The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Xen

computer vulnerability alert CVE-2018-7541

Xen: denial of service via a grant table version change

Synthesis of the vulnerability

A privileged attacker in a guest system can ask Xen to switch the guest's grant table from version 2 back to version 1 without first unmapping the grant status pages, in order to crash the host.
Impacted products: XenServer, Debian, Fedora, openSUSE Leap, SUSE Linux Enterprise Desktop, SLES, Xen.
Severity: 1/4.
Creation date: 27/02/2018.
Identifiers: CERTFR-2018-AVI-102, CERTFR-2018-AVI-145, CERTFR-2018-AVI-171, CTX232096, CTX232655, CVE-2018-7541, DLA-1300-1, DSA-4131-1, FEDORA-2018-0746dac335, FEDORA-2018-c553a586c8, openSUSE-SU-2018:1274-1, SUSE-SU-2018:0678-1, SUSE-SU-2018:0909-1, SUSE-SU-2018:1184-1, VIGILANCE-VUL-25386, XSA-255.

Description of the vulnerability

Xen lets a guest choose between grant table versions 1 and 2; version 2 uses additional status pages that the guest maps. When the guest switches back to version 1, Xen releases these status pages, but it does not check that the guest has unmapped them first.

A privileged attacker in a guest system can therefore ask Xen to switch the grant table from version 2 back to version 1 while the status pages are still mapped, in order to crash the host.
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability CVE-2018-7540

Xen: denial of service via non-preemptible L3/L4 page table freeing

Synthesis of the vulnerability

A privileged attacker in a PV guest system can make Xen free a large hierarchy of L3/L4 page tables in a single operation that cannot be preempted, in order to trigger a denial of service on the host.
Impacted products: XenServer, Debian, Fedora, openSUSE Leap, SUSE Linux Enterprise Desktop, SLES, Xen.
Severity: 1/4.
Creation date: 27/02/2018.
Identifiers: CERTFR-2018-AVI-102, CERTFR-2018-AVI-145, CERTFR-2018-AVI-171, CTX232096, CTX232655, CVE-2018-7540, DLA-1300-1, DSA-4131-1, FEDORA-2018-0746dac335, FEDORA-2018-c553a586c8, openSUSE-SU-2018:1274-1, SUSE-SU-2018:0678-1, SUSE-SU-2018:0909-1, SUSE-SU-2018:1184-1, VIGILANCE-VUL-25385, XSA-252.

Description of the vulnerability

Xen frees the L3 and L4 page tables that a PV guest gives up in a single operation that cannot be preempted, so a guest that controls the size of that hierarchy also controls how long the host is unable to do anything else.

A privileged attacker in a PV guest system can therefore make Xen free a large hierarchy of L3/L4 page tables in one non-preemptible operation, in order to trigger a denial of service on the host.

A detailed analysis was not performed for this bulletin.
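The root cause pattern described above (the hypervisor walking a guest-controlled structure with no point at which it can be interrupted) and the usual fix can be shown with a small model. The C program below is an added example written for this page, not Xen code: the two-level table, the ENTRIES size, the ERESTART value and the work budget are all constructed for illustration. The non-preemptible version processes the whole tree in one call; the preemptible version keeps a resumable cursor and hands control back after a fixed amount of work, which is the hypercall-continuation approach Xen uses for long-running operations.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed two-level model: an L4 page holds up to ENTRIES L3 pages and
 * each L3 page holds ENTRIES leaf entries. Only a "present" byte is kept
 * per leaf; nothing is really freed. */
#define ENTRIES 512
#define ERESTART 85            /* hypothetical: "work remains, call again" */

struct l3_page { uint8_t present[ENTRIES]; };
struct l4_page { struct l3_page *l3[ENTRIES]; };

/* Resumable position, the equivalent of the continuation state Xen keeps
 * when a long hypercall is preempted and restarted. */
struct free_cursor { unsigned int l4_idx, l3_idx; };

static struct l3_page l3_pool[ENTRIES];
static struct l4_page l4_root;

/* Worst case a malicious PV guest would present: every slot populated. */
static struct l4_page *build_full_tree(void)
{
    memset(&l4_root, 0, sizeof(l4_root));
    for (unsigned int i = 0; i < ENTRIES; i++) {
        memset(l3_pool[i].present, 1, ENTRIES);
        l4_root.l3[i] = &l3_pool[i];
    }
    return &l4_root;
}

/* Vulnerable shape: walk the whole hierarchy in one call. With a full tree
 * this is ENTRIES*ENTRIES steps during which nothing else runs. */
static unsigned long free_l4_nonpreemptible(struct l4_page *l4)
{
    unsigned long freed = 0;
    for (unsigned int i = 0; i < ENTRIES; i++) {
        struct l3_page *l3 = l4->l3[i];
        if (!l3) continue;
        for (unsigned int j = 0; j < ENTRIES; j++)
            if (l3->present[j]) { l3->present[j] = 0; freed++; }
        l4->l3[i] = NULL;
    }
    return freed;
}

/* Hardened shape: do at most `budget` leaf steps, then record where to
 * resume and return -ERESTART so the dispatcher can run pending work
 * (interrupts, scheduling) before calling again. Returns 0 when done;
 * *freed accumulates across calls. */
static int free_l4_preemptible(struct l4_page *l4, struct free_cursor *cur,
                               unsigned int budget, unsigned long *freed)
{
    unsigned int work = 0;
    for (; cur->l4_idx < ENTRIES; cur->l4_idx++, cur->l3_idx = 0) {
        struct l3_page *l3 = l4->l3[cur->l4_idx];
        if (!l3) continue;
        for (; cur->l3_idx < ENTRIES; cur->l3_idx++) {
            if (work >= budget)
                return -ERESTART;      /* cursor already names the next leaf */
            if (l3->present[cur->l3_idx]) { l3->present[cur->l3_idx] = 0; (*freed)++; }
            work++;
        }
        l4->l3[cur->l4_idx] = NULL;
    }
    return 0;
}

/* Drive the preemptible version like a hypercall dispatcher: repeat until
 * it reports completion. Returns the number of calls it took. */
static unsigned int drive_preemptible(struct l4_page *l4, unsigned int budget,
                                      unsigned long *freed)
{
    struct free_cursor cur = { 0, 0 };
    unsigned int calls = 1;
    *freed = 0;
    while (free_l4_preemptible(l4, &cur, budget, freed) == -ERESTART)
        calls++;
    return calls;
}

/* Helpers over the constructed worst case. */
static unsigned long demo_nonpreemptible(void)
{
    return free_l4_nonpreemptible(build_full_tree());
}
static unsigned int demo_preemptible_calls(unsigned int budget)
{
    unsigned long freed;
    return drive_preemptible(build_full_tree(), budget, &freed);
}
static unsigned long demo_preemptible_freed(unsigned int budget)
{
    unsigned long freed;
    drive_preemptible(build_full_tree(), budget, &freed);
    return freed;
}

int main(void)
{
    printf("non-preemptible: %lu leaves in one call\n", demo_nonpreemptible());
    printf("preemptible (budget 4096): %lu leaves over %u calls\n",
           demo_preemptible_freed(4096), demo_preemptible_calls(4096));
    return 0;
}
```

With a budget of 4096 leaf steps the full tree of 262144 leaves is released over 64 calls, each short enough for the dispatcher to service interrupts and the scheduler in between; the guest still gets its table freed, it just cannot monopolise the host while that happens.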

vulnerability announce CVE-2017-8903

Xen: page table corruption via the IRET hypercall

Synthesis of the vulnerability

A privileged attacker in a guest system can corrupt memory via the IRET hypercall of Xen, in order to get high privileges on the host system.
Impacted products: XenServer, Debian, Fedora, SUSE Linux Enterprise Desktop, SLES, Xen.
Severity: 2/4.
Creation date: 02/05/2017.
Revision date: 09/05/2017.
Identifiers: 1231, CERTFR-2017-AVI-137, CTX223291, CVE-2017-8903, DLA-964-1, FEDORA-2017-5ae70ac6a5, FEDORA-2017-c9d71f0860, SUSE-SU-2017:1146-1, VIGILANCE-VUL-22622, XSA-213.

Description of the vulnerability

Xen lets a guest batch several hypercalls into a single multicall.

The IRET hypercall switches a 64-bit PV guest from kernel mode to user mode, which also changes the page tables the guest runs on. However, when IRET is issued from inside a multicall, the hypercalls that follow it in the batch are still processed as if the guest were in its previous mode, so they operate on the wrong page tables.

A privileged attacker in a guest system can therefore corrupt memory via the IRET hypercall of Xen, in order to get high privileges on the host system.

computer vulnerability announce CVE-2017-8905

Xen: memory corruption via the fallback exception handler

Synthesis of the vulnerability

An attacker, inside a guest system, can corrupt memory via the fallback exception handler of Xen, in order to trigger a denial of service, and possibly to run code on the host system.
Impacted products: XenServer, Debian, Fedora, SUSE Linux Enterprise Desktop, SLES, Xen.
Severity: 1/4.
Creation date: 02/05/2017.
Identifiers: CERTFR-2017-AVI-137, CTX223291, CVE-2017-8905, DLA-964-1, FEDORA-2017-c9d71f0860, SUSE-SU-2017:1715-1, SUSE-SU-2017:1770-1, SUSE-SU-2017:1795-1, SUSE-SU-2017:1812-1, VIGILANCE-VUL-22627, XSA-215.

Description of the vulnerability

The Xen product offers a fallback (failsafe) exception handling mechanism for guests.

However, when Xen returns to the guest user process through this path, its stack cleanup is wrong.

An attacker, inside a guest system, can therefore corrupt memory via the fallback exception handler of Xen, in order to trigger a denial of service, and possibly to run code on the host system.

computer vulnerability CVE-2017-8904

Xen: segment descriptor table corruption via inter-guest page transfer

Synthesis of the vulnerability

A privileged attacker, inside a guest system, can tamper with a segment descriptor table via Xen's page transfer support, in order to escalate his privileges on the host system.
Impacted products: XenServer, Debian, Fedora, SUSE Linux Enterprise Desktop, SLES, Xen.
Severity: 2/4.
Creation date: 02/05/2017.
Identifiers: CERTFR-2017-AVI-137, CTX223291, CVE-2017-8904, DLA-964-1, FEDORA-2017-5ae70ac6a5, FEDORA-2017-c9d71f0860, SUSE-SU-2017:1146-1, VIGILANCE-VUL-22625, XSA-214.

Description of the vulnerability

The Xen product lets guests transfer memory pages to one another (grant transfer) for communication purposes.

However, the type of a transferred page is not validated. A guest system can hand over a page that is still typed as a segment descriptor table (GDT or LDT), the structure the processor uses to define segments and their access rights, and the receiving side ends up with an ordinary writable page that the processor still treats as a descriptor table.

A privileged attacker, inside a guest system, can therefore tamper with a segment descriptor table via Xen's page transfer support, in order to escalate his privileges on the host system.

vulnerability bulletin CVE-2016-10013

Xen: privilege escalation via SYSCALL

Synthesis of the vulnerability

An attacker in a guest system managed by Xen can trigger a debug trap on a SYSCALL instruction, in order to gain guest kernel privileges; guest operating systems other than Linux are affected.
Impacted products: XenServer, Debian, Fedora, openSUSE, openSUSE Leap, SUSE Linux Enterprise Desktop, SLES, Xen.
Severity: 2/4.
Creation date: 20/12/2016.
Identifiers: CERTFR-2016-AVI-424, CTX222565, CVE-2016-10013, DLA-783-1, DSA-3847-1, FEDORA-2016-92e3ea2d1b, FEDORA-2016-bc02bff7f5, openSUSE-SU-2017:0005-1, openSUSE-SU-2017:0007-1, openSUSE-SU-2017:0008-1, SUSE-SU-2016:3207-1, SUSE-SU-2016:3208-1, SUSE-SU-2016:3221-1, SUSE-SU-2016:3241-1, SUSE-SU-2017:0718-1, VIGILANCE-VUL-21423, XSA-204.

Description of the vulnerability

Processing interrupts, exceptions and traps is part of the job of the Xen hypervisor.

A user program in a guest system, such as a debugger, can request debug traps, for instance single-stepping through the TF flag. However, Xen mishandles such a trap when it fires on a SYSCALL instruction, which performs a privilege transition from user to kernel mode as part of the processing of system calls, and the trap is delivered in a way the guest kernel does not expect. Linux guests are not affected because of how their SYSCALL entry code is set up.

An attacker can therefore trigger a debug trap on a SYSCALL instruction in a guest system managed by Xen, in order to gain guest kernel privileges on guest operating systems other than Linux.

computer vulnerability alert CVE-2016-9932

Xen: information disclosure via CMPXCHG8B

Synthesis of the vulnerability

A local attacker, inside a guest system, can use a CMPXCHG8B instruction carrying an operand size prefix, in order to read some bytes of Xen's stack on the host system.
Impacted products: XenServer, Debian, Fedora, openSUSE, openSUSE Leap, SUSE Linux Enterprise Desktop, SLES, Xen.
Severity: 1/4.
Creation date: 14/12/2016.
Identifiers: CERTFR-2016-AVI-418, CERTFR-2016-AVI-428, CTX219378, CVE-2016-9932, DLA-964-1, DSA-3847-1, FEDORA-2016-1b868c23a9, FEDORA-2016-bcbae0781f, openSUSE-SU-2017:0005-1, openSUSE-SU-2017:0007-1, openSUSE-SU-2017:0008-1, SUSE-SU-2016:3207-1, SUSE-SU-2016:3208-1, SUSE-SU-2016:3221-1, SUSE-SU-2016:3241-1, SUSE-SU-2017:0718-1, VIGILANCE-VUL-21386, XSA-200.

Description of the vulnerability

The Xen product can emulate x86 instructions on behalf of guests.

Some instructions may be modified with an operand size prefix that changes the width of the memory access. This prefix must be ignored for CMPXCHG8B, which always operates on 8 bytes. However, the emulator honours it, so the operand it handles is narrower than the 8 bytes it hands back to the guest, and the difference is filled with whatever the hypervisor's stack contained.

A local attacker, inside a guest system, can therefore use a CMPXCHG8B instruction carrying an operand size prefix, in order to read some bytes of Xen's stack on the host system.
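The leak mechanism described above can be shown with a small model of the emulator's operand handling. The C program below is an added example written for this page, not Xen's emulator: the STALE bytes standing in for old hypervisor stack contents, the guest memory operand and the `honour_prefix` switch are all constructed for illustration. The buggy path copies only the prefix-derived width into the scratch slot and returns all 8 bytes; the fixed path always uses 8 bytes for CMPXCHG8B.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: an emulator copies the memory operand of CMPXCHG8B
 * into a scratch slot on its own stack before comparing it with EDX:EAX.
 * Only the operand-width decision is modelled here. */

#define PREFIX_OPSIZE 0x66   /* x86 operand-size override prefix byte */

struct emu_stack {
    uint8_t scratch[8];      /* the emulator's temporary for the operand */
};

/* Stand-in for whatever was on the hypervisor stack before the scratch
 * slot was (partially) written. Constructed marker bytes. */
static const uint8_t STALE[8] = { 0xDE, 0xAD, 0xBE, 0xEF, 0xCA, 0xFE, 0xF0, 0x0D };

/* Operand width. `honour_prefix` selects the buggy behaviour: CMPXCHG8B
 * always works on 8 bytes, so a 0x66 prefix must not shrink the access. */
static unsigned int cmpxchg8b_op_bytes(bool has_opsize_prefix, bool honour_prefix)
{
    if (has_opsize_prefix && honour_prefix)
        return 2;            /* wrong: treated like a generic 16-bit operation */
    return 8;
}

/* Emulate "load the operand, then hand it back to the guest". On a failed
 * compare CMPXCHG8B loads the memory operand into EDX:EAX, so the whole
 * scratch slot becomes guest-visible register contents. */
static void emulate_cmpxchg8b_load(const uint8_t guest_mem[8],
                                   bool has_opsize_prefix, bool honour_prefix,
                                   uint8_t out[8])
{
    struct emu_stack st;
    memcpy(st.scratch, STALE, 8);     /* model of an uninitialised slot */
    unsigned int n = cmpxchg8b_op_bytes(has_opsize_prefix, honour_prefix);
    memcpy(st.scratch, guest_mem, n); /* only n bytes come from the guest */
    memcpy(out, st.scratch, 8);       /* all 8 go back to the guest */
}

/* How many bytes of hypervisor-stack residue reach the guest when the
 * instruction carries a 0x66 prefix. */
static unsigned int leaked_bytes(bool honour_prefix)
{
    static const uint8_t guest_mem[8] = { 1, 2, 3, 4, 5, 6, 7, 8 }; /* constructed */
    uint8_t out[8];
    unsigned int leaked = 0;
    emulate_cmpxchg8b_load(guest_mem, true, honour_prefix, out);
    for (unsigned int i = 0; i < 8; i++)
        if (out[i] != guest_mem[i] && out[i] == STALE[i])
            leaked++;
    return leaked;
}

int main(void)
{
    printf("prefix honoured (buggy): %u stale bytes leaked\n", leaked_bytes(true));
    printf("prefix ignored  (fixed): %u stale bytes leaked\n", leaked_bytes(false));
    return 0;
}
```

The general lesson is that an emulator must derive operand width from the instruction's own definition, not blindly from prefixes; any slot that is filled from a shorter source but returned at full width is a disclosure of whatever the slot held before.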

vulnerability announce CVE-2016-7777

Xen: information disclosure via HVM CR0.TS/EM

Synthesis of the vulnerability

An attacker, inside an x86 HVM guest system on Xen, can have instructions that CR0.TS/EM should block emulated anyway, in order to read floating point register state belonging to other tasks in the same guest.
Impacted products: XenServer, Debian, Fedora, openSUSE, openSUSE Leap, SUSE Linux Enterprise Desktop, SLES, Xen.
Severity: 1/4.
Creation date: 04/10/2016.
Identifiers: CERTFR-2016-AVI-328, CTX217363, CVE-2016-7777, DLA-699-1, DSA-3729-1, FEDORA-2016-4c407cd849, FEDORA-2016-689f240960, openSUSE-SU-2016:3134-1, openSUSE-SU-2017:0007-1, openSUSE-SU-2017:0008-1, SUSE-SU-2016:3044-1, SUSE-SU-2016:3067-1, SUSE-SU-2016:3083-1, SUSE-SU-2016:3156-1, SUSE-SU-2016:3174-1, SUSE-SU-2016:3273-1, VIGILANCE-VUL-20762, XSA-190.

Description of the vulnerability

The Xen product can manage x86 HVM guest systems and emulates some of their instructions.

Guest kernels set CR0.TS (and sometimes CR0.EM) so that the next floating point or SIMD instruction raises a Device Not Available exception (#NM), which lets them save and restore the FPU state of each task lazily. However, Xen's instruction emulator does not honour CR0.TS or CR0.EM: an instruction that should have raised #NM is emulated anyway and can read the floating point register state still loaded from another task on the same VM.

An attacker, inside an x86 HVM guest system, can therefore have instructions that CR0.TS/EM should block emulated anyway, in order to obtain sensitive information belonging to other tasks in the same guest.

computer vulnerability CVE-2016-5403

QEMU: denial of service via virtqueue_pop

Synthesis of the vulnerability

An attacker, who is privileged in a guest system, can make virtqueue_pop() of QEMU allocate without bound, in order to trigger a denial of service on the host system.
Impacted products: Debian, Fedora, openSUSE, openSUSE Leap, QEMU, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu, Xen.
Severity: 1/4.
Creation date: 28/07/2016.
Identifiers: CERTFR-2016-AVI-274, CVE-2016-5403, DLA-573-1, DLA-574-1, FEDORA-2016-0049aa6e5d, FEDORA-2016-01cc766201, openSUSE-SU-2016:2494-1, openSUSE-SU-2016:2497-1, openSUSE-SU-2016:2642-1, RHSA-2016:1585-01, RHSA-2016:1606-01, RHSA-2016:1943-01, SUSE-SU-2016:2093-1, SUSE-SU-2016:2100-1, SUSE-SU-2016:2533-1, SUSE-SU-2016:2589-1, SUSE-SU-2016:2725-1, USN-3047-1, USN-3047-2, USN-3125-1, VIGILANCE-VUL-20235, XSA-184.

Description of the vulnerability

The QEMU product implements virtio device support.

However, the guest owns the avail ring of a virtqueue and can keep advertising descriptors faster than the device consumes them. The virtqueue_pop() function allocates a VirtQueueElement object for each one without checking that the number of elements in flight stays below the queue size, so host memory is exhausted.

An attacker, who is privileged in a guest system, can therefore make virtqueue_pop() of QEMU allocate without bound, in order to trigger a denial of service on the host system.
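The missing bound described above can be shown with a reduced model of the device side of a virtqueue. The C program below is an added example written for this page, not QEMU code: the VirtQueue and VirtQueueElement structures, the ring size of 256, the hostile guest that advertises 10000 descriptors and the `guest_broken` flag are all constructed for illustration. The unbounded pop trusts the guest's avail index completely; the bounded pop refuses once as many elements are in flight as the ring has slots, which is the check the fix for this issue adds.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the device side of a virtqueue: the guest owns the
 * avail ring and can advance its index at will; the device pops descriptors
 * into VirtQueueElement objects that live until they are pushed back as used. */
struct VirtQueueElement { unsigned int index; struct VirtQueueElement *next; };

struct VirtQueue {
    unsigned int vring_num;            /* ring size negotiated with the guest */
    unsigned int avail_idx;            /* written by the guest */
    unsigned int last_avail;           /* device's consumption pointer */
    unsigned int inuse;                /* popped but not yet pushed back */
    struct VirtQueueElement *inflight; /* popped elements kept alive */
};

/* Vulnerable shape: every new avail entry gets an allocation, however many
 * are already outstanding. Returns the element or NULL if nothing is new. */
static struct VirtQueueElement *virtqueue_pop_unbounded(struct VirtQueue *vq)
{
    if (vq->last_avail == vq->avail_idx)
        return NULL;
    struct VirtQueueElement *e = calloc(1, sizeof(*e));
    if (!e) return NULL;
    e->index = vq->last_avail++ % vq->vring_num;
    e->next = vq->inflight;
    vq->inflight = e;
    vq->inuse++;
    return e;
}

/* Hardened shape: a well-behaved guest can never have more descriptors
 * outstanding than the ring has slots, so anything beyond that is a
 * malicious or broken guest and the device stops serving it. */
static struct VirtQueueElement *virtqueue_pop_bounded(struct VirtQueue *vq,
                                                      bool *guest_broken)
{
    if (vq->last_avail == vq->avail_idx)
        return NULL;
    if (vq->inuse >= vq->vring_num) {
        *guest_broken = true;          /* QEMU's fix errors out here */
        return NULL;
    }
    return virtqueue_pop_unbounded(vq); /* same allocation path once bounded */
}

/* Device completes one element: hands it back and decrements inuse. */
static void virtqueue_push(struct VirtQueue *vq)
{
    struct VirtQueueElement *e = vq->inflight;
    if (!e) return;
    vq->inflight = e->next;
    free(e);
    vq->inuse--;
}

/* A guest that advertises `bumps` descriptors and never waits for any
 * completion. Returns how many elements the device had in flight. */
static unsigned int hostile_guest(bool bounded, unsigned int ring,
                                  unsigned int bumps, bool *broken)
{
    struct VirtQueue vq = { .vring_num = ring };
    *broken = false;
    for (unsigned int i = 0; i < bumps; i++) {
        vq.avail_idx++;
        if (bounded) virtqueue_pop_bounded(&vq, broken);
        else virtqueue_pop_unbounded(&vq);
    }
    unsigned int inflight = vq.inuse;
    while (vq.inflight) virtqueue_push(&vq);  /* release the model's memory */
    return inflight;
}

/* Helpers over the constructed scenario: ring of 256, 10000 advertised. */
static unsigned int demo_inflight(bool bounded)
{
    bool b; return hostile_guest(bounded, 256, 10000, &b);
}
static bool demo_flagged(bool bounded)
{
    bool b; hostile_guest(bounded, 256, 10000, &b); return b;
}

int main(void)
{
    printf("unbounded pop: %u elements in flight, guest flagged: %d\n",
           demo_inflight(false), demo_flagged(false));
    printf("bounded pop:   %u elements in flight, guest flagged: %d\n",
           demo_inflight(true), demo_flagged(true));
    return 0;
}
```

The bounded variant still lets a guest exhaust host memory only up to ring size times the element size, which is what the device negotiated for; everything beyond that is treated as a protocol violation rather than as work.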

computer vulnerability CVE-2016-6259

Xen: denial of service via Intel SMAP

Synthesis of the vulnerability

An attacker, who is in a 32-bit PV guest system on an Intel processor with SMAP, can trigger a denial of service on the Xen host system.
Impacted products: XenServer, Fedora, openSUSE Leap, SUSE Linux Enterprise Desktop, SLES, Xen.
Severity: 1/4.
Creation date: 26/07/2016.
Identifiers: CTX214954, CVE-2016-6259, FEDORA-2016-0049aa6e5d, FEDORA-2016-01cc766201, openSUSE-SU-2016:2494-1, SUSE-SU-2016:2093-1, SUSE-SU-2016:2473-1, VIGILANCE-VUL-20225, XSA-183.

Description of the vulnerability

The Xen product can run on an Intel processor (Broadwell or later) supporting SMAP (Supervisor Mode Access Prevention), which makes any supervisor-mode access to user-accessible memory fault unless the code has explicitly marked that access as allowed.

However, the compat_create_bounce_frame() function, used to deliver exceptions and events to 32-bit PV guests, does not whitelist its accesses to guest memory for SMAP, so the access raises a fatal page fault in the hypervisor.

An attacker, who is in a 32-bit PV guest system on an Intel processor with SMAP, can therefore trigger a denial of service on the Xen host system.