Xen Project XSA-164

qemu-dm buffer overrun in MSI-X handling

Published: 2015-12-17 12:00:00
Source: Xen Project, xenbits.xen.org

CVSS3: 7.5 High
Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: HIGH
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS2: 6.6 Medium
Vector: AV:L/AC:M/Au:S/C:C/I:C/A:C
Access Vector: LOCAL
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

EPSS: 0.001 Low
Percentile: 29.1%

ISSUE DESCRIPTION

“qemu-xen-traditional” (aka qemu-dm) tracks state for each MSI-X table entry of a passed through device. This is used/updated on (intercepted) accesses to the page(s) containing the MSI-X table.
There may be space on the final page not covered by any MSI-X table entry, but memory for state tracking is allocated only for existing table entries. Therefore bounds checks are required to avoid accessing/corrupting unrelated heap memory. Such a check is present for the read path, but was missing for the write path.
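As an added illustration, not code from qemu-dm or the Xen Project: a constructed C model of the MSI-X table write handler with the missing bounds check beside the fixed version. It assumes 16-byte table entries (the PCI MSI-X layout) and models the per-entry state as a heap array with exactly one element per real entry; the guard region is test scaffolding only, so the overrun can be observed without undefined behaviour.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define MSIX_ENTRY_SIZE 16u   /* bytes per MSI-X table entry (PCI spec) */

/* Constructed model of the per-entry shadow state the device model keeps for a
 * passed-through device: there is one element per real table entry only. */
struct msix_entry_state { uint32_t words[MSIX_ENTRY_SIZE / 4]; };
struct msix_table {
    unsigned int nr_entries;         /* entries the device actually has */
    struct msix_entry_state *state;  /* allocated with nr_entries elements */
};

/* Vulnerable write path: the index is derived from the guest-chosen offset
 * into the intercepted page and never compared with nr_entries, so an offset
 * in the unused tail of the final page indexes past state[] into the heap. */
static int msix_write_unchecked(struct msix_table *t, uint32_t off, uint32_t val)
{
    unsigned int entry = off / MSIX_ENTRY_SIZE;
    unsigned int word  = (off % MSIX_ENTRY_SIZE) / 4;
    t->state[entry].words[word] = val;
    return 0;
}

/* Hardened write path: the same bounds check the read path already had;
 * an access that does not hit a real entry is ignored (returns -1). */
static int msix_write_checked(struct msix_table *t, uint32_t off, uint32_t val)
{
    unsigned int entry = off / MSIX_ENTRY_SIZE;
    unsigned int word  = (off % MSIX_ENTRY_SIZE) / 4;
    if ((off & 3) != 0 || entry >= t->nr_entries)
        return -1;
    t->state[entry].words[word] = val;
    return 0;
}

/* Test scaffolding: state[] followed by a 0xAA guard region in the same
 * allocation, so an overrun is observable without undefined behaviour.
 * Returns a pointer to the guard bytes (NULL on allocation failure). */
static uint8_t *msix_table_alloc(struct msix_table *t, unsigned int n, size_t guard_len)
{
    size_t state_len = (size_t)n * sizeof(struct msix_entry_state);
    uint8_t *buf = calloc(1, state_len + guard_len);
    if (buf == NULL) return NULL;
    memset(buf + state_len, 0xAA, guard_len);
    t->nr_entries = n;
    t->state = (struct msix_entry_state *)buf;
    return buf + state_len;
}
```

With an 8-entry table (128 bytes of state), a write at page offset 128 is still inside the intercepted page but past the last real entry: the checked handler rejects it, the unchecked one overwrites whatever follows the allocation.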

IMPACT

A malicious administrator of a guest which has access to a passed through PCI device which is MSI-X capable can exploit this vulnerability to take over the qemu process, elevating its privilege to that of the qemu process.
In a system not using a device model stub domain (or other techniques for deprivileging qemu), the malicious guest administrator can thus elevate their privilege to that of the host.

VULNERABLE SYSTEMS

Xen systems running x86 HVM guests with “qemu-xen-traditional”, but without stubdomains, which have been passed through an MSI-X capable physical PCI device are vulnerable.
The default configuration is NOT vulnerable from Xen 4.3 onwards (because it uses a newer upstream qemu version).
Systems running only PV guests are NOT vulnerable.
Only systems using PCI passthrough are vulnerable.
Systems using “qemu-xen-traditional” stubdomain device models (for example, by specifying “device_model_stubdomain_override=1” in xl’s domain configuration files) are NOT vulnerable.
Only the traditional “qemu-xen-traditional” device model is vulnerable. Upstream qemu device models (“qemu-xen”) are NOT vulnerable.
ARM systems are NOT vulnerable.
