#VU22538 Resource management error in Xen


Published: 2019-11-06

Vulnerability identifier: #VU22538

Vulnerability risk: Medium

CVSSv3.1: 5.4 [CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18423

CWE-ID: CWE-399

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
Xen
Server applications / Virtualization software

Vendor: Xen Project

Description

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists because the p2m_get_root_pointer() function in Xen ignores the unused top bits of a guest physical frame. A remote administrator of a guest operating system can issue a specially crafted XENMEM_add_to_physmap{, _batch} hypercall followed by an access to an address (via hypercall or direct access) that passes the sanity check but causes p2m_get_root_pointer() to return NULL. As a result, the attacker can crash the hypervisor from the guest operating system.
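The flaw described above is a range-check pattern rather than anything specific to one hypercall: a lookup that masks away address bits above the supported width lets an out-of-range frame alias an in-range one, while the raw value still inflates the bound that a later sanity check compares against, so the later access reaches a code path the author assumed unreachable. The following C program is an added illustration and is not Xen's code; the p2m_t structure, the widths, the model_* functions and the return codes are all hypothetical. It places the unchecked setter beside the hardened one and shows why a lookup that returns an error on a missing root, instead of asserting, keeps the outcome a rejected access rather than a crash.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy model (not Xen's code): a guest-physical frame number (GFN)
 * selects one of ROOT_PAGES root tables by its top usable bit, then a leaf slot.
 * Widths and sizes are hypothetical and chosen only to keep the model small. */
#define IPA_BITS     40
#define PAGE_SHIFT   12
#define GFN_BITS     (IPA_BITS - PAGE_SHIFT)       /* 28 usable GFN bits */
#define GFN_MASK     ((1ULL << GFN_BITS) - 1)
#define ROOT_PAGES   2
#define ROOT_SHIFT   (GFN_BITS - 1)                /* top usable bit picks the root */
#define LEAF_ENTRIES 16

typedef struct {
    uint64_t entries[ROOT_PAGES][LEAF_ENTRIES];
    uint64_t max_mapped_gfn;                       /* used by the lookup sanity check */
} p2m_t;

/* Root selection: NULL when the GFN's root index is beyond the tables we own. */
static uint64_t *model_get_root_pointer(p2m_t *p2m, uint64_t gfn)
{
    uint64_t idx = gfn >> ROOT_SHIFT;
    return idx < ROOT_PAGES ? p2m->entries[idx] : NULL;
}

/* Flawed pattern: the setter drops bits above the usable width when picking the
 * root, so an out-of-range GFN silently aliases a valid one, while the raw GFN
 * still raises max_mapped_gfn and will later pass the lookup's sanity check. */
static int model_set_entry_unchecked(p2m_t *p2m, uint64_t gfn, uint64_t mfn)
{
    uint64_t *root = model_get_root_pointer(p2m, gfn & GFN_MASK);
    root[gfn & (LEAF_ENTRIES - 1)] = mfn;
    if (gfn > p2m->max_mapped_gfn)
        p2m->max_mapped_gfn = gfn;
    return 0;
}

/* Hardened pattern: reject any GFN with bits set above the usable width before
 * touching tables or bookkeeping, so there is no aliasing and no inflated bound. */
static int model_set_entry_checked(p2m_t *p2m, uint64_t gfn, uint64_t mfn)
{
    if (gfn & ~GFN_MASK)
        return -1;
    return model_set_entry_unchecked(p2m, gfn, mfn);  /* mask is now a no-op */
}

/* Lookup: 0 and *mfn on success, -1 above the mapped bound, -2 when no root
 * covers the GFN. A caller that treats -2 as impossible (asserts on it) turns
 * the aliasing above into a crash; returning an error keeps it a rejected access. */
static int model_lookup(p2m_t *p2m, uint64_t gfn, uint64_t *mfn)
{
    if (gfn > p2m->max_mapped_gfn)
        return -1;
    uint64_t *root = model_get_root_pointer(p2m, gfn);
    if (root == NULL)
        return -2;
    *mfn = root[gfn & (LEAF_ENTRIES - 1)];
    return 0;
}

/* Replays "map an out-of-width GFN, then look it up" with either setter.
 * Returns the setter's error if it rejects, otherwise the lookup result. */
static int model_replay(bool checked)
{
    p2m_t p2m = {0};
    uint64_t bad_gfn = (1ULL << GFN_BITS) | 0x5;   /* one bit above the width */
    uint64_t mfn = 0;
    int rc = checked ? model_set_entry_checked(&p2m, bad_gfn, 0x1234)
                     : model_set_entry_unchecked(&p2m, bad_gfn, 0x1234);
    if (rc != 0)
        return rc;
    return model_lookup(&p2m, bad_gfn, &mfn);
}

/* Shows the aliasing side effect of the unchecked setter: the mapping meant for
 * the out-of-width GFN lands on the in-range GFN 0x5. Returns that slot's mfn. */
static uint64_t model_aliased_mfn(void)
{
    p2m_t p2m = {0};
    uint64_t mfn = 0;
    model_set_entry_unchecked(&p2m, (1ULL << GFN_BITS) | 0x5, 0x1234);
    return model_lookup(&p2m, 0x5, &mfn) == 0 ? mfn : 0;
}

int main(void)
{
    printf("unchecked setter, lookup result: %d (-2 = missing root reached)\n",
           model_replay(false));
    printf("checked setter, result: %d (-1 = GFN rejected up front)\n",
           model_replay(true));
    printf("aliased in-range slot holds mfn 0x%llx\n",
           (unsigned long long)model_aliased_mfn());
    return 0;
}
```

The two defensive points the model isolates match the shape of the fix described in this bulletin: validate the full frame number against the supported width at the point where it enters the mapping code, and make the root-pointer lookup's NULL result a handled error rather than an assumed-impossible condition.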

Mitigation

Applying the appropriate attached patch resolves this issue.

xsa301-master-*.patch  xen-unstable to Xen 4.12
xsa301-4.11-*.patch    Xen 4.11 to Xen 4.8

$ sha256sum xsa301*
c3f334d3de1fd7385a5b73edca1f979b6027595d8aa2a3fce451ee5a37d57662  xsa301.meta
1f6f76e0da4bd8cbce38a127d446593058a76565bade57672d6a00357fdc64fa  xsa301-4.11-1.patch
b1ea7b323f509a6150983ece24ecd38f3a9ea97a11360d7a36f715ebaf85e8b1  xsa301-4.11-2.patch
67fffdd5f827f783e8752ca779a3234d30f26df5c42844c5b2b4a34618d7a0c2  xsa301-4.11-3.patch
3dba13afd3449b85215058c596f6a60a255e5a11c6865cbcaa05e9768f535b46  xsa301-master-1.patch
dbf952c2333807d5ee0fe4cccb069ddfda87e295c83a43ec46621b486b19f6e8  xsa301-master-2.patch
ad544e5e2da130540d5475954b1512fc00743773cad382c4c0451fd91536287d  xsa301-master-3.patch
$

Vulnerable software versions

Xen: 4.8.0 - 4.12.1


External links
http://www.openwall.com/lists/oss-security/2019/10/31/4
http://xenbits.xen.org/xsa/advisory-301.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the local network (LAN).

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
