Incorrect authorization in Xen - CVE-2022-23033

 


Published: May 30, 2022 / Updated: May 30, 2022


Vulnerability identifier: #VU63797
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-23033
CWE-ID: CWE-863
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software: Xen
Software vendor: Xen Project

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the guest_physmap_remove_page() function does not remove p2m mappings. A local user who issues a set/way cache maintenance instruction and then calls the XENMEM_decrease_reservation hypercall to give memory pages back to Xen can cause information leaks, denial of service (DoS), or escalate privileges on the system.


Remediation

Install updates from the vendor's website.
