CVE-2019-19578

Published: Dic 11, 2019 Last Modified: Nov 21, 2024 EU-VD ID: EUVD-2019-9195 Aliases: GSD-2019-19578

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 8,8

Source: [email protected]

Attack Vector: local

Attack Complexity: low

Privileges Required: low

User Interaction: none

Scope: changed

Confidentiality: high

Integrity: high

Availability: high

HIGH 7,2

Source: [email protected]

Access Vector: local

Access Complexity: low

Authentication: none

Confidentiality: complete

Integrity: complete

Availability: complete

Description

AI Translation Available

An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to cause a denial of service via degenerate chains of linear pagetables, because of an incorrect fix for CVE-2017-15595. 'Linear pagetables' is a technique which involves either pointing a pagetable at itself, or to another pagetable of the same or higher level. Xen has limited support for linear pagetables: A page may either point to itself, or point to another pagetable of the same level (i.e., L2 to L2, L3 to L3, and so on). XSA-240 introduced an additional restriction that limited the 'depth' of such chains by allowing pages to either *point to* other pages of the same level, or *be pointed to* by other pages of the same level, but not both. To implement this, we keep track of the number of outstanding times a page points to or is pointed to another page table, to prevent both from happening at the same time. Unfortunately, the original commit introducing this reset this count when resuming validation of a partially-validated pagetable, incorrectly dropping some 'linear_pt_entry' counts. If an attacker could engineer such a situation to occur, they might be able to make loops or other arbitrary chains of linear pagetables, as described in XSA-240. A malicious or buggy PV guest may cause the hypervisor to crash, resulting in Denial of Service (DoS) affecting the entire host. Privilege escalation and information leaks cannot be excluded. All versions of Xen are vulnerable. Only x86 systems are affected. Arm systems are not affected. Only x86 PV guests can leverage the vulnerability. x86 HVM and PVH guests cannot leverage the vulnerability. Only systems which have enabled linear pagetables are vulnerable. Systems which have disabled linear pagetables, either by selecting CONFIG_PV_LINEAR_PT=n when building the hypervisor, or adding pv-linear-pt=false on the command-line, are not vulnerable.

AI Generated Translation

È stata scoperta una vulnerabilità in Xen fino alla versione 4.12.x che consente agli utenti delle guest OS x86 PV di causare un denial of service tramite catene degeneri di pagetables lineari, a causa di una correzione errata per CVE-2017-15595. "Linear pagetables" è una tecnica che prevede di puntare una pagetable su se stessa, o su un'altra pagetable dello stesso o di livello superiore. Xen supporta in modo limitato le linear pagetables: una pagina può puntare a se stessa, oppure puntare a un'altra pagetable dello stesso livello (ad esempio, L2 a L2, L3 a L3, e così via). XSA-240 ha introdotto una restrizione aggiuntiva che limita la "profondità" di tali catene consentendo alle pagine di *puntare a* altre pagine dello stesso livello, o *essere puntate da* altre pagine dello stesso livello, ma non entrambe le cose contemporaneamente. Per implementare questa restrizione, si tiene traccia del numero di volte in cui una pagina punta o viene puntata da un'altra pagetable, per evitare che entrambe le condizioni si verifichino simultaneamente. Sfortunatamente, il commit originale che ha introdotto questa logica resetta questo conteggio durante il ripristino della validazione di una pagetable parzialmente validata, eliminando erroneamente alcuni conteggi di "linear_pt_entry". Se un attaccante riuscisse a manipolare questa situazione, potrebbe creare loop o altre catene arbitrarie di pagetables lineari, come descritto in XSA-240. Una guest PV malintenzionata o con bug può causare il crash dell'hypervisor, provocando un Denial of Service (DoS) che interessa l'intero host. Non si può escludere la possibilità di escalation dei privilegi e perdite di informazioni. Tutte le versioni di Xen sono vulnerabili. Sono interessati solo i sistemi x86. I sistemi Arm non sono interessati. Solo le guest x86 PV possono sfruttare la vulnerabilità. Le guest x86 HVM e PVH non sono vulnerabili. Solo i sistemi che hanno abilitato le linear pagetables sono vulnerabili. I sistemi che hanno disabilitato le linear pagetables, impostando CONFIG_PV_LINEAR_PT=n durante la compilazione dell'hypervisor, o aggiungendo pv-linear-pt=false sulla riga di comando, non sono vulnerabili.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score

0,0013

Percentile

0,3th

Updated

EPSS Score Trend (Last 90 Days)

682

Incorrect Calculation

Draft

Abstraction: Pillar Structure: Simple

Common Consequences

Security Scopes Affected:

Availability Integrity Confidentiality Access Control

Potential Impacts:

Dos: Crash, Exit, Or Restart Dos: Resource Consumption (Other) Execute Unauthorized Code Or Commands Gain Privileges Or Assume Identity Bypass Protection Mechanism

Applicable Platforms

All platforms may be affected

Likelihood of Exploit: High

View CWE Details

Operating System

Xen by Xen

Product Information

Vendor Xen

Product Xen

Version Range Affected

To 4.12.1 (inclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:o:xen:xen:*:*:*:*:*:*:x86:*

Common Platform Enumeration - Standardized vulnerability identification

Operating System

Fedora by Fedoraproject

Product Information

Vendor Fedoraproject

Product Fedora

Version 31

CPE Identifier

View Detailed Analysis


                  cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

http://lists.opensuse.org/opensuse-security-announce/2020-0…

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00011.html

https://lists.fedoraproject.org/archives/list/package-annou…

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapr…

https://lists.fedoraproject.org/archives/list/package-annou…

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapr…

https://seclists.org/bugtraq/2020/Jan/21

https://security.gentoo.org/glsa/202003-56

https://www.debian.org/security/2020/dsa-4602

https://xenbits.xen.org/xsa/advisory-309.html

Patch Vendor Advisory

https://xenbits.xen.org/xsa/advisory-309.html

http://lists.opensuse.org/opensuse-security-announce/2020-0…

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00011.html

https://lists.fedoraproject.org/archives/list/package-annou…

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapr…

https://lists.fedoraproject.org/archives/list/package-annou…

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapr…

https://seclists.org/bugtraq/2020/Jan/21

https://security.gentoo.org/glsa/202003-56

https://www.debian.org/security/2020/dsa-4602

https://xenbits.xen.org/xsa/advisory-309.html

Patch Vendor Advisory

https://xenbits.xen.org/xsa/advisory-309.html

CVE-2019-19578

Description

EPSS (Exploit Prediction Scoring System)

EPSS (Exploit Prediction Scoring System)

EPSS Score Trend (Last 90 Days)

Incorrect Calculation

Common Consequences

Applicable Platforms

Xen by Xen

Product Information

Fedora by Fedoraproject

Product Information

Iscriviti alla newsletter