9.8

CVE-2019-18425

EPSS 4.87%
Published 31.10.2019 14:15:12
Last modified 21.11.2024 04:33:14
Source cve@mitre.org
Teams watchlist Login
Open Login

An issue was discovered in Xen through 4.12.x allowing 32-bit PV guest OS users to gain guest OS privileges by installing and using descriptors. There is missing descriptor table limit checking in x86 PV emulation. When emulating certain PV guest operations, descriptor table accesses are performed by the emulating code. Such accesses should respect the guest specified limits, unless otherwise guaranteed to fail in such a case. Without this, emulation of 32-bit guest user mode calls through call gates would allow guest user mode to install and then use descriptors of their choice, as long as the guest kernel did not itself install an LDT. (Most OSes don't install any LDT by default). 32-bit PV guest user mode can elevate its privileges to that of the guest kernel. Xen versions from at least 3.2 onwards are affected. Only 32-bit PV guest user mode can leverage this vulnerability. HVM, PVH, as well as 64-bit PV guests cannot leverage this vulnerability. Arm systems are unaffected.

Affected products Warnungen 0 Metrics 3 CWE 1 References 12

Data is provided by the National Vulnerability Database (NVD)

Xen ≫ Xen HwPlatformx86 Version <= 4.12.1

Debian ≫ Debian Linux Version9.0

Debian ≫ Debian Linux Version10.0

Fedoraproject ≫ Fedora Version29

Fedoraproject ≫ Fedora Version30

Fedoraproject ≫ Fedora Version31

Opensuse ≫ Leap Version15.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	4.87%	0.885

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	9.3	8.6	10	AV:N/AC:M/Au:N/C:C/I:C/A:C

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

https://seclists.org/bugtraq/2020/Jan/21

Third Party Advisory

Mailing List

https://security.gentoo.org/glsa/202003-56

Third Party Advisory

https://www.debian.org/security/2020/dsa-4602

Third Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00037.html

Third Party Advisory

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2BQKX7M2RHCWDBKNPX4KEBI3MJIH6AYZ/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5WWPW4BSZDDW7VHU427XTVXV7ROOFFW/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZYATWNUGHRBG6I3TC24YHP5Y3J7I6KH/

http://www.openwall.com/lists/oss-security/2019/10/31/2

Third Party Advisory

Mailing List

http://xenbits.xen.org/xsa/advisory-298.html

Patch

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-18425

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-18425

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-18425

EUVD