Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2021-AVI-694
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans Citrix Hypervisor. Elles permettent à un attaquant de provoquer une exécution de code arbitraire et une élévation de privilèges.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Citrix | Citrix Hypervisor | Citrix Hypervisor 8.2 LTSR sans le correctif de sécurité XS82E032 | ||
| Citrix | Citrix Hypervisor | Citrix Hypervisor 7.1 LTSR CU2 sans le correctif de sécurité XS71ECU2066 |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Citrix Hypervisor 8.2 LTSR sans le correctif de s\u00e9curit\u00e9 XS82E032",
"product": {
"name": "Citrix Hypervisor",
"vendor": {
"name": "Citrix",
"scada": false
}
}
},
{
"description": "Citrix Hypervisor 7.1 LTSR CU2 sans le correctif de s\u00e9curit\u00e9 XS71ECU2066",
"product": {
"name": "Citrix Hypervisor",
"vendor": {
"name": "Citrix",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2021-28694",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28694"
},
{
"name": "CVE-2021-28698",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28698"
},
{
"name": "CVE-2021-28699",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28699"
},
{
"name": "CVE-2021-28701",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28701"
},
{
"name": "CVE-2021-28697",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28697"
}
],
"initial_release_date": "2021-09-10T00:00:00",
"last_revision_date": "2021-09-10T00:00:00",
"links": [],
"reference": "CERTFR-2021-AVI-694",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2021-09-10T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Citrix Hypervisor.\nElles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code\narbitraire et une \u00e9l\u00e9vation de privil\u00e8ges.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Citrix Hypervisor",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Citrix CTX325319 du 07 septembre 2021",
"url": "https://support.citrix.com/article/CTX325319"
}
]
}
CVE-2021-28697 (GCVE-0-2021-28697)
Vulnerability from cvelistv5
Published
2021-08-27 18:37
Modified
2024-08-03 21:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- unknown
Summary
grant table v2 status pages may remain accessible after de-allocation Guest get permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, get de-allocated when a guest switched (back) from v2 to v1. The freeing of such pages requires that the hypervisor know where in the guest these pages were mapped. The hypervisor tracks only one use within guest space, but racing requests from the guest to insert mappings of these pages may result in any of them to become mapped in multiple locations. Upon switching back from v2 to v1, the guest would then retain access to a page that was freed and perhaps re-used for other purposes.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:47:33.045Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://xenbits.xenproject.org/xsa/advisory-379.txt"
},
{
"name": "FEDORA-2021-4f129cc0c1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LPRVHW4J4ZCPPOHZEWP5MOJT7XDGFFPJ/"
},
{
"name": "FEDORA-2021-d68ed12e46",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FZCNPSRPGFCQRYE2BI4D4Q4SCE56ANV2/"
},
{
"name": "DSA-4977",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4977"
},
{
"name": "FEDORA-2021-081f9bf5d2",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2VQCFAPBNGBBAOMJZG6QBREOG5IIDZID/"
},
{
"name": "GLSA-202208-23",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202208-23"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "xen",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "xen-unstable"
}
]
},
{
"product": "xen",
"vendor": "Xen",
"versions": [
{
"lessThan": "4.12",
"status": "unknown",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.13.x",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "unaffected",
"version": "next of 4.14.x",
"versionType": "custom"
}
]
},
{
"product": "xen",
"vendor": "Xen",
"versions": [
{
"lessThan": "4.12",
"status": "unknown",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.11.x",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "unaffected",
"version": "next of 4.12.x",
"versionType": "custom"
}
]
},
{
"product": "xen",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "4.15.x"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "{\u0027credit_data\u0027: {\u0027description\u0027: {\u0027description_data\u0027: [{\u0027lang\u0027: \u0027eng\u0027, \u0027value\u0027: \u0027This issue was discovered by Jan Beulich of SUSE.\u0027}]}}}"
}
],
"descriptions": [
{
"lang": "en",
"value": "grant table v2 status pages may remain accessible after de-allocation Guest get permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, get de-allocated when a guest switched (back) from v2 to v1. The freeing of such pages requires that the hypervisor know where in the guest these pages were mapped. The hypervisor tracks only one use within guest space, but racing requests from the guest to insert mappings of these pages may result in any of them to become mapped in multiple locations. Upon switching back from v2 to v1, the guest would then retain access to a page that was freed and perhaps re-used for other purposes."
}
],
"metrics": [
{
"other": {
"content": {
"description": {
"description_data": [
{
"lang": "eng",
"value": "A malicious guest may be able to elevate its privileges to that of the\nhost, cause host or guest Denial of Service (DoS), or cause information\nleaks."
}
]
}
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "unknown",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-14T20:12:18",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://xenbits.xenproject.org/xsa/advisory-379.txt"
},
{
"name": "FEDORA-2021-4f129cc0c1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LPRVHW4J4ZCPPOHZEWP5MOJT7XDGFFPJ/"
},
{
"name": "FEDORA-2021-d68ed12e46",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FZCNPSRPGFCQRYE2BI4D4Q4SCE56ANV2/"
},
{
"name": "DSA-4977",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4977"
},
{
"name": "FEDORA-2021-081f9bf5d2",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2VQCFAPBNGBBAOMJZG6QBREOG5IIDZID/"
},
{
"name": "GLSA-202208-23",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202208-23"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@xen.org",
"ID": "CVE-2021-28697",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "xen",
"version": {
"version_data": [
{
"version_value": "xen-unstable"
}
]
}
},
{
"product_name": "xen",
"version": {
"version_data": [
{
"version_affected": "?\u003c",
"version_value": "4.12"
},
{
"version_affected": "\u003e=",
"version_value": "4.13.x"
},
{
"version_affected": "!\u003e",
"version_value": "4.14.x"
}
]
}
},
{
"product_name": "xen",
"version": {
"version_data": [
{
"version_affected": "?\u003c",
"version_value": "4.12"
},
{
"version_affected": "\u003e=",
"version_value": "4.11.x"
},
{
"version_affected": "!\u003e",
"version_value": "4.12.x"
}
]
}
},
{
"product_name": "xen",
"version": {
"version_data": [
{
"version_value": "4.15.x"
}
]
}
}
]
},
"vendor_name": "Xen"
}
]
}
},
"configuration": {
"configuration_data": {
"description": {
"description_data": [
{
"lang": "eng",
"value": "All Xen versions from 4.0 onwards are affected. Xen versions 3.4 and\nolder are not affected.\n\nOnly x86 HVM and PVH guests permitted to use grant table version 2\ninterfaces can leverage this vulnerability. x86 PV guests cannot\nleverage this vulnerability. On Arm, grant table v2 use is explicitly\nunsupported."
}
]
}
}
},
"credit": {
"credit_data": {
"description": {
"description_data": [
{
"lang": "eng",
"value": "This issue was discovered by Jan Beulich of SUSE."
}
]
}
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "grant table v2 status pages may remain accessible after de-allocation Guest get permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, get de-allocated when a guest switched (back) from v2 to v1. The freeing of such pages requires that the hypervisor know where in the guest these pages were mapped. The hypervisor tracks only one use within guest space, but racing requests from the guest to insert mappings of these pages may result in any of them to become mapped in multiple locations. Upon switching back from v2 to v1, the guest would then retain access to a page that was freed and perhaps re-used for other purposes."
}
]
},
"impact": {
"impact_data": {
"description": {
"description_data": [
{
"lang": "eng",
"value": "A malicious guest may be able to elevate its privileges to that of the\nhost, cause host or guest Denial of Service (DoS), or cause information\nleaks."
}
]
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "unknown"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://xenbits.xenproject.org/xsa/advisory-379.txt",
"refsource": "MISC",
"url": "https://xenbits.xenproject.org/xsa/advisory-379.txt"
},
{
"name": "FEDORA-2021-4f129cc0c1",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LPRVHW4J4ZCPPOHZEWP5MOJT7XDGFFPJ/"
},
{
"name": "FEDORA-2021-d68ed12e46",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FZCNPSRPGFCQRYE2BI4D4Q4SCE56ANV2/"
},
{
"name": "DSA-4977",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4977"
},
{
"name": "FEDORA-2021-081f9bf5d2",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VQCFAPBNGBBAOMJZG6QBREOG5IIDZID/"
},
{
"name": "GLSA-202208-23",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202208-23"
}
]
},
"workaround": {
"workaround_data": {
"description": {
"description_data": [
{
"lang": "eng",
"value": "Running only PV guests will avoid this vulnerability.\n\nSuppressing use of grant table v2 interfaces for HVM or PVH guests will\nalso avoid this vulnerability."
}
]
}
}
}
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2021-28697",
"datePublished": "2021-08-27T18:37:41",
"dateReserved": "2021-03-18T00:00:00",
"dateUpdated": "2024-08-03T21:47:33.045Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-28698 (GCVE-0-2021-28698)
Vulnerability from cvelistv5
Published
2021-08-27 18:32
Modified
2024-08-03 21:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- unknown
Summary
long running loops in grant table handling In order to properly monitor resource use, Xen maintains information on the grant mappings a domain may create to map grants offered by other domains. In the process of carrying out certain actions, Xen would iterate over all such entries, including ones which aren't in use anymore and some which may have been created but never used. If the number of entries for a given domain is large enough, this iterating of the entire table may tie up a CPU for too long, starving other domains or causing issues in the hypervisor itself. Note that a domain may map its own grants, i.e. there is no need for multiple domains to be involved here. A pair of "cooperating" guests may, however, cause the effects to be more severe.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:47:33.154Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://xenbits.xenproject.org/xsa/advisory-380.txt"
},
{
"name": "[oss-security] 20210901 Xen Security Advisory 380 v3 (CVE-2021-28698) - long running loops in grant table handling",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/09/01/2"
},
{
"name": "FEDORA-2021-4f129cc0c1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LPRVHW4J4ZCPPOHZEWP5MOJT7XDGFFPJ/"
},
{
"name": "FEDORA-2021-d68ed12e46",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FZCNPSRPGFCQRYE2BI4D4Q4SCE56ANV2/"
},
{
"name": "DSA-4977",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4977"
},
{
"name": "FEDORA-2021-081f9bf5d2",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2VQCFAPBNGBBAOMJZG6QBREOG5IIDZID/"
},
{
"name": "GLSA-202208-23",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202208-23"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "xen",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "4.14.x"
}
]
},
{
"product": "xen",
"vendor": "Xen",
"versions": [
{
"lessThan": "4.12",
"status": "unknown",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.15.x",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "unaffected",
"version": "next of xen-unstable",
"versionType": "custom"
}
]
},
{
"product": "xen",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "4.13.x"
}
]
},
{
"product": "xen",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "4.11.x"
}
]
},
{
"product": "xen",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "4.12.x"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "{\u0027credit_data\u0027: {\u0027description\u0027: {\u0027description_data\u0027: [{\u0027lang\u0027: \u0027eng\u0027, \u0027value\u0027: \u0027This issue was discovered by Andrew Cooper of Citrix.\u0027}]}}}"
}
],
"descriptions": [
{
"lang": "en",
"value": "long running loops in grant table handling In order to properly monitor resource use, Xen maintains information on the grant mappings a domain may create to map grants offered by other domains. In the process of carrying out certain actions, Xen would iterate over all such entries, including ones which aren\u0027t in use anymore and some which may have been created but never used. If the number of entries for a given domain is large enough, this iterating of the entire table may tie up a CPU for too long, starving other domains or causing issues in the hypervisor itself. Note that a domain may map its own grants, i.e. there is no need for multiple domains to be involved here. A pair of \"cooperating\" guests may, however, cause the effects to be more severe."
}
],
"metrics": [
{
"other": {
"content": {
"description": {
"description_data": [
{
"lang": "eng",
"value": "Malicious or buggy guest kernels may be able to mount a Denial of\nService (DoS) attack affecting the entire system."
}
]
}
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "unknown",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-14T20:06:44",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://xenbits.xenproject.org/xsa/advisory-380.txt"
},
{
"name": "[oss-security] 20210901 Xen Security Advisory 380 v3 (CVE-2021-28698) - long running loops in grant table handling",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/09/01/2"
},
{
"name": "FEDORA-2021-4f129cc0c1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LPRVHW4J4ZCPPOHZEWP5MOJT7XDGFFPJ/"
},
{
"name": "FEDORA-2021-d68ed12e46",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FZCNPSRPGFCQRYE2BI4D4Q4SCE56ANV2/"
},
{
"name": "DSA-4977",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4977"
},
{
"name": "FEDORA-2021-081f9bf5d2",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2VQCFAPBNGBBAOMJZG6QBREOG5IIDZID/"
},
{
"name": "GLSA-202208-23",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202208-23"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@xen.org",
"ID": "CVE-2021-28698",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "xen",
"version": {
"version_data": [
{
"version_value": "4.14.x"
}
]
}
},
{
"product_name": "xen",
"version": {
"version_data": [
{
"version_affected": "?\u003c",
"version_value": "4.12"
},
{
"version_affected": "\u003e=",
"version_value": "4.15.x"
},
{
"version_affected": "!\u003e",
"version_value": "xen-unstable"
}
]
}
},
{
"product_name": "xen",
"version": {
"version_data": [
{
"version_value": "4.13.x"
}
]
}
},
{
"product_name": "xen",
"version": {
"version_data": [
{
"version_value": "4.11.x"
}
]
}
},
{
"product_name": "xen",
"version": {
"version_data": [
{
"version_value": "4.12.x"
}
]
}
}
]
},
"vendor_name": "Xen"
}
]
}
},
"configuration": {
"configuration_data": {
"description": {
"description_data": [
{
"lang": "eng",
"value": "All Xen versions from at least 3.2 onwards are vulnerable in principle.\n\nSystems running with default settings are generally believed to not be\nvulnerable."
}
]
}
}
},
"credit": {
"credit_data": {
"description": {
"description_data": [
{
"lang": "eng",
"value": "This issue was discovered by Andrew Cooper of Citrix."
}
]
}
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "long running loops in grant table handling In order to properly monitor resource use, Xen maintains information on the grant mappings a domain may create to map grants offered by other domains. In the process of carrying out certain actions, Xen would iterate over all such entries, including ones which aren\u0027t in use anymore and some which may have been created but never used. If the number of entries for a given domain is large enough, this iterating of the entire table may tie up a CPU for too long, starving other domains or causing issues in the hypervisor itself. Note that a domain may map its own grants, i.e. there is no need for multiple domains to be involved here. A pair of \"cooperating\" guests may, however, cause the effects to be more severe."
}
]
},
"impact": {
"impact_data": {
"description": {
"description_data": [
{
"lang": "eng",
"value": "Malicious or buggy guest kernels may be able to mount a Denial of\nService (DoS) attack affecting the entire system."
}
]
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "unknown"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://xenbits.xenproject.org/xsa/advisory-380.txt",
"refsource": "MISC",
"url": "https://xenbits.xenproject.org/xsa/advisory-380.txt"
},
{
"name": "[oss-security] 20210901 Xen Security Advisory 380 v3 (CVE-2021-28698) - long running loops in grant table handling",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/09/01/2"
},
{
"name": "FEDORA-2021-4f129cc0c1",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LPRVHW4J4ZCPPOHZEWP5MOJT7XDGFFPJ/"
},
{
"name": "FEDORA-2021-d68ed12e46",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FZCNPSRPGFCQRYE2BI4D4Q4SCE56ANV2/"
},
{
"name": "DSA-4977",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4977"
},
{
"name": "FEDORA-2021-081f9bf5d2",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VQCFAPBNGBBAOMJZG6QBREOG5IIDZID/"
},
{
"name": "GLSA-202208-23",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202208-23"
}
]
},
"workaround": {
"workaround_data": {
"description": {
"description_data": [
{
"lang": "eng",
"value": "The problem can be avoided by reducing the number of grant mappings Xen\nwould allow guests to establish. For example, setting\n\"gnttab_max_maptrack_frames=256\" on the Xen command line (available\nfrom Xen 4.5 onwards) or \"max_maptrack_frames=256\" in the xl domain\nconfigurations (available from Xen 4.10 onwards) may be low enough for\nall hardware Xen is able to run on. Note that except for driver\ndomains, guests don\u0027t normally have a need to establish grant mappings,\ni.e. they may be okay to run with \"max_maptrack_frames=0\" in their xl\ndomain configurations.\n\n- From Xen 4.14 onwards it is also possible to alter the system wide upper\nbound of the number of grant mappings Xen would allow guests to\nestablish by writing to the /params/gnttab_max_maptrack_frames\nhypervisor file system node. Note however that changing the value this\nway will only affect guests yet to be created on the respective host."
}
]
}
}
}
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2021-28698",
"datePublished": "2021-08-27T18:32:13",
"dateReserved": "2021-03-18T00:00:00",
"dateUpdated": "2024-08-03T21:47:33.154Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-28699 (GCVE-0-2021-28699)
Vulnerability from cvelistv5
Published
2021-08-27 18:21
Modified
2024-08-03 21:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- unknown
Summary
inadequate grant-v2 status frames array bounds check The v2 grant table interface separates grant attributes from grant status. That is, when operating in this mode, a guest has two tables. As a result, guests also need to be able to retrieve the addresses that the new status tracking table can be accessed through. For 32-bit guests on x86, translation of requests has to occur because the interface structure layouts commonly differ between 32- and 64-bit. The translation of the request to obtain the frame numbers of the grant status table involves translating the resulting array of frame numbers. Since the space used to carry out the translation is limited, the translation layer tells the core function the capacity of the array within translation space. Unfortunately the core function then only enforces array bounds to be below 8 times the specified value, and would write past the available space if enough frame numbers needed storing.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:47:33.197Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://xenbits.xenproject.org/xsa/advisory-382.txt"
},
{
"name": "FEDORA-2021-4f129cc0c1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LPRVHW4J4ZCPPOHZEWP5MOJT7XDGFFPJ/"
},
{
"name": "FEDORA-2021-d68ed12e46",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FZCNPSRPGFCQRYE2BI4D4Q4SCE56ANV2/"
},
{
"name": "DSA-4977",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4977"
},
{
"name": "FEDORA-2021-081f9bf5d2",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2VQCFAPBNGBBAOMJZG6QBREOG5IIDZID/"
},
{
"name": "GLSA-202208-23",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202208-23"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "xen",
"vendor": "Xen",
"versions": [
{
"lessThan": "4.12",
"status": "unknown",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.11.x",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "unaffected",
"version": "next of xen-unstable",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "{\u0027credit_data\u0027: {\u0027description\u0027: {\u0027description_data\u0027: [{\u0027lang\u0027: \u0027eng\u0027, \u0027value\u0027: \u0027This issue was discovered by Jan Beulich of SUSE.\u0027}]}}}"
}
],
"descriptions": [
{
"lang": "en",
"value": "inadequate grant-v2 status frames array bounds check The v2 grant table interface separates grant attributes from grant status. That is, when operating in this mode, a guest has two tables. As a result, guests also need to be able to retrieve the addresses that the new status tracking table can be accessed through. For 32-bit guests on x86, translation of requests has to occur because the interface structure layouts commonly differ between 32- and 64-bit. The translation of the request to obtain the frame numbers of the grant status table involves translating the resulting array of frame numbers. Since the space used to carry out the translation is limited, the translation layer tells the core function the capacity of the array within translation space. Unfortunately the core function then only enforces array bounds to be below 8 times the specified value, and would write past the available space if enough frame numbers needed storing."
}
],
"metrics": [
{
"other": {
"content": {
"description": {
"description_data": [
{
"lang": "eng",
"value": "Malicious or buggy guest kernels may be able to mount a Denial of\nService (DoS) attack affecting the entire system. Privilege escalation\nand information leaks cannot be ruled out."
}
]
}
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "unknown",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-14T20:12:37",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://xenbits.xenproject.org/xsa/advisory-382.txt"
},
{
"name": "FEDORA-2021-4f129cc0c1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LPRVHW4J4ZCPPOHZEWP5MOJT7XDGFFPJ/"
},
{
"name": "FEDORA-2021-d68ed12e46",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FZCNPSRPGFCQRYE2BI4D4Q4SCE56ANV2/"
},
{
"name": "DSA-4977",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4977"
},
{
"name": "FEDORA-2021-081f9bf5d2",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2VQCFAPBNGBBAOMJZG6QBREOG5IIDZID/"
},
{
"name": "GLSA-202208-23",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202208-23"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@xen.org",
"ID": "CVE-2021-28699",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "xen",
"version": {
"version_data": [
{
"version_affected": "?\u003c",
"version_value": "4.12"
},
{
"version_affected": "\u003e=",
"version_value": "4.11.x"
},
{
"version_affected": "!\u003e",
"version_value": "xen-unstable"
}
]
}
}
]
},
"vendor_name": "Xen"
}
]
}
},
"configuration": {
"configuration_data": {
"description": {
"description_data": [
{
"lang": "eng",
"value": "All Xen versions from 4.10 onwards are affected. Xen versions 4.9 and\nolder are not affected.\n\nOnly 32-bit x86 guests permitted to use grant table version 2 interfaces\ncan leverage this vulnerability. 64-bit x86 guests cannot leverage this\nvulnerability, but note that HVM and PVH guests are free to alter their\nbitness as they see fit. On Arm, grant table v2 use is explicitly\nunsupported.\n\nOnly guests permitted to have 8177 or more grant table frames can\nleverage this vulnerability."
}
]
}
}
},
"credit": {
"credit_data": {
"description": {
"description_data": [
{
"lang": "eng",
"value": "This issue was discovered by Jan Beulich of SUSE."
}
]
}
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "inadequate grant-v2 status frames array bounds check The v2 grant table interface separates grant attributes from grant status. That is, when operating in this mode, a guest has two tables. As a result, guests also need to be able to retrieve the addresses that the new status tracking table can be accessed through. For 32-bit guests on x86, translation of requests has to occur because the interface structure layouts commonly differ between 32- and 64-bit. The translation of the request to obtain the frame numbers of the grant status table involves translating the resulting array of frame numbers. Since the space used to carry out the translation is limited, the translation layer tells the core function the capacity of the array within translation space. Unfortunately the core function then only enforces array bounds to be below 8 times the specified value, and would write past the available space if enough frame numbers needed storing."
}
]
},
"impact": {
"impact_data": {
"description": {
"description_data": [
{
"lang": "eng",
"value": "Malicious or buggy guest kernels may be able to mount a Denial of\nService (DoS) attack affecting the entire system. Privilege escalation\nand information leaks cannot be ruled out."
}
]
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "unknown"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://xenbits.xenproject.org/xsa/advisory-382.txt",
"refsource": "MISC",
"url": "https://xenbits.xenproject.org/xsa/advisory-382.txt"
},
{
"name": "FEDORA-2021-4f129cc0c1",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LPRVHW4J4ZCPPOHZEWP5MOJT7XDGFFPJ/"
},
{
"name": "FEDORA-2021-d68ed12e46",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FZCNPSRPGFCQRYE2BI4D4Q4SCE56ANV2/"
},
{
"name": "DSA-4977",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4977"
},
{
"name": "FEDORA-2021-081f9bf5d2",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VQCFAPBNGBBAOMJZG6QBREOG5IIDZID/"
},
{
"name": "GLSA-202208-23",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202208-23"
}
]
},
"workaround": {
"workaround_data": {
"description": {
"description_data": [
{
"lang": "eng",
"value": "The problem can be avoided by not increasing too much the number of\ngrants Xen would allow guests to establish. The limit is controlled by\nthe \"gnttab_max_frames\" Xen command line option and the\n\"max_grant_frames\" xl domain configuration setting.\n\n- From Xen 4.14 onwards it is also possible to alter the system wide upper\nbound of the number of grants Xen would allow guests to establish by\nwriting to the /params/gnttab_max_frames hypervisor file system node.\nNote however that changing the value this way will only affect guests\nyet to be created on the respective host.\n\nSuppressing use of grant table v2 interfaces for 32-bit x86 guests will\nalso avoid this vulnerability."
}
]
}
}
}
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2021-28699",
"datePublished": "2021-08-27T18:21:40",
"dateReserved": "2021-03-18T00:00:00",
"dateUpdated": "2024-08-03T21:47:33.197Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-28701 (GCVE-0-2021-28701)
Vulnerability from cvelistv5
Published
2021-09-08 13:02
Modified
2024-08-03 21:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- unknown
Summary
Another race in XENMAPSPACE_grant_table handling Guests are permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, are de-allocated when a guest switches (back) from v2 to v1. Freeing such pages requires that the hypervisor enforce that no parallel request can result in the addition of a mapping of such a page to a guest. That enforcement was missing, allowing guests to retain access to pages that were freed and perhaps re-used for other purposes. Unfortunately, when XSA-379 was being prepared, this similar issue was not noticed.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:47:33.200Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://xenbits.xenproject.org/xsa/advisory-384.txt"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://xenbits.xen.org/xsa/advisory-384.html"
},
{
"name": "[oss-security] 20210908 Xen Security Advisory 384 v3 (CVE-2021-28701) - Another race in XENMAPSPACE_grant_table handling",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/09/08/2"
},
{
"name": "FEDORA-2021-11577e5229",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L4MI3MQAPGILCLXBGQWPZHGE3ALSO4ZU/"
},
{
"name": "FEDORA-2021-fed53cbc7d",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CEHZLIR5DFYYQBH55AERWHLO54OFU42C/"
},
{
"name": "DSA-4977",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4977"
},
{
"name": "FEDORA-2021-5a0c7bc619",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3HEHUIUWSSMCQGQY3GWX4J2SZGYP5W2Z/"
},
{
"name": "GLSA-202208-23",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202208-23"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "xen",
"vendor": "Xen",
"versions": [
{
"lessThan": "4.12",
"status": "unknown",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.15.x",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "unaffected",
"version": "next of xen-unstable",
"versionType": "custom"
}
]
},
{
"product": "xen",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "4.11.x"
}
]
},
{
"product": "xen",
"vendor": "Xen",
"versions": [
{
"lessThan": "4.12",
"status": "unknown",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.12.x",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "unaffected",
"version": "next of 4.14.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "{\u0027credit_data\u0027: {\u0027description\u0027: {\u0027description_data\u0027: [{\u0027lang\u0027: \u0027eng\u0027, \u0027value\u0027: \u0027This issue was discovered by Julien Grall of Amazon.\u0027}]}}}"
}
],
"descriptions": [
{
"lang": "en",
"value": "Another race in XENMAPSPACE_grant_table handling Guests are permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, are de-allocated when a guest switches (back) from v2 to v1. Freeing such pages requires that the hypervisor enforce that no parallel request can result in the addition of a mapping of such a page to a guest. That enforcement was missing, allowing guests to retain access to pages that were freed and perhaps re-used for other purposes. Unfortunately, when XSA-379 was being prepared, this similar issue was not noticed."
}
],
"metrics": [
{
"other": {
"content": {
"description": {
"description_data": [
{
"lang": "eng",
"value": "A malicious guest may be able to elevate its privileges to that of the\nhost, cause host or guest Denial of Service (DoS), or cause information\nleaks."
}
]
}
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "unknown",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-14T20:11:46",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://xenbits.xenproject.org/xsa/advisory-384.txt"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://xenbits.xen.org/xsa/advisory-384.html"
},
{
"name": "[oss-security] 20210908 Xen Security Advisory 384 v3 (CVE-2021-28701) - Another race in XENMAPSPACE_grant_table handling",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/09/08/2"
},
{
"name": "FEDORA-2021-11577e5229",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L4MI3MQAPGILCLXBGQWPZHGE3ALSO4ZU/"
},
{
"name": "FEDORA-2021-fed53cbc7d",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CEHZLIR5DFYYQBH55AERWHLO54OFU42C/"
},
{
"name": "DSA-4977",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4977"
},
{
"name": "FEDORA-2021-5a0c7bc619",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3HEHUIUWSSMCQGQY3GWX4J2SZGYP5W2Z/"
},
{
"name": "GLSA-202208-23",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202208-23"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@xen.org",
"ID": "CVE-2021-28701",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "xen",
"version": {
"version_data": [
{
"version_affected": "?\u003c",
"version_value": "4.12"
},
{
"version_affected": "\u003e=",
"version_value": "4.15.x"
},
{
"version_affected": "!\u003e",
"version_value": "xen-unstable"
}
]
}
},
{
"product_name": "xen",
"version": {
"version_data": [
{
"version_value": "4.11.x"
}
]
}
},
{
"product_name": "xen",
"version": {
"version_data": [
{
"version_affected": "?\u003c",
"version_value": "4.12"
},
{
"version_affected": "\u003e=",
"version_value": "4.12.x"
},
{
"version_affected": "!\u003e",
"version_value": "4.14.x"
}
]
}
}
]
},
"vendor_name": "Xen"
}
]
}
},
"configuration": {
"configuration_data": {
"description": {
"description_data": [
{
"lang": "eng",
"value": "All Xen versions from 4.0 onwards are affected. Xen versions 3.4 and\nolder are not affected.\n\nOnly x86 HVM and PVH guests permitted to use grant table version 2\ninterfaces can leverage this vulnerability. x86 PV guests cannot\nleverage this vulnerability. On Arm, grant table v2 use is explicitly\nunsupported."
}
]
}
}
},
"credit": {
"credit_data": {
"description": {
"description_data": [
{
"lang": "eng",
"value": "This issue was discovered by Julien Grall of Amazon."
}
]
}
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Another race in XENMAPSPACE_grant_table handling Guests are permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, are de-allocated when a guest switches (back) from v2 to v1. Freeing such pages requires that the hypervisor enforce that no parallel request can result in the addition of a mapping of such a page to a guest. That enforcement was missing, allowing guests to retain access to pages that were freed and perhaps re-used for other purposes. Unfortunately, when XSA-379 was being prepared, this similar issue was not noticed."
}
]
},
"impact": {
"impact_data": {
"description": {
"description_data": [
{
"lang": "eng",
"value": "A malicious guest may be able to elevate its privileges to that of the\nhost, cause host or guest Denial of Service (DoS), or cause information\nleaks."
}
]
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "unknown"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://xenbits.xenproject.org/xsa/advisory-384.txt",
"refsource": "MISC",
"url": "https://xenbits.xenproject.org/xsa/advisory-384.txt"
},
{
"name": "http://xenbits.xen.org/xsa/advisory-384.html",
"refsource": "CONFIRM",
"url": "http://xenbits.xen.org/xsa/advisory-384.html"
},
{
"name": "[oss-security] 20210908 Xen Security Advisory 384 v3 (CVE-2021-28701) - Another race in XENMAPSPACE_grant_table handling",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/09/08/2"
},
{
"name": "FEDORA-2021-11577e5229",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L4MI3MQAPGILCLXBGQWPZHGE3ALSO4ZU/"
},
{
"name": "FEDORA-2021-fed53cbc7d",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CEHZLIR5DFYYQBH55AERWHLO54OFU42C/"
},
{
"name": "DSA-4977",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4977"
},
{
"name": "FEDORA-2021-5a0c7bc619",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HEHUIUWSSMCQGQY3GWX4J2SZGYP5W2Z/"
},
{
"name": "GLSA-202208-23",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202208-23"
}
]
},
"workaround": {
"workaround_data": {
"description": {
"description_data": [
{
"lang": "eng",
"value": "Running only PV guests will avoid this vulnerability.\n\nSuppressing use of grant table v2 interfaces for HVM or PVH guests will\nalso avoid this vulnerability."
}
]
}
}
}
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2021-28701",
"datePublished": "2021-09-08T13:02:28",
"dateReserved": "2021-03-18T00:00:00",
"dateUpdated": "2024-08-03T21:47:33.200Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-28694 (GCVE-0-2021-28694)
Vulnerability from cvelistv5
Published
2021-08-27 18:46
Modified
2024-08-03 21:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- unknown
Summary
IOMMU page mapping issues on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Both AMD and Intel allow ACPI tables to specify regions of memory which should be left untranslated, which typically means these addresses should pass the translation phase unaltered. While these are typically device specific ACPI properties, they can also be specified to apply to a range of devices, or even all devices. On all systems with such regions Xen failed to prevent guests from undoing/replacing such mappings (CVE-2021-28694). On AMD systems, where a discontinuous range is specified by firmware, the supposedly-excluded middle range will also be identity-mapped (CVE-2021-28695). Further, on AMD systems, upon de-assigment of a physical device from a guest, the identity mappings would be left in place, allowing a guest continued access to ranges of memory which it shouldn't have access to anymore (CVE-2021-28696).
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:47:33.139Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://xenbits.xenproject.org/xsa/advisory-378.txt"
},
{
"name": "[oss-security] 20210901 Xen Security Advisory 378 v3 (CVE-2021-28694,CVE-2021-28695,CVE-2021-28696) - IOMMU page mapping issues on x86",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/09/01/1"
},
{
"name": "[oss-security] 20210901 Re: Xen Security Advisory 378 v3 (CVE-2021-28694,CVE-2021-28695,CVE-2021-28696) - IOMMU page mapping issues on x86",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/09/01/5"
},
{
"name": "[oss-security] 20210901 Re: Xen Security Advisory 378 v3 (CVE-2021-28694,CVE-2021-28695,CVE-2021-28696) - IOMMU page mapping issues on x86",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/09/01/6"
},
{
"name": "FEDORA-2021-4f129cc0c1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LPRVHW4J4ZCPPOHZEWP5MOJT7XDGFFPJ/"
},
{
"name": "FEDORA-2021-d68ed12e46",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FZCNPSRPGFCQRYE2BI4D4Q4SCE56ANV2/"
},
{
"name": "DSA-4977",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4977"
},
{
"name": "FEDORA-2021-081f9bf5d2",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2VQCFAPBNGBBAOMJZG6QBREOG5IIDZID/"
},
{
"name": "GLSA-202208-23",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202208-23"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "xen",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "4.11.x"
}
]
},
{
"product": "xen",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "xen-unstable"
}
]
},
{
"product": "xen",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "4.12.x"
}
]
},
{
"product": "xen",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "4.14.x"
}
]
},
{
"product": "xen",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "4.15.x"
}
]
},
{
"product": "xen",
"vendor": "Xen",
"versions": [
{
"status": "affected",
"version": "4.13.x"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "{\u0027credit_data\u0027: {\u0027description\u0027: {\u0027description_data\u0027: [{\u0027lang\u0027: \u0027eng\u0027, \u0027value\u0027: \u0027This issue was discovered by Jan Beulich of SUSE.\u0027}]}}}"
}
],
"descriptions": [
{
"lang": "en",
"value": "IOMMU page mapping issues on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Both AMD and Intel allow ACPI tables to specify regions of memory which should be left untranslated, which typically means these addresses should pass the translation phase unaltered. While these are typically device specific ACPI properties, they can also be specified to apply to a range of devices, or even all devices. On all systems with such regions Xen failed to prevent guests from undoing/replacing such mappings (CVE-2021-28694). On AMD systems, where a discontinuous range is specified by firmware, the supposedly-excluded middle range will also be identity-mapped (CVE-2021-28695). Further, on AMD systems, upon de-assigment of a physical device from a guest, the identity mappings would be left in place, allowing a guest continued access to ranges of memory which it shouldn\u0027t have access to anymore (CVE-2021-28696)."
}
],
"metrics": [
{
"other": {
"content": {
"description": {
"description_data": [
{
"lang": "eng",
"value": "The precise impact is system specific, but can - on affected systems -\nbe any or all of privilege escalation, denial of service, or information\nleaks."
}
]
}
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "unknown",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-14T20:11:57",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://xenbits.xenproject.org/xsa/advisory-378.txt"
},
{
"name": "[oss-security] 20210901 Xen Security Advisory 378 v3 (CVE-2021-28694,CVE-2021-28695,CVE-2021-28696) - IOMMU page mapping issues on x86",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/09/01/1"
},
{
"name": "[oss-security] 20210901 Re: Xen Security Advisory 378 v3 (CVE-2021-28694,CVE-2021-28695,CVE-2021-28696) - IOMMU page mapping issues on x86",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/09/01/5"
},
{
"name": "[oss-security] 20210901 Re: Xen Security Advisory 378 v3 (CVE-2021-28694,CVE-2021-28695,CVE-2021-28696) - IOMMU page mapping issues on x86",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/09/01/6"
},
{
"name": "FEDORA-2021-4f129cc0c1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LPRVHW4J4ZCPPOHZEWP5MOJT7XDGFFPJ/"
},
{
"name": "FEDORA-2021-d68ed12e46",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FZCNPSRPGFCQRYE2BI4D4Q4SCE56ANV2/"
},
{
"name": "DSA-4977",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4977"
},
{
"name": "FEDORA-2021-081f9bf5d2",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2VQCFAPBNGBBAOMJZG6QBREOG5IIDZID/"
},
{
"name": "GLSA-202208-23",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202208-23"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@xen.org",
"ID": "CVE-2021-28694",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "xen",
"version": {
"version_data": [
{
"version_value": "4.11.x"
}
]
}
},
{
"product_name": "xen",
"version": {
"version_data": [
{
"version_value": "xen-unstable"
}
]
}
},
{
"product_name": "xen",
"version": {
"version_data": [
{
"version_value": "4.12.x"
}
]
}
},
{
"product_name": "xen",
"version": {
"version_data": [
{
"version_value": "4.14.x"
}
]
}
},
{
"product_name": "xen",
"version": {
"version_data": [
{
"version_value": "4.15.x"
}
]
}
},
{
"product_name": "xen",
"version": {
"version_data": [
{
"version_value": "4.13.x"
}
]
}
}
]
},
"vendor_name": "Xen"
}
]
}
},
"configuration": {
"configuration_data": {
"description": {
"description_data": [
{
"lang": "eng",
"value": "The vulnerability is only exploitable by guests granted access to\nphysical devices (ie, via PCI passthrough).\n\nAll versions of Xen are affected.\n\nOnly x86 systems with IOMMUs and with firmware specifying memory regions\nto be identity mapped are affected. Other x86 systems are not affected.\n\nWhether a particular system whose ACPI tables declare such memory\nregion(s) is actually affected cannot be known without knowing when\nand/or how these regions are used. For example, if these regions were\nused only during system boot, there would not be any vulnerability.\nThe necessary knowledge can only be obtained from, collectively, the\nhardware and firmware manufacturers.\n\nOn Arm hardware IOMMU use is not security supported. Accordingly, we\nhave not undertaken an analysis of these issues for Arm systems."
}
]
}
}
},
"credit": {
"credit_data": {
"description": {
"description_data": [
{
"lang": "eng",
"value": "This issue was discovered by Jan Beulich of SUSE."
}
]
}
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "IOMMU page mapping issues on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Both AMD and Intel allow ACPI tables to specify regions of memory which should be left untranslated, which typically means these addresses should pass the translation phase unaltered. While these are typically device specific ACPI properties, they can also be specified to apply to a range of devices, or even all devices. On all systems with such regions Xen failed to prevent guests from undoing/replacing such mappings (CVE-2021-28694). On AMD systems, where a discontinuous range is specified by firmware, the supposedly-excluded middle range will also be identity-mapped (CVE-2021-28695). Further, on AMD systems, upon de-assigment of a physical device from a guest, the identity mappings would be left in place, allowing a guest continued access to ranges of memory which it shouldn\u0027t have access to anymore (CVE-2021-28696)."
}
]
},
"impact": {
"impact_data": {
"description": {
"description_data": [
{
"lang": "eng",
"value": "The precise impact is system specific, but can - on affected systems -\nbe any or all of privilege escalation, denial of service, or information\nleaks."
}
]
}
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "unknown"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://xenbits.xenproject.org/xsa/advisory-378.txt",
"refsource": "MISC",
"url": "https://xenbits.xenproject.org/xsa/advisory-378.txt"
},
{
"name": "[oss-security] 20210901 Xen Security Advisory 378 v3 (CVE-2021-28694,CVE-2021-28695,CVE-2021-28696) - IOMMU page mapping issues on x86",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/09/01/1"
},
{
"name": "[oss-security] 20210901 Re: Xen Security Advisory 378 v3 (CVE-2021-28694,CVE-2021-28695,CVE-2021-28696) - IOMMU page mapping issues on x86",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/09/01/5"
},
{
"name": "[oss-security] 20210901 Re: Xen Security Advisory 378 v3 (CVE-2021-28694,CVE-2021-28695,CVE-2021-28696) - IOMMU page mapping issues on x86",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/09/01/6"
},
{
"name": "FEDORA-2021-4f129cc0c1",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LPRVHW4J4ZCPPOHZEWP5MOJT7XDGFFPJ/"
},
{
"name": "FEDORA-2021-d68ed12e46",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FZCNPSRPGFCQRYE2BI4D4Q4SCE56ANV2/"
},
{
"name": "DSA-4977",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4977"
},
{
"name": "FEDORA-2021-081f9bf5d2",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VQCFAPBNGBBAOMJZG6QBREOG5IIDZID/"
},
{
"name": "GLSA-202208-23",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202208-23"
}
]
},
"workaround": {
"workaround_data": {
"description": {
"description_data": [
{
"lang": "eng",
"value": "Not permitting untrusted guests access to phsyical devices will avoid\nthe vulnerability.\n\nLikewise, limiting untrusted guest access to physical devices whose\nfirmware-provided ACPI tables declare identity mappings, will avoid\nthe vulnerability. (Provided that there are no identity mapped\nregions which are specified by the ACPI tables to apply globally.)\n\nNote that a system is still vulnerable if a guest was trusted, while\nit had such a device assigned, and then has the device removed in\nanticipation of the guest becoming untrusted (because of, for example,\nthe insertion of an untrusted kernel module),"
}
]
}
}
}
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2021-28694",
"datePublished": "2021-08-27T18:46:32",
"dateReserved": "2021-03-18T00:00:00",
"dateUpdated": "2024-08-03T21:47:33.139Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…