CVE-2012-5513
Published: 2012-12-13
Priority: P4 26 · Severity: medium · CVSS 2.0 base score: 6.9
CVSS 2.0 vector: AV:L/AC:M/Au:N/C:C/I:C/A:C
Exploit: EXPLOIT
EPSS: 0.41% (32.4th percentile)
The XENMEM_exchange handler in Xen 4.2 and earlier does not properly check the memory address, which allows local PV guest OS administrators to cause a denial of service (crash) or possibly gain privileges via unspecified vectors that overwrite memory in the hypervisor reserved range.
Affected
32 ranges · showing 25 (23 of the shown entries list vendor "xen", product "xen" with no version range or fix recorded; they are collapsed into one row below)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | xen | < xen 4.1.3-5 (bookworm) | xen 4.1.3-5 (bookworm) |
| xen | xen | <= 4.2.0 | — |
| xen | xen (23 entries) | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 6.9 | MEDIUM | AV:L/AC:M/Au:N/C:C/I:C/A:C |
| osv | — | 6.9 | MEDIUM | — |
| vendor_debian | — | 6.9 | MEDIUM | — |
| vendor_redhat | — | 6.9 | MEDIUM | — |
GHSA
GHSA-g9gx-4mw5-3rg7 · ghsa_unreviewed · 2022-05-17 · CVE-2012-5513 [MEDIUM] · CWE-20
Description: identical to the NVD description above.
Project Zero
Pandavirtualization: Exploiting the Xen hypervisor · project_zero · 2017-04-01 · CVE-2012-5513
Posted by Jann Horn, Project Zero
On 2017-03-14, I reported a bug to Xen's security team that permits an attacker with control over the kernel of a paravirtualized x86-64 Xen guest to break out of the hypervisor and gain full control over the machine's physical memory. The Xen Project publicly released an advisory and a patch for this issue 2017-04-04.
To demonstrate the impact of the issue, I created an exploit that, when executed in one 64-bit PV guest with root privileges, will execute a shell command as root in all other 64-bit PV guests (including dom0) on the same physical machine.
## Background
## access_ok()
On x86-64, Xen PV guests share the virtual address space with the hypervisor. The coarse memory layout looks as follows:
Xen allows the guest kernel to perform hyper
OSV
CVE-2012-5513 · osv · 2012-12-13 · CVSS 6.9 · [MEDIUM]
Description: identical to the NVD description above.
Red Hat
kernel: xen: XENMEM_exchange may overwrite hypervisor memory · vendor_redhat · 2012-12-03 · CVSS 6.9 · CVE-2012-5513 [MEDIUM] · CWE-119
Description: identical to the NVD description above.
Statement: This issue did affect the versions of the kernel-xen package as shipped with Red Hat Enterprise Linux 5. This issue did not affect Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG, as we did not have support for the Xen hypervisor.
Package: kernel-xen (Red Hat Enterprise Linux Extended Update Support 5.9) - Affected
Debian
CVE-2012-5513: xen · vendor_debian · 2012 · CVSS 6.9 · [MEDIUM]
Description: identical to the NVD description above.
Scope: local
bookworm: resolved (fixed in 4.1.3-5)
bullseye: resolved (fixed in 4.1.3-5)
forky: resolved (fixed in 4.1.3-5)
sid: resolved (fixed in 4.1.3-5)
trixie: resolved (fixed in 4.1.3-5)
No detection rules found.
Bugzilla
CVE-2012-5513 kernel: xen: XENMEM_exchange may overwrite hypervisor memory [fedora-all] · bugzilla · 2012-12-03 · CVSS 6.9 · [MEDIUM]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link noted in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the Bodhi notes field when available.
Please note: this
Bugzilla
CVE-2012-5513 kernel: xen: XENMEM_exchange may overwrite hypervisor memory · bugzilla · 2012-11-16 · CVSS 6.9 · [MEDIUM]
The handler for XENMEM_exchange accesses guest memory without range checking the guest provided addresses, thus allowing these accesses to include the hypervisor reserved range.
A malicious PV guest administrator can cause Xen to crash. If the out of address space bounds access does not lead to a crash, a carefully crafted privilege escalation cannot be excluded, even though the guest doesn't itself control the values written.
Acknowledgements: Red Hat would like to thank the Xen project for reporting this issue.
Discussion:
Statement: This issue did affect the versions of the kernel-xen package as shipped with Red Hat Enterprise Linux 5.
This issue did not affect Red Hat Enterprise Linux 6 and Red Hat Enter
References
- http://lists.opensuse.org/opensuse-security-announce/2012-12/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2012-12/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2012-12/msg00018.html
- http://lists.opensuse.org/opensuse-security-announce/2012-12/msg00019.html
- http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00011.html
- http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00000.html
- http://lists.opensuse.org/opensuse-updates/2013-04/msg00051.html
- http://lists.opensuse.org/opensuse-updates/2013-04/msg00052.html
- http://rhn.redhat.com/errata/RHSA-2012-1540.html
- http://secunia.com/advisories/51397
- http://secunia.com/advisories/51468
- http://secunia.com/advisories/51486
- http://secunia.com/advisories/51487
- http://secunia.com/advisories/51495
- http://secunia.com/advisories/55082
- http://security.gentoo.org/glsa/glsa-201309-24.xml
- http://support.citrix.com/article/CTX135777
- http://www.debian.org/security/2012/dsa-2582
- http://www.openwall.com/lists/oss-security/2012/12/03/11
- http://www.osvdb.org/88131
- http://www.securityfocus.com/bid/56797
- https://exchange.xforce.ibmcloud.com/vulnerabilities/80482
Published: 2012-12-13