#VU32301 Information disclosure in Xen - CVE-2016-3158

Vulnerability identifier: #VU32301

Vulnerability risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2016-3158

CWE-ID: CWE-200

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Xen
Server applications / Virtualization software

Vendor: Xen Project

Description

The vulnerability allows a local authenticated user to gain access to sensitive information.

The xrstor function in arch/x86/xstate.c in Xen 4.x does not properly handle writes to the hardware FSW.ES bit when running on AMD64 processors, which allows local guest OS users to obtain sensitive register content information from another guest by leveraging pending exception and mask bits. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-2076.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Xen: 4.24

---

External links
https://lists.fedoraproject.org/pipermail/package-announce/2016-April/181699.html
https://lists.fedoraproject.org/pipermail/package-announce/2016-April/181729.html
https://support.citrix.com/article/CTX209443
https://www.debian.org/security/2016/dsa-3554
https://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
https://www.securityfocus.com/bid/85714
https://www.securitytracker.com/id/1035435
https://xenbits.xen.org/xsa/advisory-172.html
https://xenbits.xen.org/xsa/xsa172.patch
https://xenbits.xen.org/xsa/xsa172-4.3.patch

---

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.