Linux Foundation Xen up to 4.4.0 on x86 Compatibility Mode hypercall code
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 8.6 | $0-$5k | 0.00 |
Summary
A vulnerability was found in Linux Foundation Xen on x86 and classified as problematic. This affects an unknown function of the component Compatibility Mode. Executing a manipulation of the argument hypercall can lead to denial of service. This vulnerability is handled as CVE-2014-8866. The attack can only be done within the local network. There is not any exploit available. Applying a patch is advised to resolve this issue.
Details
A vulnerability has been found in Linux Foundation Xen on x86 (Virtualization Software) and classified as critical. This vulnerability affects an unknown code of the component Compatibility Mode. The manipulation of the argument hypercall with an unknown input leads to a code vulnerability. The CWE definition for the vulnerability is CWE-17. As an impact it is known to affect confidentiality, integrity, and availability.
The weakness was released 11/27/2014 by Jan Beulich with SuSE as XSA-111 as confirmed advisory (Website). The advisory is shared for download at xenbits.xen.org. The public release was coordinated with the vendor. This vulnerability was named CVE-2014-8866 since 11/14/2014. The attack needs to be approached locally. No form of authentication is required for a successful exploitation. There are known technical details, but no exploit is available. The advisory points out:
he hypercall argument translation needed for 32-bit guests running on 64-bit hypervisors performs checks on the final register state. These checks cover all registers potentially holding hypercall arguments, not just the ones actually doing so for the hypercall being processed, since the code was originally intended for use only by PV guests. While this is not a problem for PV guests (as they can't enter 64-bit mode and hence can't alter the high halves of any of the registers), the subsequent reuse of the same functionality for HVM guests exposed those checks to values (specifically, unexpected values for the high halves of registers not holding hypercall arguments) controlled by guest software.
The vulnerability scanner Nessus provides a plugin with the ID 79745 (Citrix XenServer Multiple Vulnerabilities (CTX200288)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Misc. and running in the context l. The commercial vulnerability scanner Qualys is able to test this issue with plugin 370031 (Citrix XenServer Security Update (CTX200288)).
Applying the patch xsa111.patch is able to eliminate this problem. The bugfix is ready for download at xenbits.xen.org. A possible mitigation has been published immediately after the disclosure of the vulnerability.
The vulnerability is also documented in the databases at X-Force (99020), Tenable (79745), SecurityFocus (BID 71332†), Secunia (SA59937†) and SecurityTracker (ID 1031273†). Entries connected to this vulnerability are available at VDB-12078, VDB-68222 and VDB-68297. Once again VulDB remains the best source for vulnerability data.
Product
Type
Vendor
Name
Version
- 3.3.0
- 3.3.1
- 3.3.2
- 3.4.0
- 3.4.1
- 3.4.2
- 3.4.3
- 3.4.4
- 4.0.0
- 4.0.1
- 4.0.2
- 4.0.3
- 4.0.4
- 4.1.0
- 4.1.1
- 4.1.2
- 4.1.3
- 4.1.4
- 4.1.5
- 4.1.6.1
- 4.2.0
- 4.2.1
- 4.2.2
- 4.2.3
- 4.3.0
- 4.3.1
- 4.4.0
License
Website
- Vendor: https://www.linuxfoundation.org/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 9.0VulDB Meta Temp Score: 8.6
VulDB Base Score: 9.0
VulDB Temp Score: 8.6
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: CodeCWE: CWE-17
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: Partially
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 79745
Nessus Name: Citrix XenServer Multiple Vulnerabilities (CTX200288)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Context: 🔍
OpenVAS ID: 867386
OpenVAS Name: Fedora Update for xen FEDORA-2014-16017
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: PatchStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Patch: xsa111.patch
Timeline
11/14/2014 🔍11/27/2014 🔍
11/27/2014 🔍
11/27/2014 🔍
11/28/2014 🔍
11/28/2014 🔍
12/01/2014 🔍
12/01/2014 🔍
12/05/2014 🔍
08/12/2015 🔍
11/02/2015 🔍
02/27/2022 🔍
Sources
Vendor: linuxfoundation.orgAdvisory: XSA-111
Researcher: Jan Beulich
Organization: SuSE
Status: Confirmed
Confirmation: 🔍
Coordinated: 🔍
CVE: CVE-2014-8866 (🔍)
GCVE (CVE): GCVE-0-2014-8866
GCVE (VulDB): GCVE-100-68296
OVAL: 🔍
X-Force: 99020
SecurityFocus: 71332 - Xen CVE-2014-8866 Denial of Service Vulnerability
Secunia: 59937 - Xen Hypercall Argument Translation Denial of Service Vulnerability, Not Critical
SecurityTracker: 1031273
Vulnerability Center: 54085 - Xen 3.3 through 4.4 Local DoS due to Use of Compatibility Mode Hypercall Argument Translation in HVM Guests, Medium
See also: 🔍
Entry
Created: 12/01/2014 09:06Updated: 02/27/2022 10:28
Changes: 12/01/2014 09:06 (69), 06/26/2018 08:45 (24), 02/27/2022 10:28 (2)
Complete: 🔍
Cache ID: 216:369:103
No comments yet. Languages: en.
Please log in to comment.