Xen ProjectXSA-339x86 pv guest kernel DoS via SYSENTER
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
2.1 Low
CVSS2
Access Vector
Access Complexity
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:N/I:N/A:P
0.0004 Low
EPSS
Percentile
14.1%
ISSUE DESCRIPTION
The SYSENTER instruction leaves various state sanitization activities to software. One of Xen’s sanitization paths injects a #GP fault, and incorrectly delivers it twice to the guest.
This causes the guest kernel to observe a kernel-privilege #GP fault (typically fatal) rather than a user-privilege #GP fault (usually converted into SIGSEGV/etc).
IMPACT
Malicious or buggy userspace can crash the guest kernel, resulting in a VM Denial of Service.
VULNERABLE SYSTEMS
All versions of Xen from 3.2 onwards are vulnerable.
Only x86 systems are vulnerable. ARM platforms are not vulnerable.
Only x86 systems which support the SYSENTER instruction in 64bit mode are vulnerable. This is believed to be Intel, Centaur and Shanghai CPUs. AMD and Hygon CPUs are not believed to be vulnerable.
Only x86 PV guests can exploit the vulnerability. x86 PVH / HVM guests cannot exploit the vulnerability.
Related
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
2.1 Low
CVSS2
Access Vector
Access Complexity
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:N/I:N/A:P
0.0004 Low
EPSS
Percentile
14.1%