Vulnerabilities > CVE-2015-4163 - Local Denial of Service vulnerability in Xen
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
COMPLETE Summary
GNTTABOP_swap_grant_ref in Xen 4.2 through 4.5 does not check the grant table operation version, which allows local guest domains to cause a denial of service (NULL pointer dereference) via a hypercall without a GNTTABOP_setup_table or GNTTABOP_set_version. <a href="http://cwe.mitre.org/data/definitions/476.html">CWE-476: NULL Pointer Dereference</a>
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 11 |
Nessus
NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_80E846FF27EB11E5A4A5002590263BF5.NASL description The Xen Project reports : With the introduction of version 2 grant table operations, a version check became necessary for most grant table related hypercalls. The GNTTABOP_swap_grant_ref call was lacking such a check. As a result, the subsequent code behaved as if version 2 was in use, when a guest issued this hypercall without a prior GNTTABOP_setup_table or GNTTABOP_set_version. The effect is a possible NULL pointer dereferences. However, this cannot be exploited to elevate privileges of the attacking domain, as the maximum memory address that can be wrongly accessed this way is bounded to far below the start of hypervisor memory. Malicious or buggy guest domain kernels can mount a denial of service attack which, if successful, can affect the whole system. last seen 2020-06-01 modified 2020-06-02 plugin id 84706 published 2015-07-14 reporter This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/84706 title FreeBSD : xen-kernel -- GNTTABOP_swap_grant_ref operation misbehavior (80e846ff-27eb-11e5-a4a5-002590263bf5) NASL family SuSE Local Security Checks NASL id SUSE_SU-2015-1045-1.NASL description Xen was updated to fix seven security vulnerabilities : CVE-2015-4103: Potential unintended writes to host MSI message data field via qemu. (XSA-128, bnc#931625) CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests. (XSA-129, bnc#931626) CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error messages. (XSA-130, bnc#931627) CVE-2015-4106: Unmediated PCI register access in qemu. (XSA-131, bnc#931628) CVE-2015-4163: GNTTABOP_swap_grant_ref operation misbehavior. (XSA-134, bnc#932790) CVE-2015-3209: Heap overflow in qemu pcnet controller allowing guest to host escape. (XSA-135, bnc#932770) CVE-2015-4164: DoS through iret hypercall handler. (XSA-136, bnc#932996) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 84190 published 2015-06-15 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/84190 title SUSE SLED11 / SLES11 Security Update : Xen (SUSE-SU-2015:1045-1) NASL family SuSE Local Security Checks NASL id OPENSUSE-2015-434.NASL description Xen was updated to 4.4.2 to fix multiple vulnerabilities and non-security bugs. The following vulnerabilities were fixed : - CVE-2015-4103: Potential unintended writes to host MSI message data field via qemu (XSA-128) (boo#931625) - CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests (XSA-129) (boo#931626) - CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error messages (XSA-130) (boo#931627) - CVE-2015-4106: Unmediated PCI register access in qemu (XSA-131) (boo#931628) - CVE-2015-4164: DoS through iret hypercall handler (XSA-136) (boo#932996) - CVE-2015-4163: GNTTABOP_swap_grant_ref operation misbehavior (XSA-134) (boo#932790) - CVE-2015-3209: heap overflow in qemu pcnet controller allowing guest to host escape (XSA-135) (boo#932770) - CVE-2015-3456: Fixed a buffer overflow in the floppy drive emulation, which could be used to denial of service attacks or potential code execution against the host. () - CVE-2015-3340: Xen did not initialize certain fields, which allowed certain remote service domains to obtain sensitive information from memory via a (1) XEN_DOMCTL_gettscinfo or (2) XEN_SYSCTL_getdomaininfolist request. () - CVE-2015-2752: Long latency MMIO mapping operations are not preemptible (XSA-125 boo#922705) - CVE-2015-2756: Unmediated PCI command register access in qemu (XSA-126 boo#922706) - CVE-2015-2751: Certain domctl operations may be abused to lock up the host (XSA-127 boo#922709) - CVE-2015-2151: Hypervisor memory corruption due to x86 emulator flaw (boo#919464 XSA-123) - CVE-2015-2045: Information leak through version information hypercall (boo#918998 XSA-122) - CVE-2015-2044: Information leak via internal x86 system device emulation (boo#918995 (XSA-121) - CVE-2015-2152: HVM qemu unexpectedly enabling emulated VGA graphics backends (boo#919663 XSA-119) - CVE-2014-3615: information leakage when guest sets high resolution (boo#895528) The following non-security bugs were fixed : - xentop: Fix memory leak on read failure - boo#923758: xen dmesg contains bogus output in early boot - boo#921842: Xentop doesn last seen 2020-06-05 modified 2015-06-23 plugin id 84333 published 2015-06-23 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/84333 title openSUSE Security Update : xen (openSUSE-2015-434) (Venom) NASL family SuSE Local Security Checks NASL id SUSE_SU-2015-1042-1.NASL description Xen was updated to fix seven security issues and one non-security bug. The following vulnerabilities were fixed : - CVE-2015-4103: Potential unintended writes to host MSI message data field via qemu (XSA-128) (bnc#931625) - CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests (XSA-129) (bnc#931626) - CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error messages (XSA-130) (bnc#931627) - CVE-2015-4106: Unmediated PCI register access in qemu (XSA-131) (bnc#931628) - CVE-2015-4163: GNTTABOP_swap_grant_ref operation misbehavior (XSA-134) (bnc#932790) - CVE-2015-3209: heap overflow in qemu pcnet controller allowing guest to host escape (XSA-135) (bnc#932770) - CVE-2015-4164: DoS through iret hypercall handler (XSA-136) (bnc#932996) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 84146 published 2015-06-12 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/84146 title SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2015:1042-1) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2015-0067.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - x86/traps: loop in the correct direction in compat_iret This is XSA-136. (CVE-2015-4164) - pcnet: force the buffer access to be in bounds during tx 4096 is the maximum length per TMD and it is also currently the size of the relay buffer pcnet driver uses for sending the packet data to QEMU for further processing. With packet spanning multiple TMDs it can happen that the overall packet size will be bigger than sizeof(buffer), which results in memory corruption. Fix this by only allowing to queue maximum sizeof(buffer) bytes. This is CVE-2015-3209. (CVE-2015-3209) - pcnet: fix Negative array index read From: Gonglei s->xmit_pos maybe assigned to a negative value (-1), but in this branch variable s->xmit_pos as an index to array s->buffer. Let last seen 2020-06-01 modified 2020-06-02 plugin id 84139 published 2015-06-12 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/84139 title OracleVM 3.3 : xen (OVMSA-2015-0067) NASL family Fedora Local Security Checks NASL id FEDORA_2015-9978.NASL description Heap overflow in QEMU PCNET controller, allowing guest->host escape [XSA-135, CVE-2015-3209]. GNTTABOP_swap_grant_ref operation misbehavior [XSA-134, CVE-2015-4163]. vulnerability in the iret hypercall handler [XSA-136, CVE-2015-4164]. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2015-06-25 plugin id 84379 published 2015-06-25 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/84379 title Fedora 21 : xen-4.4.2-6.fc21 (2015-9978) NASL family Fedora Local Security Checks NASL id FEDORA_2015-9965.NASL description Heap overflow in QEMU PCNET controller, allowing guest->host escape [XSA-135, CVE-2015-3209] (#1230537) GNTTABOP_swap_grant_ref operation misbehavior [XSA-134, CVE-2015-4163] vulnerability in the iret hypercall handler [XSA-136, CVE-2015-4164] Potential unintended writes to host MSI message data field via qemu [XSA-128, CVE-2015-4103], PCI MSI mask bits inadvertently exposed to guests [XSA-129, CVE-2015-4104], Guest triggerable qemu MSI-X pass-through error messages [XSA-130, CVE-2015-4105], Unmediated PCI register access in qemu [XSA-131, CVE-2015-4106] Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2015-06-25 plugin id 84378 published 2015-06-25 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/84378 title Fedora 20 : xen-4.3.4-6.fc20 (2015-9965) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201604-03.NASL description The remote host is affected by the vulnerability described in GLSA-201604-03 (Xen: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Xen. Please review the CVE identifiers referenced below for details. Impact : A local attacker could possibly cause a Denial of Service condition or obtain sensitive information. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 90380 published 2016-04-07 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90380 title GLSA-201604-03 : Xen: Multiple vulnerabilities (Venom) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2018-0248.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0248 for details. last seen 2020-06-01 modified 2020-06-02 plugin id 111992 published 2018-08-20 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111992 title OracleVM 3.4 : xen (OVMSA-2018-0248) (Bunker Buster) (Foreshadow) (Meltdown) (POODLE) (Spectre) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3286.NASL description Multiple security issues have been found in the Xen virtualisation solution : - CVE-2015-3209 Matt Tait discovered a flaw in the way QEMU last seen 2020-06-01 modified 2020-06-02 plugin id 84169 published 2015-06-15 reporter This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/84169 title Debian DSA-3286-1 : xen - security update NASL family SuSE Local Security Checks NASL id SUSE_SU-2015-1157-1.NASL description Xen was updated to fix six security issues : CVE-2015-4103: Potential unintended writes to host MSI message data field via qemu. (XSA-128, bsc#931625) CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests. (XSA-129, bsc#931626) CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error messages. (XSA-130, bsc#931627) CVE-2015-4106: Unmediated PCI register access in qemu. (XSA-131, bsc#931628) CVE-2015-3209: Heap overflow in qemu pcnet controller allowing guest to host escape. (XSA-135, bsc#932770) CVE-2015-4164: DoS through iret hypercall handler. (XSA-136, bsc#932996) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 84469 published 2015-06-30 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/84469 title SUSE SLES11 Security Update : Xen (SUSE-SU-2015:1157-1) NASL family SuSE Local Security Checks NASL id OPENSUSE-2015-435.NASL description Xen was updated to fix eight vulnerabilities. The following vulnerabilities were fixed : - CVE-2015-2751: Certain domctl operations may be abused to lock up the host (XSA-127 boo#922709) - CVE-2015-4103: Potential unintended writes to host MSI message data field via qemu (XSA-128) (boo#931625) - CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests (XSA-129) (boo#931626) - CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error messages (XSA-130) (boo#931627) - CVE-2015-4106: Unmediated PCI register access in qemu (XSA-131) (boo#931628) - CVE-2015-4163: GNTTABOP_swap_grant_ref operation misbehavior (XSA-134) (boo#932790) - CVE-2015-3209: heap overflow in qemu pcnet controller allowing guest to host escape (XSA-135) (boo#932770) - CVE-2015-4164: DoS through iret hypercall handler (XSA-136) (boo#932996) last seen 2020-06-05 modified 2015-06-23 plugin id 84334 published 2015-06-23 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/84334 title openSUSE Security Update : xen (openSUSE-2015-435) NASL family Fedora Local Security Checks NASL id FEDORA_2015-10001.NASL description stubs-32.h is back, so revert to previous behaviour. Heap overflow in QEMU PCNET controller, allowing guest->host escape [XSA-135, CVE-2015-3209]. GNTTABOP_swap_grant_ref operation misbehavior [XSA-134, CVE-2015-4163]. vulnerability in the iret hypercall handler [XSA-136, CVE-2015-4164]. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2015-06-25 plugin id 84374 published 2015-06-25 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/84374 title Fedora 22 : xen-4.5.0-11.fc22 (2015-10001)
References
- http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00004.html
- http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00007.html
- http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00030.html
- http://support.citrix.com/article/CTX201145
- http://www.debian.org/security/2015/dsa-3286
- http://www.securityfocus.com/bid/75141
- http://www.securitytracker.com/id/1032568
- http://xenbits.xen.org/xsa/advisory-134.html
- https://security.gentoo.org/glsa/201604-03
- https://support.citrix.com/article/CTX206006