SB2017082005 - Gentoo update for Xen

Description

This security bulletin contains information about 20 secuirty vulnerabilities.

1) Information disclosure (CVE-ID: CVE-2017-10911)

The vulnerability allows a local attacker to obtain potentially sensitive information from another guest system or the host system.

The weakness exists due to improper initialization of some fields of the block interface (blkif) response structure. A local attacker can read arbitrary files from stack memory.

Successful exploitation of the vulnerability results in information disclosure.

2) Privilege escalation (CVE-ID: CVE-2017-10912)

The vulnerability allows a local attacker to gain elevated privileges.

The weakness exists due to improper handling of page transfer. A local OS attacker can gain host privileges on the target system.

Successful exploitation of the vulnerability results in privilege escalation.

3) Privilege escalation (CVE-ID: CVE-2017-10912)

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The weakness exists due to a flaw in the page transfer function (GNTTABOP_transfer). A local attacker on two guest systems (a PV and an HVM guest) can obtain potentially sensitive data or gain elevated privileges.

Successful exploitation of the vulnerability results in privilege escalation.

4) Privilege escalation (CVE-ID: CVE-2017-10913)

The vulnerability allows a backend attacker to gain frontend privileges.

The weakness exists due to improper mapping of information in certain cases of concurrent unmap calls by the grant-table feature in Xen. A backend attacker can read arbitrary files on the system or gain frontend privileges.

Successful exploitation of the vulnerability results in privilege escalation.

5) Privilege escalation (CVE-ID: CVE-2017-10913)

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The weakness exists due to memory read and write by malicious backend. A local attacker can obtain potentially sensitive data or gain backend-to-frontend privileges.

Successful exploitation of the vulnerability results in privilege escalation.

6) Race condition (CVE-ID: CVE-2017-10914)

The vulnerability allows a local attacker to cause DoS conditions.

The weakness exists due to a race condition in the grant-table feature. A local attacker can trigger double free error and memory consumption and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

7) Privilege escalation (CVE-ID: CVE-2017-10914)

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The weakness exists due to memory leak. A local attacker can probably cause reference counts to leak, obtain potentially sensitive data or gain host privileges.

Successful exploitation of the vulnerability results in privilege escalation.

8) Privilege escalation (CVE-ID: CVE-2017-10915)

The vulnerability allows a local attacker to gain elevated privileges.

The weakness exists due to a race condition when managing page references by the shadow-paging feature.. A local OS attacker can gain Xen privileges on the target system.

Successful exploitation of the vulnerability results in privilege escalation.

9) Privilege escalation (CVE-ID: CVE-2017-10915)

The vulnerability allows a local attacker to gain elevated privileges.

The weakness exists due to race condition in shadow paging emulation. A local attacker on two quest systems can gain host privileges.

Successful exploitation of the vulnerability results in privilege escalation.

10) Information disclosure (CVE-ID: CVE-2017-10916)

The vulnerability allows a local attacker to obtain potentially sensitive information on the host system.

The weakness exists due to information leak. A local attacker on guest system that uses the Memory Protection Extensions (MPX) and Protection Key (PKU) features and manually context switch between vCPUs can obtain potentially sensitive control information about guest address space pointers on the target system.

Successful exploitation of the vulnerability results in information disclosure.

11) Null pointer dereference (CVE-ID: CVE-2017-10917)

The vulnerability allows a local attacker to cause DoS conditions.

The weakness exists due to improper validation of the port numbers of polled event channel ports. A local attacker can trigger NULL pointer dereference and cause the system to crash.

Successful exploitation of the vulnerability results in denial of service.

12) Denial of service (CVE-ID: CVE-2017-10917)

The vulnerability allows a local attacker on the guest system to cause DoS condition.

The weakness exists due to access control flaw in the hypervisor in event channel polling. A local attacker can cause the target host system to crash.

Successful exploitation of the vulnerability results in denial of service.

13) Privilege escalation (CVE-ID: CVE-2017-10918)

The vulnerability allows a local attacker to gain elevated privileges.

The weakness exists due to improper validation of memory allocations during certain P2M operations. A local OS attacker can gain host privileges on the target system.

Successful exploitation of the vulnerability results in privilege escalation.

14) Privilege escalation (CVE-ID: CVE-2017-10918)

The vulnerability allows a local attacker to gain elevated privileges.

The weakness exists due to a memory allocation error in the physical-to-machine (P2M) mapping. A local attacker on the guest system can access restricted memory to gain elevated privileges on the host system.

Successful exploitation of the vulnerability results in privilege escalation.

15) Denial of service (CVE-ID: CVE-2017-10919)

The vulnerability allows a local attacker to cause DoS condition on the host system.

The weakness exists due to missing check. A local attacker can send a software generated interrupt to a vCPU or configure timers and cause the host system to crash.

Successful exploitation of the vulnerability results in denial of service.

16) Memory corruption (CVE-ID: CVE-2017-10920)

The vulnerability allows a local attacker to cause DoS conditions.

The weakness exists due to improper handling of a GNTMAP_device_map and GNTMAP_host_map mapping by the grant-table feature, when followed by only a GNTMAP_host_map unmapping. A local attacker can trigger count mismanagement and memory corruption and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

17) Privilege escalation (CVE-ID: CVE-2017-10920)

The vulnerability allows a local attacker to gain elevated privileges.

The weakness exists due to flaws in the mapping and unmapping of grant references. If a grant is mapped with both the GNTMAP_device_map and GNTMAP_host_map flags, but unmapped only with host_map, the device_map portion remains but the page reference counts are lowered as though it had been removed. This bug can be leveraged cause a page's reference counts and type counts to fall to zero while retaining writeable mappings to the page.

18) Memory corruption (CVE-ID: CVE-2017-10921)

The vulnerability allows a local attacker to cause DoS conditions.

The weakness exists due to improper ensuring of sufficient type counts for a GNTMAP_device_map and GNTMAP_host_map mapping by the grant-table feature. A local attacker can trigger count mismanagement and memory corruption and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

19) Memory corruption (CVE-ID: CVE-2017-10922)

The vulnerability allows a local attacker to cause DoS conditions.

The weakness exists due to improper handling of MMIO region grant references by the grant-table feature. A local attacker can trigger loss of grant trackability and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

20) Denial of service (CVE-ID: CVE-2017-10923)

The vulnerability allows a local attacker to cause DoS condition on the host system.

The weakness exists due to array access error. A local user on the guest system can send specially crafted software generated interrupts to vCPUS that use the MMIO register GICD_SGIR (GICv2) or System Register ICC_SGI1R (GICv3) and cause the hypervisor to crash.

Successful exploitation of the vulnerability results in denial of service.

Remediation

Install update from vendor's website.

References

• https://security.gentoo.org/
• https://security.gentoo.org/glsa/201708-03