Lucene search
K
XenMost viewed

482 matches found

Xen Project
Xen Project
•added 2016/11/22 12:0 p.m.•77 views

x86 segment base write emulation lacking canonical address checks

ISSUE DESCRIPTION Both writes to the FS and GS register base MSRs as well as the WRFSBASE and WRGSBASE instructions require their input values to be canonical, or a GP fault will be raised. When the use of those instructions by the hypervisor was enabled, the previous guard against GP faults havi...

6CVSS2.1AI score0.00428EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2015/10/29 11:59 a.m.•77 views

arm: various unimplemented hypercalls log without rate limiting

ISSUE DESCRIPTION The HYPERVISORphysdevop hypercall and most suboperations of the HYPERVISORhvmop hypercall are not currently implemented by Xen on ARM and when called will log the use to the hypervisor console. However these guest accessible log messages are not rate-limited. IMPACT A malicious...

2.1CVSS8.8AI score0.00391EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2013/01/22 11:49 a.m.•77 views

Nested HVM exposes host to being driven out of memory by guest

ISSUE DESCRIPTION Guests are currently permitted to enable nested virtualization on themselves. Missing error handling cleanup in the handling code makes it possible for a guest, particularly a multi-vCPU one, to repeatedly invoke this operation, thus causing a leak of - over time - unbounded...

4.7CVSS0.8AI score0.00373EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2022/11/01 12:0 p.m.•76 views

Xenstore: guests can let run xenstored out of memory

ISSUE DESCRIPTION Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service DoS of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the...

6.5CVSS1.6AI score0.00245EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2020/04/14 12:0 p.m.•76 views

multiple xenoprof issues

ISSUE DESCRIPTION Unprivileged guests can request to map xenoprof buffers, even if profiling has not been enabled for those guests. These buffers were not scrubbed. This is CVE-2020-11740. Furthermore, for guests for which "active" profiling was enabled by the administrator, the xenoprof code use...

8.8CVSS0.7AI score0.00434EPSS
Exploits0
Xen Project
Xen Project
•added 2017/05/02 12:0 p.m.•76 views

grant transfer allows PV guest to elevate privileges

ISSUE DESCRIPTION The GNTTABOPtransfer operation allows one guest to transfer a page to another guest. The internal processing of this, however, does not include zapping the previous type of the page being transferred. This makes it possible for a PV guest to transfer a page previously used as pa...

8.8CVSS1.4AI score0.00421EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2015/11/30 6:0 a.m.•76 views

heap buffer overflow vulnerability in pcnet emulator

ISSUE DESCRIPTION The QEMU security team has predisclosed the following advisory: The AMD PC-Net II emulatorhw/net/pcnet.c, while receiving packets in loopback mode, appends CRC code to the receive buffer. If the data size given is same as the buffer size4096, the appended CRC code overwrites 4...

8.8CVSS8.8AI score0.00642EPSS
Exploits1
Xen Project
Xen Project
•added 2015/11/10 12:1 a.m.•76 views

x86: CPU lockup during exception delivery

ISSUE DESCRIPTION When a benign exception occurs while delivering another benign exception, it is architecturally specified that these would be delivered sequentially. There are, however, cases where this results in an infinite loop inside the CPU, which in the virtualized case can be broken only...

10CVSS6.1AI score0.02501EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2015/10/29 11:59 a.m.•76 views

x86: Long latency populate-on-demand operation is not preemptible

ISSUE DESCRIPTION When running an HVM domain in Populate-on-Demand mode, Xen would sometimes search the domain for memory to reclaim, in response to demands for population of other pages in the same domain. This search runs without preemption. The guest can, by suitable arrangement of its memory...

4.9CVSS7.1AI score0.00436EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2013/11/08 4:20 p.m.•76 views

Host crash due to guest VMX instruction execution

ISSUE DESCRIPTION Permission checks on the emulation paths intended for guests using nested virtualization for VMLAUNCH and VMRESUME were deferred too much. The hypervisor would try to use internal state which is not set up unless nested virtualization is actually enabled for a guest. IMPACT A...

5.7CVSS0.00803EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2019/12/11 12:0 p.m.•75 views

Further issues with restartable PV type change operations

ISSUE DESCRIPTION XSA-299 addressed several critical issues in restartable PV type change operations. Despite extensive testing and auditing, some corner cases were missed. IMPACT A malicious PV guest administrator may be able to escalate their privilege to that of the host. VULNERABLE SYSTEMS Al...

6.6CVSS0.8AI score0.01187EPSS
Exploits0
Xen Project
Xen Project
•added 2017/02/21 12:0 p.m.•75 views

cirrus_bitblt_cputovideo does not check if memory region is safe

ISSUE DESCRIPTION In CIRRUSBLTMODEMEMSYSSRC mode the bitblit copy routine cirrusbitbltcputovideo fails to check wethehr the specified memory region is safe. IMPACT A malicious guest administrator can cause an out of bounds memory write, very likely exploitable as a privilege escalation. VULNERABL...

9.9CVSS2.5AI score0.03559EPSS
Exploits0
Xen Project
Xen Project
•added 2014/12/08 12:0 p.m.•75 views

p2m lock starvation

ISSUE DESCRIPTION The current read/write lock implementation is read-biased, which allows a consistent stream of readers to starve writers indefinitely. There are certain rwlocks where guests are capable of applying arbitrary read pressure. IMPACT A malicious guest administrator can deny service ...

4.7CVSS8.9AI score0.00398EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2013/10/29 12:0 p.m.•76 views

ocaml xenstored mishandles oversized message replies

ISSUE DESCRIPTION The Ocaml xenstored implementation "oxenstored" cannot correctly handle a message reply larger than XENSTOREPAYLOADSIZE when communicating with a client domain via the shared ring mechanism. When this situation occurs the connection to the client domain will be shutdown and cann...

5.2CVSS1.1AI score0.0055EPSS
Exploits0
Xen Project
Xen Project
•added 2016/03/16 7:0 p.m.•74 views

I/O port access privilege escalation in x86-64 Linux

ISSUE DESCRIPTION IRET and POPF do not modify EFLAGS.IOPL when executed by code at a privilege level other than zero. Since PV Xen guests run at privilege level 3 for 64-bit ones; 32-bit ones run at privilege level 1, to compensate for this the context switching of EFLAGS.IOPL requires the guest ...

7.8CVSS1.3AI score0.00513EPSS
Exploits0
Xen Project
Xen Project
•added 2015/07/27 12:0 p.m.•74 views

QEMU heap overflow flaw while processing certain ATAPI commands.

ISSUE DESCRIPTION The QEMU security team has predisclosed the following advisory: A heap overflow flaw was found in the way QEMU's IDE subsystem handled I/O buffer access while processing certain ATAPI commands. A privileged guest user in a guest with CDROM drive enabled could potentially use thi...

7.2CVSS7.4AI score0.0063EPSS
Exploits0
Xen Project
Xen Project
•added 2015/06/02 12:0 p.m.•74 views

Unmediated PCI register access in qemu

ISSUE DESCRIPTION Qemu allows guests to not only read, but also write all parts of the PCI config space but not extended config space of passed through PCI devices not explicitly dealt with for partial emulation purposes. IMPACT Since the effect depends on the specific purpose of the the config...

4.6CVSS7.5AI score0.00483EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2015/03/05 12:0 p.m.•74 views

Information leak via internal x86 system device emulation

ISSUE DESCRIPTION Emulation routines in the hypervisor dealing with certain system devices check whether the access size by the guest is a supported one. When the access size is unsupported these routines failed to set the data to be returned to the guest for read accesses, so that hypervisor sta...

2.1CVSS6.5AI score0.00414EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2013/04/18 3:16 p.m.•74 views

grant table hypercall acquire/release imbalance

ISSUE DESCRIPTION When releasing a non-v1 non-transitive grant after doing a grant copy operation, Xen incorrectly recurses as if for a transitive grant and releases an unrelated grant reference. IMPACT A malicious guest administrator can cause undefined behaviour; depending on the dom0 kernel a...

6.9CVSS1AI score0.00349EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2023/09/25 4:5 p.m.•73 views

x86/AMD: Divide speculative information leak

ISSUE DESCRIPTION In the Zen1 microarchitecure, there is one divider in the pipeline which services uops from both threads. In the case of DE, the latched result from the previous DIV to execute will be forwarded speculatively. This is a covert channel that allows two threads to communicate witho...

5.5CVSS6AI score0.12405EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2021/12/20 12:0 p.m.•73 views

Guest can force Linux netback driver to hog large amounts of kernel memory

ISSUE DESCRIPTION Incoming data packets for a guest in the Linux kernel's netback driver are buffered until the guest is ready to process them. There are some measures taken for avoiding to pile up too much data, but those can be bypassed by the guest: There is a timeout how long the client side ...

6.5CVSS0.3AI score0.00332EPSS
Exploits0
Xen Project
Xen Project
•added 2014/02/12 12:0 p.m.•73 views

use-after-free in xc_cpupool_getinfo() under memory pressure

ISSUE DESCRIPTION If xccpumapalloc fails then xccpupoolgetinfo will free and incorrectly return the then-free pointer to the result structure. IMPACT An attacker may be able to cause a multi-threaded toolstack using this function to race against itself leading to heap corruption and a potential...

4.6CVSS5.2AI score0.00384EPSS
Exploits0
Xen Project
Xen Project
•added 2013/11/26 12:0 p.m.•73 views

Lock order reversal between page_alloc_lock and mm_rwlock

ISSUE DESCRIPTION The locks pagealloclock and mmrwlock are not always taken in the same order. This raises the possibility of deadlock. The incorrect order occurs only in the implementation of the deprecated domctl hypercall XENDOMCTLgetmemlist. IMPACT A malicious guest administrator may be able ...

5.2CVSS1.5AI score0.00565EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2024/03/12 5:6 p.m.•72 views

GhostRace: Speculative Race Conditions

ISSUE DESCRIPTION Researchers at VU Amsterdam and IBM Research have discovered GhostRace; an analysis of the behaviour of synchronisation primitives under speculative execution. Synchronisation primitives are typically formed as an unbounded loop which waits until a resource is available to be...

5.7CVSS7AI score0.01231EPSS
Exploits0
Xen Project
Xen Project
•added 2023/04/25 12:0 p.m.•72 views

x86 shadow paging arbitrary pointer dereference

ISSUE DESCRIPTION In environments where host assisted address translation is necessary but Hardware Assisted Paging HAP is unavailable, Xen will run guests in so called shadow mode. Due to too lax a check in one of the hypervisor routines used for shadow page handling it is possible for a guest...

7.8CVSS6.5AI score0.00264EPSS
Exploits0
Xen Project
Xen Project
•added 2021/06/08 5:0 p.m.•72 views

Guest triggered use-after-free in Linux xen-netback

ISSUE DESCRIPTION A malicious or buggy network PV frontend can force Linux netback to disable the interface and terminate the receive kernel thread associated with queue 0 in response to the frontend sending a malformed packet. Such kernel thread termination will lead to a use-after-free in Linux...

7.8CVSS2.2AI score0.00361EPSS
Exploits0
Xen Project
Xen Project
•added 2013/11/26 12:0 p.m.•72 views

Hypercalls exposed to privilege rings 1 and 2 of HVM guests

ISSUE DESCRIPTION The privilege check applied to hypercall attempts by a HVM guest only refused access from ring 3; rings 1 and 2 were allowed through. IMPACT Code running in the intermediate privilege rings of HVM guest OSes may be able to elevate its privileges inside the guest by careful...

5.2CVSS2.2AI score0.00612EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2013/09/30 10:4 a.m.•72 views

Memory accessible by 64-bit PV guests under live migration

ISSUE DESCRIPTION On some hardware, during live migration of 64-bit PV guests, some parts of the guest's shadow pagetables are mistakenly filled in with hypervisor mappings. This causes Xen to crash when those mappings are later cleared. Before the crash, a malicious guest could use hypercalls to...

5.4CVSS0.4AI score0.00611EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2013/04/18 12:0 p.m.•72 views

Several access permission issues with IRQs for unprivileged guests

ISSUE DESCRIPTION Various IRQ related access control operations may not have the intended effect, thus potentially permitting a stub domain to grant its client domain access to an IRQ it doesn't have access to itself. IMPACT Malicious or buggy stub domains kernels can mount a denial of service...

4.7CVSS2.3AI score0.00372EPSS
Exploits0
Xen Project
Xen Project
•added 2012/12/03 5:51 p.m.•72 views

XENMEM_exchange may overwrite hypervisor memory

ISSUE DESCRIPTION The handler for XENMEMexchange accesses guest memory without range checking the guest provided addresses, thus allowing these accesses to include the hypervisor reserved range. IMPACT A malicious guest administrator can cause Xen to crash. If the out of address space bounds acce...

6.9CVSS1.4AI score0.00406EPSS
Exploits4Affected Software1
Xen Project
Xen Project
•added 2017/06/20 12:0 p.m.•71 views

blkif responses leak backend stack data

ISSUE DESCRIPTION The block interface response structure has some discontiguous fields. Certain backends populate the structure fields of an otherwise uninitialized instance of this structure on their stacks, leaking data through the internal or trailing padding field. IMPACT A malicious...

6.5CVSS1.4AI score0.00445EPSS
Exploits0
Xen Project
Xen Project
•added 2015/03/10 12:0 p.m.•71 views

Hypervisor memory corruption due to x86 emulator flaw

ISSUE DESCRIPTION Instructions with register operands ignore eventual segment overrides encoded for them. Due to an insufficiently conditional assignment such a bogus segment override can, however, corrupt a pointer used subsequently to store the result of the instruction. IMPACT A malicious gues...

7.2CVSS7.1AI score0.0057EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2014/11/18 12:0 p.m.•71 views

Missing privilege level checks in x86 emulation of far branches

ISSUE DESCRIPTION The emulation of far branch instructions CALL, JMP, and RETF in Intel assembly syntax, LCALL, LJMP, and LRET in AT&T assembly syntax incompletely performs privilege checks. However these instructions are not usually handled by the emulator. Exceptions to this are - when a memory...

1.9CVSS9AI score0.00413EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2022/04/05 12:0 p.m.•70 views

IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues

ISSUE DESCRIPTION Certain PCI devices in a system might be assigned Reserved Memory Regions specified via Reserved Memory Region Reporting, "RMRR" for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose...

7.8CVSS1.3AI score0.00344EPSS
Exploits0
Xen Project
Xen Project
•added 2021/05/04 12:0 p.m.•70 views

x86: Speculative vulnerabilities with bare (non-shim) 32-bit PV guests

ISSUE DESCRIPTION 32-bit x86 PV guest kernels run in ring 1. At the time when Xen was developed, this area of the i386 architecture was rarely used, which is why Xen was able to use it to implement paravirtualisation, Xen's novel approach to virtualization. In AMD64, Xen had to use a different...

5.5CVSS0.5AI score0.00375EPSS
Exploits0
Xen Project
Xen Project
•added 2020/09/22 12:0 p.m.•70 views

PCI passthrough code reading back hardware registers

ISSUE DESCRIPTION Code paths in Xen's MSI handling have been identified which act on unsanitized values read back from device hardware registers. While devices strictly compliant with PCI specifications shouldn't be able to affect these registers, experience shows that it's very common for device...

7.8CVSS1.6AI score0.00373EPSS
Exploits0
Xen Project
Xen Project
•added 2016/11/29 2:48 p.m.•70 views

ARM guests may induce host asynchronous abort

ISSUE DESCRIPTION Depending on how the hardware and firmware have been integrated, guest-triggered asynchronous aborts SError on ARMv8 may be received by the hypervisor. The current action is to crash the host. A guest might trigger an asynchronous abort when accessing memory mapped hardware in a...

6.5CVSS0.3AI score0.00471EPSS
Exploits0
Xen Project
Xen Project
•added 2016/11/22 12:0 p.m.•70 views

x86 task switch to VM86 mode mis-handled

ISSUE DESCRIPTION LDTR, just like TR, is purely a protected mode facility. Hence even when switching to a VM86 mode task, LDTR loading needs to follow protected mode semantics. This was violated by the code. IMPACT On SVM AMD hardware: a malicious unprivileged guest process can escalate its...

7.8CVSS1.4AI score0.00448EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2015/10/29 11:59 a.m.•70 views

arm: Host crash when preempting a multicall

ISSUE DESCRIPTION Early versions of Xen on ARM did not support "multicall" functionality the ability to perform multiple operations via a single hypercall and therefore stubbed out the functionality needed to support preemption of multicalls in a manner which crashed the host. When multicall...

4.9CVSS8.9AI score0.00395EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2014/11/27 11:25 a.m.•70 views

Excessive checking in compatibility mode hypercall argument translation

ISSUE DESCRIPTION The hypercall argument translation needed for 32-bit guests running on 64-bit hypervisors performs checks on the final register state. These checks cover all registers potentially holding hypercall arguments, not just the ones actually doing so for the hypercall being processed,...

4.7CVSS8.9AI score0.00432EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2014/06/03 12:0 p.m.•70 views

Vulnerabilities in HVM MSI injection

ISSUE DESCRIPTION The implementation of the HVM control operation HVMOPinjectmsi, while checking whether a particular IRQ was already set up in the necessary way, fails to properly check all respective conditions. In particular it doesn't check the returned pointer for being non-NULL before de-...

5.5CVSS6.4AI score0.00719EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2022/11/08 6:0 p.m.•69 views

x86: Multiple speculative security issues

ISSUE DESCRIPTION 1 Researchers have discovered that on some AMD CPUs, the implementation of IBPB Indirect Branch Prediction Barrier does not behave according to the specification. Specifically, IBPB fails to properly flush the RAS Return Address Stack, also RSB - Return Stack Buffer - in Intel...

6.5CVSS6.9AI score0.00772EPSS
Exploits0
Xen Project
Xen Project
•added 2020/04/14 12:0 p.m.•69 views

Bad continuation handling in GNTTABOP_copy

ISSUE DESCRIPTION Grant table operations are expected to return 0 for success, and a negative number for errors. The fix for CVE-2017-12135 / XSA-226 introduced a path through grant copy handling where success may be returned to the caller without any action taken. In particular the status fields...

8.8CVSS1.2AI score0.00452EPSS
Exploits0
Xen Project
Xen Project
•added 2015/12/17 12:0 p.m.•69 views

qemu-dm buffer overrun in MSI-X handling

ISSUE DESCRIPTION "qemu-xen-traditional" aka qemu-dm tracks state for each MSI-X table entry of a passed through device. This is used/updated on intercepted accesses to the pages containing the MSI-X table. There may be space on the final page not covered by any MSI-X table entry, but memory for...

7.5CVSS8AI score0.004EPSS
Exploits0
Xen Project
Xen Project
•added 2014/05/14 10:44 a.m.•69 views

input handling vulnerabilities loading guest kernel on ARM

ISSUE DESCRIPTION When loading a 32-bit ARM guest kernel the Xen tools did not correctly validate the length of the kernel against the actual image size. This would then lead to an overrun on the input buffer when loading the kernel into guest RAM CVE-2014-3714. Furthermore when checking a 32-bit...

3.3CVSS6.5AI score0.00411EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2013/04/18 12:0 p.m.•69 views

Xen PV DoS vulnerability with SYSENTER

ISSUE DESCRIPTION The SYSENTER instruction can be used by PV guests to accelerate system call processing. This instruction, however, leaves the EFLAGS register mostly unmodified - in particular, the NT flag doesn't get cleared. If the hypervisor subsequently uses IRET to return to the guest which...

1.9CVSS0.4AI score0.00372EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2022/06/09 12:0 p.m.•68 views

x86 pv: Insufficient care with non-coherent mappings

ISSUE DESCRIPTION Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, Xen's...

7.2CVSS0.7AI score0.00494EPSS
Exploits3Affected Software1
Xen Project
Xen Project
•added 2016/11/22 12:0 p.m.•68 views

guest 32-bit ELF symbol table load leaking host data

ISSUE DESCRIPTION Along with their main kernel binary, unprivileged guests may arrange to have their Xen environment load kernel symbol tables for their use. The ELF image metadata created for this purpose has a few unused bytes when the symbol table binary is in 32-bit ELF format. These unused...

6.5CVSS0.9AI score0.00386EPSS
Exploits0
Xen Project
Xen Project
•added 2015/09/22 10:0 a.m.•68 views

libxl fails to honour readonly flag on disks with qemu-xen

ISSUE DESCRIPTION Callers of libxl can specify that a disk should be read-only to the guest. However, there is no code in libxl to pass this information to qemu-xen the upstream-based qemu; and indeed there is no way in qemu to make a disk read-only. The vulnerability is exploitable only via...

3.6CVSS7.3AI score0.00417EPSS
Exploits0
Xen Project
Xen Project
•added 2014/09/23 12:0 p.m.•68 views

Missing privilege level checks in x86 emulation of software interrupts

ISSUE DESCRIPTION The emulation of instructions which generate software interrupts fails to perform supervisor mode permission checks. However these instructions are not usually handled by the emulator. Exceptions to this are - when a memory operand implicit for the affected instructions lives in...

3.3CVSS4.9AI score0.00849EPSS
Exploits0Affected Software1
Total number of security vulnerabilities482