#VU22537 Permissions, Privileges, and Access Controls in Xen - CVE-2019-18424

Cybersecurity Help s.r.o.

Published: 2019-11-05

Vulnerability identifier: #VU22537

Vulnerability risk: Low

CVSSv4.0: 2 [CVSS:4.0/AV:A/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-18424

CWE-ID: CWE-264

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
Xen
Server applications / Virtualization software

Vendor: Xen Project

Description

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing assignment of PCI devices. A privileged user of a guest operating system can program the PCI device to directly access host memory. Once the PCI device is deassigned, the code will be written into host memory. A remote attacker can corrupt host memory and perform denial of service attack or escalate privileges on the system.

Mitigation

Applying the appropriate attached patchset should resolve this issue.
For Xen 4.9 and earlier at least the first patch of XSA-299
(whitespace cleanup) is also needed for XSA-302 to apply.

Unfortunately, at the time of writing, these patches have not been
tested to our satisfaction.

The patches are known to break on ARM.  ARM is not affected by the
issue, so do not apply these patches on ARM systems.  (On x86, there
is a latent bug but the patches are good to use.)

xsa302/*.patch         xen-unstable
xsa302-4.12/*.patch    Xen 4.12.x
xsa302-4.11/*.patch    Xen 4.11.x
xsa302-4.10/*.patch    Xen 4.10.x
xsa302-4.9/*.patch     Xen 4.9.x, Xen 4.8.x

$ sha256sum xsa302* xsa302*/*
d722d1bed2440a5d35f0fd041e4a77966b7d26980a0f874d38d48710db0b9ebd  xsa302.meta
703faced133ca21142f484acd8cf16578258e12ae0cf1413a5d9252f1e099465  xsa302-4.9/0001-IOMMU-add-missing-HVM-check.patch
edb4753b91fa66e2f4b51d0075d106fc28d8451241ba482a33c2db4be53f21d1  xsa302-4.9/0002-passthrough-quarantine-PCI-devices.patch
3c79107d8fd94807543443192fb31f3d188912c208f4dbda61f1f2ff92701afc  xsa302-4.10/0001-IOMMU-add-missing-HVM-check.patch
2a76add5a907baf0217e57e2a4dca91a6a8ce84c67b9ff87be1bcbb1f29efdc6  xsa302-4.10/0002-passthrough-quarantine-PCI-devices.patch
a75723160c52c2c65d563905d0904b587beda1cfb6ca3ee18fb70e79818d3faa  xsa302-4.11/0001-IOMMU-add-missing-HVM-check.patch
48b9dae7adbe2438dcaa00f969532d835061cb4a06ab2bf47ada2afb644de4c5  xsa302-4.11/0002-passthrough-quarantine-PCI-devices.patch
a21efa6cae14e87318ca3927f0ac310aee2dd1323f2dbf040c0fe80789d78712  xsa302-4.12/0001-IOMMU-add-missing-HVM-check.patch
0a95f750ad1d5eb1838b6488e4ac188acdc2e568eb21b26306d5af2980bffb58  xsa302-4.12/0002-passthrough-quarantine-PCI-devices.patch
11d7015960eab265b1f9ce372dd14597b6c4cc7907d77ed3eed14d161dd50e5c  xsa302/0001-passthrough-quarantine-PCI-devices.patch
$

Vulnerable software versions

Xen: 4.8.0 - 4.12.1

External links
https://www.openwall.com/lists/oss-security/2019/10/31/6
https://xenbits.xen.org/xsa/advisory-302.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for Xen

Debian update for xen

Permissions, Privileges, and Access Controls in xen (Alpine package)

OpenSUSE Linux update for xen

Multiple vulnerabilities in Xen