CVE-2019-18421

Current Description

An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to gain host OS privileges by leveraging race conditions in pagetable promotion and demotion operations. There are issues with restartable PV type change operations. To avoid using shadow pagetables for PV guests, Xen exposes the actual hardware pagetables to the guest. In order to prevent the guest from modifying these page tables directly, Xen keeps track of how pages are used using a type system; pages must be "promoted" before being used as a pagetable, and "demoted" before being used for any other type. Xen also allows for "recursive" promotions: i.e., an operating system promoting a page to an L4 pagetable may end up causing pages to be promoted to L3s, which may in turn cause pages to be promoted to L2s, and so on. These operations may take an arbitrarily large amount of time, and so must be re-startable. Unfortunately, making recursive pagetable promotion and demotion operations restartable is incredibly complicated, and the code contains several races which, if triggered, can cause Xen to drop or retain extra type counts, potentially allowing guests to get write access to in-use pagetables. A malicious PV guest administrator may be able to escalate their privilege to that of the host. All x86 systems with untrusted PV guests are vulnerable. HVM and PVH guests cannot exercise this vulnerability.

Referenced by CVEs:CVE-2019-19580

Basic Data

PublishedOctober 31, 2019
Last ModifiedNovember 14, 2019
Assignercve@mitre.org
Data TypeCVE
Data FormatMITRE
Data Version4.0
Problem TypeCWE-362
CVE Data Version4.0

Base Metric V2

CVSS 2 - Version2.0
CVSS 2 - Vector StringAV:N/AC:H/Au:S/C:C/I:C/A:C
CVSS 2 - Access VectorNETWORK
CVSS 2 - Access ComplexityHIGH
CVSS 2 - AuthenticationSINGLE
CVSS 2 - Confidentiality ImpactCOMPLETE
CVSS 2 - Availability ImpactCOMPLETE
CVSS 2 - Base Score7.1
SeverityHIGH
Exploitability Score3.9
Impact Score10.0
Obtain All Privilegefalse
Obtain User Privilegefalse
Obtain Other Privilegefalse

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
    Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
    2.3OSXenXen******x86*4.12.1

Vulnerable Software List

VendorProductVersions
Xen Xen *

References

NameSourceURLTags
openSUSE-SU-2019:2506http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00037.htmlSUSE
[oss-security] 20191031 Xen Security Advisory 299 v4 (CVE-2019-18421) - Issues with restartable PV type change operationshttp://www.openwall.com/lists/oss-security/2019/10/31/3MLISTMailing List Patch Third Party Advisory
http://xenbits.xen.org/xsa/advisory-299.htmlhttp://xenbits.xen.org/xsa/advisory-299.htmlMISCPatch Vendor Advisory
FEDORA-2019-865bb16900https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2BQKXFEDORA
FEDORA-2019-376ec5c107https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I5WWPFEDORA
FEDORA-2019-cbb732f760https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IZYATFEDORA
20200114 [SECURITY] [DSA 4602-1] xen security updatehttps://seclists.org/bugtraq/2020/Jan/21BUGTRAQ
GLSA-202003-56https://security.gentoo.org/glsa/202003-56GENTOO
DSA-4602https://www.debian.org/security/2020/dsa-4602DEBIAN