A vulnerability, which was classified as critical, was found in XenSource Xen on x86 (Virtualization Software) (version now known). Affected is the function main_loop_wait of the file vl.c of the component libxl Logging. The manipulation with an unknown input leads to a input validation vulnerability. CWE is classifying the issue as CWE-20. The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:

The qemu implementation in libvirt before 1.3.0 and Xen allows local guest OS users to cause a denial of service (host disk consumption) by writing to stdout or stderr.

The weakness was presented 05/23/2016 by Andrew as XSA-180 as confirmed security advisory (Website). The advisory is available at xenbits.xen.org. This vulnerability is traded as CVE-2014-3672 since 05/14/2014. The exploitability is told to be easy. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. Technical details are known, but there is no available exploit.

The vulnerability scanner Nessus provides a plugin with the ID 92168 (Fedora 24 : xen (2016-cfea37952b)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Fedora Local Security Checks and running in the context l. The commercial vulnerability scanner Qualys is able to test this issue with plugin 169267 (OpenSuSE Security Update for xen (openSUSE-SU-2016:2497-1)).

Applying a patch is able to eliminate this problem. The bugfix is ready for download at xenbits.xen.org. A possible mitigation has been published immediately after the disclosure of the vulnerability. The vulnerability will be addressed with the following lines of code:

static void check_cve_2014_3672_xen(void)
{
   static unsigned long limit = ~0UL;
   const int fd = 2;
   struct stat stab;

   if (limit == ~0UL) {
      const char *s = getenv("XEN_QEMU_CONSOLE_LIMIT");
      /* XEN_QEMU_CONSOLE_LIMIT=0 means no limit */
      limit = s ? strtoul(s,0,0) : 1*1024*1024;
   }
   if (limit == 0)
      return;

   int r = fstat(fd, &stab);
   if (r) {
      perror("fstat stderr (for CVE-2014-3672 check)");
      exit(-1);
   }
   if (!S_ISREG(stab.st_mode))
      return;
   if (stab.st_size <= limit)
      return;

   /* oh dear */
   fprintf(stderr,"\r\n"
      "Closing stderr due to CVE-2014-3672 limit. "
      " Set XEN_QEMU_CONSOLE_LIMIT to number of bytes to override,"
      " or 0 for no limit.\n");
   fflush(stderr);

   int nfd = open("/dev/null", O_WRONLY);
   if (nfd < 0) {
      perror("open /dev/null (for CVE-2014-3672 check)");
      exit(-1);
   }
   r = dup2(nfd, fd);
   if (r != fd) {
      perror("dup2 /dev/null (for CVE-2014-3672 check)");
      exit(-1);
   }
   close(nfd);
}

The vulnerability is also documented in the vulnerability database at Tenable (92168). See 91041 and 91042 for similar entries.

Productinfo

Type

• Virtualization Software

Vendor

• XenSource

Name

• Xen

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion