Vulnerabilities > CVE-2013-4553 - Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in XEN
Attack vector
ADJACENT_NETWORK Attack complexity
MEDIUM Privileges required
SINGLE Confidentiality impact
NONE Integrity impact
NONE Availability impact
COMPLETE Summary
The XEN_DOMCTL_getmemlist hypercall in Xen 3.4.x through 4.3.x (possibly 4.3.1) does not always obtain the page_alloc_lock and mm_rwlock in the same order, which allows local guest administrators to cause a denial of service (host deadlock).
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | Xen
| 23 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_SU-2014-0372-1.NASL description The SUSE Linux Enterprise Server 11 Service Pack 2 LTSS Xen hypervisor and toolset has been updated to fix various security issues and several bugs. The following security issues have been addressed : XSA-88: CVE-2014-1950: Use-after-free vulnerability in the xc_cpupool_getinfo function in Xen 4.1.x through 4.3.x, when using a multithreaded toolstack, does not properly handle a failure by the xc_cpumap_alloc function, which allows local users with access to management functions to cause a denial of service (heap corruption) and possibly gain privileges via unspecified vectors. (bnc#861256) XSA-87: CVE-2014-1666: The do_physdev_op function in Xen 4.1.5, 4.1.6.1, 4.2.2 through 4.2.3, and 4.3.x does not properly restrict access to the (1) PHYSDEVOP_prepare_msix and (2) PHYSDEVOP_release_msix operations, which allows local PV guests to cause a denial of service (host or guest malfunction) or possibly gain privileges via unspecified vectors. (bnc#860302) XSA-84: CVE-2014-1894: Xen 3.2 (and presumably earlier) exhibit both problems with the overflow issue being present for more than just the suboperations listed above. (bnc#860163) XSA-84: CVE-2014-1892 CVE-2014-1893: Xen 3.3 through 4.1, while not affected by the above overflow, have a different overflow issue on FLASK_{GET,SET}BOOL and expose unreasonably large memory allocation to arbitrary guests. (bnc#860163) XSA-84: CVE-2014-1891: The FLASK_{GET,SET}BOOL, FLASK_USER and FLASK_CONTEXT_TO_SID suboperations of the flask hypercall are vulnerable to an integer overflow on the input size. The hypercalls attempt to allocate a buffer which is 1 larger than this size and is therefore vulnerable to integer overflow and an attempt to allocate then access a zero byte buffer. (bnc#860163) XSA-82: CVE-2013-6885: The microcode on AMD 16h 00h through 0Fh processors does not properly handle the interaction between locked instructions and write-combined memory types, which allows local users to cause a denial of service (system hang) via a crafted application, aka the errata 793 issue. (bnc#853049) XSA-76: CVE-2013-4554: Xen 3.0.3 through 4.1.x (possibly 4.1.6.1), 4.2.x (possibly 4.2.3), and 4.3.x (possibly 4.3.1) does not properly prevent access to hypercalls, which allows local guest users to gain privileges via a crafted application running in ring 1 or 2. (bnc#849668) XSA-74: CVE-2013-4553: The XEN_DOMCTL_getmemlist hypercall in Xen 3.4.x through 4.3.x (possibly 4.3.1) does not always obtain the page_alloc_lock and mm_rwlock in the same order, which allows local guest administrators to cause a denial of service (host deadlock). (bnc#849667) XSA-60: CVE-2013-2212: The vmx_set_uc_mode function in Xen 3.3 through 4.3, when disabling chaches, allows local HVM guests with access to memory mapped I/O regions to cause a denial of service (CPU consumption and possibly hypervisor or guest kernel panic) via a crafted GFN range. (bnc#831120) Also the following non-security bugs have been fixed : - Boot Failure with xen kernel in UEFI mode with error last seen 2020-06-05 modified 2015-05-20 plugin id 83613 published 2015-05-20 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/83613 title SUSE SLES11 Security Update : Xen (SUSE-SU-2014:0372-1) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2013-0085.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - x86/HVM: only allow ring 0 guest code to make hypercalls Anything else would allow for privilege escalation. This is CVE-2013-4554 / XSA-76. (CVE-2013-4554) - x86: restrict XEN_DOMCTL_getmemlist Coverity ID 1055652 (See the code comment.) This is CVE-2013-4553 / XSA-74. (CVE-2013-4553) - gnttab: update version 1 of xsa73-4.1.patch to version 3 Version 1 of xsa73-4.1.patch had an error: bool_t drop_dom_ref = (e->tot_pages-- == 0) should have been: bool_t drop_dom_ref = (e->tot_pages-- == 1) Consolidate error handling. Backported to Xen-4.1 (CVE-2013-4494) - Xen: Spread boot time page scrubbing across all available CPU last seen 2020-06-01 modified 2020-06-02 plugin id 79523 published 2014-11-26 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/79523 title OracleVM 3.2 : xen (OVMSA-2013-0085) NASL family SuSE Local Security Checks NASL id SUSE_11_XEN-201311-131127.NASL description The Xen hypervisor and tool-suite have been updated to fix security issues and bugs : - XSA-73: A lock order reversal between page allocation and grant table locks could lead to host crashes or even host code execution. (CVE-2013-4494) - XSA-74: A lock order reversal between page_alloc_lock and mm_rwlock could lead to deadlocks. (CVE-2013-4553) - XSA-76: Hypercalls exposed to privilege rings 1 and 2 of HVM guests which might lead to Hypervisor escalation under specific circumstances. (CVE-2013-4554) - XSA-78: Insufficient TLB flushing in VT-d (iommu) code could lead to access of memory that was revoked. (CVE-2013-6375) - XSA-75: A host crash due to guest VMX instruction execution was fixed. Non-security bugs have also been fixed:. (CVE-2013-4551) - It is possible to start a VM twice on the same node. (bnc#840997) - In HP last seen 2020-06-05 modified 2013-12-20 plugin id 71562 published 2013-12-20 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/71562 title SuSE 11.3 Security Update : Xen (SAT Patch Number 8588) NASL family SuSE Local Security Checks NASL id OPENSUSE-2014-271.NASL description Xen was updated to fix various bugs and security issues : Update to Xen version 4.2.4 c/s 26280. - bnc#861256 - CVE-2014-1950: xen: XSA-88: use-after-free in xc_cpupool_getinfo() under memory pressure. (fix included with update) - bnc#863297: xend/pvscsi: recognize also SCSI CDROM devices - bnc#858496 - CVE-2014-1642: Xen: XSA-83: Out-of-memory condition yielding memory corruption during IRQ setup - bnc#860163 - xen: XSA-84: integer overflow in several XSM/Flask hypercalls (CVE-2014-1891 CVE-2014-1892 CVE-2014-1893 CVE-2014-1894) - bnc#860165 - CVE-2014-1895: xen: XSA-85: Off-by-one error in FLASK_AVC_CACHESTAT hypercall - bnc#860300 - CVE-2014-1896: xen: XSA-86: libvchan failure handling malicious ring indexes - bnc#860302 - CVE-2014-1666: xen: XSA-87: PHYSDEVOP_(prepare,release)_msix exposed to unprivileged guests - bnc#858311 - Server is not booting in kernel XEN after latest updates - (XEN) setup 0000:00:18.0 for d0 failed (-19) - bnc#858496 - CVE-2014-1642: Xen: XSA-83: Out-of-memory condition yielding memory corruption during IRQ setup - bnc#853049 - CVE-2013-6885: xen: XSA-82: Guest triggerable AMD CPU erratum may cause host hang - bnc#853048 - CVE-2013-6400: xen: XSA-80: IOMMU TLB flushing may be inadvertently suppressed - bnc#831120 - CVE-2013-2212: xen: XSA-60: Excessive time to disable caching with HVM guests with PCI passthrough - bnc#848014 - [HP HPS] Xen hypervisor panics on 8-blades nPar with 46-bit memory addressing - bnc#833251 - [HP BCS SLES11 Bug]: In HPs UEFI x86_64 platform and with xen environment, in booting stage ,xen hypervisor will panic. - pygrub: Support (/dev/xvda) style disk specifications - bnc#849667 - CVE-2014-1895: xen: XSA-74: Lock order reversal between page_alloc_lock and mm_rwlock - bnc#849668 - CVE-2013-4554: xen: XSA-76: Hypercalls exposed to privilege rings 1 and 2 of HVM guests - bnc#842417 - In HPs UEFI x86_64 platform and sles11sp3 with xen environment, dom0 will soft lockup on multiple blades nPar. - bnc#848014 - [HP HPS] Xen hypervisor panics on 8-blades nPar with 46-bit memory addressing - bnc#846849 - Soft lockup with PCI passthrough and many VCPUs - bnc#833483 - Boot Failure with xen kernel in UEFI mode with error last seen 2020-06-05 modified 2014-06-13 plugin id 75312 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/75312 title openSUSE Security Update : xen (openSUSE-SU-2014:0483-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2014-0446-1.NASL description The SUSE Linux Enterprise Server 11 Service Pack 1 LTSS Xen hypervisor and toolset have been updated to fix various security issues and some bugs. The following security issues have been addressed : XSA-84: CVE-2014-1894: Xen 3.2 (and presumably earlier) exhibit both problems with the overflow issue being present for more than just the suboperations listed above. (bnc#860163) XSA-84: CVE-2014-1892 CVE-2014-1893: Xen 3.3 through 4.1, while not affected by the above overflow, have a different overflow issue on FLASK_{GET,SET}BOOL and expose unreasonably large memory allocation to arbitrary guests. (bnc#860163) XSA-84: CVE-2014-1891: The FLASK_{GET,SET}BOOL, FLASK_USER and FLASK_CONTEXT_TO_SID suboperations of the flask hypercall are vulnerable to an integer overflow on the input size. The hypercalls attempt to allocate a buffer which is 1 larger than this size and is therefore vulnerable to integer overflow and an attempt to allocate then access a zero byte buffer. (bnc#860163) XSA-82: CVE-2013-6885: The microcode on AMD 16h 00h through 0Fh processors does not properly handle the interaction between locked instructions and write-combined memory types, which allows local users to cause a denial of service (system hang) via a crafted application, aka the errata 793 issue. (bnc#853049) XSA-76: CVE-2013-4554: Xen 3.0.3 through 4.1.x (possibly 4.1.6.1), 4.2.x (possibly 4.2.3), and 4.3.x (possibly 4.3.1) does not properly prevent access to hypercalls, which allows local guest users to gain privileges via a crafted application running in ring 1 or 2. (bnc#849668) XSA-74: CVE-2013-4553: The XEN_DOMCTL_getmemlist hypercall in Xen 3.4.x through 4.3.x (possibly 4.3.1) does not always obtain the page_alloc_lock and mm_rwlock in the same order, which allows local guest administrators to cause a denial of service (host deadlock). (bnc#849667) XSA-73: CVE-2013-4494: Xen before 4.1.x, 4.2.x, and 4.3.x does not take the page_alloc_lock and grant_table.lock in the same order, which allows local guest administrators with access to multiple vcpus to cause a denial of service (host deadlock) via unspecified vectors. (bnc#848657) XSA-67: CVE-2013-4368: The outs instruction emulation in Xen 3.1.x, 4.2.x, 4.3.x, and earlier, when using FS: or GS: segment override, uses an uninitialized variable as a segment base, which allows local 64-bit PV guests to obtain sensitive information (hypervisor stack content) via unspecified vectors related to stale data in a segment register. (bnc#842511) XSA-66: CVE-2013-4361: The fbld instruction emulation in Xen 3.3.x through 4.3.x does not use the correct variable for the source effective address, which allows local HVM guests to obtain hypervisor stack information by reading the values used by the instruction. (bnc#841766) XSA-63: CVE-2013-4355: Xen 4.3.x and earlier does not properly handle certain errors, which allows local HVM guests to obtain hypervisor stack memory via a (1) port or (2) memory mapped I/O write or (3) other unspecified operations related to addresses without associated memory. (bnc#840592) XSA-62: CVE-2013-1442: Xen 4.0 through 4.3.x, when using AVX or LWP capable CPUs, does not properly clear previous data from registers when using an XSAVE or XRSTOR to extend the state components of a saved or restored vCPU after touching other restored extended registers, which allows local guest OSes to obtain sensitive information by reading the registers. (bnc#839596) XSA-61: CVE-2013-4329: The xenlight library (libxl) in Xen 4.0.x through 4.2.x, when IOMMU is disabled, provides access to a busmastering-capable PCI passthrough device before the IOMMU setup is complete, which allows local HVM guest domains to gain privileges or cause a denial of service via a DMA instruction. (bnc#839618) XSA-60: CVE-2013-2212: The vmx_set_uc_mode function in Xen 3.3 through 4.3, when disabling chaches, allows local HVM guests with access to memory mapped I/O regions to cause a denial of service (CPU consumption and possibly hypervisor or guest kernel panic) via a crafted GFN range. (bnc#831120) XSA-58: CVE-2013-1918: Certain page table manipulation operations in Xen 4.1.x, 4.2.x, and earlier are not preemptible, which allows local PV kernels to cause a denial of service via vectors related to last seen 2020-06-05 modified 2015-05-20 plugin id 83616 published 2015-05-20 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/83616 title SUSE SLES11 Security Update : Xen (SUSE-SU-2014:0446-1) NASL family Fedora Local Security Checks NASL id FEDORA_2013-23251.NASL description Disaggregated domain management security status update, IOMMU TLB flushing may be inadvertently suppressed Lock order reversal between page_alloc_lock and mm_rwlock, Hypercalls exposed to privilege rings 1 and 2 of HVM guests Insufficient TLB flushing in VT-d (iommu) code Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2013-12-23 plugin id 71590 published 2013-12-23 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/71590 title Fedora 20 : xen-4.3.1-6.fc20 (2013-23251) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2015-0068.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2015-0068 for details. last seen 2020-06-01 modified 2020-06-02 plugin id 84140 published 2015-06-12 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/84140 title OracleVM 3.2 : xen (OVMSA-2015-0068) (POODLE) (Venom) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3006.NASL description Multiple security issues have been discovered in the Xen virtualisation solution which may result in information leaks or denial of service. last seen 2020-03-17 modified 2014-08-19 plugin id 77240 published 2014-08-19 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/77240 title Debian DSA-3006-1 : xen - security update NASL family SuSE Local Security Checks NASL id OPENSUSE-2014-272.NASL description Xen was updated to fix security issues and bugs. Update to bug fix release Xen 4.3.2 c/s 27404 - CVE-2013-6885: xen: XSA-82: A guest triggerable AMD CPU erratum may cause host hangs. - CVE-2013-6400: xen: XSA-80: IOMMU TLB flushing may be inadvertently suppressed, potentially leaking information to other guests. - CVE-2013-2212: xen: XSA-60: Excessive time to disable caching with HVM guests with PCI passthrough - pygrub: Support (/dev/xvda) style disk specifications last seen 2020-06-05 modified 2014-06-13 plugin id 75313 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/75313 title openSUSE Security Update : xen (openSUSE-SU-2014:0482-1) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201407-03.NASL description The remote host is affected by the vulnerability described in GLSA-201407-03 (Xen: Multiple Vunlerabilities) Multiple vulnerabilities have been discovered in Xen. Please review the CVE identifiers referenced below for details. Impact : A remote attacker can utilize multiple vectors to execute arbitrary code, cause Denial of Service, or gain access to data on the host. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 76544 published 2014-07-17 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/76544 title GLSA-201407-03 : Xen: Multiple Vunlerabilities NASL family Fedora Local Security Checks NASL id FEDORA_2013-22325.NASL description Lock order reversal between page_alloc_lock and mm_rwlock, Hypercalls exposed to privilege rings 1 and 2 of HVM guests, Insufficient TLB flushing in VT-d (iommu) code Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2013-12-08 plugin id 71248 published 2013-12-08 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/71248 title Fedora 19 : xen-4.2.3-10.fc19 (2013-22325) NASL family SuSE Local Security Checks NASL id OPENSUSE-2013-968.NASL description Xen was updated to 4.3.1 and also to fix various security issues and bugs : - bnc#851749 - Xen service file does not call xend properly xend.service - Add missing requires to pciutils package for xend-tools - bnc#851386 - xen: XSA-78: Insufficient TLB flushing in VT-d (iommu) code - Make -devel package depend on libuuid-devel, since libxl.h includes uuid.h - bnc#849667 - CVE-2013-4553: xen: XSA-74: Lock order reversal between page_alloc_lock and mm_rwlock - bnc#849665 - CVE-2013-4551: xen: XSA-75: Host crash due to guest VMX instruction execution - bnc#849668 - CVE-2013-4554: xen: XSA-76: Hypercalls exposed to privilege rings 1 and 2 of HVM guests - bnc#848657 - xen: CVE-2013-4494: XSA-73: Lock order reversal between page allocation and grant table locks - Update to Xen 4.3.1 - bnc#845520 - CVE-2013-4416: xen: ocaml xenstored mishandles oversized message replies last seen 2020-06-05 modified 2014-06-13 plugin id 75232 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/75232 title openSUSE Security Update : xen (openSUSE-SU-2013:1876-1) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2013-0088.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - x86/HVM: only allow ring 0 guest code to make hypercalls XSA-76 (Jan Beulich) [17822325] (CVE-2013-4554) - x86: restrict XEN_DOMCTL_getmemlist XSA-74 (Jan Beulich) [17821907] (CVE-2013-4553) - gnttab: correct locking order reversal XSA-73 (Andrew Cooper) [orabug 17768955] (CVE-2013-4494) last seen 2020-06-01 modified 2020-06-02 plugin id 79525 published 2014-11-26 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/79525 title OracleVM 2.2 : xen (OVMSA-2013-0088) NASL family Fedora Local Security Checks NASL id FEDORA_2013-22312.NASL description Lock order reversal between page_alloc_lock and mm_rwlock, Hypercalls exposed to privilege rings 1 and 2 of HVM guests, Insufficient TLB flushing in VT-d (iommu) code Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2013-12-08 plugin id 71247 published 2013-12-08 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/71247 title Fedora 18 : xen-4.2.3-10.fc18 (2013-22312) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2013-0087.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - x86/HVM: only allow ring 0 guest code to make hypercalls Anything else would allow for privilege escalation. This is CVE-2013-4554 / XSA-76. (CVE-2013-4554) - x86: restrict XEN_DOMCTL_getmemlist Coverity ID 1055652 (See the code comment.) This is CVE-2013-4553 / XSA-74. (CVE-2013-4553) - gnttab: correct locking order reversal Coverity ID 1087189 Correct a lock order reversal between a domains page allocation and grant table locks. This is CVE-2013-4494 / XSA-73. Consolidate error handling. Backported to Xen-4.1 (CVE-2013-4494) last seen 2020-06-01 modified 2020-06-02 plugin id 79524 published 2014-11-26 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/79524 title OracleVM 3.1 : xen (OVMSA-2013-0087)
References
- http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00010.html
- http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00021.html
- http://lists.opensuse.org/opensuse-updates/2013-12/msg00059.html
- http://security.gentoo.org/glsa/glsa-201407-03.xml
- http://www.debian.org/security/2014/dsa-3006
- http://www.openwall.com/lists/oss-security/2013/11/26/8