VuXML ID | Description |
79f401cd-27e6-11e5-a4a5-002590263bf5 | xen-tools -- Unmediated PCI command register access in qemu
The Xen Project reports:
HVM guests are currently permitted to modify the memory and I/O
decode bits in the PCI command register of devices passed through to
them. Unless the device is an SR-IOV virtual function, after
disabling one or both of these bits subsequent accesses to the MMIO
or I/O port ranges would - on PCI Express devices - lead to
Unsupported Request responses. The treatment of such errors is
platform specific.
Furthermore (at least) devices under control of the Linux pciback
driver in the host are handed to guests with the aforementioned bits
turned off. This means that such accesses can similarly lead to
Unsupported Request responses until these flags are set as needed by
the guest.
In the event that the platform surfaces aforementioned UR responses
as Non-Maskable Interrupts, and either the OS is configured to treat
NMIs as fatal or (e.g. via ACPI's APEI) the platform tells the OS to
treat these errors as fatal, the host would crash, leading to a
Denial of Service.
Discovery 2015-03-31 Entry 2015-07-11 xen-tools
ge 3.3 lt 4.5.0_6
CVE-2015-2756
http://xenbits.xen.org/xsa/advisory-126.html
|
e589ae90-4212-11e6-942d-bc5ff45d0f28 | xen-tools -- Unsanitised driver domain input in libxl device handling
The Xen Project reports:
libxl's device-handling code freely uses and trusts information
from the backend directories in xenstore.
A malicious driver domain can deny service to management tools.
Discovery 2016-06-02 Entry 2016-07-04 xen-tools
< 4.7.0_1
CVE-2016-4963
http://xenbits.xen.org/xsa/advisory-178.html
|
8cbd9c08-f8b9-11e6-ae1b-002590263bf5 | xen-tools -- cirrus_bitblt_cputovideo does not check if memory region is safe
The Xen Project reports:
In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine
cirrus_bitblt_cputovideo fails to check whether the specified
memory region is safe. A malicious guest administrator can cause
an out of bounds memory write, very likely exploitable as a
privilege escalation.
Discovery 2017-02-21 Entry 2017-02-22 xen-tools
< 4.7.1_4
CVE-2017-2620
http://xenbits.xen.org/xsa/advisory-209.html
|
0d732fd1-27e0-11e5-a4a5-002590263bf5 | xen-tools -- HVM qemu unexpectedly enabling emulated VGA graphics backends
The Xen Project reports:
When instantiating an emulated VGA device for an x86 HVM guest qemu
will by default enable a backend to expose that device, either SDL
or VNC depending on the version of qemu and the build time
configuration.
The libxl toolstack library does not explicitly disable these
default backends when they are not enabled, leading to an unexpected
backend running.
If either SDL or VNC is explicitly enabled in the guest
configuration then only the expected backends will be enabled.
This affects qemu-xen and qemu-xen-traditional differently.
If qemu-xen was compiled with SDL support then this would result in
an SDL window being opened if $DISPLAY is valid, or a failure to
start the guest if not.
If qemu-xen was compiled without SDL support then qemu would
instead start a VNC server listening on ::1 (IPv6 localhost) or
127.0.0.1 (IPv4 localhost) with IPv6 preferred if available. A VNC
password will not be configured even if one is present in the guest
configuration.
qemu-xen-traditional will never start a vnc backend unless
explicitly configured. However by default it will start an SDL
backend if it was built with SDL support and $DISPLAY is valid.
Discovery 2015-03-13 Entry 2015-07-11 xen-tools
< 4.5.0_6
CVE-2015-2152
http://xenbits.xen.org/xsa/advisory-119.html
|
c0e76d33-8821-11e5-ab94-002590263bf5 | xen-tools -- populate-on-demand balloon size inaccuracy can crash guests
The Xen Project reports:
Guests configured with PoD might be unstable, especially under
load. In an affected guest, an unprivileged guest user might be
able to cause a guest crash, perhaps simply by applying load so
as to cause heavy memory pressure within the guest.
Discovery 2015-10-29 Entry 2015-11-11 xen-tools
ge 3.4 lt 4.5.1_2
CVE-2015-7972
http://xenbits.xen.org/xsa/advisory-153.html
|
e800cd4b-4212-11e6-942d-bc5ff45d0f28 | xen-tools -- Unrestricted qemu logging
The Xen Project reports:
When the libxl toolstack launches qemu for HVM guests, it pipes the
output of stderr to a file in /var/log/xen. This output is not
rate-limited in any way. The guest can easily cause qemu to print
messages to stderr, causing this file to become arbitrarily large.
The disk containing the logfile can be exhausted, possibly causing a
denial-of-service (DoS).
Discovery 2016-05-23 Entry 2016-07-04 xen-tools
< 4.7.0_2
CVE-2014-3672
http://xenbits.xen.org/xsa/advisory-180.html
|
301b04d7-881c-11e5-ab94-002590263bf5 | xen-tools -- libxl fails to honour readonly flag on disks with qemu-xen
The Xen Project reports:
Callers of libxl can specify that a disk should be read-only to the
guest. However, there is no code in libxl to pass this information
to qemu-xen (the upstream-based qemu); and indeed there is no way in
qemu to make a disk read-only.
The vulnerability is exploitable only via devices emulated by the
device model, not the parallel PV devices for supporting PVHVM.
Normally the PVHVM device unplug protocol renders the emulated
devices inaccessible early in boot.
Malicious guest administrators or (in some situations) users may be
able to write to supposedly read-only disk images.
CDROM devices (that is, devices specified to be presented to the
guest as CDROMs, regardless of the nature of the backing storage on
the host) are not affected.
Discovery 2015-09-22 Entry 2015-11-11 xen-tools
ge 4.1 lt 4.5.1_1
CVE-2015-7311
http://xenbits.xen.org/xsa/advisory-142.html
|
ee99899d-4347-11e5-93ad-002590263bf5 | qemu, xen-tools -- use-after-free in QEMU/Xen block unplug protocol
The Xen Project reports:
When unplugging an emulated block device the device was not fully
unplugged, meaning a second unplug attempt would attempt to unplug
the device a second time using a previously freed pointer.
An HVM guest which has access to an emulated IDE disk device may be
able to exploit this vulnerability in order to take over the qemu
process elevating its privilege to that of the qemu process.
Discovery 2015-08-03 Entry 2015-08-17 Modified 2015-08-19 qemu
qemu-devel
le 0.11.1_20
ge 0.12 le 2.3.0_2
qemu-sbruno
qemu-user-static
< 2.4.50.g20150814
xen-tools
< 4.5.1
CVE-2015-5166
http://xenbits.xen.org/xsa/advisory-139.html
http://git.qemu.org/?p=qemu.git;a=commit;h=260425ab405ea76c44dd59744d05176d4f579a52
|
f1deed23-27ec-11e5-a4a5-002590263bf5 | xen-tools -- xl command line config handling stack overflow
The Xen Project reports:
The xl command line utility mishandles long configuration values
when passed as command line arguments, with a buffer overrun.
A semi-trusted guest administrator or controller, who is intended
to be able to partially control the configuration settings for a
domain, can escalate their privileges to that of the whole host.
Discovery 2015-07-07 Entry 2015-07-11 xen-tools
ge 4.1 lt 4.5.0_8
CVE-2015-3259
http://xenbits.xen.org/xsa/advisory-137.html
|
e2fca11b-4212-11e6-942d-bc5ff45d0f28 | xen-tools -- Unsanitised guest input in libxl device handling code
The Xen Project reports:
Various parts of libxl device-handling code inappropriately use
information from (partially) guest controlled areas of xenstore.
A malicious guest administrator can cause denial of service by
resource exhaustion.
A malicious guest administrator can confuse and/or deny service to
management facilities.
A malicious guest administrator of a guest configured with channel
devices may be able to escalate their privilege to that of the
backend domain (i.e., normally, to that of the host).
Discovery 2016-06-02 Entry 2016-07-04 xen-tools
< 4.7.0_1
CVE-2016-4962
http://xenbits.xen.org/xsa/advisory-175.html
|
e6ce6f50-4212-11e6-942d-bc5ff45d0f28 | xen-tools -- QEMU: Banked access to VGA memory (VBE) uses inconsistent bounds checks
The Xen Project reports:
Qemu VGA module allows banked access to video memory using the
window at 0xa00000 and it supports different access modes with
different address calculations.
Qemu VGA module allows guest to edit certain registers in 'vbe'
and 'vga' modes.
A privileged guest user could use CVE-2016-3710 to exceed the bank
address window and write beyond the said memory area, potentially
leading to arbitrary code execution with privileges of the Qemu
process. If the system is not using stubdomains, this will be in
domain 0.
A privileged guest user could use CVE-2016-3712 to cause potential
integer overflow or OOB read access issues in Qemu, resulting in a DoS
of the guest itself. More dangerous effect, such as data leakage or
code execution, are not known but cannot be ruled out.
Discovery 2016-05-09 Entry 2016-07-04 xen-tools
< 4.7.0_2
CVE-2016-3710
CVE-2016-3712
http://xenbits.xen.org/xsa/advisory-179.html
|
47873d72-14eb-11e7-970f-002590263bf5 | xen-tools -- xenstore denial of service via repeated update
The Xen Project reports:
Unprivileged guests may be able to stall progress of the control
domain or driver domain, possibly leading to a Denial of Service
(DoS) of the entire host.
Discovery 2017-03-28 Entry 2017-03-30 xen-tools
< 4.7.2_1
http://xenbits.xen.org/xsa/advisory-206.html
|
405446f4-b1b3-11e5-9728-002590263bf5 | qemu and xen-tools -- denial of service vulnerabilities in AMD PC-Net II NIC support
Prasad J Pandit, Red Hat Product Security Team, reports:
Qemu emulator built with the AMD PC-Net II Ethernet Controller
support is vulnerable to a heap buffer overflow flaw. While
receiving packets in the loopback mode, it appends CRC code to the
receive buffer. If the data size given is same as the receive buffer
size, the appended CRC code overwrites 4 bytes beyond this
's->buffer' array.
A privileged(CAP_SYS_RAWIO) user inside guest could use this flaw
to crash the Qemu instance resulting in DoS or potentially execute
arbitrary code with privileges of the Qemu process on the host.
The AMD PC-Net II emulator(hw/net/pcnet.c), while receiving packets
from a remote host(non-loopback mode), fails to validate the
received data size, thus resulting in a buffer overflow issue. It
could potentially lead to arbitrary code execution on the host, with
privileges of the Qemu process. It requires the guest NIC to have
larger MTU limit.
A remote user could use this flaw to crash the guest instance
resulting in DoS or potentially execute arbitrary code on a remote
host with privileges of the Qemu process.
Discovery 2015-11-30 Entry 2016-01-03 Modified 2016-01-06 qemu
qemu-devel
< 2.5.0
qemu-sbruno
qemu-user-static
< 2.5.50.g20151224
xen-tools
< 4.5.2_1
CVE-2015-7504
CVE-2015-7512
http://www.openwall.com/lists/oss-security/2015/11/30/2
http://www.openwall.com/lists/oss-security/2015/11/30/3
http://git.qemu.org/?p=qemu.git;a=commit;h=837f21aacf5a714c23ddaadbbc5212f9b661e3f7
http://git.qemu.org/?p=qemu.git;a=commit;h=8b98a2f07175d46c3f7217639bd5e03f2ec56343
https://github.com/seanbruno/qemu-bsd-user/commit/837f21aacf5a714c23ddaadbbc5212f9b661e3f7
https://github.com/seanbruno/qemu-bsd-user/commit/8b98a2f07175d46c3f7217639bd5e03f2ec56343
http://xenbits.xen.org/xsa/advisory-162.html
|
d40c66cb-27e4-11e5-a4a5-002590263bf5 | xen-kernel and xen-tools -- Long latency MMIO mapping operations are not preemptible
The Xen Project reports:
The XEN_DOMCTL_memory_mapping hypercall allows long running
operations without implementing preemption.
This hypercall is used by the device model as part of the emulation
associated with configuration of PCI devices passed through to HVM
guests and is therefore indirectly exposed to those guests.
This can cause a physical CPU to become busy for a significant
period, leading to a host denial of service in some cases.
If a host denial of service is not triggered then it may instead be
possible to deny service to the domain running the device model,
e.g. domain 0.
This hypercall is also exposed more generally to all toolstacks.
However the uses of it in libxl based toolstacks are not believed
to open up any avenue of attack from an untrusted guest. Other
toolstacks may be vulnerable however.
The vulnerability is exposed via HVM guests which have a PCI device
assigned to them. A malicious HVM guest in such a configuration can
mount a denial of service attack affecting the whole system via its
associated device model (qemu-dm).
A guest is able to trigger this hypercall via operations which it
is legitimately expected to perform, therefore running the device
model as a stub domain does not offer protection against the host
denial of service issue. However it does offer some protection
against secondary issues such as denial of service against dom0.
Discovery 2015-03-31 Entry 2015-07-11 xen-kernel
< 4.5.0_3
xen-tools
< 4.5.0_6
CVE-2015-2752
http://xenbits.xen.org/xsa/advisory-125.html
|
59f79c99-ba4d-11e6-ae1b-002590263bf5 | xen-tools -- delimiter injection vulnerabilities in pygrub
The Xen Project reports:
pygrub, the boot loader emulator, fails to quote (or sanity check)
its results when reporting them to its caller.
A malicious guest administrator can obtain the contents of
sensitive host files (an information leak). Additionally, a
malicious guest administrator can cause files on the host to be
removed, causing a denial of service. In some unusual host
configurations, ability to remove certain files may be usable for
privilege escalation.
Discovery 2016-11-22 Entry 2016-12-04 xen-tools
< 4.7.1
CVE-2016-9379
CVE-2016-9380
ports/214936
https://xenbits.xen.org/xsa/advisory-198.html
|
2780e442-fc59-11e4-b18b-6805ca1d3bb1 | qemu, xen and VirtualBox OSE -- possible VM escape and code execution ("VENOM")
Jason Geffner, CrowdStrike Senior Security Researcher reports:
VENOM, CVE-2015-3456, is a security vulnerability in
the virtual floppy drive code used by many computer
virtualization platforms. This vulnerability may allow
an attacker to escape from the confines of an affected
virtual machine (VM) guest and potentially obtain
code-execution access to the host. Absent mitigation,
this VM escape could open access to the host system and
all other VMs running on that host, potentially giving
adversaries significant elevated access to the host's
local network and adjacent systems.
Discovery 2015-04-29 Entry 2015-05-17 Modified 2015-09-28 qemu
qemu-devel
< 0.11.1_19
ge 0.12 lt 2.3.0_1
qemu-sbruno
< 2.3.50.g20150501_1
virtualbox-ose
< 4.3.28
xen-tools
ge 4.5.0 lt 4.5.0_5
CVE-2015-3456
ports/200255
ports/200256
ports/200257
http://venom.crowdstrike.com/
http://www.oracle.com/technetwork/topics/security/alert-cve-2015-3456-2542656.html
http://xenbits.xen.org/xsa/advisory-133.html
|
cbe1a0f9-27e9-11e5-a4a5-002590263bf5 | xen-tools -- Guest triggerable qemu MSI-X pass-through error messages
The Xen Project reports:
Device model code dealing with guest PCI MSI-X interrupt management
activities logs messages on certain (supposedly) invalid guest
operations.
A buggy or malicious guest repeatedly invoking such operations may
result in the host disk to fill up, possibly leading to a Denial of
Service.
Discovery 2015-06-02 Entry 2015-07-11 xen-tools
ge 3.3 lt 4.5.0_6
CVE-2015-4105
http://xenbits.xen.org/xsa/advisory-130.html
|
58685e23-ba4d-11e6-ae1b-002590263bf5 | xen-tools -- qemu incautious about shared ring processing
The Xen Project reports:
The compiler can emit optimizations in qemu which can lead to
double fetch vulnerabilities. Specifically data on the rings shared
between qemu and the hypervisor (which the guest under control can
obtain mappings of) can be fetched twice (during which time the
guest can alter the contents) possibly leading to arbitrary code
execution in qemu.
Malicious administrators can exploit this vulnerability to take
over the qemu process, elevating its privilege to that of the qemu
process.
In a system not using a device model stub domain (or other
techniques for deprivileging qemu), malicious guest administrators
can thus elevate their privilege to that of the host.
Discovery 2016-11-22 Entry 2016-12-04 xen-tools
< 4.7.1
CVE-2016-9381
ports/214936
https://xenbits.xen.org/xsa/advisory-197.html
|
06574c62-5854-11e6-b334-002590263bf5 | xen-tools -- virtio: unbounded memory allocation issue
The Xen Project reports:
A guest can submit virtio requests without bothering to wait for
completion and is therefore not bound by virtqueue size...
A malicious guest administrator can cause unbounded memory
allocation in QEMU, which can cause an Out-of-Memory condition
in the domain running qemu. Thus, a malicious guest administrator
can cause a denial of service affecting the whole host.
Discovery 2016-07-27 Entry 2016-08-02 xen-tools
< 4.7.0_4
CVE-2016-5403
ports/211482
http://xenbits.xen.org/xsa/advisory-184.html
|
f06f20dc-4347-11e5-93ad-002590263bf5 | qemu, xen-tools -- QEMU leak of uninitialized heap memory in rtl8139 device model
The Xen Project reports:
The QEMU model of the RTL8139 network card did not sufficiently
validate inputs in the C+ mode offload emulation. This results in
uninitialized memory from the QEMU process's heap being leaked to
the domain as well as to the network.
A guest may be able to read sensitive host-level data relating to
itself which resides in the QEMU process.
Such information may include things such as information relating to
real devices backing emulated devices or passwords which the host
administrator does not intend to share with the guest admin.
Discovery 2015-08-03 Entry 2015-08-17 Modified 2015-08-19 qemu
qemu-devel
le 0.11.1_20
ge 0.12 le 2.3.0_2
qemu-sbruno
qemu-user-static
< 2.4.50.g20150814
xen-tools
< 4.5.1
CVE-2015-5165
http://xenbits.xen.org/xsa/advisory-140.html
http://git.qemu.org/?p=qemu.git;a=commit;h=2a3612ccc1fa9cea77bd193afbfe21c77e7e91ef
|
af38cfec-27e7-11e5-a4a5-002590263bf5 | xen-tools -- Potential unintended writes to host MSI message data field via qemu
The Xen Project reports:
Logic is in place to avoid writes to certain host config space
fields when the guest must nevertheless be able to access their
virtual counterparts. A bug in how this logic deals with accesses
spanning multiple fields allows the guest to write to the host MSI
message data field.
While generally the writes write back the values previously read,
their value in config space may have got changed by the host between
the qemu read and write. In such a case host side interrupt handling
could become confused, possibly losing interrupts or allowing
spurious interrupt injection into other guests.
Certain untrusted guest administrators may be able to confuse host
side interrupt handling, leading to a Denial of Service.
Discovery 2015-06-02 Entry 2015-07-11 xen-tools
ge 3.3 lt 4.5.0_6
CVE-2015-4103
http://xenbits.xen.org/xsa/advisory-128.html
|
da451130-365d-11e5-a4a5-002590263bf5 | qemu, xen-tools -- QEMU heap overflow flaw with certain ATAPI commands
The Xen Project reports:
A heap overflow flaw was found in the way QEMU's IDE subsystem
handled I/O buffer access while processing certain ATAPI
commands.
A privileged guest user in a guest with CDROM drive enabled could
potentially use this flaw to execute arbitrary code on the host
with the privileges of the host's QEMU process corresponding to
the guest.
Discovery 2015-07-27 Entry 2015-08-04 Modified 2015-08-19 qemu
qemu-devel
le 0.11.1_20
ge 0.12 le 2.3.0_2
qemu-sbruno
qemu-user-static
< 2.4.50.g20150814
xen-tools
< 4.5.0_9
CVE-2015-5154
http://xenbits.xen.org/xsa/advisory-138.html
http://git.qemu.org/?p=qemu.git;a=commit;h=e40db4c6d391419c0039fe274c74df32a6ca1a28
|
acd5d037-1c33-11e5-be9c-6805ca1d3bb1 | qemu -- Heap overflow in QEMU PCNET controller, allowing guest to host escape (CVE-2015-3209)
The QEMU security team reports:
A guest which has access to an emulated PCNET network
device (e.g. with "model=pcnet" in their VIF configuration)
can exploit this vulnerability to take over the qemu
process elevating its privilege to that of the qemu
process.
Discovery 2015-04-10 Entry 2015-06-26 Modified 2015-07-11 qemu
qemu-devel
< 0.11.1_20
ge 0.12 lt 2.3.0_2
qemu-sbruno
< 2.3.50.g20150618_1
xen-tools
< 4.5.0_6
http://xenbits.xen.org/xsa/advisory-135.html
CVE-2015-3209
|
3d657340-27ea-11e5-a4a5-002590263bf5 | xen-tools -- Unmediated PCI register access in qemu
The Xen Project reports:
Qemu allows guests to not only read, but also write all parts of
the PCI config space (but not extended config space) of passed
through PCI devices not explicitly dealt with for (partial)
emulation purposes.
Since the effect depends on the specific purpose of the the config
space field, it's not possible to give a general statement about the
exact impact on the host or other guests. Privilege escalation,
host crash (Denial of Service), and leaked information all cannot be
excluded.
Discovery 2015-06-02 Entry 2015-07-11 xen-tools
ge 3.3 lt 4.5.0_6
CVE-2015-4106
http://xenbits.xen.org/xsa/advisory-131.html
|
a73aba9a-effe-11e6-ae1b-002590263bf5 | xen-tools -- oob access in cirrus bitblt copy
The Xen Project reports:
When doing bitblt copy backwards, qemu should negate the blit
width. This avoids an oob access before the start of video
memory.
A malicious guest administrator can cause an out of bounds memory
access, possibly leading to information disclosure or privilege
escalation.
Discovery 2017-02-10 Entry 2017-02-11 xen-tools
< 4.7.1_2
CVE-2017-2615
http://xenbits.xen.org/xsa/advisory-208.html
|
4db8a0f4-27e9-11e5-a4a5-002590263bf5 | xen-tools -- PCI MSI mask bits inadvertently exposed to guests
The Xen Project reports:
The mask bits optionally available in the PCI MSI capability
structure are used by the hypervisor to occasionally suppress
interrupt delivery. Unprivileged guests were, however, nevertheless
allowed direct control of these bits.
Interrupts may be observed by Xen at unexpected times, which may
lead to a host crash and therefore a Denial of Service.
Discovery 2015-06-02 Entry 2015-07-11 xen-tools
ge 3.3 lt 4.5.0_6
CVE-2015-4104
http://xenbits.xen.org/xsa/advisory-129.html
|
5d1d4473-b40d-11e5-9728-002590263bf5 | xen-tools -- libxl leak of pv kernel and initrd on error
The Xen Project reports:
When constructing a guest which is configured to use a PV
bootloader which runs as a userspace process in the toolstack domain
(e.g. pygrub) libxl creates a mapping of the files to be used as
kernel and initial ramdisk when building the guest domain.
However if building the domain subsequently fails these mappings
would not be released leading to a leak of virtual address space in
the calling process, as well as preventing the recovery of the
temporary disk files containing the kernel and initial ramdisk.
For toolstacks which manage multiple domains within the same
process, an attacker who is able to repeatedly start a suitable
domain (or many such domains) can cause an out-of-memory condition in the
toolstack process, leading to a denial of service.
Under the same circumstances an attacker can also cause files to
accumulate on the toolstack domain filesystem (usually under /var in
dom0) used to temporarily store the kernel and initial ramdisk,
perhaps leading to a denial of service against arbitrary other
services using that filesystem.
Discovery 2015-12-08 Entry 2016-01-06 xen-tools
ge 4.1 lt 4.5.2_1
CVE-2015-8341
ports/205841
http://xenbits.xen.org/xsa/advisory-160.html
|
af19ecd0-0f6a-11e7-970f-002590263bf5 | xen-tools -- Cirrus VGA Heap overflow via display refresh
The Xen Project reports:
A privileged user within the guest VM can cause a heap overflow in
the device model process, potentially escalating their privileges to
that of the device model process.
Discovery 2017-03-14 Entry 2017-03-23 xen-tools
< 4.7.2
CVE-2016-9603
http://xenbits.xen.org/xsa/advisory-211.html
|