ID CVE-2015-2751
Summary Xen 4.3.x, 4.4.x, and 4.5.x, when using toolstack disaggregation, allows remote domains with partial management control to cause a denial of service (host lock) via unspecified domctl operations.
References
Vulnerable Configurations
  • Xen Xen 4.3.0
    cpe:2.3:o:xen:xen:4.3.0
  • Xen 4.3.1
    cpe:2.3:o:xen:xen:4.3.1
  • Xen Xen 4.3.2
    cpe:2.3:o:xen:xen:4.3.2
  • Xen 4.4.0
    cpe:2.3:o:xen:xen:4.4.0
  • Xen 4.4.0 release candidate 1
    cpe:2.3:o:xen:xen:4.4.0:rc1
  • Xen Xen 4.4.1
    cpe:2.3:o:xen:xen:4.4.1
  • Xen Xen 4.5.0
    cpe:2.3:o:xen:xen:4.5.0
  • Fedora 20
    cpe:2.3:o:fedoraproject:fedora:20
  • Fedora 21
    cpe:2.3:o:fedoraproject:fedora:21
CVSS
Base: 7.1 (as of 23-08-2016 - 11:36)
Impact:
Exploitability:
CWE CWE-17
CAPEC
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE COMPLETE
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-0923-1.NASL
    description XEN was updated to fix two security issues and bugs. Security issues fixed : - CVE-2015-3340: Xen did not initialize certain fields, which allowed certain remote service domains to obtain sensitive information from memory via a (1) XEN_DOMCTL_gettscinfo or (2) XEN_SYSCTL_getdomaininfolist request. - CVE-2015-2751: Xen, when using toolstack disaggregation, allowed remote domains with partial management control to cause a denial of service (host lock) via unspecified domctl operations. - CVE-2015-2752: The XEN_DOMCTL_memory_mapping hypercall in Xen, when using a PCI passthrough device, was not preemptable, which allowed local x86 HVM domain users to cause a denial of service (host CPU consumption) via a crafted request to the device model (qemu-dm). - CVE-2015-3456: Fixed a buffer overflow in the floppy drive emulation, which could be used to denial of service attacks or potential code execution against the host. Bugs fixed : - xentop: Fix memory leak on read failure Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 83757
    published 2015-05-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83757
    title SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2015:0923-1) (Venom)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-5208.NASL
    description Long latency MMIO mapping operations are not preemptible [XSA-125, CVE-2015-2752] Unmediated PCI command register access in qemu [XSA-126, CVE-2015-2756] Certain domctl operations may be abused to lock up the host [XSA-127, CVE-2015-2751] update to xen-4.4.2 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 82729
    published 2015-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82729
    title Fedora 21 : xen-4.4.2-2.fc21 (2015-5208)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-5402.NASL
    description Long latency MMIO mapping operations are not preemptible [XSA-125, CVE-2015-2752] Unmediated PCI command register access in qemu [XSA-126, CVE-2015-2756] Certain domctl operations may be abused to lock up the host [XSA-127, CVE-2015-2751] update to xen-4.3.4 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 82730
    published 2015-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82730
    title Fedora 20 : xen-4.3.4-2.fc20 (2015-5402)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_103A47D527E711E5A4A5002590263BF5.NASL
    description The Xen Project reports : XSA-77 put the majority of the domctl operations on a list excepting them from having security advisories issued for them if any effects their use might have could hamper security. Subsequently some of them got declared disaggregation safe, but for a small subset this was not really correct: Their (mis-)use may result in host lockups. As a result, the potential security benefits of toolstack disaggregation are not always fully realised. Domains deliberately given partial management control may be able to deny service to the entire host. As a result, in a system designed to enhance security by radically disaggregating the management, the security may be reduced. But, the security will be no worse than a non-disaggregated design.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 84694
    published 2015-07-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84694
    title FreeBSD : xen-kernel -- Certain domctl operations may be abused to lock up the host (103a47d5-27e7-11e5-a4a5-002590263bf5)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2018-0248.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0248 for details.
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 111992
    published 2018-08-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111992
    title OracleVM 3.4 : xen (OVMSA-2018-0248) (Bunker Buster) (Foreshadow) (Meltdown) (POODLE) (Spectre)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2015-0057.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - fdc: force the fifo access to be in bounds of the allocated buffer During processing of certain commands such as FD_CMD_READ_ID and FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could get out of bounds leading to memory corruption with values coming from the guest. Fix this by making sure that the index is always bounded by the allocated memory. This is CVE-2015-3456. XSA-133 (CVE-2015-3456) - fdc: force the fifo access to be in bounds of the allocated buffer During processing of certain commands such as FD_CMD_READ_ID and FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could get out of bounds leading to memory corruption with values coming from the guest. Fix this by making sure that the index is always bounded by the allocated memory. This is CVE-2015-3456. XSA-133 (CVE-2015-3456) - domctl: don't allow a toolstack domain to call domain_pause on itself These DOMCTL subops were accidentally declared safe for disaggregation in the wake of XSA-77. This is XSA-127. (CVE-2015-2751) - xen: limit guest control of PCI command register Otherwise the guest can abuse that control to cause e.g. PCIe Unsupported Request responses (by disabling memory and/or I/O decoding and subsequently causing [CPU side] accesses to the respective address ranges), which (depending on system configuration) may be fatal to the host. This is CVE-2015-2756 / XSA-126. Conflicts: tools/qemu-xen-traditional-dir/hw/pass-through.c (CVE-2015-2756) - xen: limit guest control of PCI command register Otherwise the guest can abuse that control to cause e.g. PCIe Unsupported Request responses (by disabling memory and/or I/O decoding and subsequently causing [CPU side] accesses to the respective address ranges), which (depending on system configuration) may be fatal to the host. This is CVE-2015-2756 / XSA-126. (CVE-2015-2756) - Limit XEN_DOMCTL_memory_mapping hypercall to only process up to 64 GFNs (or less) Said hypercall for large BARs can take quite a while. As such we can require that the hypercall MUST break up the request in smaller values. Another approach is to add preemption to it - whether we do the preemption using hypercall_create_continuation or returning EAGAIN to userspace (and have it re-invocate the call) - either way the issue we cannot easily solve is that in 'map_mmio_regions' if we encounter an error we MUST call 'unmap_mmio_regions' for the whole BAR region. Since the preemption would re-use input fields such as nr_mfns, first_gfn, first_mfn - we would lose the original values - and only undo what was done in the current round (i.e. ignoring anything that was done prior to earlier preemptions). Unless we re-used the return value as 'EAGAIN|nr_mfns_done<<10' but that puts a limit (since the return value is a long) on the amount of nr_mfns that can provided. This patch sidesteps this problem by : - Setting an hard limit of nr_mfns having to be 64 or less. - Toolstack adjusts correspondingly to the nr_mfn limit. - If the there is an error when adding the toolstack will call the remove operation to remove the whole region. The need to break this hypercall down is for large BARs can take more than the guest (initial domain usually) time-slice. This has the negative result in that the guest is locked out for a long duration and is unable to act on any pending events. We also augment the code to return zero if nr_mfns instead of trying to the hypercall. Suggested-by: Jan Beulich This is CVE-2015-2752 / XSA-125. (CVE-2015-2752)
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 83482
    published 2015-05-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83482
    title OracleVM 3.3 : xen (OVMSA-2015-0057) (Venom)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201504-04.NASL
    description The remote host is affected by the vulnerability described in GLSA-201504-04 (Xen: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Xen. Please review the CVE identifiers referenced below for details. Impact : A local attacker could possibly cause a Denial of Service condition or obtain sensitive information. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2015-04-17
    plugin id 82734
    published 2015-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82734
    title GLSA-201504-04 : Xen: Multiple vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2015-434.NASL
    description Xen was updated to 4.4.2 to fix multiple vulnerabilities and non-security bugs. The following vulnerabilities were fixed : - CVE-2015-4103: Potential unintended writes to host MSI message data field via qemu (XSA-128) (boo#931625) - CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests (XSA-129) (boo#931626) - CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error messages (XSA-130) (boo#931627) - CVE-2015-4106: Unmediated PCI register access in qemu (XSA-131) (boo#931628) - CVE-2015-4164: DoS through iret hypercall handler (XSA-136) (boo#932996) - CVE-2015-4163: GNTTABOP_swap_grant_ref operation misbehavior (XSA-134) (boo#932790) - CVE-2015-3209: heap overflow in qemu pcnet controller allowing guest to host escape (XSA-135) (boo#932770) - CVE-2015-3456: Fixed a buffer overflow in the floppy drive emulation, which could be used to denial of service attacks or potential code execution against the host. () - CVE-2015-3340: Xen did not initialize certain fields, which allowed certain remote service domains to obtain sensitive information from memory via a (1) XEN_DOMCTL_gettscinfo or (2) XEN_SYSCTL_getdomaininfolist request. () - CVE-2015-2752: Long latency MMIO mapping operations are not preemptible (XSA-125 boo#922705) - CVE-2015-2756: Unmediated PCI command register access in qemu (XSA-126 boo#922706) - CVE-2015-2751: Certain domctl operations may be abused to lock up the host (XSA-127 boo#922709) - CVE-2015-2151: Hypervisor memory corruption due to x86 emulator flaw (boo#919464 XSA-123) - CVE-2015-2045: Information leak through version information hypercall (boo#918998 XSA-122) - CVE-2015-2044: Information leak via internal x86 system device emulation (boo#918995 (XSA-121) - CVE-2015-2152: HVM qemu unexpectedly enabling emulated VGA graphics backends (boo#919663 XSA-119) - CVE-2014-3615: information leakage when guest sets high resolution (boo#895528) The following non-security bugs were fixed : - xentop: Fix memory leak on read failure - boo#923758: xen dmesg contains bogus output in early boot - boo#921842: Xentop doesn't display disk statistics for VMs using qdisks - boo#919098: L3: XEN blktap device intermittently fails to connect - boo#882089: Windows 2012 R2 fails to boot up with greater than 60 vcpus - boo#903680: Problems with detecting free loop devices on Xen guest startup - boo#861318: xentop reports 'Found interface vif101.0 but domain 101 does not exist.' - boo#901488: Intel ixgbe driver assigns rx/tx queues per core resulting in irq problems on servers with a large amount of CPU cores - boo#910254: SLES11 SP3 Xen VT-d igb NIC doesn't work - boo#912011: high ping latency after upgrade to latest SLES11SP3 on xen Dom0 - boo#906689: let systemd schedule xencommons after network-online.target and remote-fs.target so that xendomains has access to remote shares The following functionality was enabled or enhanced : - Enable spice support in qemu for x86_64 - Add Qxl vga support - Enhancement to virsh/libvirtd 'send-key' command (FATE#317240) - Add domain_migrate_constraints_set API to Xend's http interface (FATE#317239)
    last seen 2019-02-21
    modified 2015-10-22
    plugin id 84333
    published 2015-06-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84333
    title openSUSE Security Update : xen (openSUSE-2015-434) (Venom)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-5295.NASL
    description Long latency MMIO mapping operations are not preemptible [XSA-125, CVE-2015-2752] Unmediated PCI command register access in qemu [XSA-126, CVE-2015-2756] Certain domctl operations may be abused to lock up the host [XSA-127, CVE-2015-2751] Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 82952
    published 2015-04-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82952
    title Fedora 22 : xen-4.5.0-7.fc22 (2015-5295)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-0701-1.NASL
    description Xen was updated 4.4.2_01 to address three security issues and functional bugs. The following vulnerabilities were fixed : - Long latency MMIO mapping operations are not preemptible (XSA-125, CVE-2015-2752, bnc#922705) - Unmediated PCI command register access in qemu (XSA-126, CVE-2015-2756, bnc#922706) - Certain domctl operations may be abused to lock up the host (XSA-127, CVE-2015-2751, bnc#922709) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 83714
    published 2015-05-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83714
    title SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2015:0701-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2015-435.NASL
    description Xen was updated to fix eight vulnerabilities. The following vulnerabilities were fixed : - CVE-2015-2751: Certain domctl operations may be abused to lock up the host (XSA-127 boo#922709) - CVE-2015-4103: Potential unintended writes to host MSI message data field via qemu (XSA-128) (boo#931625) - CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests (XSA-129) (boo#931626) - CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error messages (XSA-130) (boo#931627) - CVE-2015-4106: Unmediated PCI register access in qemu (XSA-131) (boo#931628) - CVE-2015-4163: GNTTABOP_swap_grant_ref operation misbehavior (XSA-134) (boo#932790) - CVE-2015-3209: heap overflow in qemu pcnet controller allowing guest to host escape (XSA-135) (boo#932770) - CVE-2015-4164: DoS through iret hypercall handler (XSA-136) (boo#932996)
    last seen 2019-02-21
    modified 2015-06-23
    plugin id 84334
    published 2015-06-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84334
    title openSUSE Security Update : xen (openSUSE-2015-435)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-1479-2.NASL
    description xen was updated to fix the following security issues : - CVE-2015-5165: QEMU leak of uninitialized heap memory in rtl8139 device model (bsc#939712, XSA-140) - CVE-2015-5166: Use after free in QEMU/Xen block unplug protocol (bsc#939709, XSA-139) - CVE-2015-2751: Certain domctl operations could have be used to lock up the host (bsc#922709, XSA-127) - CVE-2015-3259: xl command line config handling stack overflow (bsc#935634, XSA-137) - CVE-2015-4164: DoS through iret hypercall handler (bsc#932996, XSA-136) - CVE-2015-5154: Host code execution via IDE subsystem CD-ROM (bsc#938344) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 85792
    published 2015-09-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85792
    title SUSE SLED11 Security Update : xen (SUSE-SU-2015:1479-2)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-1479-1.NASL
    description xen was updated to fix the following security issues : - CVE-2015-5165: QEMU leak of uninitialized heap memory in rtl8139 device model (bsc#939712, XSA-140) - CVE-2015-5166: Use after free in QEMU/Xen block unplug protocol (bsc#939709, XSA-139) - CVE-2015-2751: Certain domctl operations could have be used to lock up the host (bsc#922709, XSA-127) - CVE-2015-3259: xl command line config handling stack overflow (bsc#935634, XSA-137) - CVE-2015-4164: DoS through iret hypercall handler (bsc#932996, XSA-136) - CVE-2015-5154: Host code execution via IDE subsystem CD-ROM (bsc#938344) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 85791
    published 2015-09-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85791
    title SUSE SLED11 / SLES11 Security Update : xen (SUSE-SU-2015:1479-1)
refmap via4
bid 73443
confirm http://xenbits.xen.org/xsa/advisory-127.html
fedora
  • FEDORA-2015-5208
  • FEDORA-2015-5295
  • FEDORA-2015-5402
gentoo GLSA-201504-04
sectrack 1031997
suse SUSE-SU-2015:0923
Last major update 02-01-2017 - 21:59
Published 01-04-2015 - 10:59
Last modified 30-10-2018 - 12:26
Back to Top