CVE-2018-12893
First published: Wed Jun 13 2018(Updated: )
An issue was discovered in Xen through 4.10.x. One of the fixes in XSA-260 added some safety checks to help prevent Xen livelocking with debug exceptions. Unfortunately, due to an oversight, at least one of these safety checks can be triggered by a guest. A malicious PV guest can crash Xen, leading to a Denial of Service. All Xen systems which have applied the XSA-260 fix are vulnerable. Only x86 systems are vulnerable. ARM systems are not vulnerable. Only x86 PV guests can exploit the vulnerability. x86 HVM and PVH guests cannot exploit the vulnerability. An attacker needs to be able to control hardware debugging facilities to exploit the vulnerability, but such permissions are typically available to unprivileged users.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/xen | 4.11.4+107-gef32c7afa2-1 4.14.6-1 4.14.5+94-ge49571868d-1 4.17.1+2-gb773c48e36-1 4.17.2+55-g0b56bed864-1 | |
| Xen xen-unstable | <=4.10.0 | |
| Debian GNU/Linux | =9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1595958
- https://bugzilla.redhat.com/show_bug.cgi?id=1590979
- https://xenbits.xen.org/xsa/advisory-265.html
- https://security-tracker.debian.org/tracker/CVE-2018-12893
- http://www.openwall.com/lists/oss-security/2018/06/27/11
- http://www.securityfocus.com/bid/104572
- http://www.securitytracker.com/id/1041202
- http://xenbits.xen.org/xsa/advisory-265.html
- https://lists.debian.org/debian-lts-announce/2018/11/msg00013.html
- https://security.gentoo.org/glsa/201810-06
- https://support.citrix.com/article/CTX235748
- https://www.debian.org/security/2018/dsa-4236
Frequently Asked Questions
What is the severity of CVE-2018-12893?
CVE-2018-12893 has a severity rating that indicates it can lead to a crash of the Xen hypervisor, impacting system stability.
How do I fix CVE-2018-12893?
To resolve CVE-2018-12893, you should upgrade to the fixed versions of Xen provided in the advisory which includes versions 4.11.4+107-gef32c7afa2-1, 4.14.6-1, and others.
Which systems are affected by CVE-2018-12893?
CVE-2018-12893 affects Xen hypervisor versions up to and including 4.10.x, as well as specific Debian distributions.
What are the implications of CVE-2018-12893 for virtualization?
CVE-2018-12893 allows a malicious PV guest to crash the Xen hypervisor, potentially disrupting all other guests on the same host.
Is there a workaround for CVE-2018-12893?
Currently, the best course of action for CVE-2018-12893 is to upgrade the affected Xen versions as no specific workaround has been documented.
- collector/security-tracker-debian
- agent/references
- agent/type
- agent/remedy
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/author
- agent/description
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2018-12893
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/debian
- vendor/xen
- canonical/xen xen-unstable
- version/xen xen-unstable/4.10.0
- vendor/debian
- canonical/debian gnu/linux
- version/debian gnu/linux/9.0