003-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
cc6416c6311be82a2b89d5b14ceb9ecc6cb92ce9286bb03b91083c661186d28d  xsa299-4.12/0004-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
732fbb80a6fc6364945e1b6534c921d503e2369c3cd25f425096549b71f75fa0  xsa299-4.12/0005-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
20e37b3712b66111193bed02b368aff2ee0e7896dd55b5e6c928fbc97ec618b3  xsa299-4.12/0006-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
20bec098f3ad474093ce33e4ae5e8cee5ff9f8504107c8a4ff76f2731abbab13  xsa299-4.12/0007-x86-mm-Always-retain-a-general-ref-on-partial.patch
71addb8014eeb51a6adc4377aaa4b74ac611a28a6f62865f7020a536a1a9cbc5  xsa299-4.12/0008-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
71bd7d75f7878571d4ea4351ea10f487a1c1a86765f67c85a25308d5df24a40e  xsa299-4.12/0009-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
1e58d49f72c1eb158db08a17a3805e2144c0d468b6388a9a8795b67f80a699a5  xsa299-4.12/0010-x86-mm-Fix-nested-de-validation-on-error.patch
67594f941f8cecbc0ff87dfedbdbd43f4e4234d049c1a5d62143153ae96954c1  xsa299-4.12/0011-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
08179d90ea327bca328f3a45198c31166df2aa6fb459b148dd74c716c1d5bb88  xsa299/0001-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
d37e7b4dd3c9d7da14a287d9fe6807f81d95bba8bdab79b729ed5aa3350fad70  xsa299/0002-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
660fc01fb09aee7628d65d7893ec11bf77cfe79543e390656b59f0e60334d058  xsa299/0003-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
2dc6ad4233ec572ba21632ab80b6149541f3169affb792e31930e3f7c6e72fc6  xsa299/0004-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
175fd90422bf00879de2129cd1a86bbdeb1c15ff344d286ab9634bc3f1512c03  xsa299/0005-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
afa26c8850085412a787d7f0cb3031f15181ee2c9b3b1a9b4a007bff7404457f  xsa299/0006-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
6f0502b2377db2115faf9c7bcbf35898013dcec74170950c3aa7a0586ff1e174  xsa299/0007-x86-mm-Always-retain-a-general-ref-on-partial.patch
787c3eeaadfed46947fb17773fa8f9e9efe891658d7460eaf5291a4ca6155123  xsa299/0008-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
77341c4d0ab62fbb7090d2a6b60902467563ae470ac0807ef40a3ac791d2933a  xsa299/0009-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
e489f49f8783fb388161365072da585c049e05d80306cf963cec5ecbb3bc67c7  xsa299/0010-x86-mm-Fix-nested-de-validation-on-error.patch
17b9ae71c150747bff4d57eee8a918b1961e880e25ae2b9c0dbe933e005cb1a0  xsa299/0011-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
$

Vulnerable software versions

Xen: 4.8.0 - 4.12.1

External links

http://www.openwall.com/lists/oss-security/2019/10/31/3
http://xenbits.xen.org/xsa/advisory-299.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the local network (LAN).

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Resource management error

EUVDB-ID: #VU22538

Risk: Medium

CVSSv3.1: 5.4 [CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18423

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists because the p2m_get_root_pointer() function in Xen ignores the unused top bits of a guest physical frame. A remote administrator of a guest operating system can issue a specially crafted XENMEM_add_to_physmap{, _batch} hypercall followed by an access to an address (via hypercall or direct access) that passes the sanity check but causes p2m_get_root_pointer() to return NULL. As a result, the attacker can crash the hypervisor from the guest operating system.

Mitigation

Applying the appropriate attached patch resolves this issue.

xsa301-master-*.patch  xen-unstable to Xen 4.12
xsa301-4.11-*.patch    Xen 4.11 to Xen 4.8

$ sha256sum xsa301*
c3f334d3de1fd7385a5b73edca1f979b6027595d8aa2a3fce451ee5a37d57662  xsa301.meta
1f6f76e0da4bd8cbce38a127d446593058a76565bade57672d6a00357fdc64fa  xsa301-4.11-1.patch
b1ea7b323f509a6150983ece24ecd38f3a9ea97a11360d7a36f715ebaf85e8b1  xsa301-4.11-2.patch
67fffdd5f827f783e8752ca779a3234d30f26df5c42844c5b2b4a34618d7a0c2  xsa301-4.11-3.patch
3dba13afd3449b85215058c596f6a60a255e5a11c6865cbcaa05e9768f535b46  xsa301-master-1.patch
dbf952c2333807d5ee0fe4cccb069ddfda87e295c83a43ec46621b486b19f6e8  xsa301-master-2.patch
ad544e5e2da130540d5475954b1512fc00743773cad382c4c0451fd91536287d  xsa301-master-3.patch
$

Vulnerable software versions

Xen: 4.8.0 - 4.12.1

External links

http://www.openwall.com/lists/oss-security/2019/10/31/4
http://xenbits.xen.org/xsa/advisory-301.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the local network (LAN).

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU22537

Risk: Low

CVSSv3.1: 5.5 [CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18424

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing assignment of PCI devices. A privileged user of a guest operating system can program the PCI device to directly access host memory. Once the PCI device is deassigned, the code will be written into host memory. A remote attacker can corrupt host memory and perform a denial of service attack or escalate privileges on the system.

Mitigation

Applying the appropriate attached patchset should resolve this issue.
For Xen 4.9 and earlier at least the first patch of XSA-299
(whitespace cleanup) is also needed for XSA-302 to apply.

Unfortunately, at the time of writing, these patches have not been
tested to our satisfaction.

The patches are known to break on ARM.  ARM is not affected by the
issue, so do not apply these patches on ARM systems.  (On x86, there
is a latent bug but the patches are good to use.)

xsa302/*.patch         xen-unstable
xsa302-4.12/*.patch    Xen 4.12.x
xsa302-4.11/*.patch    Xen 4.11.x
xsa302-4.10/*.patch    Xen 4.10.x
xsa302-4.9/*.patch     Xen 4.9.x, Xen 4.8.x

$ sha256sum xsa302* xsa302*/*
d722d1bed2440a5d35f0fd041e4a77966b7d26980a0f874d38d48710db0b9ebd  xsa302.meta
703faced133ca21142f484acd8cf16578258e12ae0cf1413a5d9252f1e099465  xsa302-4.9/0001-IOMMU-add-missing-HVM-check.patch
edb4753b91fa66e2f4b51d0075d106fc28d8451241ba482a33c2db4be53f21d1  xsa302-4.9/0002-passthrough-quarantine-PCI-devices.patch
3c79107d8fd94807543443192fb31f3d188912c208f4dbda61f1f2ff92701afc  xsa302-4.10/0001-IOMMU-add-missing-HVM-check.patch
2a76add5a907baf0217e57e2a4dca91a6a8ce84c67b9ff87be1bcbb1f29efdc6  xsa302-4.10/0002-passthrough-quarantine-PCI-devices.patch
a75723160c52c2c65d563905d0904b587beda1cfb6ca3ee18fb70e79818d3faa  xsa302-4.11/0001-IOMMU-add-missing-HVM-check.patch
48b9dae7adbe2438dcaa00f969532d835061cb4a06ab2bf47ada2afb644de4c5  xsa302-4.11/0002-passthrough-quarantine-PCI-devices.patch
a21efa6cae14e87318ca3927f0ac310aee2dd1323f2dbf040c0fe80789d78712  xsa302-4.12/0001-IOMMU-add-missing-HVM-check.patch
0a95f750ad1d5eb1838b6488e4ac188acdc2e568eb21b26306d5af2980bffb58  xsa302-4.12/0002-passthrough-quarantine-PCI-devices.patch
11d7015960eab265b1f9ce372dd14597b6c4cc7907d77ed3eed14d161dd50e5c  xsa302/0001-passthrough-quarantine-PCI-devices.patch
$

Vulnerable software versions

Xen: 4.8.0 - 4.12.1

External links

http://www.openwall.com/lists/oss-security/2019/10/31/6
http://xenbits.xen.org/xsa/advisory-302.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the local network (LAN).

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Resource management error

EUVDB-ID: #VU22536

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18422

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack or possibly escalate privileges.

The vulnerability exists due to the way Xen handles exceptions on ARM systems that do not change processor level. A local user can force critical Xen code to run with interrupts erroneously enabled during exception entry, which may lead to data corruption, denial of service and potential privilege escalation.

Note: the vulnerability affects ARM systems only.

Mitigation

Applying the appropriate attached patch resolves this issue.

xsa303/*.patch         xen-unstable .. Xen 4.9
xsa303-4.8/*.patch     Xen 4.8

$ sha256sum xsa303* xsa303*/*
66b3eb28cfa633999da7480a37cd919293eb87aa730e7bc58b12c47bcdb0c9c0  xsa303.meta
7769eee9b876cdb7dde2ec664d34a5067f9b639d5c543ee89ff2eda818f04cab  xsa303-4.8/0001-Revert-xen-arm32-entry-Consolidate-DEFINE_TRAP_ENTRY.patch
f1337aa8c4b38f4ab61e7206c7bd8f5c782583947d9b9e1e8c6f139db73ca2cb  xsa303-4.8/0002-xen-arm32-entry-Consolidate-DEFINE_TRAP_ENTRY-macros.patch
160ea6acfba85faf1cbb670b0a3873f025c0dab388f73018a22a61104e1a5fe1  xsa303-4.8/0003-xen-arm32-entry-Fold-the-macro-SAVE_ALL-in-the-macro.patch
2cc1e3282263f03c6b9c6e05039f84173b8dbc893a2cd88f80ce2275ff7478d8  xsa303-4.8/0004-xen-arm32-Don-t-blindly-unmask-interrupts-on-trap-wi.patch
63c4a90c45ae28032e0149353cafd495cce5caa8c84ad022d21b8078710e996d  xsa303-4.8/0005-xen-arm64-Don-t-blindly-unmask-interrupts-on-trap-wi.patch
4da48a29aaad85a410021952b2b3cb4dae14365c688e724ed7fc80feea1334df  xsa303/0001-xen-arm32-entry-Split-__DEFINE_ENTRY_TRAP-in-two.patch
99773cbfb6f0df5f0c83477c9dcd39127cb361213455bd2cb1f6bcfe4566d5a2  xsa303/0002-xen-arm32-entry-Fold-the-macro-SAVE_ALL-in-the-macro.patch
9e8241c311aa8da7fcb1da09b9d8b5a55c26a10f02355e37e97d1e7a3b6db7be  xsa303/0003-xen-arm32-Don-t-blindly-unmask-interrupts-on-trap-wi.patch
4c9bc0d0b27eff06f65f1a679263ffbcc8aa4c65117840284dc115ae49e7966d  xsa303/0004-xen-arm64-Don-t-blindly-unmask-interrupts-on-trap-wi.patch
$
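Each of the six mitigation sections above (XSA-296, 298, 299, 301, 302 and 303) publishes the SHA-256 digests of its patch files in sha256sum format. The script below is an added example, not part of this bulletin or of the Xen Project's advisories: it checks downloaded patch files against those published digests so that a corrupted or tampered download is caught before anything is applied. It assumes the advisory's `<sha256>  <path>` lines have been saved to a manifest file (the manifest name is the operator's choice) and that the patch files sit at the paths the advisory lists, relative to the working directory.

```shell
#!/bin/sh
# Added example (not from the bulletin or the Xen advisories): verify XSA patch
# files against the SHA-256 digests published in the advisory before applying.

# verify_patch FILE EXPECTED_SHA256
# Returns 0 when the file's digest equals EXPECTED_SHA256, 1 otherwise
# (including when the file is missing). Uses sha256sum (coreutils) when
# available and falls back to shasum -a 256 (macOS/BSD).
verify_patch() {
    file=$1
    expected=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$file" | cut -d' ' -f1)
    fi
    if [ "$actual" = "$expected" ]; then
        echo "ok: $file"
        return 0
    fi
    echo "MISMATCH: $file (expected $expected, got $actual)" >&2
    return 1
}

# verify_manifest MANIFEST
# MANIFEST holds "<sha256>  <path>" lines exactly as the advisories print them
# (the xsa296.meta line may be dropped if the .meta file was not downloaded).
# Every listed file is checked; the function succeeds only if all of them match,
# so one bad file blocks the whole patch set rather than just that file.
verify_manifest() {
    failures=0
    while read -r expected path; do
        [ -n "$expected" ] || continue        # skip blank lines
        verify_patch "$path" "$expected" || failures=$((failures + 1))
    done < "$1"
    [ "$failures" -eq 0 ]
}

# Typical use from the directory holding the downloaded patches, with the
# advisory's sha256sum lines saved as xsa296.sha256 (name assumed):
#   verify_manifest xsa296.sha256 && apply the patch with your usual workflow
```

The manifest is deliberately the advisory's own sha256sum output copied verbatim, so there is no hand-retyping of 64-character digests; compare the saved lines against the advisory page (or the signed advisory on xenbits) rather than trusting a mirror.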

Vulnerable software versions

Xen: 4.8.0 - 4.9.4

External links

http://www.openwall.com/lists/oss-security/2019/10/31/5
http://xenbits.xen.org/xsa/advisory-303.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


