Vulnerability identifier: #VU22538
Vulnerability risk: Medium
CVSSv3.1: 5.4 [CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-399
Exploitation vector: Local network
Exploit availability: No
Vulnerable software: Xen (Server applications / Virtualization software)
Vendor: Xen Project
Description
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists because the p2m_get_root_pointer() function in Xen ignores the unused top bits of a guest physical frame. A remote administrator of a guest operating system can issue a specially crafted XENMEM_add_to_physmap{, _batch} hypercall followed by an access to an address (via hypercall or direct access) that passes the sanity check but causes p2m_get_root_pointer() to return NULL. As a result, the attacker can crash the hypervisor from the guest operating system.
Mitigation
Applying the appropriate attached patch resolves this issue.
xsa301-master-*.patch: xen-unstable to Xen 4.12
xsa301-4.11-*.patch: Xen 4.11 to Xen 4.8
$ sha256sum xsa301*
c3f334d3de1fd7385a5b73edca1f979b6027595d8aa2a3fce451ee5a37d57662 xsa301.meta
1f6f76e0da4bd8cbce38a127d446593058a76565bade57672d6a00357fdc64fa xsa301-4.11-1.patch
b1ea7b323f509a6150983ece24ecd38f3a9ea97a11360d7a36f715ebaf85e8b1 xsa301-4.11-2.patch
67fffdd5f827f783e8752ca779a3234d30f26df5c42844c5b2b4a34618d7a0c2 xsa301-4.11-3.patch
3dba13afd3449b85215058c596f6a60a255e5a11c6865cbcaa05e9768f535b46 xsa301-master-1.patch
dbf952c2333807d5ee0fe4cccb069ddfda87e295c83a43ec46621b486b19f6e8 xsa301-master-2.patch
ad544e5e2da130540d5475954b1512fc00743773cad382c4c0451fd91536287d xsa301-master-3.patch
$
Vulnerable software versions
Xen: 4.8.0 - 4.12.1
External links
http://www.openwall.com/lists/oss-security/2019/10/31/4
http://xenbits.xen.org/xsa/advisory-301.html
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the local network (LAN).
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.