The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

computer weakness note CVE-2014-7156

Xen: denial of service via x86 Software Interrupts

Synthesis of the vulnerability

An attacker in an HVM guest system can generate software interrupts on Xen, in order to trigger a denial of service.
Severity of this threat: 1/4.
Creation date: 23/09/2014.
References of this weakness: CERTFR-2014-AVI-402, CTX200218, CVE-2014-7156, DSA-3041-1, FEDORA-2014-12000, FEDORA-2014-12036, openSUSE-SU-2014:1279-1, openSUSE-SU-2014:1281-1, VIGILANCE-VUL-15392, XSA-106.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The Xen product emulates x86 software interrupts.

However, the x86_emulate.c file does not check whether the user in an HVM guest system is allowed to generate these interrupts.

An attacker in an HVM guest system can therefore generate software interrupts on Xen, in order to trigger a denial of service.
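To make the class of defect concrete, the following is an added illustration written for this bulletin; it is not Xen's x86_emulate.c and does not reproduce the XSA-106 patch. It models, in a few lines, the privilege check that x86 hardware performs when guest code executes INT n in protected mode (a #GP when the current privilege level is numerically greater than the IDT gate's DPL, a #NP when the gate is not present), placing an unchecked dispatcher of the kind the description refers to beside a checked one. The gate table, the `cpl` values and the `inject_swint_*` names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not Xen code: a toy model of software-interrupt (INT n)
 * injection with and without the x86 privilege-level check. */

enum fault { FAULT_NONE = 0, FAULT_NP = 11, FAULT_GP = 13 };

/* Minimal IDT gate model: only the fields the check needs. */
struct idt_gate {
    uint8_t present;   /* 1 if the gate is present */
    uint8_t dpl;       /* descriptor privilege level, 0..3 */
};

/* Constructed 4-entry IDT: vector 0 is a kernel-only gate, vector 1 is a
 * system-call style gate callable from ring 3, vector 2 is not present. */
static const struct idt_gate sample_idt[4] = {
    { 1, 0 },   /* vector 0: DPL 0, present */
    { 1, 3 },   /* vector 1: DPL 3, present */
    { 0, 0 },   /* vector 2: not present */
    { 1, 0 },   /* vector 3: DPL 0, present */
};

/* Unchecked model: any INT n the guest issues is dispatched regardless of
 * the caller's CPL. A ring-3 guest process can thus reach a DPL-0 gate. */
enum fault inject_swint_unchecked(const struct idt_gate *gate, unsigned cpl)
{
    (void)cpl;                       /* privilege level never consulted */
    if (!gate->present)
        return FAULT_NP;
    return FAULT_NONE;
}

/* Checked model, following the documented INT n rule: in protected mode a
 * software interrupt through a gate whose DPL is below the caller's CPL
 * raises #GP; a non-present gate raises #NP. Real mode has no privilege
 * levels, so the DPL check does not apply there. */
enum fault inject_swint_checked(const struct idt_gate *gate, unsigned cpl,
                                int real_mode)
{
    if (!real_mode && cpl > gate->dpl)
        return FAULT_GP;
    if (!gate->present)
        return FAULT_NP;
    return FAULT_NONE;
}

/* Convenience wrapper over the constructed IDT: returns the fault the
 * checked model raises for vector `vec` issued from privilege level `cpl`. */
enum fault swint_from_guest(unsigned vec, unsigned cpl, int real_mode)
{
    if (vec >= sizeof(sample_idt) / sizeof(sample_idt[0]))
        return FAULT_GP;             /* vector beyond the IDT limit: #GP */
    return inject_swint_checked(&sample_idt[vec], cpl, real_mode);
}

int main(void)
{
    /* A ring-3 guest process issuing INT 0 against the kernel-only gate. */
    printf("unchecked, cpl 3 -> vector 0: fault %d\n",
           inject_swint_unchecked(&sample_idt[0], 3));   /* 0: dispatched */
    printf("checked,   cpl 3 -> vector 0: fault %d\n",
           swint_from_guest(0, 3, 0));                   /* 13: #GP */
    printf("checked,   cpl 3 -> vector 1: fault %d\n",
           swint_from_guest(1, 3, 0));                   /* 0: allowed */
    printf("checked,   cpl 0 -> vector 2: fault %d\n",
           swint_from_guest(2, 0, 0));                   /* 11: #NP */
    return 0;
}
```

The difference between the two dispatchers is the single `cpl > gate->dpl` comparison: without it, the emulator silently grants a ring-3 guest process a path that the hardware would have refused with #GP, which is the type of missing authorization check the bulletin describes.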

This security bulletin impacts software or systems such as XenServer, Debian, Fedora, openSUSE and Unix (platform); the list is not comprehensive.

Our Vigil@nce team determined that the severity of this cybersecurity announcement is low.

The trust level is "confirmed by the vendor", and the attack origin is a user shell.

An attacker with expert-level skills can exploit this vulnerability.

Solutions for this threat

Xen: patch for x86 Software Interrupts.
A patch is available in information sources.

Citrix XenServer: patch.
A patch is available in information sources.

Debian: new xen packages.
New packages are available:
  Debian 7: xen 4.1.4-3+deb7u3

Fedora: new xen packages.
New packages are available:
  Fedora 19: xen 4.2.5-3.fc19
  Fedora 20: xen 4.3.3-3.fc20

openSUSE: new xen packages.
New packages are available:
  openSUSE 12.3: xen 4.2.4_04-1.32.1
  openSUSE 13.1: xen 4.3.2_02-27.1

Computer vulnerabilities tracking service

Vigil@nce provides cybersecurity announcements. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system. Each administrator can customize the list of products for which he wants to receive vulnerability alerts. The Vigil@nce vulnerability database contains several thousand vulnerabilities.