CVE-2009-3525
First published: Fri Sep 25 2009(Updated: )
pyGrub bootloader used to boot Xen para-virtualized guests did not have support for password command as supported by normal grub. If this option was used in grub.conf, it did not restrict users with access to para-virtualized guest's console from booting guest or changing kernel boot parameters without providing configured password. This could allow user with access to VMs console to get root privileges on the guest's operating system. Upstream patches: ----------------- <a href="http://xenbits.xensource.com/xen-unstable.hg?rev/8f783adc0ee3">http://xenbits.xensource.com/xen-unstable.hg?rev/8f783adc0ee3</a> <a href="http://xenbits.xensource.com/staging/xen-unstable.hg?rev/a28c9c2fa8de">http://xenbits.xensource.com/staging/xen-unstable.hg?rev/a28c9c2fa8de</a> <a href="http://xenbits.xensource.com/xen-unstable.hg?rev/e513d565c8f1">http://xenbits.xensource.com/xen-unstable.hg?rev/e513d565c8f1</a> <a href="http://xenbits.xensource.com/xen-unstable.hg?rev/67f1b8b32585">http://xenbits.xensource.com/xen-unstable.hg?rev/67f1b8b32585</a> <a href="http://xenbits.xensource.com/xen-unstable.hg?rev/168f0cfeded0">http://xenbits.xensource.com/xen-unstable.hg?rev/168f0cfeded0</a> CVE Request: ------------ <a href="http://www.openwall.com/lists/oss-security/2009/09/25/1">http://www.openwall.com/lists/oss-security/2009/09/25/1</a>
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Xen Xen | =3.3.1 | |
| Xen Xen | =3.0.3 | |
| Xen Xen | =3.3.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=525740
- http://xenbits.xensource.com/xen-unstable.hg?rev/8f783adc0ee3
- http://www.openwall.com/lists/oss-security/2009/09/25/1
- https://bugzilla.redhat.com/show_bug.cgi?id=525740#c0
- http://www.redhat.com/support/errata/RHSA-2009-1472.html
- http://www.securityfocus.com/bid/36523
- http://www.securitytracker.com/id?1022950
- http://secunia.com/advisories/36908
- http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00002.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9466
- http://xenbits.xensource.com/staging/xen-unstable.hg?rev/a28c9c2fa8de
- http://xenbits.xensource.com/xen-unstable.hg?rev/e513d565c8f1
- http://xenbits.xensource.com/xen-unstable.hg?rev/67f1b8b32585
- http://xenbits.xensource.com/xen-unstable.hg?rev/168f0cfeded0
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=518124
- https://rhn.redhat.com/errata/RHSA-2009-1472.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=525740#c3
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=525740#c10
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=525740#c7
- collector/nvd-historical
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/remedy
- agent/last-modified-date
- agent/severity
- agent/weakness
- agent/author
- agent/description
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2009-3525
- agent/tags
- agent/trending
- vendor/xen
- canonical/xen xen
- version/xen xen/3.3.1
- version/xen xen/3.0.3
- version/xen xen/3.3.0