Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-18421

An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to gain host OS privileges by leveraging race conditions in pagetable promotion and demotion operations. There are issues with restartable PV type change operations. To avoid using shadow pagetables for PV guests, Xen exposes the actual hardware pagetables to the guest. In order to prevent the guest from modifying these page tables directly, Xen keeps track of how pages are used using a type system; pages must be "promoted" before being used as a pagetable, and "demoted" before being used for any other type. Xen also allows for "recursive" promotions: i.e., an operating system promoting a page to an L4 pagetable may end up causing pages to be promoted to L3s, which may in turn cause pages to be promoted to L2s, and so on. These operations may take an arbitrarily large amount of time, and so must be re-startable. Unfortunately, making recursive pagetable promotion and demotion operations restartable is incredibly complicated, and the code contains several races which, if triggered, can cause Xen to drop or retain extra type counts, potentially allowing guests to get write access to in-use pagetables. A malicious PV guest administrator may be able to escalate their privilege to that of the host. All x86 systems with untrusted PV guests are vulnerable. HVM and PVH guests cannot exercise this vulnerability.

Published

2019-10-31T14:15:10.730

Last Modified

2024-11-21T04:33:13.843

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

CVSSv2 Vector

AV:N/AC:H/Au:S/C:C/I:C/A:C

Access Vector: NETWORK
Access Complexity: HIGH
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Exploitability Score

3.9

Impact Score

10.0

Weaknesses

Type: Primary
CWE-362

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	xen	xen	≤ 4.12.1	Yes
Operating System	debian	debian_linux	9.0	Yes
Operating System	debian	debian_linux	10.0	Yes
Operating System	fedoraproject	fedora	29	Yes
Operating System	fedoraproject	fedora	30	Yes
Operating System	fedoraproject	fedora	31	Yes
Operating System	opensuse	leap	15.0	Yes

References

http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00037.html Mailing List, Third Party Advisory ([email protected])
http://www.openwall.com/lists/oss-security/2019/10/31/3 Mailing List, Patch, Third Party Advisory ([email protected])
http://xenbits.xen.org/xsa/advisory-299.html Patch, Vendor Advisory ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2BQKX7M2RHCWDBKNPX4KEBI3MJIH6AYZ/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5WWPW4BSZDDW7VHU427XTVXV7ROOFFW/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZYATWNUGHRBG6I3TC24YHP5Y3J7I6KH/ ([email protected])
https://seclists.org/bugtraq/2020/Jan/21 Mailing List, Third Party Advisory ([email protected])
https://security.gentoo.org/glsa/202003-56 Third Party Advisory ([email protected])
https://www.debian.org/security/2020/dsa-4602 Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00037.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.openwall.com/lists/oss-security/2019/10/31/3 Mailing List, Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://xenbits.xen.org/xsa/advisory-299.html Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2BQKX7M2RHCWDBKNPX4KEBI3MJIH6AYZ/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5WWPW4BSZDDW7VHU427XTVXV7ROOFFW/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZYATWNUGHRBG6I3TC24YHP5Y3J7I6KH/ (af854a3a-2127-422b-91ae-364da2661108)
https://seclists.org/bugtraq/2020/Jan/21 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/202003-56 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.debian.org/security/2020/dsa-4602 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)