Linux Foundation Xen up to 4.3.1 arch/x86/irq.c pirq_guest_bind resource management
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 7.8 | $0-$5k | 0.00 |
Summary
A vulnerability labeled as critical has been found in Linux Foundation Xen up to 4.3.1. This affects the function pirq_guest_bind of the file arch/x86/irq.c. Executing a manipulation can lead to resource management.
The identification of this vulnerability is CVE-2014-1642. There is no exploit available.
Changing the configuration settings is recommended.
Details
A vulnerability has been found in Linux Foundation Xen up to 4.3.1 (Virtualization Software) and classified as critical. This vulnerability affects the function pirq_guest_bind of the file arch/x86/irq.c. The manipulation with an unknown input leads to a resource management vulnerability. The CWE definition for the vulnerability is CWE-399. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:
The IRQ setup in Xen 4.2.x and 4.3.x, when using device passthrough and configured to support a large number of CPUs, frees certain memory that may still be intended for use, which allows local guest administrators to cause a denial of service (memory corruption and hypervisor crash) and possibly execute arbitrary code via vectors related to an out-of-memory error that triggers a (1) use-after-free or (2) double free.
The weakness was shared 01/23/2014 with Coverity Scan Project as XSA-83 as confirmed mailinglist post (oss-sec). The advisory is shared for download at seclists.org. This vulnerability was named CVE-2014-1642 since 01/23/2014. The attack needs to be approached locally. A single authentication is necessary for exploitation. There are known technical details, but no exploit is available. The advisory points out:
When setting up the IRQ for a passed through physical device, a flaw in the error handling could result in a memory allocation being used after it is freed, and then freed a second time. This would typically result in memory corruption.
The vulnerability scanner Nessus provides a plugin with the ID 72251 (Fedora 20 : xen-4.3.1-8.fc20 (2014-1552)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Fedora Local Security Checks. The commercial vulnerability scanner Qualys is able to test this issue with plugin 166935 (OpenSuSE Security Update for xen (openSUSE-SU-2014:0483-1)).
It is possible to mitigate the problem by applying the configuration setting Intel VT-d/AMD Vi. A possible mitigation has been published immediately after the disclosure of the vulnerability. The mailinglist post contains the following remark:
This issue can be avoided by not assigning PCI devices to untrusted guests on systems supporting Intel VT-d or AMD Vi.
The vulnerability is also documented in the databases at X-Force (90649), Tenable (72251), SecurityFocus (BID 65097†), OSVDB (102406†) and Secunia (SA56557†). Additional details are provided at seclists.org. The entries VDB-11164, VDB-12235, VDB-12236 and VDB-12339 are related to this item. Once again VulDB remains the best source for vulnerability data.
Product
Type
Vendor
Name
Version
License
Website
- Vendor: https://www.linuxfoundation.org/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 8.8VulDB Meta Temp Score: 7.8
VulDB Base Score: 8.8
VulDB Temp Score: 7.8
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Resource managementCWE: CWE-399 / CWE-404
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: No
Availability: 🔍
Status: Unproven
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 72251
Nessus Name: Fedora 20 : xen-4.3.1-8.fc20 (2014-1552)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Port: 🔍
OpenVAS ID: 867263
OpenVAS Name: Fedora Update for xen FEDORA-2014-1559
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: ConfigStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Config: Intel VT-d/AMD Vi
Timeline
01/23/2014 🔍01/23/2014 🔍
01/23/2014 🔍
01/23/2014 🔍
01/23/2014 🔍
01/23/2014 🔍
01/24/2014 🔍
01/26/2014 🔍
02/03/2014 🔍
02/10/2014 🔍
06/08/2021 🔍
Sources
Vendor: linuxfoundation.orgAdvisory: XSA-83
Organization: Coverity Scan Project
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2014-1642 (🔍)
GCVE (CVE): GCVE-0-2014-1642
GCVE (VulDB): GCVE-100-12064
OVAL: 🔍
X-Force: 90649 - Xen IRQ setup code execution, Medium Risk
SecurityFocus: 65097 - Xen Use After Free Memory Corruption Vulnerability
Secunia: 56557 - Xen "pirq_guest_bind()" IRQ Setup Double Free Vulnerability, Not Critical
OSVDB: 102406
SecurityTracker: 1029679
Vulnerability Center: 43195 - Xen 4.2, 4.3 Local DoS and Code Execution Vulnerability due to Out-of-memory Error During IRQ Setup, Medium
Misc.: 🔍
See also: 🔍
Entry
Created: 01/24/2014 11:24Updated: 06/08/2021 16:04
Changes: 01/24/2014 11:24 (86), 05/20/2017 10:32 (6), 06/08/2021 15:58 (3), 06/08/2021 16:04 (1)
Complete: 🔍
Cache ID: 216:57C:103
No comments yet. Languages: en.
Please log in to comment.