CVE-2017-15597 (GCVE-0-2017-15597)
Vulnerability from cvelistv5
Published
2017-10-30 14:00
Modified
2024-08-05 19:57
Severity ?
CWE
  • n/a
Summary
An issue was discovered in Xen through 4.9.x. Grant copying code made an implication that any grant pin would be accompanied by a suitable page reference. Other portions of code, however, did not match up with that assumption. When such a grant copy operation is being done on a grant of a dying domain, the assumption turns out wrong. A malicious guest administrator can cause hypervisor memory corruption, most likely resulting in host crash and a Denial of Service. Privilege escalation and information leaks cannot be ruled out.
References
cve@mitre.org http://www.openwall.com/lists/oss-security/2017/10/24/3 Issue Tracking, Mailing List, Mitigation, Third Party Advisory
cve@mitre.org http://www.securityfocus.com/bid/101564 Issue Tracking, Third Party Advisory, VDB Entry
cve@mitre.org http://www.securitytracker.com/id/1039653 Issue Tracking, Third Party Advisory, VDB Entry
cve@mitre.org http://xenbits.xen.org/xsa/advisory-236.html Issue Tracking, Patch, Vendor Advisory
cve@mitre.org https://lists.debian.org/debian-lts-announce/2018/10/msg00009.html
cve@mitre.org https://support.citrix.com/article/CTX229057 Issue Tracking, Third Party Advisory
cve@mitre.org https://www.debian.org/security/2017/dsa-4050
af854a3a-2127-422b-91ae-364da2661108 http://www.openwall.com/lists/oss-security/2017/10/24/3 Issue Tracking, Mailing List, Mitigation, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 http://www.securityfocus.com/bid/101564 Issue Tracking, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108 http://www.securitytracker.com/id/1039653 Issue Tracking, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108 http://xenbits.xen.org/xsa/advisory-236.html Issue Tracking, Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 https://lists.debian.org/debian-lts-announce/2018/10/msg00009.html
af854a3a-2127-422b-91ae-364da2661108 https://support.citrix.com/article/CTX229057 Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 https://www.debian.org/security/2017/dsa-4050
Impacted products
Vendor Product Version
n/a n/a Version: n/a
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T19:57:27.292Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://xenbits.xen.org/xsa/advisory-236.html"
          },
          {
            "name": "101564",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/101564"
          },
          {
            "name": "[oss-security] 20171024 Xen Security Advisory 236 (CVE-2017-15597) - pin count / page reference race in grant table code",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2017/10/24/3"
          },
          {
            "name": "DSA-4050",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2017/dsa-4050"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.citrix.com/article/CTX229057"
          },
          {
            "name": "1039653",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1039653"
          },
          {
            "name": "[debian-lts-announce] 20181018 [SECURITY] [DLA 1549-1] xen security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00009.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2017-10-24T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Xen through 4.9.x. Grant copying code made an implication that any grant pin would be accompanied by a suitable page reference. Other portions of code, however, did not match up with that assumption. When such a grant copy operation is being done on a grant of a dying domain, the assumption turns out wrong. A malicious guest administrator can cause hypervisor memory corruption, most likely resulting in host crash and a Denial of Service. Privilege escalation and information leaks cannot be ruled out."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-19T09:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://xenbits.xen.org/xsa/advisory-236.html"
        },
        {
          "name": "101564",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/101564"
        },
        {
          "name": "[oss-security] 20171024 Xen Security Advisory 236 (CVE-2017-15597) - pin count / page reference race in grant table code",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2017/10/24/3"
        },
        {
          "name": "DSA-4050",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2017/dsa-4050"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.citrix.com/article/CTX229057"
        },
        {
          "name": "1039653",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1039653"
        },
        {
          "name": "[debian-lts-announce] 20181018 [SECURITY] [DLA 1549-1] xen security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00009.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2017-15597",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in Xen through 4.9.x. Grant copying code made an implication that any grant pin would be accompanied by a suitable page reference. Other portions of code, however, did not match up with that assumption. When such a grant copy operation is being done on a grant of a dying domain, the assumption turns out wrong. A malicious guest administrator can cause hypervisor memory corruption, most likely resulting in host crash and a Denial of Service. Privilege escalation and information leaks cannot be ruled out."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://xenbits.xen.org/xsa/advisory-236.html",
              "refsource": "CONFIRM",
              "url": "http://xenbits.xen.org/xsa/advisory-236.html"
            },
            {
              "name": "101564",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/101564"
            },
            {
              "name": "[oss-security] 20171024 Xen Security Advisory 236 (CVE-2017-15597) - pin count / page reference race in grant table code",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2017/10/24/3"
            },
            {
              "name": "DSA-4050",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2017/dsa-4050"
            },
            {
              "name": "https://support.citrix.com/article/CTX229057",
              "refsource": "CONFIRM",
              "url": "https://support.citrix.com/article/CTX229057"
            },
            {
              "name": "1039653",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1039653"
            },
            {
              "name": "[debian-lts-announce] 20181018 [SECURITY] [DLA 1549-1] xen security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00009.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2017-15597",
    "datePublished": "2017-10-30T14:00:00",
    "dateReserved": "2017-10-18T00:00:00",
    "dateUpdated": "2024-08-05T19:57:27.292Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2017-15597\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2017-10-30T14:29:00.847\",\"lastModified\":\"2025-04-20T01:37:25.860\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An issue was discovered in Xen through 4.9.x. Grant copying code made an implication that any grant pin would be accompanied by a suitable page reference. Other portions of code, however, did not match up with that assumption. When such a grant copy operation is being done on a grant of a dying domain, the assumption turns out wrong. A malicious guest administrator can cause hypervisor memory corruption, most likely resulting in host crash and a Denial of Service. Privilege escalation and information leaks cannot be ruled out.\"},{\"lang\":\"es\",\"value\":\"Se ha descubierto un problema en Xen hasta las versiones 4.9.x. El c\u00f3digo copiado por la funci\u00f3n GRANT asum\u00eda que cualquier Grant Pin estar\u00eda acompa\u00f1ado de una referencia de p\u00e1gina adecuada. Sin embargo, otras fragmentos de c\u00f3digo no coincidieron con esta suposici\u00f3n. Cuando esta operaci\u00f3n de copia de autorizaci\u00f3n se realiza en una tabla grant de un dominio obsoleto, la suposici\u00f3n se vuelve err\u00f3nea. Un administrador invitado malicioso puede provocar la corrupci\u00f3n de la memoria del hipervisor, lo que probablemente resulte en el cierre inesperado del host y una denegaci\u00f3n de servicio. El escalado de privilegios y las fugas de informaci\u00f3n no pueden descartarse.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.3,\"impactScore\":6.0}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:C/I:C/A:C\",\"baseScore\":9.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":8.0,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-119\"},{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:xen:xen:*:rc7:*:*:*:*:*:*\",\"versionEndIncluding\":\"4.9.0\",\"matchCriteriaId\":\"4FE0E8DB-FAAA-4516-88F5-594F625A008C\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2017/10/24/3\",\"source\":\"cve@mitre.org\",\"tags\":[\"Issue Tracking\",\"Mailing List\",\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/101564\",\"source\":\"cve@mitre.org\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id/1039653\",\"source\":\"cve@mitre.org\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://xenbits.xen.org/xsa/advisory-236.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Issue Tracking\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2018/10/msg00009.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://support.citrix.com/article/CTX229057\",\"source\":\"cve@mitre.org\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2017/dsa-4050\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2017/10/24/3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Mailing List\",\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/101564\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id/1039653\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://xenbits.xen.org/xsa/advisory-236.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2018/10/msg00009.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://support.citrix.com/article/CTX229057\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2017/dsa-4050\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.