ID CVE-2017-17044
Summary An issue was discovered in Xen through 4.9.x allowing HVM guest OS users to cause a denial of service (infinite loop and host OS hang) by leveraging the mishandling of Populate on Demand (PoD) errors.
References
Vulnerable Configurations
  • Xen 4.9.1
    cpe:2.3:o:xen:xen:4.9.1
CVSS
Base: 4.9
Impact:
Exploitability:
CWE CWE-19
CAPEC
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • XML Nested Payloads
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By nesting XML data and causing this data to be continuously self-referential, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization. An attacker's goal is to leverage parser failure to his or her advantage. In most cases this type of an attack will result in a denial of service due to an application becoming unstable, freezing, or crash. However it may be possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.230.1].
  • XML Oversized Payloads
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By supplying oversized payloads in input vectors that will be processed by the XML parser, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization, and potentially cause execution of arbitrary code. An attacker's goal is to leverage parser failure to his or her advantage. In many cases this type of an attack will result in a denial of service due to an application becoming unstable, freezing, or crash. However it is possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.231.1].
  • XML Client-Side Attack
    Client applications such as web browsers that process HTML data often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.484.1]
  • XML Parser Attack
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.99.1]
nessus via4
  • NASL family Misc.
    NASL id XEN_SERVER_XSA-246.NASL
    description According to its self-reported version number, the Xen hypervisor installed on the remote host is affected by an infinite loop guest-to-host denial of service vulnerability. This issue only affects x86 systems that have 2MiB or 1GiB HAP pages enabled. ARM systems are not affected. x86 PV VMs can not trigger this vulnerability. Note that Nessus has checked the changeset versions based on the xen.git change log. Nessus did not check guest hardware configurations or if patches were applied manually to the source code before a recompile and reinstall.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 104898
    published 2017-11-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104898
    title Xen Hypervisor Infinite Loop Guest-to-Host DoS (XSA-246)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2017-0176.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - BUILDINFO: OVMF commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8 - BUILDINFO: xen commit=b90f0a4fa66aea67e743c393ba307612a2fec379 - BUILDINFO: QEMU upstream commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff - BUILDINFO: QEMU traditional commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba - BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e - BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee - p2m: Check return value of p2m_set_entry when decreasing reservation (George Dunlap) [Orabug: 27216264] (CVE-2017-17045) - p2m: Always check to see if removing a p2m entry actually worked (George Dunlap) [Orabug: 27216264] (CVE-2017-17045) - x86/pod: prevent infinite loop when shattering large pages (Julien Grall) [Orabug: 27216261] (CVE-2017-17044) - xen/physmap: Do not permit a guest to populate PoD pages for itself (Elena Ufimtseva) [Orabug: 27216261] (CVE-2017-17044) - xend/pxm: Include pxm in XenStore when hotplugging PCI devices (Konrad Rzeszutek Wilk) [Orabug: 27206706] - BUILDINFO: OVMF commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8 - BUILDINFO: xen commit=2f4972e50ebd2a470b19bfdb1fc6ce91e77614e0 - BUILDINFO: QEMU upstream commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff - BUILDINFO: QEMU traditional commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba - BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e - BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee - vNUMA: assign vcpus to nodes by interleaving (Elena Ufimtseva) - BUILDINFO: OVMF commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8 - BUILDINFO: xen commit=c9c2df2dc87e18c9dcf584aedf859ab50b62883a - BUILDINFO: QEMU upstream commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff - BUILDINFO: QEMU traditional commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba - BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e - BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee - vNUMA: disable vNUMA if fail to find vcpus for pinning (Elena Ufimtseva) [Orabug: 27091931] - BUILDINFO: OVMF commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8 - BUILDINFO: xen commit=fe4d54f49f8cf07f9e9d8077b7c85d287fb5c90c - BUILDINFO: QEMU upstream commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff - BUILDINFO: QEMU traditional commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba - BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e - BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee - x86/shadow: correct SH_LINEAR mapping detection in sh_guess_wrmap (Andrew Cooper) [Orabug: 27148184] (CVE-2017-15592) (CVE-2017-15592) - x86: don't wrongly trigger linear page table assertion (Jan Beulich) [Orabug: 27148179] (CVE-2017-15595) - BUILDINFO: OVMF commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8 - BUILDINFO: xen commit=b67a2d04c74002cceabfa76612a27fd1cf3f2b29 - BUILDINFO: QEMU upstream commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff - BUILDINFO: QEMU traditional commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba - BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e - BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee - vNUMA: fix cpus assignment in manual vNUMA mode. (Elena Ufimtseva)
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 105249
    published 2017-12-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105249
    title OracleVM 3.4 : xen (OVMSA-2017-0176)
  • NASL family Misc.
    NASL id CITRIX_XENSERVER_CTX230138.NASL
    description The version of Citrix XenServer installed on the remote host is missing a security hotfix. It is, therefore, affected by multiple vulnerabilities as noted in the CTX230138 advisory.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 105083
    published 2017-12-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105083
    title Citrix XenServer Multiple Vulnerabilities (CTX230138)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-4BFCD57172.NASL
    description xen: various flaws (#1518214) x86: infinite loop due to missing PoD error checking [XSA-246] Missing p2m error checking in PoD code [XSA-247] Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-01
    plugin id 105869
    published 2018-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105869
    title Fedora 27 : xen (2017-4bfcd57172)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2018-0005.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0005 for details.
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 105717
    published 2018-01-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105717
    title OracleVM 3.4 : xen (OVMSA-2018-0005) (Meltdown) (Spectre)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2018-0248.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0248 for details.
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 111992
    published 2018-08-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111992
    title OracleVM 3.4 : xen (OVMSA-2018-0248) (Bunker Buster) (Foreshadow) (Meltdown) (POODLE) (Spectre)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-16A414B3C5.NASL
    description another patch related to the [XSA-240, CVE-2017-15595] issue xen: various flaws (#1525018) x86 PV guests may gain access to internally used page [XSA-248] broken x86 shadow mode refcount overflow check [XSA-249] improper x86 shadow mode refcount error handling [XSA-250] improper bug check in x86 log-dirty handling [XSA-251] ---- xen: various flaws (#1518214) x86: infinite loop due to missing PoD error checking [XSA-246] Missing p2m error checking in PoD code [XSA-247] Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-01
    plugin id 105511
    published 2018-01-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105511
    title Fedora 26 : xen (2017-16a414b3c5)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2017-0177.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - Due to the history performance reason, we decide to disable PoD feature in old OVM product.XSA-246,XSA-247 [bug 27121016] (CVE-2017-17044, CVE-2017-17045) - From 2a99aa99fc84a45f505f84802af56b006d14c52e Mon Sep 17 00:00:00 2001 From: Andrew Cooper Date: Fri, 19 Aug 2016 15:08:10 +0100 Subject: [PATCH] xen/physmap: Do not permit a guest to populate PoD pages for itself PoD is supposed to be entirely transparent to guest, but this interface has been left exposed for a long time. The use of PoD requires careful co-ordination by the toolstack with the XENMEM_[get,set]_pod_target hypercalls, and xenstore ballooning target. The best a guest can do without toolstack cooperation crash. Furthermore, there are combinations of features (e.g. c/s c63868ff 'libxl: disallow PCI device assignment for HVM guest when PoD is enabled') which a toolstack might wish to explicitly prohibit (in this case, because the two simply don't function in combination). In such cases, the guest mustn't be able to subvert the configuration chosen by the toolstack. Conflict: xen/common/memory.c - x86/shadow: correct SH_LINEAR mapping detection in sh_guess_wrmap The fix for XSA-243 / CVE-2017-15592 (c/s bf2b4eadcf379) introduced a change in behaviour for sh_guest_wrmap, where it had to cope with no shadow linear mapping being present. As the name suggests, guest_vtable is a mapping of the guests pagetable, not Xen's pagetable, meaning that it isn't the pagetable we need to check for the shadow linear slot in. The practical upshot is that a shadow HVM vcpu which switches into 4-level paging mode, with an L4 pagetable that contains a mapping which aliases Xen's SH_LINEAR_PT_VIRT_START will fool the safety check for whether a SHADOW_LINEAR mapping is present. As the check passes (when it should have failed), Xen subsequently falls over the missing mapping with a pagefault such as: (XEN) Pagetable walk from ffff8140a0503880: (XEN) L4[0x102] = 000000046c218063 ffffffffffffffff (XEN) L3[0x102] = 000000046c218063 ffffffffffffffff (XEN) L2[0x102] = 000000046c218063 ffffffffffffffff (XEN) L1[0x103] = 0000000000000000 ffffffffffffffff This is part of XSA-243. (CVE-2017-15592)
    last seen 2019-02-21
    modified 2018-07-25
    plugin id 105250
    published 2017-12-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105250
    title OracleVM 3.3 : xen (OVMSA-2017-0177)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2017-0178.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - From 2a99aa99fc84a45f505f84802af56b006d14c52e Mon Sep 17 00:00:00 2001 From: Andrew Cooper Date: Fri, 19 Aug 2016 15:08:10 +0100 Subject: [PATCH] xen/physmap: Do not permit a guest to populate PoD pages for itself PoD is supposed to be entirely transparent to guest, but this interface has been left exposed for a long time. The use of PoD requires careful co-ordination by the toolstack with the XENMEM_[get,set]_pod_target hypercalls, and xenstore ballooning target. The best a guest can do without toolstack cooperation crash. Furthermore, there are combinations of features (e.g. c/s c63868ff 'libxl: disallow PCI device assignment for HVM guest when PoD is enabled') which a toolstack might wish to explicitly prohibit (in this case, because the two simply don't function in combination). In such cases, the guest mustn't be able to subvert the configuration chosen by the toolstack. Conflict: xen/common/memory.c - Due to the history performance reason, we decide to disable PoD feature in old OVM product. Please don't set maxmem>memory XSA-246,XSA-247 [bug 27120669] (CVE-2017-17044, CVE-2017-17045) - x86/shadow: correct SH_LINEAR mapping detection in sh_guess_wrmap The fix for XSA-243 / CVE-2017-15592 (c/s bf2b4eadcf379) introduced a change in behaviour for sh_guest_wrmap, where it had to cope with no shadow linear mapping being present. As the name suggests, guest_vtable is a mapping of the guests pagetable, not Xen's pagetable, meaning that it isn't the pagetable we need to check for the shadow linear slot in. The practical upshot is that a shadow HVM vcpu which switches into 4-level paging mode, with an L4 pagetable that contains a mapping which aliases Xen's SH_LINEAR_PT_VIRT_START will fool the safety check for whether a SHADOW_LINEAR mapping is present. As the check passes (when it should have failed), Xen subsequently falls over the missing mapping with a pagefault such as: (XEN) Pagetable walk from ffff8140a0503880: (XEN) L4[0x102] = 000000046c218063 ffffffffffffffff (XEN) L3[0x102] = 000000046c218063 ffffffffffffffff (XEN) L2[0x102] = 000000046c218063 ffffffffffffffff (XEN) L1[0x103] = 0000000000000000 ffffffffffffffff This is part of XSA-243. (CVE-2017-15592) - dpci: Fix a race during unbinding of MSI interrupt The check of hvm_irq_dpci->mapping and read of flags are not protected in same critical area, so the unbind of MSI interrupt may intercepts between them. Like below scene: CPU0 CPU1 ---- ---- hvm_do_IRQ_dpci !test_bit(mirq, dpci->mapping)) return 0 spin_lock(&d->event_lock) hvm_irq_dpci->mirq[machine_gsi].flags = 0 clear_bit(machine_gsi, hvm_irq_dpci->mapping) spin_unlock(&d->event_lock) hvm_dirq_assist spin_lock(&d->event_lock) if ( pt_irq_need_timer(hvm_irq_dpci->mirq[pirq].flags)) set_timer spin_unlock(&d->event_lock) Then set_timer is mistakenly called which access uninitialized timer struct. Then page fault happen and a backtrace like below: (XEN) Xen call trace: (XEN) [] set_timer+0x92/0x170 (XEN) [] hvm_dirq_assist+0x1c3/0x1e0 (XEN) [] do_tasklet_work_percpu+0x7f/0x120 (XEN) [] __do_softirq+0x65/0x90 (XEN) [] process_softirqs+0x6/0x10 (XEN) (XEN) Pagetable walk from 0000000000000008: (XEN) L4[0x000] = 0000002104cc1067 0000000000289430 (XEN) L3[0x000] = 000000212ecd8067 00000000002b3447 (XEN) L2[0x000] = 0000000000000000 ffffffffffffffff (XEN) (XEN) **************************************** (XEN) Panic on CPU 41: (XEN) FATAL PAGE FAULT (XEN) [error_code=0002] (XEN) Faulting linear address: 0000000000000008 (XEN) **************************************** This issue is OVM3.2 only as OVM3.3 or above already has similar fix in pt_pirq_iterate
    last seen 2019-02-21
    modified 2018-07-25
    plugin id 105251
    published 2017-12-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105251
    title OracleVM 3.2 : xen (OVMSA-2017-0178)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201801-14.NASL
    description The remote host is affected by the vulnerability described in GLSA-201801-14 (Xen: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Xen. Please review the referenced CVE identifiers for details. Impact : A local attacker could potentially execute arbitrary code with the privileges of the Xen (QEMU) process on the host, gain privileges on the host system, or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-01-26
    plugin id 106038
    published 2018-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106038
    title GLSA-201801-14 : Xen: Multiple vulnerabilities
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-4050.NASL
    description Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, information leaks, privilege escalation or the execution of arbitrary code.
    last seen 2019-02-21
    modified 2018-11-13
    plugin id 104819
    published 2017-11-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104819
    title Debian DSA-4050-1 : xen - security update
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-1559.NASL
    description Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, informations leaks or privilege escalation. For Debian 8 'Jessie', these problems have been fixed in version 4.4.4lts3-0+deb8u1. We recommend that you upgrade your xen packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-10-31
    plugin id 118503
    published 2018-10-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118503
    title Debian DLA-1559-1 : xen security update
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-1230.NASL
    description Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, information leaks, privilege escalation or the execution of arbitrary code. For Debian 7 'Wheezy', these problems have been fixed in version 4.1.6.lts1-11. We recommend that you upgrade your xen packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-09
    plugin id 105621
    published 2018-01-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105621
    title Debian DLA-1230-1 : xen security update
refmap via4
bid
  • 102008
  • 102129
  • 105954
confirm
gentoo GLSA-201801-14
mlist
  • [debian-lts-announce] 20180105 [SECURITY] [DLA 1230-1] xen security update
  • [debian-lts-announce] 20181030 [SECURITY] [DLA 1559-1] xen security update
sectrack 1039878
Last major update 28-11-2017 - 18:29
Published 28-11-2017 - 18:29
Last modified 20-11-2018 - 06:29
Back to Top