SB2017062108 - Multiple vulnerabilities in Xen
Published: June 21, 2017
Security Bulletin ID
SB2017062108
Severity
Low
Patch available
YES
Number of vulnerabilities
11
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 11 secuirty vulnerabilities.
1) Privilege escalation (CVE-ID: CVE-2017-10913)
The vulnerability allows a local attacker to gain elevated privileges on the target system.The weakness exists due to memory read and write by malicious backend. A local attacker can obtain potentially sensitive data or gain backend-to-frontend privileges.
Successful exploitation of the vulnerability results in privilege escalation.
2) Privilege escalation (CVE-ID: CVE-2017-10914)
The vulnerability allows a local attacker to gain elevated privileges on the target system.The weakness exists due to memory leak. A local attacker can probably cause reference counts to leak, obtain potentially sensitive data or gain host privileges.
Successful exploitation of the vulnerability results in privilege escalation.
3) Privilege escalation (CVE-ID: CVE-2017-10912)
The vulnerability allows a local attacker to gain elevated privileges on the target system.The weakness exists due to a flaw in the page transfer function (GNTTABOP_transfer). A local attacker on two guest systems (a PV and an HVM guest) can obtain potentially sensitive data or gain elevated privileges.
Successful exploitation of the vulnerability results in privilege escalation.
4) Information disclosure (CVE-ID: CVE-2017-10911)
The vulnerability allows a local attacker to obtain potentially sensitive information from another guest system or the host system.The weakness exists due to improper initialization of some fields of the block interface (blkif) response structure. A local attacker can read arbitrary files from stack memory.
Successful exploitation of the vulnerability results in information disclosure.
5) Privilege escalation (CVE-ID: CVE-2017-10915)
The vulnerability allows a local attacker to gain elevated privileges.The weakness exists due to race condition in shadow paging emulation. A local attacker on two quest systems can gain host privileges.
Successful exploitation of the vulnerability results in privilege escalation.
6) Denial of service (CVE-ID: CVE-2017-10917)
The vulnerability allows a local attacker on the guest system to cause DoS condition.The weakness exists due to access control flaw in the hypervisor in event channel polling. A local attacker can cause the target host system to crash.
Successful exploitation of the vulnerability results in denial of service.
7) Information disclosure (CVE-ID: CVE-2017-10916)
The vulnerability allows a local attacker to obtain potentially sensitive information on the host system.The weakness exists due to information leak. A local attacker on guest system that uses the Memory Protection Extensions (MPX) and Protection Key (PKU) features and manually context switch between vCPUs can obtain potentially sensitive control information about guest address space pointers on the target system.
Successful exploitation of the vulnerability results in information disclosure.
8) Denial of service (CVE-ID: CVE-2017-10923)
The vulnerability allows a local attacker to cause DoS condition on the host system.The weakness exists due to array access error. A local user on the guest system can send specially crafted software generated interrupts to vCPUS that use the MMIO register GICD_SGIR (GICv2) or System Register ICC_SGI1R (GICv3) and cause the hypervisor to crash.
Successful exploitation of the vulnerability results in denial of service.
9) Privilege escalation (CVE-ID: CVE-2017-10920)
The vulnerability allows a local attacker to gain elevated privileges.The weakness exists due to flaws in the mapping and unmapping of grant references. If a grant is mapped with both the GNTMAP_device_map and GNTMAP_host_map flags, but unmapped only with host_map, the device_map portion remains but the page reference counts are lowered as though it had been removed. This bug can be leveraged cause a page's reference counts and type counts to fall to zero while retaining writeable mappings to the page.
10) Denial of service (CVE-ID: CVE-2017-10919)
The vulnerability allows a local attacker to cause DoS condition on the host system.The weakness exists due to missing check. A local attacker can send a software generated interrupt to a vCPU or configure timers and cause the host system to crash.
Successful exploitation of the vulnerability results in denial of service.
11) Privilege escalation (CVE-ID: CVE-2017-10918)
The vulnerability allows a local attacker to gain elevated privileges.The weakness exists due to a memory allocation error in the physical-to-machine (P2M) mapping. A local attacker on the guest system can access restricted memory to gain elevated privileges on the host system.
Successful exploitation of the vulnerability results in privilege escalation.
Remediation
Install update from vendor's website.
References
- http://xenbits.xen.org/xsa/advisory-218.html
- http://xenbits.xen.org/xsa/advisory-217.html
- http://xenbits.xen.org/xsa/advisory-216.html
- http://xenbits.xen.org/xsa/advisory-219.html
- http://xenbits.xen.org/xsa/advisory-221.html
- http://xenbits.xen.org/xsa/advisory-220.html
- http://xenbits.xen.org/xsa/advisory-225.html
- http://xenbits.xen.org/xsa/advisory-224.html
- http://xenbits.xen.org/xsa/advisory-223.html
- http://xenbits.xen.org/xsa/advisory-222.html