Lucene search

K
xenXen ProjectXSA-349
HistoryDec 15, 2020 - 12:00 p.m.

Frontends can trigger OOM in Backends by update a watched path

2020-12-1512:00:00
Xen Project
xenbits.xen.org
41

4.9 Medium

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:N/I:N/A:C

6.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

0.0004 Low

EPSS

Percentile

14.2%

ISSUE DESCRIPTION

Some OSes (such as Linux, FreeBSD, NetBSD) are processing watch events using a single thread. If the events are received faster than the thread is able to handle, they will get queued.
As the queue is unbound, a guest may be able to trigger a OOM in the backend.

IMPACT

A malicious guest can trigger an OOM in backends.

VULNERABLE SYSTEMS

All systems with a FreeBSD, Linux, NetBSD dom0 are vulnerable.
All version of those OSes are vulnerable.

4.9 Medium

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:N/I:N/A:C

6.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

0.0004 Low

EPSS

Percentile

14.2%