SB2020010324 - Permissions, Privileges, and Access Controls in xen (Alpine package)
Published: January 3, 2020
Description
This security bulletin contains information about 1 security vulnerability.
1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-19579)
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to an error within the PCI device assignment process in Xen that allows the use of alternative assignment methods. A remote attacker with access to the guest OS and a physical device can write data into memory on the host operating system.
Successful exploitation of the vulnerability may allow a remote attacker to escalate privileges on the host operating system.
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=29678cb92eeeb6dc96ec2e86481345797474ddb8
- https://git.alpinelinux.org/aports/commit/?id=58d7b94f0134f00815145d95ee720d36d645c72e
- https://git.alpinelinux.org/aports/commit/?id=5b04af6c9b65512ad9ff6f687e8651189bd186c5
- https://git.alpinelinux.org/aports/commit/?id=8d6c01f17f4285e0142442bb8afcce72f4bd280b
- https://git.alpinelinux.org/aports/commit/?id=4e803597c91a0cf312e53ce62458e81f5294c6e9