
xl command line config handling stack overflow

2015-07-07 12:00:00
Xen Project
xenbits.xen.org
36

CVSS2: 6.8 Medium (AV:L/AC:L/Au:S/C:C/I:C/A:C)
  Access Vector: LOCAL
  Access Complexity: LOW
  Authentication: SINGLE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE

EPSS: 0.001 Low (Percentile 29.2%)

ISSUE DESCRIPTION

The xl command line utility mishandles long configuration values when they are passed as command line arguments, resulting in a buffer overrun.

VULNERABLE SYSTEMS

Systems built on top of xl which pass laundered or checked (but otherwise untrusted) configuration values onto xl’s command line, without restricting their length, are vulnerable.
We are not presently aware of any publicly distributed production software which exposes the xl vulnerability. However, it is sufficiently simple to create such an arrangement that it might be done locally in an attempt to grant partial management access to particular domains.
Systems using the libxl library directly, without using xl, are not vulnerable. Systems using toolstacks other than xl are not vulnerable. Systems where only fully trusted input is ever presented to the xl command line are not vulnerable.
The vulnerability exists on x86 and ARM.
The vulnerability was introduced in Xen 4.1 and affects all subsequent Xen releases.
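The two halves of this advisory, the unbounded copy inside xl and the wrapper that forwards checked-but-length-unrestricted values onto xl's command line, are illustrated below as an added example. It is not Xen's source and not the actual XSA-137 patch: `append_unbounded` is a sketch of the bug class (a fixed stack array filled by `strcat` from argv), `cfgbuf_*` is a growable replacement that tracks its capacity, and `setting_is_acceptable` is the length policy a front end should apply before building xl's command line. All names, `FIXED_CAP`, `MAX_SETTING_LEN` and the sample settings are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* --- The bug class, shown for contrast (never executed here) ---
 * A fixed-size array filled by strcat() from argv: once the accumulated
 * settings exceed FIXED_CAP bytes the copy runs past the end of the array.
 * Illustrative sketch only, not xl's actual code. */
#define FIXED_CAP 1024
void append_unbounded(char buf[FIXED_CAP], const char *setting)
{
    strcat(buf, setting);   /* no check against FIXED_CAP */
    strcat(buf, "\n");
}

/* --- Hardened form: a growable buffer that tracks its capacity --- */
struct cfgbuf {
    char *data;   /* NUL-terminated text, or NULL while empty */
    size_t len;   /* bytes used, excluding the NUL */
    size_t cap;   /* bytes allocated */
};

void cfgbuf_init(struct cfgbuf *b)
{
    b->data = NULL;
    b->len = 0;
    b->cap = 0;
}

void cfgbuf_free(struct cfgbuf *b)
{
    free(b->data);
    cfgbuf_init(b);
}

/* Append "setting\n". Returns 0, or -1 if the size arithmetic would wrap or
 * allocation fails; on failure the buffer is left unchanged. */
int cfgbuf_append(struct cfgbuf *b, const char *setting)
{
    size_t slen = strlen(setting);
    if (slen > SIZE_MAX - b->len - 2)      /* room for '\n' and the NUL */
        return -1;
    size_t need = b->len + slen + 2;
    if (need > b->cap) {
        size_t ncap = b->cap ? b->cap : 64;
        while (ncap < need) {
            if (ncap > SIZE_MAX / 2) { ncap = need; break; }
            ncap *= 2;
        }
        char *p = realloc(b->data, ncap);
        if (p == NULL)
            return -1;
        b->data = p;
        b->cap = ncap;
    }
    memcpy(b->data + b->len, setting, slen);
    b->data[b->len + slen] = '\n';
    b->len += slen + 1;
    b->data[b->len] = '\0';
    return 0;
}

/* --- Wrapper-side policy ---
 * A front end that forwards checked-but-untrusted values onto xl's command
 * line should also cap their length. MAX_SETTING_LEN is an assumed limit. */
#define MAX_SETTING_LEN 256
int setting_is_acceptable(const char *setting)
{
    size_t n = strlen(setting);
    if (n == 0 || n > MAX_SETTING_LEN)
        return 0;
    if (strchr(setting, '=') == NULL)          /* expect key=value form */
        return 0;
    for (size_t i = 0; i < n; i++)             /* keep each value on one line */
        if ((unsigned char)setting[i] < 0x20)
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample settings, as a wrapper might receive them. */
    const char *settings[] = { "name=\"guest1\"", "memory=512", "vcpus=2" };
    struct cfgbuf b;
    cfgbuf_init(&b);
    for (size_t i = 0; i < sizeof settings / sizeof settings[0]; i++) {
        if (!setting_is_acceptable(settings[i]) ||
            cfgbuf_append(&b, settings[i]) != 0) {
            fprintf(stderr, "rejected: %s\n", settings[i]);
            cfgbuf_free(&b);
            return 1;
        }
    }
    fputs(b.data, stdout);
    cfgbuf_free(&b);
    return 0;
}
```

The two checks are independent: `cfgbuf_append` makes the tool itself safe regardless of input length, while `setting_is_acceptable` is what a wrapper can deploy today without changing xl, which is exactly the class of system the advisory names as vulnerable.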

IMPACT

A semi-trusted guest administrator or controller, who is intended to be able to partially control the configuration settings for a domain, can escalate their privileges to that of the whole host.
