8.8
CWE
120
Advisory Published
CVE Published
Updated

CVE-2017-12137

First published: Wed Aug 02 2017(Updated: )

ISSUE DESCRIPTION ================= When mapping a grant reference, a guest must inform Xen of where it would like the grant mapped. For PV guests, this is done by nominating an existing linear address, or an L1 pagetable entry, to be altered. Neither of these PV paths check for alignment of the passed parameter. The linear address path suitably truncates the linear address when calculating the L1 entry to use, but the path which uses a directly nominated L1 entry performs no checks. This causes Xen to make an incorrectly-aligned update to a pagetable, which corrupts both the intended entry and the subsequent entry with values which are largely guest controlled. If the misaligned value crosses a page boundary, then an arbitrary other heap page is corrupted. IMPACT ====== A PV guest can elevate its privilege to that of the host. VULNERABLE SYSTEMS ================== All versions of Xen are vulnerable. Only x86 systems are vulnerable. Any system running untrusted PV guests is vulnerable. The vulnerability is exposed to PV stub qemu serving as the device model for HVM guests. Our default assumption is that an HVM guest has compromised its PV stub qemu. By extension, it is likely that the vulnerability is exposed to HVM guests which are served by a PV stub qemu. MITIGATION ========== Running only HVM guests, served by a dom0-based qemu, will avoid this vulnerability. External References: <a href="http://xenbits.xen.org/xsa/advisory-227.html">http://xenbits.xen.org/xsa/advisory-227.html</a>

Credit: cve@mitre.org

Affected SoftwareAffected VersionHow to fix
Xen Xen
Citrix XenServer=6.0.2
Citrix XenServer=6.2.0
Citrix XenServer=6.5
Citrix XenServer=7.0
Citrix XenServer=7.1
Citrix XenServer=7.2
Debian Debian Linux=8.0
Debian Debian Linux=9.0

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203