CVE-2019-18423
Source: ubuntu.com (Ubuntu CVE tracker entry)
Published: 2019-10-31 00:00:00

CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 8.5 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector string: AV:N/AC:M/Au:S/C:C/I:C/A:C

EPSS: 0.009 Low (percentile 82.4%)

An issue was discovered in Xen through 4.12.x allowing ARM guest OS users
to cause a denial of service via a XENMEM_add_to_physmap hypercall.
p2m->max_mapped_gfn is used by the functions
p2m_resolve_translation_fault() and p2m_get_entry() to sanity-check a guest
physical frame. The rest of the code in the two functions assumes that
there is a valid root table and checks that with BUG_ON(). The function
p2m_get_root_pointer() ignores the unused top bits of a guest physical
frame, so p2m_set_entry() aliases the frame; however, p2m->max_mapped_gfn
is updated using the original (unmasked) frame. It is therefore possible
to set p2m->max_mapped_gfn high enough to cover a frame for which
p2m_get_root_pointer() returns NULL in p2m_get_entry() and
p2m_resolve_translation_fault(). Additionally, the sanity check on
p2m->max_mapped_gfn is off by one, allowing “highest mapped + 1” to be
considered valid even though p2m_get_root_pointer() returns NULL for it.
The problem can be triggered with a specially crafted
XENMEM_add_to_physmap{, _batch} hypercall followed by an access to an
address (via hypercall or direct access) that passes the sanity check but
causes p2m_get_root_pointer() to return NULL. A malicious guest
administrator may cause a hypervisor crash, resulting in a Denial of
Service (DoS). Xen versions 4.8 and newer are vulnerable. Only Arm systems
are vulnerable; x86 systems are not affected.
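The two defects described above, an upper bound recorded from an unmasked frame number and an off-by-one in that bound, are easiest to see in a small model. The C below is added here as an illustration; it is not Xen source and not the upstream fix. The geometry (40-bit guest physical address space, 4 KiB pages, two concatenated level-1 root pages, 9-bit table index), the model_ prefixed functions, the struct p2m layout and the scenario helpers are all assumptions chosen for this example, and the "hardened" variant shows one way to keep the bound consistent with the root lookup rather than the exact patch Xen applied.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed geometry (not Xen's constants): 40-bit guest physical address
 * space, 4 KiB pages, root at level 1 made of two concatenated pages. One
 * root entry covers 2^27 frames, only GFN bits 27..35 pick the root page,
 * and bits 36 and above never reach the index. */
#define LPAE_ENTRY_MASK   0x1FFULL
#define ROOT_LEVEL_ORDER  27
#define P2M_ROOT_PAGES    2
#define P2M_MAX_GFN       (((uint64_t)P2M_ROOT_PAGES << ROOT_LEVEL_ORDER) - 1)

typedef uint64_t gfn_t;

struct p2m {
    int   root[P2M_ROOT_PAGES];  /* stand-in for the root pages */
    gfn_t max_mapped_gfn;        /* highest gfn believed to be mapped */
};

/* Modelled on the described p2m_get_root_pointer(): the root index is cut
 * to 9 bits, so a gfn with bits set above 36 aliases onto a lower gfn. */
static int *model_get_root_pointer(struct p2m *p2m, gfn_t gfn)
{
    uint64_t root_table = (gfn >> ROOT_LEVEL_ORDER) & LPAE_ENTRY_MASK;
    if ( root_table >= P2M_ROOT_PAGES )
        return NULL;
    return &p2m->root[root_table];
}

/* Vulnerable model of p2m_set_entry(): the (aliased) root lookup succeeds,
 * but max_mapped_gfn is raised from the raw gfn and to sgfn + nr, which is
 * one past the last frame actually mapped. */
static int model_set_entry_vuln(struct p2m *p2m, gfn_t sgfn, uint64_t nr)
{
    if ( !model_get_root_pointer(p2m, sgfn) )
        return -1;
    if ( sgfn + nr > p2m->max_mapped_gfn )
        p2m->max_mapped_gfn = sgfn + nr;
    return 0;
}

/* Hardened model (this example's own, not the upstream patch): refuse any
 * range the root cannot address, and record the last mapped frame. */
static int model_set_entry_fixed(struct p2m *p2m, gfn_t sgfn, uint64_t nr)
{
    if ( nr == 0 || sgfn > P2M_MAX_GFN || nr - 1 > P2M_MAX_GFN - sgfn )
        return -1;
    if ( !model_get_root_pointer(p2m, sgfn) )
        return -1;
    if ( sgfn + nr - 1 > p2m->max_mapped_gfn )
        p2m->max_mapped_gfn = sgfn + nr - 1;
    return 0;
}

/* Lookup path as described: once the gfn passes the max_mapped_gfn check
 * the code assumes a root table exists (BUG_ON in the real code). Returns
 * true where that assumption fails, i.e. where the hypervisor would crash. */
static bool model_lookup_would_crash(struct p2m *p2m, gfn_t gfn)
{
    if ( gfn > p2m->max_mapped_gfn )
        return false;               /* rejected cleanly as not mapped */
    return model_get_root_pointer(p2m, gfn) == NULL;
}

typedef int (*set_entry_fn)(struct p2m *, gfn_t, uint64_t);

/* Aliasing case: map one frame whose gfn has a bit set above the index. */
static bool aliasing_crashes(set_entry_fn set_entry)
{
    struct p2m p2m = { .root = { 1, 1 }, .max_mapped_gfn = 0 };
    gfn_t aliased = (1ULL << 40) | 0x1000;    /* bit 40 is never looked at */
    if ( set_entry(&p2m, aliased, 1) != 0 )
        return false;                          /* mapping refused: safe */
    /* First frame past the root's reach now sits below max_mapped_gfn. */
    return model_lookup_would_crash(&p2m, P2M_MAX_GFN + 1);
}

/* Off-by-one case: map the very last frame the root can address. */
static bool off_by_one_crashes(set_entry_fn set_entry)
{
    struct p2m p2m = { .root = { 1, 1 }, .max_mapped_gfn = 0 };
    if ( set_entry(&p2m, P2M_MAX_GFN, 1) != 0 )
        return false;
    return model_lookup_would_crash(&p2m, P2M_MAX_GFN + 1);
}

int main(void)
{
    printf("aliasing:   vulnerable=%d hardened=%d\n",
           aliasing_crashes(model_set_entry_vuln),
           aliasing_crashes(model_set_entry_fixed));
    printf("off-by-one: vulnerable=%d hardened=%d\n",
           off_by_one_crashes(model_set_entry_vuln),
           off_by_one_crashes(model_set_entry_fixed));
    return 0;
}
```

In the vulnerable model both scenarios reach the point where the real code would hit BUG_ON: a guest mapping at a gfn with bit 40 set is accepted because the 9-bit index discards that bit, yet max_mapped_gfn jumps past every frame the root can describe, and mapping the last addressable frame makes "last + 1" pass the bound check. The hardened model refuses the first mapping outright and records the last mapped frame for the second, so the lookup for the frame beyond the root is rejected before any root table is dereferenced.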

Notes

Author note (mdeslaur): hypervisor packages are in universe. For issues in the hypervisor, add appropriate tags to each section, ex: Tags_xen: universe-binary

OS      Version  Architecture  Package  Version  Filename
ubuntu  16.04    noarch        xen      < any    UNKNOWN
ubuntu  18.04    noarch        xen      < any    UNKNOWN
