ID CVE-2016-5242
Summary The p2m_teardown function in arch/arm/p2m.c in Xen 4.4.x through 4.6.x allows local guest OS users with access to the driver domain to cause a denial of service (NULL pointer dereference and host OS crash) by creating concurrent domains and holding references to them, related to VMID exhaustion.
References
Vulnerable Configurations
  • Xen 4.6.1
    cpe:2.3:o:xen:xen:4.6.1
  • Xen 4.6.0
    cpe:2.3:o:xen:xen:4.6.0
  • Xen 4.5.3
    cpe:2.3:o:xen:xen:4.5.3
  • Xen 4.5.2
    cpe:2.3:o:xen:xen:4.5.2
  • Xen 4.5.1
    cpe:2.3:o:xen:xen:4.5.1
  • Xen 4.5.0
    cpe:2.3:o:xen:xen:4.5.0
  • Xen 4.4.4
    cpe:2.3:o:xen:xen:4.4.4
  • Xen 4.4.3
    cpe:2.3:o:xen:xen:4.4.3
  • Xen 4.4.2
    cpe:2.3:o:xen:xen:4.4.2
  • Xen 4.4.1
    cpe:2.3:o:xen:xen:4.4.1
  • Xen 4.4.0 release candidate 1
    cpe:2.3:o:xen:xen:4.4.0:rc1
  • Xen 4.4.0
    cpe:2.3:o:xen:xen:4.4.0
CVSS
Base: 4.7 (as of 14-06-2016 - 09:37)
Impact:
Exploitability:
Access
  Vector: LOCAL
  Complexity: MEDIUM
  Authentication: NONE
Impact
  Confidentiality: NONE
  Integrity: NONE
  Availability: COMPLETE
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3633.NASL
    description Multiple vulnerabilities have been discovered in the Xen hypervisor. The Common Vulnerabilities and Exposures project identifies the following problems:
      • CVE-2015-8338 Julien Grall discovered that Xen on ARM was susceptible to denial of service via long running memory operations.
      • CVE-2016-4480 Jan Beulich discovered that incorrect page table handling could result in privilege escalation inside a Xen guest instance.
      • CVE-2016-4962 Wei Liu discovered multiple cases of missing input sanitising in libxl which could result in denial of service.
      • CVE-2016-5242 Aaron Cornelius discovered that incorrect resource handling on ARM systems could result in denial of service.
      • CVE-2016-6258 Jeremie Boutoille discovered that incorrect pagetable handling in PV instances could result in guest to host privilege escalation.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 92614
    published 2016-07-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92614
    title Debian DSA-3633-1 : xen - security update (Bunker Buster)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-103752D2A9.NASL
    description
      • Qemu: scsi: esp: OOB r/w access while processing ESP_FIFO [CVE-2016-5338] (#1343323)
      • Qemu: scsi: megasas: information leakage in megasas_ctrl_get_info [CVE-2016-5337] (#1343909)
      ----
      • fix for CVE-2016-2858 doesn't build with qemu-xen enabled
      • Unsanitised guest input in libxl device handling code [XSA-175, CVE-2016-4962] (#1342132)
      • Unsanitised driver domain input in libxl device handling [XSA-178, CVE-2016-4963] (#1342131)
      • arm: Host crash caused by VMID exhaust [XSA-181] (#1342530)
      • Qemu: display: vmsvga: out-of-bounds read in vmsvga_fifo_read_raw() routine [CVE-2016-4454] (#1340741)
      • Qemu: display: vmsvga: infinite loop in vmsvga_fifo_run() routine [CVE-2016-4453] (#1340746)
      • Qemu: scsi: esp: OOB write when using non-DMA mode in get_cmd [CVE-2016-5238] (#1341931)
    Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-18
    plugin id 92059
    published 2016-07-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92059
    title Fedora 23 : xen (2016-103752d2a9)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-389BE30B95.NASL
    description
      • fix for CVE-2016-2858 doesn't build with qemu-xen enabled
      • Unsanitised guest input in libxl device handling code [XSA-175, CVE-2016-4962] (#1342132)
      • Unsanitised driver domain input in libxl device handling [XSA-178, CVE-2016-4963] (#1342131)
      • arm: Host crash caused by VMID exhaust [XSA-181] (#1342530)
      • Qemu: display: vmsvga: out-of-bounds read in vmsvga_fifo_read_raw() routine [CVE-2016-4454] (#1340741)
      • Qemu: display: vmsvga: infinite loop in vmsvga_fifo_run() routine [CVE-2016-4453] (#1340746)
      • Qemu: scsi: esp: OOB write when using non-DMA mode in get_cmd [CVE-2016-5238] (#1341931)
    Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-18
    plugin id 92081
    published 2016-07-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92081
    title Fedora 24 : xen (2016-389be30b95)
refmap via4
bid 91015
confirm http://xenbits.xen.org/xsa/advisory-181.html
debian DSA-3633
sectrack 1036035
Last major update 28-11-2016 - 15:23
Published 07-06-2016 - 10:06