Vulnerability identifier: #VU22539
Vulnerability risk: Medium
CVSSv3.1: 6.6 [CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-362
Exploitation vector: Local network
Exploit availability: No
Vulnerable software: Xen (Server applications / Virtualization software)
Vendor: Xen Project
Description
The vulnerability allows the administrator of a guest virtual machine to escalate privileges on the host.
The vulnerability exists due to a race condition in the way the hypervisor tracks the type of PV guest page-table pages across restartable (preemptible) type change operations. Promotion and demotion of page-table pages can be interrupted and resumed, and the partial-validation state left behind (the partial flags, the PGT_pinned bit and the type references that the attached patches rework) is not handled consistently. The administrator of a malicious x86 PV guest can exploit this to escalate privileges to those of the hypervisor, which also gives access to any sensitive information on the host. Only x86 PV guests can trigger the issue; HVM and PVH guests, and Arm hosts, are not affected.
Mitigation
Applying the appropriate attached patch resolves this issue:

xsa299/*.patch         xen-unstable
xsa299-4.12/*.patch    Xen 4.12.x
xsa299-4.11/*.patch    Xen 4.11.x
xsa299-4.10/*.patch    Xen 4.10.x
xsa299-4.9/*.patch     Xen 4.9.x
xsa299-4.8/*.patch     Xen 4.8.x

$ sha256sum xsa299* xsa299*/*
687fb0f3273a424726edb4d249b79cfc45d1ef7000610405b11eaac49baecaa8  xsa299.meta
6c8f46e57f61a5e1e2e5e628a32e4c9ae144218ce475309811bb9900d3fdda48  xsa299-4.8/0001-x86-mm-Clean-up-trailing-whitespace.patch
3409e71ed7bc199bcda33892ea6f70fe257c4f3906d74b4a6f4352415daeedb0  xsa299-4.8/0002-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
1179fe0f1a591c542478bf8614501f8ddb67e342d7d452f6bff3b6a999f2b20f  xsa299-4.8/0003-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
bc0352a1d82079c4072cc3871d0d397f7abb3c0480dfc3c5c542091d2ec7d7b0  xsa299-4.8/0004-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
2b96857ef3e0f8259df7ad01600f1c30ca234668d6f26744c2ae0d3d7dded090  xsa299-4.8/0005-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
fe119a8255e23a86845fa1ac5f93afa25acdaff705061c172ea9e0589b0bc1a4  xsa299-4.8/0006-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
562415d5fdb4e173443a2aa211094743a722ef1fe5a2d19c59cb3d329e101984  xsa299-4.8/0007-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
454296ac46ea5feea8866101e7c953bf6dbd37a5275f7b006eeb6d22cbae387d  xsa299-4.8/0008-x86-mm-Always-retain-a-general-ref-on-partial.patch
f203a70da67f304c2ede516ef989b58ace6774eeee4eca919631c75f09860ba3  xsa299-4.8/0009-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
1f4877c10ead99c51d822d29ebaed9774cdb97cca869fe1a1ccf905540e291c7  xsa299-4.8/0010-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
733d260d731cce9902d66dc5b42ae9d10a319acda6dadcc426b6dfeba6e917da  xsa299-4.8/0011-x86-mm-Fix-nested-de-validation-on-error.patch
cd105c15e2fd915644cb7d31000df60e51d1054a807b575d5436ccb87c1e9a18  xsa299-4.8/0012-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
d8db456679e652f5a33a0a448d379e3a88b0cf7ce1415ee46007873cfb6f49b7  xsa299-4.9/0001-x86-mm-Clean-up-trailing-whitespace.patch
e54df901b5f13d70643938ff365a09a43725637511251efc3ac55c45b80016f5  xsa299-4.9/0002-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
8da540f32ff77f5871f646a6ef2847bc3adc2aecfa4698dcec4335b72e758616  xsa299-4.9/0003-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
e97044ffb5edcc7f1094dd47e365f2f29971cacf784d8aaa9a0e42f770ca899d  xsa299-4.9/0004-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
53977fd090d488f484e6191c6b68cbc59f771d8cf4aeb230b7b9f8ddc891a58e  xsa299-4.9/0005-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
d10b9d434d341ac380e8a9c6fc4b3ddec8baf8dec9d565c2e66867f8d05497ba  xsa299-4.9/0006-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
7e01debdbe59cfa734e63b5c9d5c2799aa25f961f0d065ce8c8bdb64d577b164  xsa299-4.9/0007-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
12f0732907547367645db6300cff959f15118b91503165dc2c66083769ac7e56  xsa299-4.9/0008-x86-mm-Always-retain-a-general-ref-on-partial.patch
06044bf56130dd845e08ed9af75f4aade186d48b1cea88d7862026bbe0bf51af  xsa299-4.9/0009-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
2fea704a716d6ff8a589fba7bf5d71443e2b52f41f591f8173d50dcb3ba9a94b  xsa299-4.9/0010-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
4bcfd94bdd77726e8ea1069081f5f544705b22752a185ee4e1f58c730a902b74  xsa299-4.9/0011-x86-mm-Fix-nested-de-validation-on-error.patch
580fa03182e40f122e3d21a5c71183b6a9500eae2afba490cf43514b75e15062  xsa299-4.9/0012-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
c3bde8f42e75c0f98c22938267f947d4729e7372510dededa3750699ac8cb2f5  xsa299-4.10/0001-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
0794fd0d20d71367977926f2393e354d4a43452a51f421616fa413acd68bf24a  xsa299-4.10/0002-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
0591cd2fa566fcec43e2aa6e1cfb92629c816e55c7548b2534c5a7a84505cd06  xsa299-4.10/0003-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
736966986c43bcdfcbf337fc87af6f430458bad5d105b33f7dfa0a1eb72f2416  xsa299-4.10/0004-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
416db71e950838dbf5d024ae9ba8bb6e6685314608543fd8df0516db7786b811  xsa299-4.10/0005-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
7d84aaf129401faa863565df084e776413dd07ec440c1a67db961b8a147651a4  xsa299-4.10/0006-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
59d37dc3cfd811bcbbedb72ca9d80eb2d460dce4e373e581c88fdb6b874b4111  xsa299-4.10/0007-x86-mm-Always-retain-a-general-ref-on-partial.patch
746156888f0dc4a75164cd668dd05fdf3d9b11cc96205785384f84ebcd1df4ae  xsa299-4.10/0008-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
bcc54d2b0653e584c89c0d219d5cd82e94c2629033ea8f1b22dfd3f373267bf5  xsa299-4.10/0009-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
4829ba66647d344f1eaad632fddab4c8c51db513d1ae18385dec195b86e76936  xsa299-4.10/0010-x86-mm-Fix-nested-de-validation-on-error.patch
7ad0b06d2748da4e4b317f4cc8c829c7fb451bf86ad778d97d231acff7cfd940  xsa299-4.10/0011-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
225fec9475b5992338ce19da982a759b3a551c653dbbb280295b00018a107d28  xsa299-4.11/0001-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
fa910f573bde107b90fef4568fa500bf875d7303ac93642ed8a135d639bf7f0e  xsa299-4.11/0002-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
f5fcf8ab6940d85fe43de61463ff00bcf17a22b94da4f2b28fa45d714b0255d0  xsa299-4.11/0003-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
e1e49d767f08889b518423935869332a40f87e824bb93a0c2707f1f99e9f0328  xsa299-4.11/0004-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
c0f5ce00516491b1f3d2eccf25fbd67d409d855e3d4b423490f1bc37b4477e87  xsa299-4.11/0005-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
4562543c497c17cc3a793f67a75824043ca3dea69ccc456bf9f5546825282f0e  xsa299-4.11/0006-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
90bc777691225eb4c55804702c2cd7f2913317b13334c27b9437ee60be672cca  xsa299-4.11/0007-x86-mm-Always-retain-a-general-ref-on-partial.patch
7903c9599ee47dc05647e5ec7a6ce3fe5e6331b527551286897429e97cf56f61  xsa299-4.11/0008-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
c1ae9bad93e11a4a9253265318b67b45865e566b17ddd7f167bb88197a9b700c  xsa299-4.11/0009-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
49a21bd396ab4af6b82aaa38dac733f4fde806587b5b126cd656f725b9c8eee7  xsa299-4.11/0010-x86-mm-Fix-nested-de-validation-on-error.patch
09df369fa52335e3e560af593d4e9843bab1da24aa1b4c905f9ea1ce8441af6e  xsa299-4.11/0011-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
d27f07eb0020181487ec9dda15c6331125d6b0505fdce1ae67c0a9b524159e11  xsa299-4.12/0001-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
00c2fb77366c427e226315cfb1cda1c67ce495ec8a0b400ff30924bc399bf283  xsa299-4.12/0002-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
bc88c216e438af9e1dddf1e5374fd1c78c9867e8908ba3016c72d999aebaea4b  xsa299-4.12/0003-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
cc6416c6311be82a2b89d5b14ceb9ecc6cb92ce9286bb03b91083c661186d28d  xsa299-4.12/0004-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
732fbb80a6fc6364945e1b6534c921d503e2369c3cd25f425096549b71f75fa0  xsa299-4.12/0005-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
20e37b3712b66111193bed02b368aff2ee0e7896dd55b5e6c928fbc97ec618b3  xsa299-4.12/0006-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
20bec098f3ad474093ce33e4ae5e8cee5ff9f8504107c8a4ff76f2731abbab13  xsa299-4.12/0007-x86-mm-Always-retain-a-general-ref-on-partial.patch
71addb8014eeb51a6adc4377aaa4b74ac611a28a6f62865f7020a536a1a9cbc5  xsa299-4.12/0008-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
71bd7d75f7878571d4ea4351ea10f487a1c1a86765f67c85a25308d5df24a40e  xsa299-4.12/0009-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
1e58d49f72c1eb158db08a17a3805e2144c0d468b6388a9a8795b67f80a699a5  xsa299-4.12/0010-x86-mm-Fix-nested-de-validation-on-error.patch
67594f941f8cecbc0ff87dfedbdbd43f4e4234d049c1a5d62143153ae96954c1  xsa299-4.12/0011-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
08179d90ea327bca328f3a45198c31166df2aa6fb459b148dd74c716c1d5bb88  xsa299/0001-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
d37e7b4dd3c9d7da14a287d9fe6807f81d95bba8bdab79b729ed5aa3350fad70  xsa299/0002-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
660fc01fb09aee7628d65d7893ec11bf77cfe79543e390656b59f0e60334d058  xsa299/0003-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
2dc6ad4233ec572ba21632ab80b6149541f3169affb792e31930e3f7c6e72fc6  xsa299/0004-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
175fd90422bf00879de2129cd1a86bbdeb1c15ff344d286ab9634bc3f1512c03  xsa299/0005-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
afa26c8850085412a787d7f0cb3031f15181ee2c9b3b1a9b4a007bff7404457f  xsa299/0006-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
6f0502b2377db2115faf9c7bcbf35898013dcec74170950c3aa7a0586ff1e174  xsa299/0007-x86-mm-Always-retain-a-general-ref-on-partial.patch
787c3eeaadfed46947fb17773fa8f9e9efe891658d7460eaf5291a4ca6155123  xsa299/0008-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
77341c4d0ab62fbb7090d2a6b60902467563ae470ac0807ef40a3ac791d2933a  xsa299/0009-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
e489f49f8783fb388161365072da585c049e05d80306cf963cec5ecbb3bc67c7  xsa299/0010-x86-mm-Fix-nested-de-validation-on-error.patch
17b9ae71c150747bff4d57eee8a918b1961e880e25ae2b9c0dbe933e005cb1a0  xsa299/0011-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
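Each series is a numbered set of patches that must be applied in order, and a patch file should never be applied until its digest has been checked against the published list. The following POSIX shell helper is an added example, not part of this advisory and not the Xen project's own tooling: it verifies one series directory against the published sha256 listing (including rejecting a stray file the list does not mention), then applies the series to a Xen source tree only after a dry run over every patch succeeds. It assumes the published listing has been saved verbatim as xsa299.sha256 (a hypothetical file name) in the directory that holds the unpacked xsa299*/ directories, and that both functions are run from that directory with GNU or busybox sha256sum and patch available.

```shell
#!/bin/sh
# Added example; not from the XSA-299 advisory or the Xen project.
# Assumption (hypothetical file name): the published "sha256sum" listing has
# been saved as xsa299.sha256 next to the unpacked xsa299*/ directories, and
# the functions below are run from that directory.

# verify_series SUMFILE SERIES
#   SERIES is a directory such as xsa299-4.12.  Returns 0 only when every
#   file of that series listed in SUMFILE is present with the published
#   digest and no unlisted *.patch file sits in the directory.
verify_series() {
    sumfile=$1
    series=${2%/}                      # tolerate a trailing slash
    list=$(mktemp) || return 1
    # Keep only this series' entries; " xsa299/" does not match " xsa299-4.12/".
    if ! grep " $series/" "$sumfile" > "$list"; then
        echo "no published checksums for $series" >&2
        rm -f "$list"
        return 1
    fi
    # sha256sum -c fails if any listed file is missing or its digest differs.
    if ! sha256sum -c "$list"; then
        rm -f "$list"
        return 1
    fi
    # A file the published list does not mention must not be applied either.
    for p in "$series"/*.patch; do
        if ! grep -q " $p\$" "$list"; then
            echo "unlisted file in series: $p" >&2
            rm -f "$list"
            return 1
        fi
    done
    rm -f "$list"
}

# apply_series SERIES XEN_SRC
#   Apply the series in its numbered order (the shell sorts the glob) to the
#   Xen source tree XEN_SRC.  A dry run over the whole series comes first,
#   so a patch that does not apply never leaves the tree half-patched.
apply_series() {
    series=${1%/}
    src=$2
    here=$(pwd)
    for p in "$series"/*.patch; do
        if ! (cd "$src" && patch -p1 --dry-run < "$here/$p") > /dev/null; then
            echo "$p does not apply cleanly to $src" >&2
            return 1
        fi
    done
    for p in "$series"/*.patch; do
        (cd "$src" && patch -p1 < "$here/$p") > /dev/null || return 1
    done
}

# Example invocation for a 4.12.x tree (the tree path is an assumption):
#   verify_series xsa299.sha256 xsa299-4.12 && apply_series xsa299-4.12 ./xen-4.12.1
```

The two-pass apply matters in practice: `patch` stops at the first hunk it cannot place, so without the dry run a failure in patch 0007 would leave 0001 to 0006 applied and the tree in a state that matches no published series.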
Vulnerable software versions
Xen: 4.8.0 - 4.12.1
External links
http://www.openwall.com/lists/oss-security/2019/10/31/3
http://xenbits.xen.org/xsa/advisory-299.html
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the local network (LAN); the attacker must control the kernel of an x86 PV guest running on the affected host.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.