CVE-2008-4405
Published 2008-10-03
CVE-2008-4405: xend in Xen 3.0.3 does not properly limit the contents of the /local/domain xenstore directory tree, and does not properly restrict a guest VM's write access…
Priority: P428 · Severity: high · CVSS 2.0 base score: 7.2
CVSS 2.0 vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
EPSS: 1.04% (59.7th percentile)
xend in Xen 3.0.3 does not properly limit the contents of the /local/domain xenstore directory tree, and does not properly restrict a guest VM's write access within this tree, which allows guest OS users to cause a denial of service and possibly have unspecified other impact by writing to (1) console/tty, (2) console/limit, or (3) image/device-model-pid. NOTE: this issue was originally reported as an issue in libvirt 0.3.3 and xenstore, but CVE is considering the core issue to be related to Xen.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| citrix | xen | — | — |
| citrix | xen | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vendor_redhat | — | 7.2 | HIGH | — |
GHSA · ghsa_unreviewed · 2022-05-17 · CVSS 7.2
CVE-2008-5716 [HIGH] GHSA-r6vm-2jmq-5wqx: xend in Xen 3
xend in Xen 3.3.0 does not properly restrict a guest VM's write access within the /local/domain xenstore directory tree, which allows guest OS users to cause a denial of service and possibly have unspecified other impact by writing to (1) console/tty, (2) console/limit, or (3) image/device-model-pid. NOTE: this issue exists because of erroneous set_permissions calls in the fix for CVE-2008-4405.
GHSA · ghsa_unreviewed · 2022-05-02
CVE-2008-4405 [HIGH] GHSA-ffpp-v4vp-9vvh: xend in Xen 3
xend in Xen 3.0.3 does not properly limit the contents of the /local/domain xenstore directory tree, and does not properly restrict a guest VM's write access within this tree, which allows guest OS users to cause a denial of service and possibly have unspecified other impact by writing to (1) console/tty, (2) console/limit, or (3) image/device-model-pid. NOTE: this issue was originally reported as an issue in libvirt 0.3.3 and xenstore, but CVE is considering the core issue to be related to Xen.
Red Hat · vendor_redhat · 2008-12-18 · CVSS 7.2
CVE-2008-5716 [HIGH] xen: Incomplete upstream fix for CVE-2008-4405
xend in Xen 3.3.0 does not properly restrict a guest VM's write access within the /local/domain xenstore directory tree, which allows guest OS users to cause a denial of service and possibly have unspecified other impact by writing to (1) console/tty, (2) console/limit, or (3) image/device-model-pid. NOTE: this issue exists because of erroneous set_permissions calls in the fix for CVE-2008-4405.
Statement: Not vulnerable. This issue did not affect the versions of Xen as shipped with Red Hat Enterprise Linux 5. The security update released to address CVE-2008-4405 (RHSA-2009:0003) contained the correct patch, which did not introduce this problem and resolved the original issue.
Red Hat · vendor_redhat · 2008-09-30 · CVSS 7.2
CVE-2008-4405 [HIGH] xen: Multiple unsafe uses of guest-writable data from xenstore
xend in Xen 3.0.3 does not properly limit the contents of the /local/domain xenstore directory tree, and does not properly restrict a guest VM's write access within this tree, which allows guest OS users to cause a denial of service and possibly have unspecified other impact by writing to (1) console/tty, (2) console/limit, or (3) image/device-model-pid. NOTE: this issue was originally reported as an issue in libvirt 0.3.3 and xenstore, but CVE is considering the core issue to be related to Xen.
No detection rules found.
Bugzilla · 2009-01-06 · CVSS 7.2
CVE-2008-5716 [HIGH] CVE-2008-5716 xen: Incomplete upstream fix for CVE-2008-4405
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5716 to the following vulnerability:
xend in Xen 3.3.0 does not properly restrict a guest VM's write access within the /local/domain xenstore directory tree, which allows guest OS users to cause a denial of service and possibly have unspecified other impact by writing to (1) console/tty, (2) console/limit, or (3) image/device-model-pid. NOTE: this issue exists because of erroneous set_permissions calls in the fix for CVE-2008-4405.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5716
http://openwall.com/lists/oss-security/2008/12/19/1
http://lists.xensource.com/archives/html/xen-devel/2008-12/msg00842.html
http://lists.xensource.com/archiv
Bugzilla · 2008-10-20 · CVSS 7.2
CVE-2008-4405 [HIGH] CVE-2008-4405 xen: Multiple unsafe uses of guest-writable data from xenstore [F9]
F9 tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
This message is a reminder that Fedora 9 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 9. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '9'.
Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 9's end of life.
Bugzilla · 2008-10-20 · CVSS 7.2
CVE-2008-4405 [HIGH] CVE-2008-4405 xen: Multiple unsafe uses of guest-writable data from xenstore [F8]
F8 tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
This message is a reminder that Fedora 8 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 8. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '8'.
Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 8's end of life.
Bugzilla · 2008-09-30 · CVSS 7.2
CVE-2008-4405 [HIGH] CVE-2008-4405 xen: Multiple unsafe uses of guest-writable data from xenstore
Description of problem:
Every paravirt guest (and some fullvirt guests) have a TTY path associated with them for the text console access to the guest domain. The TTY path is allocated at time of VM creation, and is written into xenstored.
xm console reads the TTY path out of xenstored and opens it to provide admin access to the text console.
The problem is that the TTY path is written into an area of xenstore which is writable by the guest. So a malicious guest can re-write the TTY path, tricking the host admin into accessing a different TTY than they should.
e.g., if you have a guest called 'demo', with domain ID 5, inside the guest you could do
# yum install xen
# xenstore-write /local/domain/5/console/tty /
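The console/tty node described in the bug report is guest-writable, so whatever dom0 tooling reads it must treat the value as untrusted before opening it. The following is an added example (not code from Xen, xend, xm or the bug report) of the validation a dom0 console tool could apply to the string read from `/local/domain/<id>/console/tty`; it assumes xend allocates console pseudo-terminals as `/dev/pts/<N>`, and all sample values are constructed.

```python
import os
import re
import stat

# Constructed sample node values (not taken from the page): the first is the
# kind of path xend itself allocates, the rest are values a guest could plant
# in its own guest-writable console/tty node.
SAMPLE_TTY_VALUES = {
    "allocated_by_xend": "/dev/pts/7",
    "root_dir":          "/",
    "traversal":         "/dev/pts/../tty0",
    "other_console":     "/dev/tty1",
    "double_slash":      "/dev//pts/7",
    "leading_zero":      "/dev/pts/07",
}

# Assumption: every domain console is a pty slave named /dev/pts/<N>.
_PTS_SLAVE = re.compile(r"^/dev/pts/(0|[1-9][0-9]*)$")


def tty_path_is_sane(path) -> bool:
    """True only for a canonical /dev/pts/<N> string: no NULs, no '..' or
    repeated slashes (normpath would change those), no trailing slash."""
    if not isinstance(path, str) or "\0" in path:
        return False
    if os.path.normpath(path) != path:
        return False
    return _PTS_SLAVE.match(path) is not None


def open_console_tty(path: str) -> int:
    """Guarded replacement for opening whatever console/tty says: refuse any
    name that is not a sane pts path, and refuse symlinks and non-character
    devices even when the name looks right (lstat does not follow links)."""
    if not tty_path_is_sane(path):
        raise ValueError("refusing guest-controlled console path %r" % (path,))
    st = os.lstat(path)
    if not stat.S_ISCHR(st.st_mode):
        raise ValueError("%s is not a character device" % path)
    # O_NOCTTY: never let the opened tty become the tool's controlling terminal.
    return os.open(path, os.O_RDWR | os.O_NOCTTY)


def classify_samples() -> dict:
    """Map each constructed sample to whether tty_path_is_sane accepts it."""
    return {name: tty_path_is_sane(v) for name, v in SAMPLE_TTY_VALUES.items()}
```

The durable fix is the upstream one (making the node dom0-only via correct set_permissions calls); the check above is defence in depth for tools that still read guest-reachable nodes.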
References
- http://lists.opensuse.org/opensuse-security-announce/2009-09/msg00001.html
- http://lists.xensource.com/archives/html/xen-devel/2008-09/msg00992.html
- http://lists.xensource.com/archives/html/xen-devel/2008-09/msg00994.html
- http://openwall.com/lists/oss-security/2008/09/30/6
- http://secunia.com/advisories/32064
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:016
- http://www.openwall.com/lists/oss-security/2008/10/04/3
- http://www.redhat.com/support/errata/RHSA-2009-0003.html
- http://www.securityfocus.com/bid/31499
- http://www.securitytracker.com/id?1020955
- http://www.vupen.com/english/advisories/2008/2709
- http://xenbits.xensource.com/staging/xen-3.3-testing.hg?rev/e0e17216ba70
- https://bugzilla.redhat.com/show_bug.cgi?id=464817
- https://bugzilla.redhat.com/show_bug.cgi?id=464818
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10627