Debian update for xen
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 5 |
| CVE-ID | CVE-2018-8897 CVE-2018-10471 CVE-2018-10472 CVE-2018-10981 CVE-2018-10982 |
| CWE-ID | CWE-703 CWE-787 CWE-200 CWE-835 CWE-190 |
| Exploitation vector | Local network |
| Public exploit | Vulnerability #1 is being exploited in the wild. |
| Vulnerable software Subscribe |
Debian Linux Operating systems & Components / Operating system |
| Vendor | Debian |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
1) Privilege escalation
EUVDB-ID: #VU12450
Risk: Low
CVSSv3.1: 8.4 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C]
CVE-ID: CVE-2018-8897
CWE-ID:
CWE-703 - Improper Check or Handling of Exceptional Conditions
Exploit availability: Yes
DescriptionThe vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists due to improper implementation of Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) on multiple system kernels, which results in an unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS. A local user can execute arbitrary code with elevated privileges.
Update the affected package to version: 4.8.3+comet2+shim4.10.0+comet3-1+deb9u6
Vulnerable software versionsDebian Linux: All versions
CPE2.3 External linkshttp://www.debian.org/security/2018/dsa-4201
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
2) Out-of-bounds write
EUVDB-ID: #VU12542
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-10471
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows an adjacent attacker to cause DoS condition or execute arbitrary code on the target system.
The weakness exists due to an unconditional write attempt of the value zero to an address near 2^64. An adjacent attacker can cause the service to crash or execute arbitrary code via unexpected INT 80 processing.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected package to version: 4.8.3+comet2+shim4.10.0+comet3-1+deb9u6
Vulnerable software versionsDebian Linux: All versions
CPE2.3 External linkshttp://www.debian.org/security/2018/dsa-4201
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Information disclosure
EUVDB-ID: #VU12543
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-10472
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows an adjacent attacker to obtain potentially sensitive information on the target system.
The weakness exists in certain configurations due to improper information control. An adjacent attacker can read arbitrary dom0 files via QMP live insertion of a CDROM, in conjunction with specifying the target file as the backing file of a snapshot.
MitigationUpdate the affected package to version: 4.8.3+comet2+shim4.10.0+comet3-1+deb9u6
Vulnerable software versionsDebian Linux: All versions
CPE2.3 External linkshttp://www.debian.org/security/2018/dsa-4201
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Infinite loop
EUVDB-ID: #VU12647
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-10981
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows an adjacent attacker to cause DoS condition on the target system.
The weakness exists due to a failure to reject invalid transitions between states. An adjacent attacker can submit a specially crafted request designed to force the QEMU device model on the system to switch the request between two states, trigger infinite loop and cause the service to crash.
Update the affected package to version: 4.8.3+comet2+shim4.10.0+comet3-1+deb9u6
Vulnerable software versionsDebian Linux: All versions
CPE2.3 External linkshttp://www.debian.org/security/2018/dsa-4201
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Integer overflow
EUVDB-ID: #VU12648
Risk: Low
CVSSv3.1: 7.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-10982
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows an adjacent attacker to cause DoS condition or gain elevated privileges on the target system.
The weakness exists due to an array overrun condition that occurs when the High Precision Event Timer (HPET) timer is configured to deliver interrupts in IO-APIC mode. An adjacent attacker who has the HPET timer configured to deliver interrupts in IO-APIC mode can cause the service to crash or gain root privileges.
Update the affected package to version: 4.8.3+comet2+shim4.10.0+comet3-1+deb9u6
Vulnerable software versionsDebian Linux: All versions
CPE2.3 External linkshttp://www.debian.org/security/2018/dsa-4201
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
