#VU22539 Race condition in Xen


Published: 2019-11-06

Vulnerability identifier: #VU22539

Vulnerability risk: Medium

CVSSv3.1: 6.6 [CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18421

CWE-ID: CWE-362

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
Xen
Server applications / Virtualization software

Vendor: Xen Project

Description

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists due to a race condition in the handling of restartable PV (paravirtualized guest) type change operations. A remote administrator of a guest operating system can exploit the race to gain unauthorized access to sensitive information and escalate privileges on the system.

Mitigation

Applying the appropriate attached patch resolves this issue.

xsa299/*.patch           xen-unstable
xsa299-4.12/*.patch      Xen 4.12.x
xsa299-4.11/*.patch      Xen 4.11.x
xsa299-4.10/*.patch      Xen 4.10.x
xsa299-4.9/*.patch       Xen 4.9.x
xsa299-4.8/*.patch       Xen 4.8.x

$ sha256sum xsa299* xsa299*/*
687fb0f3273a424726edb4d249b79cfc45d1ef7000610405b11eaac49baecaa8  xsa299.meta
6c8f46e57f61a5e1e2e5e628a32e4c9ae144218ce475309811bb9900d3fdda48  xsa299-4.8/0001-x86-mm-Clean-up-trailing-whitespace.patch
3409e71ed7bc199bcda33892ea6f70fe257c4f3906d74b4a6f4352415daeedb0  xsa299-4.8/0002-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
1179fe0f1a591c542478bf8614501f8ddb67e342d7d452f6bff3b6a999f2b20f  xsa299-4.8/0003-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
bc0352a1d82079c4072cc3871d0d397f7abb3c0480dfc3c5c542091d2ec7d7b0  xsa299-4.8/0004-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
2b96857ef3e0f8259df7ad01600f1c30ca234668d6f26744c2ae0d3d7dded090  xsa299-4.8/0005-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
fe119a8255e23a86845fa1ac5f93afa25acdaff705061c172ea9e0589b0bc1a4  xsa299-4.8/0006-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
562415d5fdb4e173443a2aa211094743a722ef1fe5a2d19c59cb3d329e101984  xsa299-4.8/0007-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
454296ac46ea5feea8866101e7c953bf6dbd37a5275f7b006eeb6d22cbae387d  xsa299-4.8/0008-x86-mm-Always-retain-a-general-ref-on-partial.patch
f203a70da67f304c2ede516ef989b58ace6774eeee4eca919631c75f09860ba3  xsa299-4.8/0009-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
1f4877c10ead99c51d822d29ebaed9774cdb97cca869fe1a1ccf905540e291c7  xsa299-4.8/0010-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
733d260d731cce9902d66dc5b42ae9d10a319acda6dadcc426b6dfeba6e917da  xsa299-4.8/0011-x86-mm-Fix-nested-de-validation-on-error.patch
cd105c15e2fd915644cb7d31000df60e51d1054a807b575d5436ccb87c1e9a18  xsa299-4.8/0012-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
d8db456679e652f5a33a0a448d379e3a88b0cf7ce1415ee46007873cfb6f49b7  xsa299-4.9/0001-x86-mm-Clean-up-trailing-whitespace.patch
e54df901b5f13d70643938ff365a09a43725637511251efc3ac55c45b80016f5  xsa299-4.9/0002-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
8da540f32ff77f5871f646a6ef2847bc3adc2aecfa4698dcec4335b72e758616  xsa299-4.9/0003-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
e97044ffb5edcc7f1094dd47e365f2f29971cacf784d8aaa9a0e42f770ca899d  xsa299-4.9/0004-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
53977fd090d488f484e6191c6b68cbc59f771d8cf4aeb230b7b9f8ddc891a58e  xsa299-4.9/0005-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
d10b9d434d341ac380e8a9c6fc4b3ddec8baf8dec9d565c2e66867f8d05497ba  xsa299-4.9/0006-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
7e01debdbe59cfa734e63b5c9d5c2799aa25f961f0d065ce8c8bdb64d577b164  xsa299-4.9/0007-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
12f0732907547367645db6300cff959f15118b91503165dc2c66083769ac7e56  xsa299-4.9/0008-x86-mm-Always-retain-a-general-ref-on-partial.patch
06044bf56130dd845e08ed9af75f4aade186d48b1cea88d7862026bbe0bf51af  xsa299-4.9/0009-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
2fea704a716d6ff8a589fba7bf5d71443e2b52f41f591f8173d50dcb3ba9a94b  xsa299-4.9/0010-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
4bcfd94bdd77726e8ea1069081f5f544705b22752a185ee4e1f58c730a902b74  xsa299-4.9/0011-x86-mm-Fix-nested-de-validation-on-error.patch
580fa03182e40f122e3d21a5c71183b6a9500eae2afba490cf43514b75e15062  xsa299-4.9/0012-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
c3bde8f42e75c0f98c22938267f947d4729e7372510dededa3750699ac8cb2f5  xsa299-4.10/0001-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
0794fd0d20d71367977926f2393e354d4a43452a51f421616fa413acd68bf24a  xsa299-4.10/0002-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
0591cd2fa566fcec43e2aa6e1cfb92629c816e55c7548b2534c5a7a84505cd06  xsa299-4.10/0003-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
736966986c43bcdfcbf337fc87af6f430458bad5d105b33f7dfa0a1eb72f2416  xsa299-4.10/0004-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
416db71e950838dbf5d024ae9ba8bb6e6685314608543fd8df0516db7786b811  xsa299-4.10/0005-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
7d84aaf129401faa863565df084e776413dd07ec440c1a67db961b8a147651a4  xsa299-4.10/0006-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
59d37dc3cfd811bcbbedb72ca9d80eb2d460dce4e373e581c88fdb6b874b4111  xsa299-4.10/0007-x86-mm-Always-retain-a-general-ref-on-partial.patch
746156888f0dc4a75164cd668dd05fdf3d9b11cc96205785384f84ebcd1df4ae  xsa299-4.10/0008-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
bcc54d2b0653e584c89c0d219d5cd82e94c2629033ea8f1b22dfd3f373267bf5  xsa299-4.10/0009-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
4829ba66647d344f1eaad632fddab4c8c51db513d1ae18385dec195b86e76936  xsa299-4.10/0010-x86-mm-Fix-nested-de-validation-on-error.patch
7ad0b06d2748da4e4b317f4cc8c829c7fb451bf86ad778d97d231acff7cfd940  xsa299-4.10/0011-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
225fec9475b5992338ce19da982a759b3a551c653dbbb280295b00018a107d28  xsa299-4.11/0001-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
fa910f573bde107b90fef4568fa500bf875d7303ac93642ed8a135d639bf7f0e  xsa299-4.11/0002-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
f5fcf8ab6940d85fe43de61463ff00bcf17a22b94da4f2b28fa45d714b0255d0  xsa299-4.11/0003-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
e1e49d767f08889b518423935869332a40f87e824bb93a0c2707f1f99e9f0328  xsa299-4.11/0004-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
c0f5ce00516491b1f3d2eccf25fbd67d409d855e3d4b423490f1bc37b4477e87  xsa299-4.11/0005-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
4562543c497c17cc3a793f67a75824043ca3dea69ccc456bf9f5546825282f0e  xsa299-4.11/0006-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
90bc777691225eb4c55804702c2cd7f2913317b13334c27b9437ee60be672cca  xsa299-4.11/0007-x86-mm-Always-retain-a-general-ref-on-partial.patch
7903c9599ee47dc05647e5ec7a6ce3fe5e6331b527551286897429e97cf56f61  xsa299-4.11/0008-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
c1ae9bad93e11a4a9253265318b67b45865e566b17ddd7f167bb88197a9b700c  xsa299-4.11/0009-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
49a21bd396ab4af6b82aaa38dac733f4fde806587b5b126cd656f725b9c8eee7  xsa299-4.11/0010-x86-mm-Fix-nested-de-validation-on-error.patch
09df369fa52335e3e560af593d4e9843bab1da24aa1b4c905f9ea1ce8441af6e  xsa299-4.11/0011-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
d27f07eb0020181487ec9dda15c6331125d6b0505fdce1ae67c0a9b524159e11  xsa299-4.12/0001-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
00c2fb77366c427e226315cfb1cda1c67ce495ec8a0b400ff30924bc399bf283  xsa299-4.12/0002-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
bc88c216e438af9e1dddf1e5374fd1c78c9867e8908ba3016c72d999aebaea4b  xsa299-4.12/0003-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
cc6416c6311be82a2b89d5b14ceb9ecc6cb92ce9286bb03b91083c661186d28d  xsa299-4.12/0004-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
732fbb80a6fc6364945e1b6534c921d503e2369c3cd25f425096549b71f75fa0  xsa299-4.12/0005-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
20e37b3712b66111193bed02b368aff2ee0e7896dd55b5e6c928fbc97ec618b3  xsa299-4.12/0006-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
20bec098f3ad474093ce33e4ae5e8cee5ff9f8504107c8a4ff76f2731abbab13  xsa299-4.12/0007-x86-mm-Always-retain-a-general-ref-on-partial.patch
71addb8014eeb51a6adc4377aaa4b74ac611a28a6f62865f7020a536a1a9cbc5  xsa299-4.12/0008-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
71bd7d75f7878571d4ea4351ea10f487a1c1a86765f67c85a25308d5df24a40e  xsa299-4.12/0009-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
1e58d49f72c1eb158db08a17a3805e2144c0d468b6388a9a8795b67f80a699a5  xsa299-4.12/0010-x86-mm-Fix-nested-de-validation-on-error.patch
67594f941f8cecbc0ff87dfedbdbd43f4e4234d049c1a5d62143153ae96954c1  xsa299-4.12/0011-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
08179d90ea327bca328f3a45198c31166df2aa6fb459b148dd74c716c1d5bb88  xsa299/0001-x86-mm-L1TF-checks-don-t-leave-a-partial-entry.patch
d37e7b4dd3c9d7da14a287d9fe6807f81d95bba8bdab79b729ed5aa3350fad70  xsa299/0002-x86-mm-Don-t-re-set-PGT_pinned-on-a-partially-de-val.patch
660fc01fb09aee7628d65d7893ec11bf77cfe79543e390656b59f0e60334d058  xsa299/0003-x86-mm-Separate-out-partial_pte-tristate-into-indivi.patch
2dc6ad4233ec572ba21632ab80b6149541f3169affb792e31930e3f7c6e72fc6  xsa299/0004-x86-mm-Use-flags-for-_put_page_type-rather-than-a-bo.patch
175fd90422bf00879de2129cd1a86bbdeb1c15ff344d286ab9634bc3f1512c03  xsa299/0005-x86-mm-Rework-get_page_and_type_from_mfn-conditional.patch
afa26c8850085412a787d7f0cb3031f15181ee2c9b3b1a9b4a007bff7404457f  xsa299/0006-x86-mm-Have-alloc_l-23-_table-clear-partial_flags-wh.patch
6f0502b2377db2115faf9c7bcbf35898013dcec74170950c3aa7a0586ff1e174  xsa299/0007-x86-mm-Always-retain-a-general-ref-on-partial.patch
787c3eeaadfed46947fb17773fa8f9e9efe891658d7460eaf5291a4ca6155123  xsa299/0008-x86-mm-Collapse-PTF_partial_set-and-PTF_partial_gene.patch
77341c4d0ab62fbb7090d2a6b60902467563ae470ac0807ef40a3ac791d2933a  xsa299/0009-x86-mm-Properly-handle-linear-pagetable-promotion-fa.patch
e489f49f8783fb388161365072da585c049e05d80306cf963cec5ecbb3bc67c7  xsa299/0010-x86-mm-Fix-nested-de-validation-on-error.patch
17b9ae71c150747bff4d57eee8a918b1961e880e25ae2b9c0dbe933e005cb1a0  xsa299/0011-x86-mm-Don-t-drop-a-type-ref-unless-you-held-a-ref-t.patch
$
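The advisory publishes a sha256 digest for every patch file so that a downloaded patch set can be checked before it touches the hypervisor source. The shell functions below are an added example, not part of the advisory or of the Xen project's own tooling: `verify_patch_hashes` runs GNU `sha256sum -c` over a digest list in the advisory's own "digest  path" format, and `apply_xsa_patches` applies one per-release directory from the table above in numbered order. The directory layout, the file name `xsa299.sha256`, the Xen source path and the `patch -p1` invocation are assumptions about how the checkout is laid out.

```shell
#!/bin/sh
# Added example, not from the advisory or the Xen project: verify a downloaded
# XSA-299 patch set against the advisory's sha256 list, then apply it.
# Requires GNU coreutils sha256sum and GNU patch; paths are assumptions.

# verify_patch_hashes SUMS_FILE PATCH_ROOT
#   SUMS_FILE : "<sha256>  <relative path>" lines, as printed in the advisory
#   PATCH_ROOT: directory that contains the paths named in SUMS_FILE
# Returns 0 only when every listed file exists and matches its digest.
verify_patch_hashes() {
    sums_file=$1
    patch_root=$2
    # sha256sum -c resolves the listed paths relative to the cwd, so make the
    # sums path absolute before changing into the patch root.
    case $sums_file in
        /*) ;;
        *) sums_file=$PWD/$sums_file ;;
    esac
    [ -f "$sums_file" ] || { echo "missing sums file: $sums_file" >&2; return 2; }
    [ -d "$patch_root" ] || { echo "missing patch dir: $patch_root" >&2; return 2; }
    # Any mismatch or missing file makes sha256sum exit non-zero; --quiet
    # prints only the FAILED lines, which is what belongs in a change log.
    (cd "$patch_root" && sha256sum -c --quiet -- "$sums_file")
}

# apply_xsa_patches PATCH_ROOT SERIES_DIR XEN_SRC
#   SERIES_DIR is the per-release directory from the advisory's table, for
#   example xsa299-4.12 for Xen 4.12.x. The patches are git-format-patch
#   output and apply with -p1 from the Xen source root in numbered order
#   (assumption about the checkout; adjust if your tree differs).
apply_xsa_patches() {
    patch_root=$1
    series_dir=$2
    xen_src=$3
    for p in "$patch_root/$series_dir"/*.patch; do
        [ -f "$p" ] || { echo "no patches in $patch_root/$series_dir" >&2; return 2; }
        echo "applying $(basename "$p")"
        # Stop at the first patch that does not apply cleanly rather than
        # leaving the tree half-patched.
        patch -d "$xen_src" -p1 < "$p" || return 1
    done
}

# Typical use (not executed here; xsa299.sha256 holds the advisory's digest
# lines, filtered to the directory that was actually downloaded):
#   verify_patch_hashes xsa299.sha256 ./xsa299-patches \
#       && apply_xsa_patches ./xsa299-patches xsa299-4.12 /usr/src/xen
```

The advisory's digest list covers all six version directories plus `xsa299.meta`, and `sha256sum -c` treats a listed-but-absent file as a failure, so either fetch the whole set or filter the list to the one directory you need (for example with `grep xsa299-4.12/`) before running the check. Because the check is chained with `&&`, a tampered or truncated download never reaches the apply step.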

Vulnerable software versions

Xen: 4.8.0 - 4.12.1


External links
http://www.openwall.com/lists/oss-security/2019/10/31/3
http://xenbits.xen.org/xsa/advisory-299.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the local network (LAN).

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

