ID CVE-2018-12891
Summary An issue was discovered in Xen through 4.10.x. Certain PV MMU operations may take a long time to process. For that reason Xen explicitly checks for the need to preempt the current vCPU at certain points. A few rarely taken code paths did bypass such checks. By suitably enforcing the conditions through its own page table contents, a malicious guest may cause such bypasses to be used for an unbounded number of iterations. A malicious or buggy PV guest may cause a Denial of Service (DoS) affecting the entire host. Specifically, it may prevent use of a physical CPU for an indeterminate period of time. All Xen versions from 3.4 onwards are vulnerable. Xen versions 3.3 and earlier are vulnerable to an even wider class of attacks, due to them lacking preemption checks altogether in the affected code paths. Only x86 systems are affected. ARM systems are not affected. Only multi-vCPU x86 PV guests can leverage the vulnerability. x86 HVM or PVH guests as well as x86 single-vCPU PV ones cannot leverage the vulnerability.
References
Vulnerable Configurations
  • Debian Linux 8.0 (Jessie)
    cpe:2.3:o:debian:debian_linux:8.0
  • Debian Linux 9.0
    cpe:2.3:o:debian:debian_linux:9.0
  • Xen 4.10.1
    cpe:2.3:o:xen:xen:4.10.1
CVSS
Base: 4.9
Impact:
Exploitability:
CWE CWE-399
CAPEC
nessus via4
  • NASL family Misc.
    NASL id XEN_SERVER_XSA-264.NASL
    description According to its self-reported version number, the Xen hypervisor installed on the remote host is affected by a local denial of service vulnerability. Note that Nessus has checked the changeset versions based on the xen.git change log. Nessus did not check guest hardware configurations or if patches were applied manually to the source code before a recompile and reinstall.
    last seen 2019-02-21
    modified 2018-12-07
    plugin id 111379
    published 2018-07-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111379
    title Xen Project x86 Paravirtualization Local DoS (XSA-264)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2081-2.NASL
    description This update for xen fixes the following issues : Security issues fixed : CVE-2018-12891: Fix preemption checks bypass in x86 PV MM handling (XSA-264) (bsc#1097521). CVE-2018-12892: Fix libxl failure to honour readonly flag on HVM emulated SCSI disks (XSA-266) (bsc#1097523). CVE-2018-12893: Fix #DB exception safety check that could be triggered by a guest (XSA-265) (bsc#1097522). CVE-2018-11806: Fix heap buffer overflow while reassembling fragmented datagrams (bsc#1096224). CVE-2018-3665: Fix lazy FP Save/Restore (XSA-267) (bsc#1095242). Bug fixes: bsc#1027519: Update to Xen 4.7.6 bug fix only release. bsc#1087289: Xen BUG at sched_credit.c:1663. bsc#1094725: `virsh blockresize` does not work with Xen qdisks. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 118277
    published 2018-10-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118277
    title SUSE SLES12 Security Update : xen (SUSE-SU-2018:2081-2)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-803.NASL
    description This update for xen fixes the following issues : Security issues fixed : - CVE-2018-3665: Fix Lazy FP Save/Restore issue (XSA-267) (bsc#1095242). - CVE-2018-12891: Fix possible Denial of Service (DoS) via certain PV MMU operations that affect the entire host (XSA-264) (bsc#1097521). - CVE-2018-12892: Fix libxl to honour the readonly flag on HVM emulated SCSI disks (XSA-266) (bsc#1097523). - CVE-2018-12893: Fix crash/Denial of Service (DoS) via safety check (XSA-265) (bsc#1097522). - CVE-2018-11806: Fix heap buffer overflow while reassembling fragmented datagrams (bsc#1096224). Bug fixes : - bsc#1027519: Add upstream patches from January. - bsc#1087289: Fix xen scheduler crash. This update was imported from the SUSE:SLE-12-SP3:Update update project.
    last seen 2019-02-21
    modified 2018-09-06
    plugin id 111565
    published 2018-08-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111565
    title openSUSE Security Update : xen (openSUSE-2018-803)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-4236.NASL
    description Multiple vulnerabilities have been discovered in the Xen hypervisor : - CVE-2018-12891 It was discovered that insufficient validation of PV MMU operations may result in denial of service. - CVE-2018-12892 It was discovered that libxl fails to honour the 'readonly' flag on HVM-emulated SCSI disks. - CVE-2018-12893 It was discovered that incorrect implementation of debug exception checks could result in denial of service.
    last seen 2019-02-21
    modified 2018-11-13
    plugin id 110787
    published 2018-06-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110787
    title Debian DSA-4236-1 : xen - security update
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2528-1.NASL
    description This update for xen fixes the following issues: These security issues were fixed : - CVE-2018-3646: Systems with microprocessors utilizing speculative execution and address translations may have allowed unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis (bsc#1091107, bsc#1027519). - CVE-2018-12617: An integer overflow that could cause a segmentation fault in qmp_guest_file_read() with g_malloc() in qemu-guest-agent was fixed (bsc#1098744) - CVE-2018-3665: System software utilizing Lazy FP state restore technique on systems using Intel Core-based microprocessors may potentially allow a local process to infer data from another process through a speculative execution side channel. (bsc#1095242) - CVE-2018-3639: Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4. (bsc#1092631) - CVE-2017-5715: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. (bsc#1074562) - CVE-2017-5753: Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. (bsc#1074562) - CVE-2017-5754: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache. (bsc#1074562) - CVE-2018-12891: Certain PV MMU operations may take a long time to process. For that reason Xen explicitly checks for the need to preempt the current vCPU at certain points. A few rarely taken code paths did bypass such checks. By suitably enforcing the conditions through its own page table contents, a malicious guest may cause such bypasses to be used for an unbounded number of iterations. A malicious or buggy PV guest may cause a Denial of Service (DoS) affecting the entire host. Specifically, it may prevent use of a physical CPU for an indeterminate period of time. (bsc#1097521) - CVE-2018-12893: One of the fixes in XSA-260 added some safety checks to help prevent Xen livelocking with debug exceptions. Unfortunately, due to an oversight, at least one of these safety checks can be triggered by a guest. A malicious PV guest can crash Xen, leading to a Denial of Service. Only x86 PV guests can exploit the vulnerability. x86 HVM and PVH guests cannot exploit the vulnerability. An attacker needs to be able to control hardware debugging facilities to exploit the vulnerability, but such permissions are typically available to unprivileged users. (bsc#1097522) - CVE-2018-11806: m_cat in slirp/mbuf.c in Qemu has a heap-based buffer overflow via incoming fragmented datagrams. (bsc#1096224) - CVE-2018-10982: An issue was discovered in Xen that allowed x86 HVM guest OS users to cause a denial of service (unexpectedly high interrupt number, array overrun, and hypervisor crash) or possibly gain hypervisor privileges by setting up an HPET timer to deliver interrupts in IO-APIC mode, aka vHPET interrupt injection. (bsc#1090822) - CVE-2018-10981: An issue was discovered in Xen that allowed x86 HVM guest OS users to cause a denial of service (host OS infinite loop) in situations where a QEMU device model attempts to make invalid transitions between states of a request. (bsc#1090823) The following bugs were fixed : - After updating to kernel 3.0.101-0.47.106.32-xen the system crashes in check_bugs() (bsc#1097206) - bsc#1079730 - in xen-kmp, unplug emulated devices after migration. This is required since xen-4.10 and/or qemu-2.10 because the state of unplug is not propagated from one dom0 to another. Without this unplug, qemu's block-backend will be unable to open qcow2 disks on the receiving dom0. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 112147
    published 2018-08-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112147
    title SUSE SLES11 Security Update : xen (SUSE-SU-2018:2528-1) (Foreshadow) (Meltdown) (Spectre)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201810-06.NASL
    description The remote host is affected by the vulnerability described in GLSA-201810-06 (Xen: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Xen. Please review the referenced CVE identifiers for details. Impact : A local attacker could cause a Denial of Service condition or disclose sensitive information. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-10-31
    plugin id 118506
    published 2018-10-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118506
    title GLSA-201810-06 : Xen: Multiple vulnerabilities (Foreshadow) (Meltdown) (Spectre)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-A7862A75F5.NASL
    description preemption checks bypassed in x86 PV MM handling [XSA-264, CVE-2018-12891] (#1595959) x86: #DB exception safety check can be triggered by a guest [XSA-265, CVE-2018-12893] (#1595958) libxl fails to honour readonly flag on HVM emulated SCSI disks [XSA-266, CVE-2018-12892] (#1595957) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-03
    plugin id 120682
    published 2019-01-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=120682
    title Fedora 28 : xen (2018-a7862a75f5)
  • NASL family Misc.
    NASL id CITRIX_XENSERVER_CTX235748.NASL
    description The version of Citrix XenServer running on the remote host is missing a security hotfix. It is, therefore, affected by multiple vulnerabilities.
    last seen 2019-02-21
    modified 2018-12-07
    plugin id 111378
    published 2018-07-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111378
    title Citrix XenServer Multiple Vulnerabilities (CTX235748)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2059-1.NASL
    description This update for xen fixes the following issues: Security issues fixed : - CVE-2018-3665: Fix Lazy FP Save/Restore issue (XSA-267) (bsc#1095242). - CVE-2018-12891: Fix possible Denial of Service (DoS) via certain PV MMU operations that affect the entire host (XSA-264) (bsc#1097521). - CVE-2018-12892: Fix libxl to honour the readonly flag on HVM emulated SCSI disks (XSA-266) (bsc#1097523). - CVE-2018-12893: Fix crash/Denial of Service (DoS) via safety check (XSA-265) (bsc#1097522). - CVE-2018-11806: Fix heap buffer overflow while reassembling fragmented datagrams (bsc#1096224). Bug fixes : - bsc#1027519: Add upstream patches from January. - bsc#1087289: Fix xen scheduler crash. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 111348
    published 2018-07-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111348
    title SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2018:2059-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-1A467757CE.NASL
    description preemption checks bypassed in x86 PV MM handling [XSA-264, CVE-2018-12891] x86: #DB exception safety check can be triggered by a guest [XSA-265, CVE-2018-12893] libxl fails to honour readonly flag on HVM emulated SCSI disks [XSA-266, CVE-2018-12892] ---- Speculative register leakage from lazy FPU context switching [XSA-267, CVE-2018-3665] fix for change in iasl output Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-09-05
    plugin id 111236
    published 2018-07-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111236
    title Fedora 27 : xen (2018-1a467757ce)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2069-1.NASL
    description This update for xen fixes the following issues: Security issues fixed : - CVE-2018-12617: Fix integer overflow that causes segmentation fault in qmp_guest_file_read() with g_malloc() (bsc#1098744). - CVE-2018-3665: Fix Lazy FP Save/Restore issue (XSA-267) (bsc#1095242). - CVE-2018-11806: Fix heap buffer overflow while reassembling fragmented datagrams (bsc#1096224). - CVE-2018-12891: Fix possible Denial of Service (DoS) via certain PV MMU operations that affect the entire host (XSA-264) (bsc#1097521). - CVE-2018-12893: Fix crash/Denial of Service (DoS) via safety check (XSA-265) (bsc#1097522). Bug fixes : - bsc#1079730: Fix failed 'write' lock. - bsc#1027519: Add upstream patches from January. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 111371
    published 2018-07-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111371
    title SUSE SLES12 Security Update : xen (SUSE-SU-2018:2069-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-1577.NASL
    description Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, information leaks or privilege escalation. For Debian 8 'Jessie', these problems have been fixed in version 4.4.4lts4-0+deb8u1. We recommend that you upgrade your xen packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-13
    plugin id 118892
    published 2018-11-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118892
    title Debian DLA-1577-1 : xen security update
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2081-1.NASL
    description This update for xen fixes the following issues: Security issues fixed : - CVE-2018-12891: Fix preemption checks bypass in x86 PV MM handling (XSA-264) (bsc#1097521). - CVE-2018-12892: Fix libxl failure to honour readonly flag on HVM emulated SCSI disks (XSA-266) (bsc#1097523). - CVE-2018-12893: Fix #DB exception safety check that could be triggered by a guest (XSA-265) (bsc#1097522). - CVE-2018-11806: Fix heap buffer overflow while reassembling fragmented datagrams (bsc#1096224). - CVE-2018-3665: Fix lazy FP Save/Restore (XSA-267) (bsc#1095242). Bug fixes : - bsc#1027519: Update to Xen 4.7.6 bug fix only release. - bsc#1087289: Xen BUG at sched_credit.c:1663. - bsc#1094725: `virsh blockresize` does not work with Xen qdisks. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 111433
    published 2018-07-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111433
    title SUSE SLES12 Security Update : xen (SUSE-SU-2018:2081-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2037-1.NASL
    description This update for xen fixes the following issues: Security issues fixed : - CVE-2018-12617: Fix integer overflow that causes segmentation fault in qmp_guest_file_read() with g_malloc() (bsc#1098744). - CVE-2018-3665: Fix Lazy FP Save/Restore issue (XSA-267) (bsc#1095242). - CVE-2018-11806: Fix heap buffer overflow while reassembling fragmented datagrams (bsc#1096224). - CVE-2018-12891: Fix possible Denial of Service (DoS) via certain PV MMU operations that affect the entire host (XSA-264) (bsc#1097521). - CVE-2018-12893: Fix crash/Denial of Service (DoS) via safety check (XSA-265) (bsc#1097522). Bug fixes : - bsc#1079730: Fix failed 'write' lock. - bsc#1027519: Add upstream patches from January. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 111261
    published 2018-07-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111261
    title SUSE SLES11 Security Update : xen (SUSE-SU-2018:2037-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-1981-1.NASL
    description This update for xen fixes the following issues: Security issues fixed : - CVE-2018-3665: Fix Lazy FP Save/Restore issue (XSA-267) (bsc#1095242). - CVE-2018-12891: Fix possible Denial of Service (DoS) via certain PV MMU operations that affect the entire host (XSA-264) (bsc#1097521). - CVE-2018-12892: Fix libxl to honour the readonly flag on HVM emulated SCSI disks (XSA-266) (bsc#1097523). - CVE-2018-12893: Fix crash/Denial of Service (DoS) via safety check (XSA-265) (bsc#1097522). Bug fixes : - bsc#1027519: Add upstream patches from January. - bsc#1098403: Fix regression introduced by changes for bsc#1079730. A PV domU without qcow2 and/or vfb has no qemu attached. Ignore QMP errors for PV domUs to handle PV domUs with and without an attached qemu-xen. - bsc#1087289: Fix xen scheduler crash. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 120050
    published 2019-01-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=120050
    title SUSE SLED15 / SLES15 Security Update : xen (SUSE-SU-2018:1981-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-766.NASL
    description This update for xen fixes the following issues : Security issues fixed : - CVE-2018-3665: Fix Lazy FP Save/Restore issue (XSA-267) (bsc#1095242). - CVE-2018-12891: Fix possible Denial of Service (DoS) via certain PV MMU operations that affect the entire host (XSA-264) (bsc#1097521). - CVE-2018-12892: Fix libxl to honour the readonly flag on HVM emulated SCSI disks (XSA-266) (bsc#1097523). - CVE-2018-12893: Fix crash/Denial of Service (DoS) via safety check (XSA-265) (bsc#1097522). Bug fixes : - bsc#1027519: Add upstream patches from January. - bsc#1098403: Fix regression introduced by changes for bsc#1079730. A PV domU without qcow2 and/or vfb has no qemu attached. Ignore QMP errors for PV domUs to handle PV domUs with and without an attached qemu-xen. - bsc#1087289: Fix xen scheduler crash. This update was imported from the SUSE:SLE-15:Update update project.
    last seen 2019-02-21
    modified 2018-09-06
    plugin id 111418
    published 2018-07-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111418
    title openSUSE Security Update : xen (openSUSE-2018-766)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2056-1.NASL
    description This update for xen fixes the following issues: Security issues fixed : - CVE-2018-12617: Fix integer overflow that causes segmentation fault in qmp_guest_file_read() with g_malloc() (bsc#1098744). - CVE-2018-3665: Fix Lazy FP Save/Restore issue (XSA-267) (bsc#1095242). - CVE-2018-11806: Fix heap buffer overflow while reassembling fragmented datagrams (bsc#1096224). - CVE-2018-12891: Fix possible Denial of Service (DoS) via certain PV MMU operations that affect the entire host (XSA-264) (bsc#1097521). - CVE-2018-12893: Fix crash/Denial of Service (DoS) via safety check (XSA-265) (bsc#1097522). Bug fixes : - bsc#1079730: Fix failed 'write' lock. - bsc#1027519: Add upstream patches from January. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 111346
    published 2018-07-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111346
    title SUSE SLES12 Security Update : xen (SUSE-SU-2018:2056-1)
refmap via4
bid 104570
confirm
debian DSA-4236
gentoo GLSA-201810-06
mlist
  • [debian-lts-announce] 20181112 [SECURITY] [DLA 1577-1] xen security update
  • [oss-security] 20180627 Xen Security Advisory 264 (CVE-2018-12891) - preemption checks bypassed in x86 PV MM handling
sectrack 1041201
Last major update 02-07-2018 - 13:29
Published 02-07-2018 - 13:29
Last modified 29-03-2019 - 12:24