CVE-2008-5716
Published 2008-12-24
Priority: P4 · 22 · high · CVSS 2.0 score 7.2
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
EPSS: 0.36% (27.6th percentile)
xend in Xen 3.3.0 does not properly restrict a guest VM's write access within the /local/domain xenstore directory tree, which allows guest OS users to cause a denial of service and possibly have unspecified other impact by writing to (1) console/tty, (2) console/limit, or (3) image/device-model-pid. NOTE: this issue exists because of erroneous set_permissions calls in the fix for CVE-2008-4405.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| citrix | xen | — | — |
CVSS provenance
nvd · v2.0 · 7.2 · HIGH · AV:L/AC:L/Au:N/C:C/I:C/A:C
vendor_redhat · 7.2 · HIGH
GHSA
GHSA-r6vm-2jmq-5wqx: xend in Xen 3
ghsa_unreviewed·2022-05-17·CVSS 7.2
Red Hat
xen: Incomplete upstream fix for CVE-2008-4405
vendor_redhat·2008-12-18·CVSS 7.2
Statement: Not vulnerable. This issue did not affect the versions of Xen as shipped with Red Hat Enterprise Linux 5. Security update released to address CVE-2008-4405 - RHSA-2009:0003 - contained correct patch which did not introduce this problem and resolved the original issue.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2008-5716 xen: Incomplete upstream fix for CVE-2008-4405
bugzilla·2009-01-06·CVSS 7.2
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5716 to
the following vulnerability:
xend in Xen 3.3.0 does not properly restrict a guest VM's write access
within the /local/domain xenstore directory tree, which allows guest
OS users to cause a denial of service and possibly have unspecified
other impact by writing to (1) console/tty, (2) console/limit, or (3)
image/device-model-pid. NOTE: this issue exists because of erroneous
set_permissions calls in the fix for CVE-2008-4405.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5716
http://openwall.com/lists/oss-security/2008/12/19/1
http://lists.xensource.com/archives/html/xen-devel/2008-12/msg00842.html
http://lists.xensource.com/archiv
Bugzilla
CVE-2008-4405 xen: Multiple unsafe uses of guest-writable data from xenstore
bugzilla·2008-09-30·CVSS 7.2
Description of problem:
Every paravirt guest (and some fullvirt guests) has a TTY path associated with it for the text console access to the guest domain. The TTY path is allocated at time of VM creation, and is written into xenstored.
xm console reads the TTY path out of xenstored and opens it to provide admin access to the text console.
The problem is that the TTY path is written into an area of xenstore which is writable by the guest. So a malicious guest can re-write the TTY path, tricking the host admin into accessing a different TTY than they should.
E.g., if you have a guest called 'demo', with domain ID 5, inside the guest you could do
# yum install xen
# xenstore-write /local/domain/5/console/tty /
References:
http://lists.xensource.com/archives/html/xen-devel/2008-12/msg00842.html
http://lists.xensource.com/archives/html/xen-devel/2008-12/msg00845.html
http://lists.xensource.com/archives/html/xen-devel/2008-12/msg00846.html
http://lists.xensource.com/archives/html/xen-devel/2008-12/msg00847.html
http://openwall.com/lists/oss-security/2008/12/19/1
http://www.securityfocus.com/bid/31499
https://exchange.xforce.ibmcloud.com/vulnerabilities/47668
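A host-side audit for the condition these records describe, as an added example that is not code from Xen, Red Hat or the original reports: it evaluates xenstore permission lists for one guest and reports which of the three nodes named in CVE-2008-5716 that guest can write. The dump line format, the function names and the sample values are assumptions made for this example.

```python
import re

# Nodes named in the CVE-2008-5716 description, relative to /local/domain/<domid>/.
SENSITIVE = ("console/tty", "console/limit", "image/device-model-pid")

# Assumed dump line format (constructed for this example): path = "value" (perm,perm,...)
LINE = re.compile(r'^(\S+)\s*=\s*"[^"]*"\s*\(([^)]*)\)$')

def guest_can_write(perms, guest_domid):
    """Evaluate a xenstore ACL such as ["n0", "r5"] for one guest domain.

    The first entry names the owning domain and the default access for
    unlisted domains; later entries grant n/r/w/b to specific domains.
    """
    if int(perms[0][1:]) == guest_domid:
        return True                      # the owner always has read/write
    access = perms[0][0]                 # default for everyone else
    for entry in perms[1:]:
        if int(entry[1:]) == guest_domid:
            access = entry[0]
    return access in ("w", "b")

def audit(dump, guest_domid):
    """Return the sensitive nodes under the guest's subtree that it can write."""
    prefix = f"/local/domain/{guest_domid}/"
    findings = []
    for raw in dump.splitlines():
        m = LINE.match(raw.strip())
        if not m or not m.group(1).startswith(prefix):
            continue
        path, perms = m.group(1), m.group(2).split(",")
        if path[len(prefix):] in SENSITIVE and guest_can_write(perms, guest_domid):
            findings.append(path)
    return findings

# Constructed sample for domain ID 5 (values are illustrative, not from a real host).
SAMPLE = '''
/local/domain/5/name = "demo" (n0,r5)
/local/domain/5/data = "" (n5)
/local/domain/5/console/tty = "/dev/pts/3" (n5)
/local/domain/5/console/limit = "1048576" (n0,r5)
/local/domain/5/image/device-model-pid = "4211" (n0,b5)
'''

if __name__ == "__main__":
    for node in audit(SAMPLE, 5):
        print("guest-writable:", node)
```

A node owned by the guest itself is reported even when no explicit write entry is listed, because the owning domain always has read/write access.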
2008-12-24
Published