The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Xen: denials of service via netback

Synthesis of the vulnerability

A local attacker, who is located in a Xen guest system, can trigger two denials of service via netback.
Vulnerable software: XenDesktop, XenServer, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity of this announcement: 1/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 05/02/2013.
References for this vulnerability: BID-57743, BID-57744, CERTA-2013-AVI-098, CERTA-2013-AVI-158, CERTA-2013-AVI-259, CERTA-2013-AVI-375, CERTA-2013-AVI-496, CTX136540, CTX138633, CVE-2013-0216, CVE-2013-0217, MDVSA-2013:176, openSUSE-SU-2013:0395-1, openSUSE-SU-2013:0396-1, openSUSE-SU-2013:0925-1, RHSA-2013:0747-01, SUSE-SU-2013:0674-1, SUSE-SU-2013:0759-1, SUSE-SU-2013:0759-2, SUSE-SU-2013:0786-1, SUSE-SU-2019:14051-1, VIGILANCE-VUL-12379, XSA-39.

Description of the vulnerability

The netback driver of Xen runs in the Dom0 kernel and is the backend for the virtual network devices (netfront) of DomU guests. It is affected by two vulnerabilities.

An attacker in a guest can make netback enter a very long loop in Dom0. [severity:1/4; BID-57743, CVE-2013-0216]

An attacker in a guest can make netback leak memory in Dom0. [severity:1/4; BID-57744, CVE-2013-0217]

A local attacker, who is located in a Xen guest system, can therefore trigger two denials of service via netback.

This vulnerability bulletin impacts software or systems such as XenDesktop, XenServer, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.

Our Vigil@nce team determined that the severity of this security alert is low.

Trust level: confirmed by the vendor. Attack origin: user shell.

This bulletin is about 2 vulnerabilities.

Exploiting this vulnerability requires an expert-level attacker.

Solutions for this threat

Xen: patch for netback.
A patch is available in information sources.

Citrix XenServer: hotfix.
A hotfix is available in information sources.

Citrix XenClient XT: versions 2.1.3 and 3.1.4.
Versions 2.1.3 and 3.1.4 are fixed:
  http://www.citrix.com/downloads/xenclient/product-software/xenclient-xt-213.html
  http://www.citrix.com/downloads/xenclient/product-software/xenclient-xt-314.html

Mandriva: new kernel packages.
New packages are available:
  kernel-server-3.4.47-1.1.mbs1

openSUSE 11.4: new kernel-3.0.74 packages (10/06/2013).
New packages are available:
  kernel-3.0.74-34.1

openSUSE 12.1: new kernel packages.
New packages are available:
  kernel-3.1.10-1.19.1

openSUSE 12.2: new kernel packages (05/03/2013).
New packages are available:
  kernel-3.4.33-2.24.1

RHEL 5: new kernel packages (17/04/2013).
New packages are available:
  kernel-2.6.18-348.4.1.el5

SUSE LE 10: new kernel packages.
New packages are available:
  kernel-2.6.16.60-0.101.1

SUSE LE 11: new kernel packages 3.0.74.
New packages are available:
  kernel-3.0.74-0.6.6.2

SUSE LE 11 SP4: new kernel packages.
New packages are available:
  kernel-3.0.101-108.90.1

SUSE LE Real Time: new kernel-rt packages.
New packages are available:
  kernel-rt-3.0.74.rt98-0.6.2.1
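The fixed package versions listed above are only useful if they can be compared correctly against what is installed on a Dom0. The following check, added here and not part of the bulletin, implements an rpmvercmp-style comparison of `version-release` strings against the fixed versions from this bulletin; the distribution labels and the installed-version strings fed to it are assumptions (obtain the real one with `rpm -q --qf '%{VERSION}-%{RELEASE}' <kernel package>`).

```python
import re

# Fixed version-release of the Dom0 kernel package, taken from this bulletin.
FIXED = {
    "openSUSE 11.4": "3.0.74-34.1",
    "openSUSE 12.1": "3.1.10-1.19.1",
    "openSUSE 12.2": "3.4.33-2.24.1",
    "RHEL 5": "2.6.18-348.4.1.el5",
    "SUSE LE 10": "2.6.16.60-0.101.1",
    "SUSE LE 11": "3.0.74-0.6.6.2",
    "SUSE LE 11 SP4": "3.0.101-108.90.1",
}

# A label is split into runs of digits and runs of letters; separators are ignored.
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def _cmp_label(a, b):
    """rpmvercmp-style comparison of one version or release label.

    Returns -1, 0 or 1. Numeric segments compare as integers, alphabetic
    segments compare lexically, a numeric segment is newer than an
    alphabetic one, and when one label is a prefix of the other the
    longer label is newer.
    """
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            ix, iy = int(x), int(y)
            if ix != iy:
                return -1 if ix < iy else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def cmp_vr(a, b):
    """Compare two 'version-release' strings; version decides, then release."""
    va, ra = a.split("-", 1) if "-" in a else (a, "")
    vb, rb = b.split("-", 1) if "-" in b else (b, "")
    return _cmp_label(va, vb) or _cmp_label(ra, rb)


def is_vulnerable(distro, installed_vr):
    """True when the installed Dom0 kernel is older than the fixed package."""
    return cmp_vr(installed_vr, FIXED[distro]) < 0
```

The comparison ignores the Epoch field and package flavor (for example `-default` on SUSE), so feed it the bare version-release pair rather than `uname -r` output.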
