CVE-2019-18420

Current Description

An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to cause a denial of service via a VCPUOP_initialise hypercall. hypercall_create_continuation() is a variadic function which uses a printf-like format string to interpret its parameters. Error handling for a bad format character was done using BUG(), which crashes Xen. One path, via the VCPUOP_initialise hypercall, has a bad format character. The BUG() can be hit if VCPUOP_initialise executes for a sufficiently long period of time for a continuation to be created. Malicious guests may cause a hypervisor crash, resulting in a Denial of Service (DoS). Xen versions 4.6 and newer are vulnerable. Xen versions 4.5 and earlier are not vulnerable. Only x86 PV guests can exploit the vulnerability. HVM and PVH guests, and guests on ARM systems, cannot exploit the vulnerability.

Basic Data

PublishedOctober 31, 2019
Last ModifiedNovember 14, 2019
Assignercve@mitre.org
Data TypeCVE
Data FormatMITRE
Data Version4.0
Problem TypeCWE-20
CVE Data Version4.0

Base Metric V2

CVSS 2 - Version2.0
CVSS 2 - Vector StringAV:N/AC:M/Au:S/C:N/I:N/A:C
CVSS 2 - Access VectorNETWORK
CVSS 2 - Access ComplexityMEDIUM
CVSS 2 - AuthenticationSINGLE
CVSS 2 - Confidentiality ImpactNONE
CVSS 2 - Availability ImpactCOMPLETE
CVSS 2 - Base Score6.3
SeverityMEDIUM
Exploitability Score6.8
Impact Score6.9
Obtain All Privilegefalse
Obtain User Privilegefalse
Obtain Other Privilegefalse

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
    Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
    2.3OSXenXen******x86*4.12.1

Vulnerable Software List

VendorProductVersions
Xen Xen *

References

NameSourceURLTags
openSUSE-SU-2019:2506http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00037.htmlSUSE
[oss-security] 20191031 Xen Security Advisory 296 v4 (CVE-2019-18420) - VCPUOP_initialise DoShttp://www.openwall.com/lists/oss-security/2019/10/31/1MLISTMailing List Patch Third Party Advisory
http://xenbits.xen.org/xsa/advisory-296.htmlhttp://xenbits.xen.org/xsa/advisory-296.htmlMISCPatch Vendor Advisory
FEDORA-2019-865bb16900https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2BQKXFEDORA
FEDORA-2019-376ec5c107https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I5WWPFEDORA
FEDORA-2019-cbb732f760https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IZYATFEDORA
20200114 [SECURITY] [DSA 4602-1] xen security updatehttps://seclists.org/bugtraq/2020/Jan/21BUGTRAQ
GLSA-202003-56https://security.gentoo.org/glsa/202003-56GENTOO
DSA-4602https://www.debian.org/security/2020/dsa-4602DEBIAN