This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor Xen First view 2009-05-22
Product Xen Last view 2020-09-23
Version Type Os
Update  
Edition  
Language  
Sofware Edition  
Target Software  
Target Hardware  
Other  

Activity : Overall

COMMON PLATFORM ENUMERATION: Repartition per Version

CPE Name Affected CVE
cpe:2.3:o:xen:xen:4.2.0:*:*:*:*:*:*:* 225
cpe:2.3:o:xen:xen:4.1.0:*:*:*:*:*:*:* 213
cpe:2.3:o:xen:xen:4.2.1:*:*:*:*:*:*:* 198
cpe:2.3:o:xen:xen:4.1.1:*:*:*:*:*:*:* 197
cpe:2.3:o:xen:xen:4.1.2:*:*:*:*:*:*:* 196
cpe:2.3:o:xen:xen:4.2.2:*:*:*:*:*:*:* 196
cpe:2.3:o:xen:xen:4.1.3:*:*:*:*:*:*:* 195
cpe:2.3:o:xen:xen:4.0.0:*:*:*:*:*:*:* 194
cpe:2.3:o:xen:xen:4.1.4:*:*:*:*:*:*:* 188
cpe:2.3:o:xen:xen:4.3.0:*:*:*:*:*:*:* 188
cpe:2.3:o:xen:xen:4.1.5:*:*:*:*:*:*:* 183
cpe:2.3:o:xen:xen:4.4.0:*:*:*:*:*:*:* 181
cpe:2.3:o:xen:xen:4.0.3:*:*:*:*:*:*:* 179
cpe:2.3:o:xen:xen:4.0.4:*:*:*:*:*:*:* 179
cpe:2.3:o:xen:xen:4.0.1:*:*:*:*:*:*:* 179
cpe:2.3:o:xen:xen:4.0.2:*:*:*:*:*:*:* 178
cpe:2.3:o:xen:xen:4.2.3:*:*:*:*:*:*:* 178
cpe:2.3:o:xen:xen:4.3.1:*:*:*:*:*:*:* 177
cpe:2.3:o:xen:xen:4.1.6.1:*:*:*:*:*:*:* 168
cpe:2.3:o:xen:xen:3.4.0:*:*:*:*:*:*:* 167
cpe:2.3:o:xen:xen:3.4.1:*:*:*:*:*:*:* 165
cpe:2.3:o:xen:xen:3.4.4:*:*:*:*:*:*:* 165
cpe:2.3:o:xen:xen:3.4.2:*:*:*:*:*:*:* 165
cpe:2.3:o:xen:xen:3.4.3:*:*:*:*:*:*:* 165
cpe:2.3:o:xen:xen:3.3.0:*:*:*:*:*:*:* 160
cpe:2.3:o:xen:xen:4.5.0:*:*:*:*:*:*:* 159
cpe:2.3:o:xen:xen:3.3.1:*:*:*:*:*:*:* 157
cpe:2.3:o:xen:xen:3.3.2:*:*:*:*:*:*:* 156
cpe:2.3:o:xen:xen:4.4.0:rc1:*:*:*:*:*:* 152
cpe:2.3:o:xen:xen:3.2.2:*:*:*:*:*:*:* 149
cpe:2.3:o:xen:xen:3.2.3:*:*:*:*:*:*:* 149
cpe:2.3:o:xen:xen:3.2.1:*:*:*:*:*:*:* 149
cpe:2.3:o:xen:xen:3.2.0:*:*:*:*:*:*:* 148
cpe:2.3:o:xen:xen:*:*:*:*:*:*:*:* 144
cpe:2.3:o:xen:xen:4.3.2:*:*:*:*:*:*:* 143
cpe:2.3:o:xen:xen:-:*:*:*:*:*:*:* 142
cpe:2.3:o:xen:xen:4.3.4:*:*:*:*:*:*:* 141
cpe:2.3:o:xen:xen:4.5.1:*:*:*:*:*:*:* 141
cpe:2.3:o:xen:xen:4.6.0:*:*:*:*:*:*:* 141
cpe:2.3:o:xen:xen:3.1.3:*:*:*:*:*:*:* 140
cpe:2.3:o:xen:xen:3.1.4:*:*:*:*:*:*:* 140
cpe:2.3:o:xen:xen:3.0.3:*:*:*:*:*:*:* 138
cpe:2.3:o:xen:xen:3.0.4:*:*:*:*:*:*:* 137
cpe:2.3:o:xen:xen:4.4.1:*:*:*:*:*:*:* 137
cpe:2.3:o:xen:xen:3.0.2:*:*:*:*:*:*:* 136
cpe:2.3:o:xen:xen:4.1.6:*:*:*:*:*:*:* 136
cpe:2.3:o:xen:xen:2.2.0:*:*:*:*:*:*:* 135
cpe:2.3:o:xen:xen:4.4.1:-:*:*:*:*:*:* 134
cpe:2.3:o:xen:xen:-:*:~~~~x86~:*:*:*:*:* 134
cpe:2.3:o:xen:xen:-:*:*:*:*:*:x86:* 134

Related : CVE

This CPE Product have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
  Date Alert Description
4.7 2020-09-23 CVE-2020-25604

An issue was discovered in Xen through 4.14.x. There is a race condition when migrating timers between x86 HVM vCPUs. When migrating timers of x86 HVM guests between its vCPUs, the locking model used allows for a second vCPU of the same guest (also operating on the timers) to release a lock that it didn't acquire. The most likely effect of the issue is a hang or crash of the hypervisor, i.e., a Denial of Service (DoS). All versions of Xen are affected. Only x86 systems are vulnerable. Arm systems are not vulnerable. Only x86 HVM guests can leverage the vulnerability. x86 PV and PVH cannot leverage the vulnerability. Only guests with more than one vCPU can exploit the vulnerability.

7.8 2020-09-23 CVE-2020-25603

An issue was discovered in Xen through 4.14.x. There are missing memory barriers when accessing/allocating an event channel. Event channels control structures can be accessed lockless as long as the port is considered to be valid. Such a sequence is missing an appropriate memory barrier (e.g., smp_*mb()) to prevent both the compiler and CPU from re-ordering access. A malicious guest may be able to cause a hypervisor crash resulting in a Denial of Service (DoS). Information leak and privilege escalation cannot be excluded. Systems running all versions of Xen are affected. Whether a system is vulnerable will depend on the CPU and compiler used to build Xen. For all systems, the presence and the scope of the vulnerability depend on the precise re-ordering performed by the compiler used to build Xen. We have not been able to survey compilers; consequently we cannot say which compiler(s) might produce vulnerable code (with which code generation options). GCC documentation clearly suggests that re-ordering is possible. Arm systems will also be vulnerable if the CPU is able to re-order memory access. Please consult your CPU vendor. x86 systems are only vulnerable if a compiler performs re-ordering.

6 2020-09-23 CVE-2020-25602

An issue was discovered in Xen through 4.14.x. An x86 PV guest can trigger a host OS crash when handling guest access to MSR_MISC_ENABLE. When a guest accesses certain Model Specific Registers, Xen first reads the value from hardware to use as the basis for auditing the guest access. For the MISC_ENABLE MSR, which is an Intel specific MSR, this MSR read is performed without error handling for a #GP fault, which is the consequence of trying to read this MSR on non-Intel hardware. A buggy or malicious PV guest administrator can crash Xen, resulting in a host Denial of Service. Only x86 systems are vulnerable. ARM systems are not vulnerable. Only Xen versions 4.11 and onwards are vulnerable. 4.10 and earlier are not vulnerable. Only x86 systems that do not implement the MISC_ENABLE MSR (0x1a0) are vulnerable. AMD and Hygon systems do not implement this MSR and are vulnerable. Intel systems do implement this MSR and are not vulnerable. Other manufacturers have not been checked. Only x86 PV guests can exploit the vulnerability. x86 HVM/PVH guests cannot exploit the vulnerability.

5.5 2020-09-23 CVE-2020-25601

An issue was discovered in Xen through 4.14.x. There is a lack of preemption in evtchn_reset() / evtchn_destroy(). In particular, the FIFO event channel model allows guests to have a large number of event channels active at a time. Closing all of these (when resetting all event channels or when cleaning up after the guest) may take extended periods of time. So far, there was no arrangement for preemption at suitable intervals, allowing a CPU to spend an almost unbounded amount of time in the processing of these operations. Malicious or buggy guest kernels can mount a Denial of Service (DoS) attack affecting the entire system. All Xen versions are vulnerable in principle. Whether versions 4.3 and older are vulnerable depends on underlying hardware characteristics.

5.5 2020-09-23 CVE-2020-25600

An issue was discovered in Xen through 4.14.x. Out of bounds event channels are available to 32-bit x86 domains. The so called 2-level event channel model imposes different limits on the number of usable event channels for 32-bit x86 domains vs 64-bit or Arm (either bitness) ones. 32-bit x86 domains can use only 1023 channels, due to limited space in their shared (between guest and Xen) information structure, whereas all other domains can use up to 4095 in this model. The recording of the respective limit during domain initialization, however, has occurred at a time where domains are still deemed to be 64-bit ones, prior to actually honoring respective domain properties. At the point domains get recognized as 32-bit ones, the limit didn't get updated accordingly. Due to this misbehavior in Xen, 32-bit domains (including Domain 0) servicing other domains may observe event channel allocations to succeed when they should really fail. Subsequent use of such event channels would then possibly lead to corruption of other parts of the shared info structure. An unprivileged guest may cause another domain, in particular Domain 0, to misbehave. This may lead to a Denial of Service (DoS) for the entire system. All Xen versions from 4.4 onwards are vulnerable. Xen versions 4.3 and earlier are not vulnerable. Only x86 32-bit domains servicing other domains are vulnerable. Arm systems, as well as x86 64-bit domains, are not vulnerable.

7 2020-09-23 CVE-2020-25599

An issue was discovered in Xen through 4.14.x. There are evtchn_reset() race conditions. Uses of EVTCHNOP_reset (potentially by a guest on itself) or XEN_DOMCTL_soft_reset (by itself covered by XSA-77) can lead to the violation of various internal assumptions. This may lead to out of bounds memory accesses or triggering of bug checks. In particular, x86 PV guests may be able to elevate their privilege to that of the host. Host and guest crashes are also possible, leading to a Denial of Service (DoS). Information leaks cannot be ruled out. All Xen versions from 4.5 onwards are vulnerable. Xen versions 4.4 and earlier are not vulnerable.

5.5 2020-09-23 CVE-2020-25598

An issue was discovered in Xen 4.14.x. There is a missing unlock in the XENMEM_acquire_resource error path. The RCU (Read, Copy, Update) mechanism is a synchronisation primitive. A buggy error path in the XENMEM_acquire_resource exits without releasing an RCU reference, which is conceptually similar to forgetting to unlock a spinlock. A buggy or malicious HVM stubdomain can cause an RCU reference to be leaked. This causes subsequent administration operations, (e.g., CPU offline) to livelock, resulting in a host Denial of Service. The buggy codepath has been present since Xen 4.12. Xen 4.14 and later are vulnerable to the DoS. The side effects are believed to be benign on Xen 4.12 and 4.13, but patches are provided nevertheless. The vulnerability can generally only be exploited by x86 HVM VMs, as these are generally the only type of VM that have a Qemu stubdomain. x86 PV and PVH domains, as well as ARM VMs, typically don't use a stubdomain. Only VMs using HVM stubdomains can exploit the vulnerability. VMs using PV stubdomains, or with emulators running in dom0, cannot exploit the vulnerability.

6.5 2020-09-23 CVE-2020-25597

An issue was discovered in Xen through 4.14.x. There is mishandling of the constraint that once-valid event channels may not turn invalid. Logic in the handling of event channel operations in Xen assumes that an event channel, once valid, will not become invalid over the life time of a guest. However, operations like the resetting of all event channels may involve decreasing one of the bounds checked when determining validity. This may lead to bug checks triggering, crashing the host. An unprivileged guest may be able to crash Xen, leading to a Denial of Service (DoS) for the entire system. All Xen versions from 4.4 onwards are vulnerable. Xen versions 4.3 and earlier are not vulnerable. Only systems with untrusted guests permitted to create more than the default number of event channels are vulnerable. This number depends on the architecture and type of guest. For 32-bit x86 PV guests, this is 1023; for 64-bit x86 PV guests, and for all ARM guests, this number is 4095. Systems where untrusted guests are limited to fewer than this number are not vulnerable. Note that xl and libxl limit max_event_channels to 1023 by default, so systems using exclusively xl, libvirt+libxl, or their own toolstack based on libxl, and not explicitly setting max_event_channels, are not vulnerable.

5.5 2020-09-23 CVE-2020-25596

An issue was discovered in Xen through 4.14.x. x86 PV guest kernels can experience denial of service via SYSENTER. The SYSENTER instruction leaves various state sanitization activities to software. One of Xen's sanitization paths injects a #GP fault, and incorrectly delivers it twice to the guest. This causes the guest kernel to observe a kernel-privilege #GP fault (typically fatal) rather than a user-privilege #GP fault (usually converted into SIGSEGV/etc.). Malicious or buggy userspace can crash the guest kernel, resulting in a VM Denial of Service. All versions of Xen from 3.2 onwards are vulnerable. Only x86 systems are vulnerable. ARM platforms are not vulnerable. Only x86 systems that support the SYSENTER instruction in 64bit mode are vulnerable. This is believed to be Intel, Centaur, and Shanghai CPUs. AMD and Hygon CPUs are not believed to be vulnerable. Only x86 PV guests can exploit the vulnerability. x86 PVH / HVM guests cannot exploit the vulnerability.

7.8 2020-09-23 CVE-2020-25595

An issue was discovered in Xen through 4.14.x. The PCI passthrough code improperly uses register data. Code paths in Xen's MSI handling have been identified that act on unsanitized values read back from device hardware registers. While devices strictly compliant with PCI specifications shouldn't be able to affect these registers, experience shows that it's very common for devices to have out-of-spec "backdoor" operations that can affect the result of these reads. A not fully trusted guest may be able to crash Xen, leading to a Denial of Service (DoS) for the entire system. Privilege escalation and information leaks cannot be excluded. All versions of Xen supporting PCI passthrough are affected. Only x86 systems are vulnerable. Arm systems are not vulnerable. Only guests with passed through PCI devices may be able to leverage the vulnerability. Only systems passing through devices with out-of-spec ("backdoor") functionality can cause issues. Experience shows that such out-of-spec functionality is common; unless you have reason to believe that your device does not have such functionality, it's better to assume that it does.

7.8 2020-07-20 CVE-2020-15852

An issue was discovered in the Linux kernel 5.5 through 5.7.9, as used in Xen through 4.13.x for x86 PV guests. An attacker may be granted the I/O port permissions of an unrelated task. This occurs because tss_invalidate_io_bitmap mishandling causes a loss of synchronization between the I/O bitmaps of TSS and Xen, aka CID-cadfad870154.

7.8 2020-07-07 CVE-2020-15567

An issue was discovered in Xen through 4.13.x, allowing Intel guest OS users to gain privileges or cause a denial of service because of non-atomic modification of a live EPT PTE. When mapping guest EPT (nested paging) tables, Xen would in some circumstances use a series of non-atomic bitfield writes. Depending on the compiler version and optimisation flags, Xen might expose a dangerous partially written PTE to the hardware, which an attacker might be able to race to exploit. A guest administrator or perhaps even an unprivileged guest user might be able to cause denial of service, data corruption, or privilege escalation. Only systems using Intel CPUs are vulnerable. Systems using AMD CPUs, and Arm systems, are not vulnerable. Only systems using nested paging (hap, aka nested paging, aka in this case Intel EPT) are vulnerable. Only HVM and PVH guests can exploit the vulnerability. The presence and scope of the vulnerability depends on the precise optimisations performed by the compiler used to build Xen. If the compiler generates (a) a single 64-bit write, or (b) a series of read-modify-write operations in the same order as the source code, the hypervisor is not vulnerable. For example, in one test build using GCC 8.3 with normal settings, the compiler generated multiple (unlocked) read-modify-write operations in source-code order, which did not constitute a vulnerability. We have not been able to survey compilers; consequently we cannot say which compiler(s) might produce vulnerable code (with which code-generation options). The source code clearly violates the C rules, and thus should be considered vulnerable.

6.5 2020-07-07 CVE-2020-15566

An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a host OS crash because of incorrect error handling in event-channel port allocation. The allocation of an event-channel port may fail for multiple reasons: (1) port is already in use, (2) the memory allocation failed, or (3) the port we try to allocate is higher than what is supported by the ABI (e.g., 2L or FIFO) used by the guest or the limit set by an administrator (max_event_channels in xl cfg). Due to the missing error checks, only (1) will be considered an error. All the other cases will provide a valid port and will result in a crash when trying to access the event channel. When the administrator configured a guest to allow more than 1023 event channels, that guest may be able to crash the host. When Xen is out-of-memory, allocation of new event channels will result in crashing the host rather than reporting an error. Xen versions 4.10 and later are affected. All architectures are affected. The default configuration, when guests are created with xl/libxl, is not vulnerable, because of the default event-channel limit.

8.8 2020-07-07 CVE-2020-15565

An issue was discovered in Xen through 4.13.x, allowing x86 Intel HVM guest OS users to cause a host OS denial of service or possibly gain privileges because of insufficient cache write-back under VT-d. When page tables are shared between IOMMU and CPU, changes to them require flushing of both TLBs. Furthermore, IOMMUs may be non-coherent, and hence prior to flushing IOMMU TLBs, a CPU cache also needs writing back to memory after changes were made. Such writing back of cached data was missing in particular when splitting large page mappings into smaller granularity ones. A malicious guest may be able to retain read/write DMA access to frames returned to Xen's free pool, and later reused for another purpose. Host crashes (leading to a Denial of Service) and privilege escalation cannot be ruled out. Xen versions from at least 3.2 onwards are affected. Only x86 Intel systems are affected. x86 AMD as well as Arm systems are not affected. Only x86 HVM guests using hardware assisted paging (HAP), having a passed through PCI device assigned, and having page table sharing enabled can leverage the vulnerability. Note that page table sharing will be enabled (by default) only if Xen considers IOMMU and CPU large page size support compatible.

6.5 2020-07-07 CVE-2020-15564

An issue was discovered in Xen through 4.13.x, allowing Arm guest OS users to cause a hypervisor crash because of a missing alignment check in VCPUOP_register_vcpu_info. The hypercall VCPUOP_register_vcpu_info is used by a guest to register a shared region with the hypervisor. The region will be mapped into Xen address space so it can be directly accessed. On Arm, the region is accessed with instructions that require a specific alignment. Unfortunately, there is no check that the address provided by the guest will be correctly aligned. As a result, a malicious guest could cause a hypervisor crash by passing a misaligned address. A malicious guest administrator may cause a hypervisor crash, resulting in a Denial of Service (DoS). All Xen versions are vulnerable. Only Arm systems are vulnerable. x86 systems are not affected.

6.5 2020-07-07 CVE-2020-15563

An issue was discovered in Xen through 4.13.x, allowing x86 HVM guest OS users to cause a hypervisor crash. An inverted conditional in x86 HVM guests' dirty video RAM tracking code allows such guests to make Xen de-reference a pointer guaranteed to point at unmapped space. A malicious or buggy HVM guest may cause the hypervisor to crash, resulting in Denial of Service (DoS) affecting the entire host. Xen versions from 4.8 onwards are affected. Xen versions 4.7 and earlier are not affected. Only x86 systems are affected. Arm systems are not affected. Only x86 HVM guests using shadow paging can leverage the vulnerability. In addition, there needs to be an entity actively monitoring a guest's video frame buffer (typically for display purposes) in order for such a guest to be able to leverage the vulnerability. x86 PV guests, as well as x86 HVM guests using hardware assisted paging (HAP), cannot leverage the vulnerability.

5.5 2020-04-14 CVE-2020-11743

An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a denial of service because of a bad error path in GNTTABOP_map_grant. Grant table operations are expected to return 0 for success, and a negative number for errors. Some misplaced brackets cause one error path to return 1 instead of a negative value. The grant table code in Linux treats this condition as success, and proceeds with incorrectly initialised state. A buggy or malicious guest can construct its grant table in such a way that, when a backend domain tries to map a grant, it hits the incorrect error path. This will crash a Linux based dom0 or backend domain.

5.5 2020-04-14 CVE-2020-11742

An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a denial of service because of bad continuation handling in GNTTABOP_copy. Grant table operations are expected to return 0 for success, and a negative number for errors. The fix for CVE-2017-12135 introduced a path through grant copy handling where success may be returned to the caller without any action taken. In particular, the status fields of individual operations are left uninitialised, and may result in errant behaviour in the caller of GNTTABOP_copy. A buggy or malicious guest can construct its grant table in such a way that, when a backend domain tries to copy a grant, it hits the incorrect exit path. This returns success to the caller without doing anything, which may cause crashes or other incorrect behaviour.

8.8 2020-04-14 CVE-2020-11741

An issue was discovered in xenoprof in Xen through 4.13.x, allowing guest OS users (with active profiling) to obtain sensitive information about other guests, cause a denial of service, or possibly gain privileges. For guests for which "active" profiling was enabled by the administrator, the xenoprof code uses the standard Xen shared ring structure. Unfortunately, this code did not treat the guest as a potential adversary: it trusts the guest not to modify buffer size information or modify head / tail pointers in unexpected ways. This can crash the host (DoS). Privilege escalation cannot be ruled out.

5.5 2020-04-14 CVE-2020-11740

An issue was discovered in xenoprof in Xen through 4.13.x, allowing guest OS users (without active profiling) to obtain sensitive information about other guests. Unprivileged guests can request to map xenoprof buffers, even if profiling has not been enabled for those guests. These buffers were not scrubbed.

7.8 2020-04-14 CVE-2020-11739

An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a denial of service or possibly gain privileges because of missing memory barriers in read-write unlock paths. The read-write unlock paths don't contain a memory barrier. On Arm, this means a processor is allowed to re-order the memory access with the preceding ones. In other words, the unlock may be seen by another processor before all the memory accesses within the "critical" section. As a consequence, it may be possible to have a writer executing a critical section at the same time as readers or another writer. In other words, many of the assumptions (e.g., a variable cannot be modified after a check) in the critical sections are not safe anymore. The read-write locks are used in hypercalls (such as grant-table ones), so a malicious guest could exploit the race. For instance, there is a small window where Xen can leak memory if XENMAPSPACE_grant_table is used concurrently. A malicious guest may be able to leak memory, or cause a hypervisor crash resulting in a Denial of Service (DoS). Information leak and privilege escalation cannot be excluded.

3.5 2020-01-31 CVE-2015-6815

The process_tx_desc function in hw/net/e1000.c in QEMU before 2.4.0.1 does not properly process transmit descriptor data when sending a network packet, which allows attackers to cause a denial of service (infinite loop and guest crash) via unspecified vectors.

7.5 2019-12-11 CVE-2019-19583

An issue was discovered in Xen through 4.12.x allowing x86 HVM/PVH guest OS users to cause a denial of service (guest OS crash) because VMX VMEntry checks mishandle a certain case. Please see XSA-260 for background on the MovSS shadow. Please see XSA-156 for background on the need for #DB interception. The VMX VMEntry checks do not like the exact combination of state which occurs when #DB in intercepted, Single Stepping is active, and blocked by STI/MovSS is active, despite this being a legitimate state to be in. The resulting VMEntry failure is fatal to the guest. HVM/PVH guest userspace code may be able to crash the guest, resulting in a guest Denial of Service. All versions of Xen are affected. Only systems supporting VMX hardware virtual extensions (Intel, Cyrix, or Zhaoxin CPUs) are affected. Arm and AMD systems are unaffected. Only HVM/PVH guests are affected. PV guests cannot leverage the vulnerability.

6.5 2019-12-11 CVE-2019-19582

An issue was discovered in Xen through 4.12.x allowing x86 guest OS users to cause a denial of service (infinite loop) because certain bit iteration is mishandled. In a number of places bitmaps are being used by the hypervisor to track certain state. Iteration over all bits involves functions which may misbehave in certain corner cases: On x86 accesses to bitmaps with a compile time known size of 64 may incur undefined behavior, which may in particular result in infinite loops. A malicious guest may cause a hypervisor crash or hang, resulting in a Denial of Service (DoS). All versions of Xen are vulnerable. x86 systems with 64 or more nodes are vulnerable (there might not be any such systems that Xen would run on). x86 systems with less than 64 nodes are not vulnerable.

6.5 2019-12-11 CVE-2019-19581

An issue was discovered in Xen through 4.12.x allowing 32-bit Arm guest OS users to cause a denial of service (out-of-bounds access) because certain bit iteration is mishandled. In a number of places bitmaps are being used by the hypervisor to track certain state. Iteration over all bits involves functions which may misbehave in certain corner cases: On 32-bit Arm accesses to bitmaps with bit a count which is a multiple of 32, an out of bounds access may occur. A malicious guest may cause a hypervisor crash or hang, resulting in a Denial of Service (DoS). All versions of Xen are vulnerable. 32-bit Arm systems are vulnerable. 64-bit Arm systems are not vulnerable.

CWE : Common Weakness Enumeration

This CPE Product have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
%idName
18% (56) CWE-20 Improper Input Validation
15% (46) CWE-264 Permissions, Privileges, and Access Controls
9% (29) CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
9% (28) CWE-399 Resource Management Errors
9% (28) CWE-200 Information Exposure
5% (16) CWE-362 Race Condition
3% (10) CWE-284 Access Control (Authorization) Issues
3% (9) CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
3% (9) CWE-17 Code
2% (7) CWE-189 Numeric Errors
1% (5) CWE-682 Incorrect Calculation
1% (5) CWE-476 NULL Pointer Dereference
1% (4) CWE-755 Improper Handling of Exceptional Conditions
1% (4) CWE-125 Out-of-bounds Read
1% (3) CWE-787 Out-of-bounds Write
1% (3) CWE-269 Improper Privilege Management
1% (3) CWE-254 Security Features
1% (3) CWE-16 Configuration
0% (2) CWE-772 Missing Release of Resource after Effective Lifetime
0% (2) CWE-416 Use After Free
0% (2) CWE-401 Failure to Release Memory Before Removing Last Reference ('Memory L...
0% (2) CWE-19 Data Handling
0% (1) CWE-770 Allocation of Resources Without Limits or Throttling
0% (1) CWE-754 Improper Check for Unusual or Exceptional Conditions
0% (1) CWE-732 Incorrect Permission Assignment for Critical Resource

Oval Markup Language : Definitions

This CPE Product have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
OvalID Name
oval:org.mitre.oval:def:10313 The hypervisor_callback function in Xen, possibly before 3.4.0, as applied to...
oval:org.mitre.oval:def:19861 DSA-2508-1 kfreebsd-8 - privilege escalation
oval:org.mitre.oval:def:19281 CRITICAL PATCH UPDATE OCTOBER 2012
oval:org.mitre.oval:def:15596 User Mode Scheduler Memory Corruption Vulnerability (CVE-2012-0217)
oval:org.mitre.oval:def:21551 RHSA-2012:1130: xen security update (Moderate)
oval:org.mitre.oval:def:23412 ELSA-2012:1130: xen security update (Moderate)
oval:org.mitre.oval:def:27844 DEPRECATED: ELSA-2012-1130 -- xen security update (moderate)
oval:org.mitre.oval:def:20953 RHSA-2013:0241: xen security update (Moderate)
oval:org.mitre.oval:def:23430 ELSA-2013:0241: xen security update (Moderate)
oval:org.mitre.oval:def:25518 SUSE-SU-2014:0411-1 -- Security update for Xen
oval:org.mitre.oval:def:26932 DEPRECATED: ELSA-2013-0241 -- xen security update (moderate)
oval:org.mitre.oval:def:17653 DSA-2544-1 xen - denial of service
oval:org.mitre.oval:def:25115 SUSE-SU-2014:0446-1 -- Security update for Xen
oval:org.mitre.oval:def:21575 RHSA-2012:1234: qemu-kvm security update (Important)
oval:org.mitre.oval:def:21464 RHSA-2012:1235: kvm security update (Important)
oval:org.mitre.oval:def:21145 RHSA-2012:1236: xen security update (Important)
oval:org.mitre.oval:def:19980 DSA-2545-1 qemu - multiple
oval:org.mitre.oval:def:18326 DSA-2542-1 qemu-kvm - multiple
oval:org.mitre.oval:def:18182 USN-1590-1 -- qemu-kvm vulnerability
oval:org.mitre.oval:def:23955 ELSA-2012:1234: qemu-kvm security update (Important)
oval:org.mitre.oval:def:22996 ELSA-2012:1236: xen security update (Important)
oval:org.mitre.oval:def:22862 ELSA-2012:1235: kvm security update (Important)
oval:org.mitre.oval:def:27797 DEPRECATED: ELSA-2012-1236 -- xen security update (important)
oval:org.mitre.oval:def:27721 DEPRECATED: ELSA-2012-1234 -- qemu-kvm security update (important)
oval:org.mitre.oval:def:27565 DEPRECATED: ELSA-2012-1235 -- kvm security update (important)

Open Source Vulnerability Database (OSVDB)

id Description
75279 Qemu hw/scsi-disk.c scsi_disk_emulate_command() Function Command Parsing Loca...
74873 Xen x86_64__addr_ok() Macro Off-by-one Unprivileged Local Host DoS
74868 Xen VM Exit CPUID Instruction Emulation Handling Unprivileged Local DoS
74656 Linux Kernel Xen Hypervisor Implementation SMP Guest Malicious User Process L...
74629 Xen DMA Request Parsing IOMMU Fault Local DoS
71331 Xen xen/arch/x86/domain.c arch_set_info_guest() Pagetable Local DoS
54474 Xen arch/i386/kernel/entry-xen.S hypervisor_callback() Function Local DoS

OpenVAS Exploits

This CPE Product have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
id Description
2013-09-18 Name : Debian Security Advisory DSA 2582-1 (xen - several vulnerabilities)
File : nvt/deb_2582_1.nasl
2012-12-18 Name : Fedora Update for xen FEDORA-2012-19828
File : nvt/gb_fedora_2012_19828_xen_fc16.nasl
2012-12-14 Name : Fedora Update for xen FEDORA-2012-19717
File : nvt/gb_fedora_2012_19717_xen_fc17.nasl
2012-12-13 Name : SuSE Update for XEN openSUSE-SU-2012:1572-1 (XEN)
File : nvt/gb_suse_2012_1572_1.nasl
2012-12-13 Name : SuSE Update for xen openSUSE-SU-2012:0886-1 (xen)
File : nvt/gb_suse_2012_0886_1.nasl
2012-12-13 Name : SuSE Update for qemu openSUSE-SU-2012:1170-1 (qemu)
File : nvt/gb_suse_2012_1170_1.nasl
2012-12-13 Name : SuSE Update for Security openSUSE-SU-2012:1172-1 (Security)
File : nvt/gb_suse_2012_1172_1.nasl
2012-12-13 Name : SuSE Update for Security openSUSE-SU-2012:1174-1 (Security)
File : nvt/gb_suse_2012_1174_1.nasl
2012-12-06 Name : RedHat Update for kernel RHSA-2012:1540-01
File : nvt/gb_RHSA-2012_1540-01_kernel.nasl
2012-12-06 Name : CentOS Update for kernel CESA-2012:1540 centos5
File : nvt/gb_CESA-2012_1540_kernel_centos5.nasl
2012-11-23 Name : Fedora Update for xen FEDORA-2012-18249
File : nvt/gb_fedora_2012_18249_xen_fc16.nasl
2012-11-23 Name : Fedora Update for xen FEDORA-2012-18242
File : nvt/gb_fedora_2012_18242_xen_fc17.nasl
2012-11-15 Name : CentOS Update for kernel CESA-2012:1445 centos5
File : nvt/gb_CESA-2012_1445_kernel_centos5.nasl
2012-11-15 Name : Fedora Update for xen FEDORA-2012-17408
File : nvt/gb_fedora_2012_17408_xen_fc16.nasl
2012-11-15 Name : Fedora Update for xen FEDORA-2012-17204
File : nvt/gb_fedora_2012_17204_xen_fc17.nasl
2012-11-15 Name : RedHat Update for kernel RHSA-2012:1445-01
File : nvt/gb_RHSA-2012_1445-01_kernel.nasl
2012-10-19 Name : Fedora Update for qemu FEDORA-2012-15606
File : nvt/gb_fedora_2012_15606_qemu_fc16.nasl
2012-10-16 Name : Fedora Update for qemu FEDORA-2012-15740
File : nvt/gb_fedora_2012_15740_qemu_fc17.nasl
2012-10-03 Name : Ubuntu Update for qemu-kvm USN-1590-1
File : nvt/gb_ubuntu_USN_1590_1.nasl
2012-09-22 Name : Fedora Update for xen FEDORA-2012-13434
File : nvt/gb_fedora_2012_13434_xen_fc17.nasl
2012-09-22 Name : Fedora Update for xen FEDORA-2012-13443
File : nvt/gb_fedora_2012_13443_xen_fc16.nasl
2012-09-15 Name : Debian Security Advisory DSA 2542-1 (qemu-kvm)
File : nvt/deb_2542_1.nasl
2012-09-15 Name : Debian Security Advisory DSA 2543-1 (xen-qemu-dm-4.0)
File : nvt/deb_2543_1.nasl
2012-09-15 Name : Debian Security Advisory DSA 2544-1 (xen)
File : nvt/deb_2544_1.nasl
2012-09-15 Name : Debian Security Advisory DSA 2545-1 (qemu)
File : nvt/deb_2545_1.nasl

Information Assurance Vulnerability Management (IAVM)

id Description
2015-A-0202 Citrix XenServer Information Disclosure Vulnerability
Severity: Category I - VMSKEY: V0061343
2015-A-0112 Oracle Linux & Virtualization Buffer Overflow Vulnerability
Severity: Category I - VMSKEY: V0060735
2015-A-0115 QEMU Virtual Floppy Drive Controller (FDC) Buffer Overflow Vulnerability
Severity: Category II - VMSKEY: V0060741
2014-B-0099 Multiple Vulnerabilities in Citrix XenServer
Severity: Category I - VMSKEY: V0053313
2013-B-0048 Multiple Vulnerabilities in Citrix XenServer
Severity: Category I - VMSKEY: V0037950
2012-A-0020 Multiple Vulnerabilities in VMware ESX 4.1 and ESXi 4.1
Severity: Category I - VMSKEY: V0031252

Snort® IPS/IDS

Date Description
2019-09-24 OMRON CX-One MCI file stack buffer overflow attempt
RuleID : 51192 - Type : FILE-OTHER - Revision : 1
2019-09-24 OMRON CX-One MCI file stack buffer overflow attempt
RuleID : 51191 - Type : FILE-OTHER - Revision : 1
2018-07-10 Microsoft Windows Interrupt Service Routine stack rollback attempt
RuleID : 46910 - Type : INDICATOR-COMPROMISE - Revision : 2
2018-07-10 Microsoft Windows Interrupt Service Routine stack rollback attempt
RuleID : 46909 - Type : INDICATOR-COMPROMISE - Revision : 2
2018-07-10 Microsoft Windows processor modification return to user-mode attempt
RuleID : 46908 - Type : INDICATOR-COMPROMISE - Revision : 2
2018-07-10 Microsoft Windows processor modification return to user-mode attempt
RuleID : 46907 - Type : INDICATOR-COMPROMISE - Revision : 2
2018-07-10 Microsoft Windows malicious CONTEXT structure creation attempt
RuleID : 46906 - Type : INDICATOR-COMPROMISE - Revision : 2
2018-07-10 Microsoft Windows malicious CONTEXT structure creation attempt
RuleID : 46905 - Type : INDICATOR-COMPROMISE - Revision : 2
2018-07-10 Microsoft Windows SYSTEM token stealing attempt
RuleID : 46904 - Type : INDICATOR-COMPROMISE - Revision : 2
2018-07-10 Microsoft Windows SYSTEM token stealing attempt
RuleID : 46903 - Type : INDICATOR-COMPROMISE - Revision : 2
2018-07-03 Microsoft Windows kernel privilege escalation attempt
RuleID : 46835 - Type : OS-WINDOWS - Revision : 1
2018-07-03 Microsoft Windows kernel privilege escalation attempt
RuleID : 46834 - Type : OS-WINDOWS - Revision : 1
2018-07-03 Microsoft Windows ROP gadget locate attempt
RuleID : 46833 - Type : OS-WINDOWS - Revision : 1
2018-07-03 Microsoft Windows ROP gadget locate attempt
RuleID : 46832 - Type : OS-WINDOWS - Revision : 1
2018-07-03 Microsoft Windows kernel privilege escalation attempt
RuleID : 46831 - Type : OS-WINDOWS - Revision : 1
2018-07-03 Microsoft Windows kernel privilege escalation attempt
RuleID : 46830 - Type : OS-WINDOWS - Revision : 1
2015-06-23 QEMU floppy disk controller buffer overflow attempt
RuleID : 34488 - Type : OS-OTHER - Revision : 4
2015-06-23 QEMU floppy disk controller buffer overflow attempt
RuleID : 34487 - Type : OS-OTHER - Revision : 4
2015-06-23 QEMU floppy disk controller buffer overflow attempt
RuleID : 34486 - Type : OS-OTHER - Revision : 4
2015-06-23 QEMU floppy disk controller buffer overflow attempt
RuleID : 34485 - Type : OS-OTHER - Revision : 4
2015-06-23 QEMU floppy disk controller buffer overflow attempt
RuleID : 34484 - Type : OS-OTHER - Revision : 4
2015-06-23 QEMU floppy disk controller buffer overflow attempt
RuleID : 34483 - Type : OS-OTHER - Revision : 4
2015-06-23 QEMU floppy disk controller buffer overflow attempt
RuleID : 34482 - Type : OS-OTHER - Revision : 4
2015-06-23 QEMU floppy disk controller buffer overflow attempt
RuleID : 34481 - Type : OS-OTHER - Revision : 4

Nessus® Vulnerability Scanner

This CPE Product have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
id Description
2019-01-15 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-4369.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing a security update.
File: fedora_2018-683dfde81a.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing a security update.
File: fedora_2018-73dd8de892.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing one or more security updates.
File: fedora_2018-8422d94975.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing a security update.
File: fedora_2018-a24754252a.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing a security update.
File: fedora_2018-a7862a75f5.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing a security update.
File: fedora_2018-a7ac26523d.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing one or more security updates.
File: fedora_2018-cc812838fb.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing a security update.
File: fedora_2018-dbebca30d0.nasl - Type: ACT_GATHER_INFO
2018-11-26 Name: A server virtualization platform installed on the remote host is missing a se...
File: citrix_xenserver_CTX239432.nasl - Type: ACT_GATHER_INFO
2018-11-13 Name: The remote Debian host is missing a security update.
File: debian_DLA-1577.nasl - Type: ACT_GATHER_INFO
2018-11-13 Name: The remote Fedora host is missing a security update.
File: fedora_2018-f20a0cead5.nasl - Type: ACT_GATHER_INFO
2018-11-09 Name: A server virtualization platform installed on the remote host is missing a se...
File: citrix_xenserver_CTX239100.nasl - Type: ACT_GATHER_INFO
2018-11-02 Name: The remote device is missing a vendor-supplied security patch.
File: f5_bigip_SOL17403481.nasl - Type: ACT_GATHER_INFO
2018-10-31 Name: The remote Debian host is missing a security update.
File: debian_DLA-1559.nasl - Type: ACT_GATHER_INFO
2018-10-31 Name: The remote Gentoo host is missing one or more security-related patches.
File: gentoo_GLSA-201810-06.nasl - Type: ACT_GATHER_INFO
2018-10-19 Name: The remote Debian host is missing a security update.
File: debian_DLA-1549.nasl - Type: ACT_GATHER_INFO
2018-10-10 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-4313.nasl - Type: ACT_GATHER_INFO
2018-10-04 Name: The remote Debian host is missing a security update.
File: debian_DLA-1531.nasl - Type: ACT_GATHER_INFO
2018-10-02 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-4308.nasl - Type: ACT_GATHER_INFO
2018-09-18 Name: The remote EulerOS Virtualization host is missing multiple security updates.
File: EulerOS_SA-2018-1263.nasl - Type: ACT_GATHER_INFO
2018-09-18 Name: The remote EulerOS Virtualization host is missing multiple security updates.
File: EulerOS_SA-2018-1270.nasl - Type: ACT_GATHER_INFO
2018-09-07 Name: The remote Debian host is missing a security update.
File: debian_DLA-1493.nasl - Type: ACT_GATHER_INFO
2018-09-07 Name: The remote Debian host is missing a security update.
File: debian_DLA-1497.nasl - Type: ACT_GATHER_INFO
2018-09-04 Name: The remote Fedora host is missing a security update.
File: fedora_2018-915602df63.nasl - Type: ACT_GATHER_INFO