The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Xen: denial of service via x86 Software Interrupts

Synthesis of the vulnerability 

An attacker in a HVM guest system can generate software interrupts on Xen, in order to trigger a denial of service.
Vulnerable systems: XenServer, Debian, Fedora, openSUSE, Unix (platform) ~ not comprehensive.
Severity of this threat: 1/4.
Creation date: 23/09/2014.
References of this weakness: CERTFR-2014-AVI-402, CTX200218, CVE-2014-7156, DSA-3041-1, FEDORA-2014-12000, FEDORA-2014-12036, openSUSE-SU-2014:1279-1, openSUSE-SU-2014:1281-1, VIGILANCE-VUL-15392, XSA-106.

Description of the vulnerability 

The Xen product emulates x86 software interrupts.

However, the x86_emulate.c file does not check whether the code running in an HVM guest system is privileged enough to generate these interrupts.

An attacker in a HVM guest system can therefore generate software interrupts on Xen, in order to trigger a denial of service.
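The missing check described above is a privilege-level comparison: when emulating a software interrupt (INT n), the emulator must compare the current privilege level (CPL) of the guest code with the descriptor privilege level (DPL) of the IDT gate it targets, and raise #GP when CPL is greater than the DPL, as the processor itself does. The following C model is an added example written for this bulletin, not Xen's code; the structure, function names and the sample IDT are constructed for illustration, and only the x86 rule (gate DPL must be at least CPL for a software interrupt, otherwise #GP with error code vector*8+2) is taken from the architecture. It places the unchecked emulation path beside the checked one.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the two IDT gate descriptor fields the privilege
 * check needs (not Xen's own structures). */
typedef struct {
    bool present;   /* P bit: gate is usable */
    uint8_t dpl;    /* descriptor privilege level, 0..3 */
} idt_gate_t;

/* Outcome of emulating "INT vector" while the guest runs at a given CPL. */
typedef struct {
    bool delivered;        /* true: control transfers through the gate */
    int exception;         /* otherwise: exception vector raised instead */
    uint16_t error_code;   /* error code pushed with that exception */
} sw_int_result_t;

#define X86_EXC_NP 11   /* #NP: segment not present */
#define X86_EXC_GP 13   /* #GP: general protection fault */

/* Error code for IDT-related faults: vector*8 with the IDT bit (bit 1) set;
 * the EXT bit (bit 0) is 0 because the source is a software interrupt. */
static uint16_t idt_error_code(uint8_t vector)
{
    return (uint16_t)(vector * 8 + 2);
}

/* The defect the bulletin describes, in model form: the gate is looked up
 * and used without comparing CPL to its DPL, so unprivileged guest code
 * (CPL 3) can invoke gates the guest kernel reserved for CPL 0. */
static sw_int_result_t emulate_int_unchecked(const idt_gate_t *idt, unsigned idt_entries,
                                             uint8_t vector, uint8_t cpl)
{
    (void)cpl;   /* privilege level is ignored: this is the bug */
    if (vector >= idt_entries)
        return (sw_int_result_t){ false, X86_EXC_GP, idt_error_code(vector) };
    if (!idt[vector].present)
        return (sw_int_result_t){ false, X86_EXC_NP, idt_error_code(vector) };
    return (sw_int_result_t){ true, 0, 0 };
}

/* Hardened form: a software interrupt may only use a gate whose DPL is >= CPL;
 * otherwise #GP(vector*8+2) is raised. The DPL check comes before the
 * present check, which is the order the processor applies. */
static sw_int_result_t emulate_int_checked(const idt_gate_t *idt, unsigned idt_entries,
                                           uint8_t vector, uint8_t cpl)
{
    if (vector >= idt_entries)
        return (sw_int_result_t){ false, X86_EXC_GP, idt_error_code(vector) };
    if (cpl > idt[vector].dpl)
        return (sw_int_result_t){ false, X86_EXC_GP, idt_error_code(vector) };
    if (!idt[vector].present)
        return (sw_int_result_t){ false, X86_EXC_NP, idt_error_code(vector) };
    return (sw_int_result_t){ true, 0, 0 };
}

/* Constructed sample IDT: vector 0x80 is a DPL 3 gate (reachable from user
 * mode, like a classic system-call gate), vector 0x20 is a DPL 0 gate meant
 * for the kernel only. All other entries are absent. */
static const idt_gate_t sample_idt[256] = {
    [0x20] = { true, 0 },
    [0x80] = { true, 3 },
};

static void report(const char *path, uint8_t vector, uint8_t cpl, sw_int_result_t r)
{
    if (r.delivered)
        printf("%-9s INT 0x%02x at CPL %u: delivered\n", path, vector, cpl);
    else
        printf("%-9s INT 0x%02x at CPL %u: exception %d, error code 0x%04x\n",
               path, vector, cpl, r.exception, r.error_code);
}

int main(void)
{
    /* User-mode (CPL 3) guest code targeting the kernel-only gate. */
    report("unchecked", 0x20, 3, emulate_int_unchecked(sample_idt, 256, 0x20, 3));
    report("checked",   0x20, 3, emulate_int_checked(sample_idt, 256, 0x20, 3));
    /* The same code using the gate that was meant for it. */
    report("checked",   0x80, 3, emulate_int_checked(sample_idt, 256, 0x80, 3));
    /* Kernel-mode (CPL 0) guest code keeps full access. */
    report("checked",   0x20, 0, emulate_int_checked(sample_idt, 256, 0x20, 0));
    return 0;
}
```

The unchecked path delivers the CPL 3 request through the DPL 0 gate, which is the behaviour a guest kernel does not expect from its own user space; the checked path turns it into #GP(0x0102) while leaving the DPL 3 gate and kernel-mode callers unaffected.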

This security bulletin impacts software or systems such as XenServer, Debian, Fedora, openSUSE, Unix (platform) ~ not comprehensive.

Our Vigil@nce team determined that the severity of this cybersecurity announcement is low.

Trust level: confirmed by the vendor. Attack origin: user shell.

An attacker with expert ability can exploit this vulnerability alert.

Solutions for this threat 

Xen: patch for x86 Software Interrupts.
A patch is available in information sources.

Citrix XenServer: patch.
A patch is available in information sources.

Debian: new xen packages.
New packages are available:
  Debian 7: xen 4.1.4-3+deb7u3

Fedora: new xen packages.
New packages are available:
  Fedora 19: xen 4.2.5-3.fc19
  Fedora 20: xen 4.3.3-3.fc20

openSUSE: new xen packages.
New packages are available:
  openSUSE 12.3: xen 4.2.4_04-1.32.1
  openSUSE 13.1: xen 4.3.2_02-27.1

Computer vulnerabilities tracking service 

Vigil@nce provides cybersecurity announcements. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system.