CVE-2019-18425
 
Descriptions
An issue was discovered in Xen through 4.12.x allowing 32-bit PV guest OS users to gain guest OS privileges by installing and using descriptors. There is missing descriptor table limit checking in x86 PV emulation. When emulating certain PV guest operations, descriptor table accesses are performed by the emulating code. Such accesses should respect the guest-specified limits, unless otherwise guaranteed to fail in such a case. Without this, emulation of 32-bit guest user mode calls through call gates would allow guest user mode to install and then use descriptors of their choice, as long as the guest kernel did not itself install an LDT. (Most OSes don't install any LDT by default.) 32-bit PV guest user mode can elevate its privileges to that of the guest kernel. Xen versions from at least 3.2 onwards are affected. Only 32-bit PV guest user mode can leverage this vulnerability. HVM, PVH, as well as 64-bit PV guests cannot leverage this vulnerability. Arm systems are unaffected.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2019-10-24 CVE Reserved
- 2019-10-31 CVE Published
- 2024-08-05 CVE Updated
- 2024-10-24 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-269: Improper Privilege Management
CAPEC
References (9)
URL | Tag | Source |
---|---|---|
http://www.openwall.com/lists/oss-security/2019/10/31/2 | Mailing List | |
https://seclists.org/bugtraq/2020/Jan/21 | Mailing List | |

URL | Date | SRC |
---|---|---|
http://xenbits.xen.org/xsa/advisory-298.html | 2023-11-07 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Xen | Xen | <= 4.12.1 | x86 | Affected |
Debian | Debian Linux | 9.0 | - | Affected |
Debian | Debian Linux | 10.0 | - | Affected |
Fedoraproject | Fedora | 29 | - | Affected |
Fedoraproject | Fedora | 30 | - | Affected |
Fedoraproject | Fedora | 31 | - | Affected |
Opensuse | Leap | 15.0 | - | Affected |