ID CVE-2017-7228
Summary An issue (known as XSA-212) was discovered in Xen, with fixes available for 4.8.x, 4.7.x, 4.6.x, 4.5.x, and 4.4.x. The earlier XSA-29 fix introduced an insufficient check on XENMEM_exchange input, allowing the caller to drive hypervisor memory accesses outside of the guest provided input/output arrays.
References
Vulnerable Configurations
  • Xen
    cpe:2.3:o:xen:xen
CVSS
Base: 7.2 (as of 11-04-2017 - 09:24)
Impact:
Exploitability:
CWE CWE-284
CAPEC
  • Embedding Scripts within Scripts
    An attack of this type exploits a program's vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side; client side scripts like Ajax and client side JavaScript can contain malicious scripts as well. In general, all that is required is that there are sufficient privileges to execute a script while the script is not protected against writing.
  • Signature Spoofing by Key Theft
    An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
Vector: LOCAL
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: COMPLETE
Integrity: COMPLETE
Availability: COMPLETE
exploit-db via4
description Xen - Broken Check in 'memory_exchange()' Permits PV Guest Breakout. CVE-2017-7228. Local exploit for Multiple platform. Tags: Local
file exploits/multiple/local/41870.txt
id EDB-ID:41870
last seen 2017-04-12
modified 2017-04-11
platform multiple
port
published 2017-04-11
reporter Exploit-DB
source https://www.exploit-db.com/download/41870/
title Xen - Broken Check in 'memory_exchange()' Permits PV Guest Breakout
type local
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-907.NASL
    description CVE-2017-7228 (XSA-212) An insufficient check on XENMEM_exchange may allow PV guests to access all of system memory. For Debian 7 'Wheezy', these problems have been fixed in version 4.1.6.lts1-6. We recommend that you upgrade your xen packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-09
    plugin id 99601
    published 2017-04-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99601
    title Debian DLA-907-1 : xen security update
  • NASL family Misc.
    NASL id XEN_SERVER_XSA-212.NASL
    description According to its self-reported version number, the Xen hypervisor installed on the remote host is affected by an out-of-array memory access error in the memory_exchange() function in file common/memory.c due to improper checking of XENMEM_exchange input. An attacker on a 64-bit PV guest VM who has administrative privileges can exploit this issue to access arbitrary system memory locations, which can then be potentially used for further compromising the host. Note that Nessus has checked the changeset versions based on the xen.git change log. Nessus did not check guest hardware configurations or if patches were applied manually to the source code before a recompile and reinstall.
    last seen 2019-02-21
    modified 2018-08-07
    plugin id 99399
    published 2017-04-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99399
    title Xen Hypervisor XENMEM_exchange Memory Disclosure (XSA-212)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3847.NASL
    description Jan Beulich and Jann Horn discovered multiple vulnerabilities in the Xen hypervisor, which may lead to privilege escalation, guest-to-host breakout, denial of service or information leaks. In addition to the CVE identifiers listed above, this update also addresses the vulnerabilities announced as XSA-213, XSA-214 and XSA-215.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 100071
    published 2017-05-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100071
    title Debian DSA-3847-1 : xen - security update
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_90BECF7C1ACF11E7970F002590263BF5.NASL
    description The Xen Project reports : The XSA-29 fix introduced an insufficient check on XENMEM_exchange input, allowing the caller to drive hypervisor memory accesses outside of the guest provided input/output arrays. A malicious or buggy 64-bit PV guest may be able to access all of system memory, allowing for all of privilege escalation, host crashes, and information leaks.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 99240
    published 2017-04-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99240
    title FreeBSD : xen-kernel -- broken check in memory_exchange() permits PV guest breakout (90becf7c-1acf-11e7-970f-002590263bf5)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1080-1.NASL
    description This update for xen fixes the following issues. These security issues were fixed:
    - CVE-2017-7228: Broken check in memory_exchange() permitted PV guest breakout (bsc#1030442).
    - XSA-206: Unprivileged guests issuing writes to xenstore were able to stall progress of the control domain or driver domain, possibly leading to a Denial of Service (DoS) of the entire host (bsc#1030144).
    - CVE-2017-6505: The ohci_service_ed_list function in hw/usb/hcd-ohci.c allowed local guest OS users to cause a denial of service (infinite loop) via vectors involving the number of link endpoint list descriptors (bsc#1028235).
    - CVE-2017-6414: Memory leak in the vcard_apdu_new function in card_7816.c in libcacard allowed local guest OS users to cause a denial of service (host memory consumption) via vectors related to allocating a new APDU object (bsc#1027570).
    - CVE-2017-2633: The VNC display driver support was vulnerable to an out-of-bounds memory access issue. A user/process inside the guest could use this flaw to cause DoS (bsc#1026636).
    - CVE-2016-9603: A privileged user within the guest VM can cause a heap overflow in the device model process, potentially escalating their privileges to that of the device model process (bsc#1028655).
    The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 99579
    published 2017-04-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99579
    title SUSE SLES12 Security Update : xen (SUSE-SU-2017:1080-1)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2017-0153.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0153 for details.
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 103830
    published 2017-10-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103830
    title OracleVM 3.4 : xen (OVMSA-2017-0153)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1081-1.NASL
    description This update for xen fixes the following issues. These security issues were fixed:
    - CVE-2017-7228: Broken check in memory_exchange() permitted PV guest breakout (bsc#1030442).
    - XSA-206: Unprivileged guests issuing writes to xenstore were able to stall progress of the control domain or driver domain, possibly leading to a Denial of Service (DoS) of the entire host (bsc#1030144).
    - CVE-2016-9603: A privileged user within the guest VM can cause a heap overflow in the device model process, potentially escalating their privileges to that of the device model process (bsc#1028655).
    - CVE-2017-6414: Memory leak in the vcard_apdu_new function in card_7816.c in libcacard allowed local guest OS users to cause a denial of service (host memory consumption) via vectors related to allocating a new APDU object (bsc#1027570).
    - CVE-2017-6505: The ohci_service_ed_list function in hw/usb/hcd-ohci.c allowed local guest OS users to cause a denial of service (infinite loop) via vectors involving the number of link endpoint list descriptors (bsc#1028235).
    - CVE-2017-2633: The VNC display driver support was vulnerable to an out-of-bounds memory access issue. A user/process inside the guest could use this flaw to cause DoS (bsc#1026636).
    The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 99580
    published 2017-04-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99580
    title SUSE SLES11 Security Update : xen (SUSE-SU-2017:1081-1)
  • NASL family Misc.
    NASL id CITRIX_XENSERVER_CTX222565.NASL
    description The version of Citrix XenServer installed on the remote host is missing a security hotfix. It is, therefore, affected by multiple vulnerabilities:
    - A flaw exists when invoking the instruction emulator that is triggered during the handling of SYSCALL by single-stepping applications. A local attacker can exploit this to execute code with elevated privileges on the guest. (CVE-2016-10013)
    - An out-of-array memory access error exists in the memory_exchange() function within file common/memory.c due to improper checking of XENMEM_exchange input. An attacker on a 64-bit PV guest VM who has administrative privileges can exploit this issue to access arbitrary system memory locations, which can then be potentially used for further compromising the host. (CVE-2017-7228)
    - A memory leak issue exists due to improper cleanup being performed during guest destruction. An attacker on the guest can exploit this, by repeatedly rebooting, to exhaust memory on the host system, resulting in a denial of service condition.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 99377
    published 2017-04-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99377
    title Citrix XenServer multiple vulnerabilities (CTX222565)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2018-0248.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0248 for details.
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 111992
    published 2018-08-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111992
    title OracleVM 3.4 : xen (OVMSA-2018-0248) (Bunker Buster) (Foreshadow) (Meltdown) (POODLE) (Spectre)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2017-0095.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0095 for details.
    last seen 2019-02-21
    modified 2018-09-10
    plugin id 99976
    published 2017-05-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99976
    title OracleVM 3.3 : xen (OVMSA-2017-0095)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-492.NASL
    description This update for xen to version 4.7.2 fixes the following issues. These security issues were fixed:
    - CVE-2017-7228: Broken check in memory_exchange() permitted PV guest breakout (bsc#1030442).
    - XSA-206: Unprivileged guests issuing writes to xenstore were able to stall progress of the control domain or driver domain, possibly leading to a Denial of Service (DoS) of the entire host (bsc#1030144).
    - CVE-2017-6505: The ohci_service_ed_list function in hw/usb/hcd-ohci.c allowed local guest OS users to cause a denial of service (infinite loop) via vectors involving the number of link endpoint list descriptors (bsc#1028235).
    These non-security issues were fixed:
    - bsc#1015348: libvirtd did not start during boot
    - bsc#1014136: kdump couldn't dump a kernel on SLES12-SP2 with Xen hypervisor.
    - bsc#1026236: Fixed paravirtualized performance
    - bsc#1022555: Timeout in 'execution of /etc/xen/scripts/block add'
    - bsc#1029827: Forward port xenstored
    - bsc#1029128: Make xen really produce xen.efi with gcc48
    This update was imported from the SUSE:SLE-12-SP2:Update update project.
    last seen 2019-02-21
    modified 2018-01-26
    plugin id 99559
    published 2017-04-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99559
    title openSUSE Security Update : xen (openSUSE-2017-492)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-0983-1.NASL
    description This update for xen to version 4.7.2 fixes the following issues. These security issues were fixed:
    - CVE-2017-7228: Broken check in memory_exchange() permitted PV guest breakout (bsc#1030442).
    - XSA-206: Unprivileged guests issuing writes to xenstore were able to stall progress of the control domain or driver domain, possibly leading to a Denial of Service (DoS) of the entire host (bsc#1030144).
    - CVE-2017-6505: The ohci_service_ed_list function in hw/usb/hcd-ohci.c allowed local guest OS users to cause a denial of service (infinite loop) via vectors involving the number of link endpoint list descriptors (bsc#1028235).
    The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 99302
    published 2017-04-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99302
    title SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2017:0983-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-054729AB08.NASL
    description Qemu: 9pfs: host memory leakage via v9fs_create [CVE-2017-7377] (#1437873) x86: broken check in memory_exchange() permits PV guest breakout [XSA-212, CVE-2017-7228] (#1438804) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-05
    plugin id 99256
    published 2017-04-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99256
    title Fedora 25 : xen (2017-054729ab08)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1058-1.NASL
    description This update for xen fixes the following security issues:
    - CVE-2017-7228: Broken check in memory_exchange() permitted PV guest breakout (bsc#1030442).
    - CVE-2017-6414: Memory leak in the vcard_apdu_new function in card_7816.c in libcacard allowed local guest OS users to cause a denial of service (host memory consumption) via vectors related to allocating a new APDU object (bsc#1027570).
    - CVE-2017-6505: The ohci_service_ed_list function in hw/usb/hcd-ohci.c allowed local guest OS users to cause a denial of service (infinite loop) via vectors involving the number of link endpoint list descriptors (bsc#1028235).
    Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 99507
    published 2017-04-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99507
    title SUSE SLES11 Security Update : xen (SUSE-SU-2017:1058-1)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2017-0142.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0142 for details.
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 102835
    published 2017-08-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102835
    title OracleVM 3.4 : xen (OVMSA-2017-0142)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2017-0094.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates:
    - x86: correct create_bounce_frame (Boris Ostrovsky) [Orabug: 25927745]
    - x86: discard type information when stealing pages (Boris Ostrovsky)
    - multicall: deal with early exit conditions (Boris Ostrovsky) [Orabug: 25927612]
    - kexec: Add spinlock for the whole hypercall. (Konrad Rzeszutek Wilk)
    - kexec: clear kexec_image slot when unloading kexec image (Bhavesh Davda) [Orabug: 25861731]
    - memory: properly check guest memory ranges in XENMEM_exchange handling (Jan Beulich) [Orabug: 25760559] (CVE-2017-7228)
    - xenstored: Log when the write transaction rate limit bites (Ian Jackson) [Orabug: 25745225]
    - xenstored: apply a write transaction rate limit (Ian Jackson)
    - xm: Fix the error message displayed by 'xm create ...' (Venu Busireddy) [Orabug: 25721696]
    - xm: expand pci hidden devices tools (Venu Busireddy) [Orabug: 25721624]
    - xend: fix vif device ID allocation (Zhigang Wang) [Orabug: 25692157]
    - xend: fix waitForSuspend (Zhigang Wang) [Orabug: 25638583] [Orabug: 25653480]
    - IOMMU: always call teardown callback (Oleksandr Tyshchenko) [Orabug: 25485193]
    - one-off build
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 99975
    published 2017-05-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99975
    title OracleVM 3.4 : xen (OVMSA-2017-0094)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2017-0096.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0096 for details.
    last seen 2019-02-21
    modified 2018-09-10
    plugin id 99977
    published 2017-05-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99977
    title OracleVM 3.2 : xen (OVMSA-2017-0096)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-03DC811BE6.NASL
    description Qemu: 9pfs: host memory leakage via v9fs_create [CVE-2017-7377] (#1437873) ---- add additional patch for [XSA-206] (#1436690) ---- xenstore denial of service via repeated update [XSA-206] (#1436690) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-01
    plugin id 99405
    published 2017-04-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99405
    title Fedora 24 : xen (2017-03dc811be6)
refmap via4
bid 97375
confirm
debian DSA-3847
exploit-db 41870
misc https://googleprojectzero.blogspot.com/2017/04/pandavirtualization-exploiting-xen.html
sectrack 1038223
Last major update 11-04-2017 - 21:59
Published 04-04-2017 - 10:59
Last modified 03-11-2017 - 21:29