An issue was discovered in Xen 4.4.x through 4.9.x allowing ARM guest OS users to cause a denial of service (prevent physical CPU usage) because of lock mishandling upon detection of an add-to-physmap error.

According to its self-reported version number, the Xen hypervisor installed on the remote host is affected by an unspecified flaw that is triggered when, as a new CPU is brought online, it copies certain selector fields from CPU0's Interrupt Descriptor Table (IDT) while CPU0 is in HVM context. This may result in incorrect values being copied, allowing an attacker on the guest to cause a denial of service or gain elevated privileges on the host.

Note that Nessus has checked the changeset versions based on the xen.git change log. Nessus did not check guest hardware configurations or if patches were applied manually to the source code before a recompile and reinstall.

According to its self-reported version number, the Xen hypervisor installed on the remote host is affected by an unspecified flaw in mm/shadow/multi.c that is triggered during the handling of self-linear shadow mappings with translated guests. This may allow an attacker on the guest to cause a denial of service or gain  elevated privileges on the host.

Note that Nessus has checked the changeset versions based on the xen.git change log. Nessus did not check guest hardware configurations or if patches were applied manually to the source code before a recompile and reinstall.

According to its self-reported version number, the Xen hypervisor installed on the remote host is affected by an unspecified flaw in arch/x86/mm.c that is triggered as page type  references are not properly handled when performing certain cleanup operations. This allows an attacker on the guest to consume excessive memory, resulting in a denial of service for the host.

Note that Nessus has checked the changeset versions based on the xen.git change log. Nessus did not check guest hardware configurations or if patches were applied manually to the source code before a recompile and reinstall.

According to its self-reported version number, the Xen hypervisor installed on the remote host is affected by a race condition that is triggered when handling TLB flush requests. This allows an attacker on the guest to access all system memory,  allowing them to cause a denial of service, disclose sensitive information, or gain elevated privileges on the host.

Note that Nessus has checked the changeset versions based on the xen.git change log. Nessus did not check guest hardware configurations or if patches were applied manually to the source code before a recompile and reinstall.

According to its self-reported version number, the Xen hypervisor installed on the remote host is affected by a stack overflow vulnerability that is triggered when recursion is not properly handled when de-typing linear pagetables. By stacking multiple layers of page tables, an attacker within a guest can cause a stack overflow, resulting in the Xen process to crash.

Note that Nessus has checked the changeset versions based on the xen.git change log. Nessus did not check guest hardware configurations or if patches were applied manually to the source code before a recompile and reinstall.

According to its self-reported version number, the Xen hypervisor installed on the remote host is affected by an unspecified flaw in the hvmemul_do_io() function in arch/x86/hvm/emulate.c that is triggered as an internal structure may contain data from an uninitialized hypervisor stack slot. This may allow an attacker on the guest to gain access to potentially sensitive information from the host.

Note that Nessus has checked the changeset versions based on the xen.git change log. Nessus did not check guest hardware configurations or if patches were applied manually to the source code before a recompile and reinstall.

According to its self-reported version number, the Xen hypervisor installed on the remote host is affected by unspecified flaws in arch/x86/hvm/ioreq.c that is triggered when handling DMOPs. This may allow an attacker within a  guest to consume excessive resources.

Note this can only be exploited by domains controlling HVM guests.

Note that Nessus has checked the changeset versions based on the xen.git change log. Nessus did not check guest hardware configurations or if patches were applied manually to the source code before a recompile and reinstall.

According to its self-reported version number, the Xen hypervisor installed on the remote host is affected by multiple vulnerabilities related to the setup of PCI MSI interrupts, which may allow an attacker on the guest to cause a denial of service on the host, potentially disclose sensitive information from the host, or potentially gain elevated privileges on the host.

Note that Nessus has checked the changeset versions based on the xen.git change log. Nessus did not check guest hardware configurations or if patches were applied manually to the source code before a recompile and reinstall.

Multiple vulnerabilities have been discovered in the Xen hypervisor :

  - CVE-2017-10912     Jann Horn discovered that incorrectly handling of page     transfers might result in privilege escalation.

  - CVE-2017-10913 / CVE-2017-10914     Jann Horn discovered that race conditions in grant     handling might result in information leaks or privilege     escalation.

  - CVE-2017-10915     Andrew Cooper discovered that incorrect reference     counting with shadow paging might result in privilege     escalation.

  - CVE-2017-10916     Andrew Cooper discovered an information leak in the     handling of the Memory Protection Extensions (MPX) and     Protection Key (PKU) CPU features. This only affects     Debian stretch.

  - CVE-2017-10917     Ankur Arora discovered a NULL pointer dereference in     event polling, resulting in denial of service.

  - CVE-2017-10918     Julien Grall discovered that incorrect error handling in     physical-to-machine memory mappings may result in     privilege escalation, denial of service or an     information leak.

  - CVE-2017-10919     Julien Grall discovered that incorrect handling of     virtual interrupt injection on ARM systems may result in     denial of service.

  - CVE-2017-10920 / CVE-2017-10921 / CVE-2017-10922     Jan Beulich discovered multiple places where reference     counting on grant table operations was incorrect,     resulting in potential privilege escalation.

  - CVE-2017-12135     Jan Beulich found multiple problems in the handling of     transitive grants which could result in denial of     service and potentially privilege escalation.

  - CVE-2017-12136     Ian Jackson discovered that race conditions in the     allocator for grant mappings may result in denial of     service or privilege escalation. This only affects     Debian stretch.

  - CVE-2017-12137     Andrew Cooper discovered that incorrect validation of     grants may result in privilege escalation.

  - CVE-2017-12855     Jan Beulich discovered that incorrect grant status     handling, thus incorrectly informing the guest that the     grant is no longer in use.

  - XSA-235 (no CVE yet)

    Wei Liu discovered that incorrect locking of     add-to-physmap operations on ARM may result in denial of     service.

ID	Name	Product	Family	Severity
103979	Xen Hypervisor New CPU Interrupt Descriptor Table (IDT) Copy Handling Guest-to-Host Privilege Escalation (XSA-244)	Nessus	Misc.	high
103978	Xen Hypervisor Translated Guest Self-linear Shadow Mapping Handling Guest-to-Host Privilege Escalation (XSA-243)	Nessus	Misc.	high
103977	Xen Hypervisor Page Type Reference Handling Memory Exhaustion Guest-to-Host DoS (XSA-242)	Nessus	Misc.	high
103976	Xen Hypervisor TLB Flush Request Handling Race Condition System Memory Access Guest-to-Host Privilege Escalation (XSA-241)	Nessus	Misc.	high
103975	Xen Hypervisor Pagetable De-typing Recursion Handling Guest-to-Host DoS (XSA-240)	Nessus	Misc.	high
103974	Xen Hypervisor I/O Intercept Code Hypervisor Stack Guest-to-Host Information Disclosure (XSA-239)	Nessus	Misc.	high
103973	Xen Hypervisor Multiple Functions DMOP Handling Guest-to-Host DoS (XSA-238)	Nessus	Misc.	high
103972	Xen Hypervisor PCI MSI Interrupt Setup Multiple Guest-to-Host Privilege Escalation (XSA-237)	Nessus	Misc.	high
103146	Debian DSA-3969-1 : xen - security update	Nessus	Debian Local Security Checks	critical

Detections

Analytics

CVE-2017-15596

medium

Tenable Plugins

high

high

high

high

high

high

high

high

critical