SB2018082104 - Multiple vulnerabilities in Xen

Description

This security bulletin contains information about 7 secuirty vulnerabilities.

1) Denial of service (CVE-ID: CVE-2018-15469)

The vulnerability allows an adjacent attacker to cause DoS condition on the target system.

The vulnerability exists due to improper implementation of version 2 of grant tables in the affected software, in the hypervisor or in Linux. An adjacent attacker can request version 2 grant tables, trigger a BUG() check and cause the service to crash.

2) Memory corruption (CVE-ID: CVE-2018-15470)

The vulnerability allows an adjacent attacker to cause DoS condition on the target system.

The vulnerability exists due to the affected software fails to enforce the quota-maxentity setting. An adjacent attacker can write an excessive number of XenStore entries, trigger unbounded memory usage and cause the service to crash.

3) Path traversal (CVE-ID: CVE-2018-14007)

The vulnerability allows an adjacent attacker to obtain potentially sensitive information on the target system.

The vulnerability exists due to path traversal. An adjacent attacker can conduct directory traversal attack and read arbitrary files from the dom0 filesystem  including the pool secret /etc/xensource/ptoken which grants the attacker full administrator.

4) Integer overflow (CVE-ID: CVE-2018-15471)

The vulnerability allows an adjacent attacker to gain elevated privileges on the target system.

The vulnerability exists in xenvif_set_hash_mapping in drivers/net/xen-netback/hash.c due to integer overflow when handling malicious input. An adjacent attacker can supply a malicious or buggy frontend request to set or change mapping of requests to request queues, cause the (usually privileged) backend to make out of bounds memory accesses and gain access to arbitrary data, cause the service to crash or gain elevated privileges.

5) Denial of service (CVE-ID: CVE-2018-15468)

The vulnerability allows an adjacent administrative attacker to cause DoS condition on the target system.

The vulnerability exists due to the DEBUGCTL MSR contains several debugging features, some of which virtualise cleanly, but some do not when Branch Trace Store is not virtualised by the processor. An adjacent attacker can lock up the entire host, choose any MSR_DEBUGCTL setting it likes and cause the service to crash.

6) Side-channel attack (CVE-ID: CVE-2018-3646)

The vulnerability allows an adjacent attacker to obtain potentially sensitive information.

The vulnerability exists due to an error in systems with microprocessors utilizing speculative execution and address translations. An adjacent attacker with guest OS privilege can trigger terminal page fault, conduct side-channel attack and gain access to potentially sensitive information residing in the L1 data cache.

7) Side-channel attack (CVE-ID: CVE-2018-3620)

The vulnerability allows a local attacker to obtain potentially sensitive information.

The vulnerability exists due to an error in systems with microprocessors utilizing speculative execution and address translations . A local attacker can trigger terminal page fault, conduct side-channel attack and gain access to potentially sensitive information residing in the L1 data cache.

Remediation

Install update from vendor's website.

References

• http://xenbits.xen.org/xsa/advisory-268.html
• http://xenbits.xen.org/xsa/advisory-272.html
• http://xenbits.xen.org/xsa/advisory-271.html
• http://xenbits.xen.org/xsa/advisory-270.html
• http://xenbits.xen.org/xsa/advisory-269.html
• http://xenbits.xen.org/xsa/advisory-273.html