Permissions, Privileges, and Access Controls in Xen - CVE-2013-4554
Published: December 24, 2013 / Updated: August 10, 2020
Xen
Detailed vulnerability description
The vulnerability allows a remote attacker to read and manipulate data.
Xen 3.0.3 through 4.1.x (possibly 4.1.6.1), 4.2.x (possibly 4.2.3), and 4.3.x (possibly 4.3.1) does not properly prevent access to hypercalls, which allows local guest users to gain privileges via a crafted application running in ring 1 or 2.
How to mitigate CVE-2013-4554
Sources
- http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00010.html
- http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00015.html
- http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00000.html
- http://lists.opensuse.org/opensuse-updates/2013-12/msg00059.html
- http://rhn.redhat.com/errata/RHSA-2014-0285.html
- http://security.gentoo.org/glsa/glsa-201407-03.xml
- http://www.openwall.com/lists/oss-security/2013/11/26/9