Main Vulnerability Database Vulnerabilities #VU32626

Information disclosure in Xen - CVE-2013-4361

Published: October 1, 2013 / Updated: July 28, 2020

Vulnerability identifier: #VU32626

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2013-4361

CWE-ID: CWE-200

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: Xen Project

Affected software:
Xen

Detailed vulnerability description

The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.

The fbld instruction emulation in Xen 3.3.x through 4.3.x does not use the correct variable for the source effective address, which allows local HVM guests to obtain hypervisor stack information by reading the values used by the instruction.

How to mitigate CVE-2013-4361

Install update from vendor's website.

Sources

http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00021.html
http://lists.opensuse.org/opensuse-updates/2013-11/msg00009.html
http://security.gentoo.org/glsa/glsa-201407-03.xml
http://www.debian.org/security/2014/dsa-3006
http://www.openwall.com/lists/oss-security/2013/09/30/3

Information disclosure in Xen - CVE-2013-4361

Detailed vulnerability description

How to mitigate CVE-2013-4361

Sources

Please verify you're human