Lucene search

K
xen
Xen ProjectXSA-298
HistoryOct 31, 2019 - 12:00 p.m.

missing descriptor table limit checking in x86 PV emulation

2019-10-3112:00:00
Xen Project
xenbits.xen.org
58

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.014 Low

EPSS

Percentile

86.0%

ISSUE DESCRIPTION

When emulating certain PV guest operations, descriptor table accesses are performed by the emulating code. Such accesses should respect the guest specified limits, unless otherwise guaranteed to fail in such a case. Without this, emulation of 32-bit guest user mode calls through call gates would allow guest user mode to install and then use descriptors of their choice, as long as the guest kernel did not itself install an LDT. (Most OSes don’t install any LDT by default).

IMPACT

32-bit PV guest user mode can elevate its privileges to that of the guest kernel.

VULNERABLE SYSTEMS

Xen versions from at least 3.2 onwards are affected.
Only 32-bit PV guest user mode can leverage this vulnerability.
HVM, PVH, as well as 64-bit PV guests cannot leverage this vulnerability.
Arm systems are unaffected.

CPENameOperatorVersion
xenge3.2
How to protect your server from attacks?

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.014 Low

EPSS

Percentile

86.0%

Related for XSA-298