CVE-2021-28701

Gentoo Linux Security Advisory 202208-23

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Another race in XENMAPSPACE_grant_table handling Guests are permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, are de-allocated when a guest switches (back) from v2 to v1. Freeing such pages requires that the hypervisor enforce that no parallel request can result in the addition of a mapping of such a page to a guest. That enforcement was missing, allowing guests to retain access to pages that were freed and perhaps re-used for other purposes. Unfortunately, when XSA-379 was being prepared, this similar issue was not noticed.

Otra carrera en el manejo de la función XENMAPSPACE_grant_table de los Huéspedes, se les permite el acceso a determinadas páginas de memoria propiedad de Xen. La mayoría de estas páginas permanecen asignadas / asociadas a un huésped durante toda su vida. Las páginas de estado de la tabla Grant v2, sin embargo, se desasignan cuando un huésped cambia (de nuevo) de v2 a v1. Una liberación de dichas páginas requiere que el hipervisor haga cumplir que ninguna petición paralela pueda resultar en la adición de un mapeo de dicha página a un huésped. Esta aplicación no existía, permitiendo a los huéspedes mantener el acceso a las páginas liberadas y quizás reusarlas para otros fines. Desafortunadamente, cuando fue preparada la XSA-379, no se advirtió este problema similar

Multiple vulnerabilities have been discovered in Xen, the worst of which could result in remote code execution (guest sandbox escape). Versions less than 4.15.3 are affected.

*Credits: This issue was discovered by Julien Grall of Amazon.

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-03-18 CVE Reserved
2021-09-08 CVE Published
2024-08-03 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CAPEC

References (8)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2021/09/08/2	Mailing List

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
http://xenbits.xen.org/xsa/advisory-384.html	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3HEHUIUWSSMCQGQY3GWX4J2SZGYP5W2Z	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CEHZLIR5DFYYQBH55AERWHLO54OFU42C	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L4MI3MQAPGILCLXBGQWPZHGE3ALSO4ZU	2023-11-07
https://security.gentoo.org/glsa/202208-23	2023-11-07
https://www.debian.org/security/2021/dsa-4977	2023-11-07
https://xenbits.xenproject.org/xsa/advisory-384.txt	2023-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Xen Search vendor "Xen"		Xen Search vendor "Xen" for product "Xen"				>= 4.0.0 Search vendor "Xen" for product "Xen" and version " >= 4.0.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				33 Search vendor "Fedoraproject" for product "Fedora" and version "33"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				34 Search vendor "Fedoraproject" for product "Fedora" and version "34"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				35 Search vendor "Fedoraproject" for product "Fedora" and version "35"		-		Affected