CVE-2017-15597 - OpenCVE

An issue was discovered in Xen through 4.9.x. Grant copying code made an implication that any grant pin would be accompanied by a suitable page reference. Other portions of code, however, did not match up with that assumption. When such a grant copy operation is being done on a grant of a dying domain, the assumption turns out wrong. A malicious guest administrator can cause hypervisor memory corruption, most likely resulting in host crash and a Denial of Service. Privilege escalation and information leaks cannot be ruled out.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:S/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Xen	Xen

Configuration 1 [-]

cpe:2.3:o:xen:xen:*:rc7:*:*:*:*:*:*

References

Link	Resource
http://www.openwall.com/lists/oss-security/2017/10/24/3	Issue Tracking Mailing List Mitigation Third Party Advisory
http://www.securityfocus.com/bid/101564	Issue Tracking Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1039653	Issue Tracking Third Party Advisory VDB Entry
http://xenbits.xen.org/xsa/advisory-236.html	Issue Tracking Patch Vendor Advisory
https://lists.debian.org/debian-lts-announce/2018/10/msg00009.html
https://support.citrix.com/article/CTX229057	Issue Tracking Third Party Advisory
https://www.debian.org/security/2017/dsa-4050

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2017-10-30T14:00:00

Updated: 2018-10-19T09:57:01

Reserved: 2017-10-18T00:00:00

Link: CVE-2017-15597

JSON object: View

NVD Information

Status : Modified

Published: 2017-10-30T14:29:00.847

Modified: 2019-10-03T00:03:26.223

Link: CVE-2017-15597

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-10-24T00:00:00", "descriptions": [{"lang": "en", "value": "An issue was discovered in Xen through 4.9.x. Grant copying code made an implication that any grant pin would be accompanied by a suitable page reference. Other portions of code, however, did not match up with that assumption. When such a grant copy operation is being done on a grant of a dying domain, the assumption turns out wrong. A malicious guest administrator can cause hypervisor memory corruption, most likely resulting in host crash and a Denial of Service. Privilege escalation and information leaks cannot be ruled out."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-19T09:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://xenbits.xen.org/xsa/advisory-236.html"}, {"name": "101564", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/101564"}, {"name": "[oss-security] 20171024 Xen Security Advisory 236 (CVE-2017-15597) - pin count / page reference race in grant table code", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2017/10/24/3"}, {"name": "DSA-4050", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2017/dsa-4050"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://support.citrix.com/article/CTX229057"}, {"name": "1039653", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1039653"}, {"name": "[debian-lts-announce] 20181018 [SECURITY] [DLA 1549-1] xen security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00009.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-15597", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in Xen through 4.9.x. Grant copying code made an implication that any grant pin would be accompanied by a suitable page reference. Other portions of code, however, did not match up with that assumption. When such a grant copy operation is being done on a grant of a dying domain, the assumption turns out wrong. A malicious guest administrator can cause hypervisor memory corruption, most likely resulting in host crash and a Denial of Service. Privilege escalation and information leaks cannot be ruled out."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://xenbits.xen.org/xsa/advisory-236.html", "refsource": "CONFIRM", "url": "http://xenbits.xen.org/xsa/advisory-236.html"}, {"name": "101564", "refsource": "BID", "url": "http://www.securityfocus.com/bid/101564"}, {"name": "[oss-security] 20171024 Xen Security Advisory 236 (CVE-2017-15597) - pin count / page reference race in grant table code", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2017/10/24/3"}, {"name": "DSA-4050", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2017/dsa-4050"}, {"name": "https://support.citrix.com/article/CTX229057", "refsource": "CONFIRM", "url": "https://support.citrix.com/article/CTX229057"}, {"name": "1039653", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1039653"}, {"name": "[debian-lts-announce] 20181018 [SECURITY] [DLA 1549-1] xen security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00009.html"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-15597", "datePublished": "2017-10-30T14:00:00", "dateReserved": "2017-10-18T00:00:00", "dateUpdated": "2018-10-19T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:xen:xen:*:rc7:*:*:*:*:*:*", "matchCriteriaId": "4FE0E8DB-FAAA-4516-88F5-594F625A008C", "versionEndIncluding": "4.9.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Xen through 4.9.x. Grant copying code made an implication that any grant pin would be accompanied by a suitable page reference. Other portions of code, however, did not match up with that assumption. When such a grant copy operation is being done on a grant of a dying domain, the assumption turns out wrong. A malicious guest administrator can cause hypervisor memory corruption, most likely resulting in host crash and a Denial of Service. Privilege escalation and information leaks cannot be ruled out."}, {"lang": "es", "value": "Se ha descubierto un problema en Xen hasta las versiones 4.9.x. El c\u00f3digo copiado por la funci\u00f3n GRANT asum\u00eda que cualquier Grant Pin estar\u00eda acompa\u00f1ado de una referencia de p\u00e1gina adecuada. Sin embargo, otras fragmentos de c\u00f3digo no coincidieron con esta suposici\u00f3n. Cuando esta operaci\u00f3n de copia de autorizaci\u00f3n se realiza en una tabla grant de un dominio obsoleto, la suposici\u00f3n se vuelve err\u00f3nea. Un administrador invitado malicioso puede provocar la corrupci\u00f3n de la memoria del hipervisor, lo que probablemente resulte en el cierre inesperado del host y una denegaci\u00f3n de servicio. El escalado de privilegios y las fugas de informaci\u00f3n no pueden descartarse."}], "id": "CVE-2017-15597", "lastModified": "2019-10-03T00:03:26.223", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-10-30T14:29:00.847", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking", "Mailing List", "Mitigation", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2017/10/24/3"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/101564"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1039653"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "http://xenbits.xen.org/xsa/advisory-236.html"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00009.html"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://support.citrix.com/article/CTX229057"}, {"source": "cve@mitre.org", "url": "https://www.debian.org/security/2017/dsa-4050"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}