SB2019110517 - Multiple vulnerabilities in Xen
Published: November 5, 2019 Updated: November 6, 2019
Description
This security bulletin contains information about 6 security vulnerabilities.
1) Input validation error (CVE-ID: CVE-2019-18420)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input within the VCPUOP_initialise hypercall in Xen. A remote user on a guest operating system can run a specially crafted program and perform a denial of service attack against the host operating system.
2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-18425)
The vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists due to missing descriptor table limit checking in x86 PV emulation. A remote unprivileged user of a guest operating system can escalate privileges within the same guest system.
Note: only 32-bit PV guests are affected.
3) Race condition (CVE-ID: CVE-2019-18421)
The vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists due to a race condition when handling restartable PV type change operations. A remote administrator of a guest operating system can exploit the race and gain unauthorized access to sensitive information and escalate privileges on the system.
4) Resource management error (CVE-ID: CVE-2019-18423)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists because the p2m_get_root_pointer() function in Xen ignores the unused top bits of a guest physical frame. A remote administrator of a guest operating system can issue a specially crafted XENMEM_add_to_physmap{, _batch} hypercall, followed by an access to an address (via hypercall or direct access) that passes the sanity check but causes p2m_get_root_pointer() to return NULL. As a result, the attacker can crash the hypervisor from the guest operating system.
5) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-18424)
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing the assignment of PCI devices. A privileged user of a guest operating system can program the PCI device to directly access host memory. Once the PCI device is deassigned, the code will be written into host memory. A remote attacker can corrupt host memory and perform a denial of service attack or escalate privileges on the system.
6) Resource management error (CVE-ID: CVE-2019-18422)
The vulnerability allows a local user to perform a denial of service (DoS) attack or possibly escalate privileges.
The vulnerability exists due to the way Xen handles exceptions on ARM systems without changing processor level. A local user can force critical Xen code to run with interrupts erroneously enabled during exception entry, which may lead to data corruption, denial of service and potential privilege escalation.
Note: the vulnerability affects ARM systems only.
Remediation
Install updates from the vendor's website.
References
- http://www.openwall.com/lists/oss-security/2019/10/31/1
- http://xenbits.xen.org/xsa/advisory-296.html
- http://www.openwall.com/lists/oss-security/2019/10/31/2
- http://xenbits.xen.org/xsa/advisory-298.html
- http://www.openwall.com/lists/oss-security/2019/10/31/3
- http://xenbits.xen.org/xsa/advisory-299.html
- http://www.openwall.com/lists/oss-security/2019/10/31/4
- http://xenbits.xen.org/xsa/advisory-301.html
- http://www.openwall.com/lists/oss-security/2019/10/31/6
- http://xenbits.xen.org/xsa/advisory-302.html
- http://www.openwall.com/lists/oss-security/2019/10/31/5
- http://xenbits.xen.org/xsa/advisory-303.html