Resource management error in Xen - CVE-2019-18423
Published: November 6, 2019
Vulnerability identifier: #VU22538
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H/E:U/U:Green
CVE-ID: CVE-2019-18423
CWE-ID: CWE-399
Exploitation vector: Adjecent network
Exploit availability:
No public exploit available
Vendor: Xen Project
Affected software:
Xen
Xen
Detailed vulnerability description
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to the p2m_get_root_pointer() function in Xen ignores the unused top bits of a guest physical frame. A remote administrator of a guest operating system can use a specially crafted hypercall XENMEM_add_to_physmap{, _batch} followed by an access to an address (via hypercall or direct access) that passes the sanity check but cause p2m_get_root_pointer() to return NULL. As a result, the attacker can crash the hypervisor from the guest operating system.
How to mitigate CVE-2019-18423
Applying the appropriate attached patch resolves this issue. xsa301-master-*.patch xen-unstable to Xen 4.12 xsa301-4.11-*.patch Xen 4.11 to Xen 4.8 $ sha256sum xsa301* c3f334d3de1fd7385a5b73edca1f979b6027595d8aa2a3fce451ee5a37d57662 xsa301.meta 1f6f76e0da4bd8cbce38a127d446593058a76565bade57672d6a00357fdc64fa xsa301-4.11-1.patch b1ea7b323f509a6150983ece24ecd38f3a9ea97a11360d7a36f715ebaf85e8b1 xsa301-4.11-2.patch 67fffdd5f827f783e8752ca779a3234d30f26df5c42844c5b2b4a34618d7a0c2 xsa301-4.11-3.patch 3dba13afd3449b85215058c596f6a60a255e5a11c6865cbcaa05e9768f535b46 xsa301-master-1.patch dbf952c2333807d5ee0fe4cccb069ddfda87e295c83a43ec46621b486b19f6e8 xsa301-master-2.patch ad544e5e2da130540d5475954b1512fc00743773cad382c4c0451fd91536287d xsa301-master-3.patch $