CVE-2017-15595
Published 2017-10-18
Priority P346 · high · 8.8 (CVSS 3.0)
Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EXPLOIT
EPSS 1.55% (71.9th percentile)
An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS users to cause a denial of service (unbounded recursion, stack consumption, and hypervisor crash) or possibly gain privileges via crafted page-table stacking.
Affected
20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | xen | < xen 4.11.3+24-g14b62ab3e5-1 (bookworm) | xen 4.11.3+24-g14b62ab3e5-1 (bookworm) |
| debian | xen | < xen 4.8.2+xsa245-0+deb9u1 (bookworm) | xen 4.8.2+xsa245-0+deb9u1 (bookworm) |
| debian | xen | < xen 4.11.1-1 (bookworm) | xen 4.11.1-1 (bookworm) |
| fedoraproject | fedora | — | — |
| xen | xen | <= 4.12.1 | — |
| xen | xen | <= 4.9.0 | — |
| xen | xen | >= 0 < 4.11.3+24-g14b62ab3e5-1 | 4.11.3+24-g14b62ab3e5-1 |
| xen | xen | >= 0 < 4.11.1-1 | 4.11.1-1 |
| xen | xen | >= 0 < 4.8.2+xsa245-0+deb9u1 | 4.8.2+xsa245-0+deb9u1 |
| xen | xen | 4.11.0 – 4.11.1 | — |
CVSS provenance
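| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | HIGH | — |
| vendor_redhat | — | 8.8 | HIGH | — |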
GHSA
GHSA-xm4c-wwh2-mcv8: An issue was discovered in Xen through 4
ghsa_unreviewed·2022-05-24·CVSS 8.8
CVE-2019-19578 [HIGH] GHSA-xm4c-wwh2-mcv8: An issue was discovered in Xen through 4
An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to cause a denial of service via degenerate chains of linear pagetables, because of an incorrect fix for CVE-2017-15595. "Linear pagetables" is a technique which involves either pointing a pagetable at itself, or to another pagetable of the same or higher level. Xen has limited support for linear pagetables: A page may either point to itself, or point to another pagetable of the same level (i.e., L2 to L2, L3 to L3, and so on). XSA-240 introduced an additional restriction that limited the "depth" of such chains by allowing pages to either *point to* other pages of the same level, or *be pointed to* by other pages of the same level, but not both. To implement this, we keep track of the number of outstanding times a
GHSA
GHSA-m9p9-mh4f-qxmq: An issue was discovered in Xen through 4
ghsa_unreviewed·2022-05-14
CVE-2017-15595 [HIGH] CWE-400 GHSA-m9p9-mh4f-qxmq: An issue was discovered in Xen through 4
An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS users to cause a denial of service (unbounded recursion, stack consumption, and hypervisor crash) or possibly gain privileges via crafted page-table stacking.
GHSA
GHSA-3635-87f7-gfgj: An issue was discovered in Xen through 4
ghsa_unreviewed·2022-05-13·CVSS 8.8
CVE-2018-19966 [HIGH] CWE-436 GHSA-3635-87f7-gfgj: An issue was discovered in Xen through 4
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service (host OS crash) or possibly gain host OS privileges because of an interpretation conflict for a union data structure associated with shadow paging. NOTE: this issue exists because of an incorrect fix for CVE-2017-15595.
OSV
CVE-2019-19578: An issue was discovered in Xen through 4
osv·2019-12-11·CVSS 8.8
CVE-2019-19578 [HIGH] CVE-2019-19578: An issue was discovered in Xen through 4
An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to cause a denial of service via degenerate chains of linear pagetables, because of an incorrect fix for CVE-2017-15595. "Linear pagetables" is a technique which involves either pointing a pagetable at itself, or to another pagetable of the same or higher level. Xen has limited support for linear pagetables: A page may either point to itself, or point to another pagetable of the same level (i.e., L2 to L2, L3 to L3, and so on). XSA-240 introduced an additional restriction that limited the "depth" of such chains by allowing pages to either *point to* other pages of the same level, or *be pointed to* by other pages of the same level, but not both. To implement this, we keep track of the number of outstanding times a
OSV
CVE-2018-19966: An issue was discovered in Xen through 4
osv·2018-12-08·CVSS 8.8
CVE-2018-19966 [HIGH] CVE-2018-19966: An issue was discovered in Xen through 4
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service (host OS crash) or possibly gain host OS privileges because of an interpretation conflict for a union data structure associated with shadow paging. NOTE: this issue exists because of an incorrect fix for CVE-2017-15595.
OSV
CVE-2017-15595: An issue was discovered in Xen through 4
osv·2017-10-18·CVSS 8.8
CVE-2017-15595 [HIGH] CVE-2017-15595: An issue was discovered in Xen through 4
An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS users to cause a denial of service (unbounded recursion, stack consumption, and hypervisor crash) or possibly gain privileges via crafted page-table stacking.
Red Hat
xen: privilege escalation due to malicious PV guest (XSA-309)
vendor_redhat·2019-12-11·CVSS 8.8
CVE-2019-19578 [HIGH] CWE-400 xen: privilege escalation due to malicious PV guest (XSA-309)
An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to cause a denial of service via degenerate chains of linear pagetables, because of an incorrect fix for CVE-2017-15595. "Linear pagetables" is a technique which involves either pointing a pagetable at itself, or to another pagetable of the same or higher level. Xen has limited support for linear pagetables: A page may either point to itself, or point to another pagetable of the same level (i.e., L2 to L2, L3 to L3, and so on). XSA-240 introduced an additional restriction that limited the "depth" of such chains by allowing pages to either *point to* other pages of the same level, or *be pointed to* by other pages of the same level, but not both. To imp
Debian
CVE-2019-19578: xen - An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to ...
vendor_debian·2019·CVSS 8.8
CVE-2019-19578 [HIGH] CVE-2019-19578: xen - An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to ...
An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to cause a denial of service via degenerate chains of linear pagetables, because of an incorrect fix for CVE-2017-15595. "Linear pagetables" is a technique which involves either pointing a pagetable at itself, or to another pagetable of the same or higher level. Xen has limited support for linear pagetables: A page may either point to itself, or point to another pagetable of the same level (i.e., L2 to L2, L3 to L3, and so on). XSA-240 introduced an additional restriction that limited the "depth" of such chains by allowing pages to either *point to* other pages of the same level, or *be pointed to* by other pages of the same level, but not both. To implement this, we keep track of the number of outstanding times a
Red Hat
xen: Conflicts with shadow paging due to XSA-240 incomplete fix (XSA-280)
vendor_redhat·2018-11-20·CVSS 8.8
CVE-2018-19966 [HIGH] CWE-770 xen: Conflicts with shadow paging due to XSA-240 incomplete fix (XSA-280)
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service (host OS crash) or possibly gain host OS privileges because of an interpretation conflict for a union data structure associated with shadow paging. NOTE: this issue exists because of an incorrect fix for CVE-2017-15595.
Package: xen (Red Hat Enterprise Linux 5) - Will not fix
Debian
CVE-2018-19966: xen - An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to ...
vendor_debian·2018·CVSS 8.8
CVE-2018-19966 [HIGH] CVE-2018-19966: xen - An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to ...
An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service (host OS crash) or possibly gain host OS privileges because of an interpretation conflict for a union data structure associated with shadow paging. NOTE: this issue exists because of an incorrect fix for CVE-2017-15595.
Scope: local
bookworm: resolved (fixed in 4.11.1-1)
bullseye: resolved (fixed in 4.11.1-1)
forky: resolved (fixed in 4.11.1-1)
sid: resolved (fixed in 4.11.1-1)
trixie: resolved (fixed in 4.11.1-1)
Red Hat
xen: Unlimited recursion in linear pagetable de-typing (XSA-240)
vendor_redhat·2017-10-12·CVSS 8.8
CVE-2017-15595 [HIGH] xen: Unlimited recursion in linear pagetable de-typing (XSA-240)
An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS users to cause a denial of service (unbounded recursion, stack consumption, and hypervisor crash) or possibly gain privileges via crafted page-table stacking.
Package: xen (Red Hat Enterprise Linux 5) - Will not fix
Debian
CVE-2017-15595: xen - An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS users to c...
vendor_debian·2017·CVSS 8.8
CVE-2017-15595 [HIGH] CVE-2017-15595: xen - An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS users to c...
An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS users to cause a denial of service (unbounded recursion, stack consumption, and hypervisor crash) or possibly gain privileges via crafted page-table stacking.
Scope: local
bookworm: resolved (fixed in 4.8.2+xsa245-0+deb9u1)
bullseye: resolved (fixed in 4.8.2+xsa245-0+deb9u1)
forky: resolved (fixed in 4.8.2+xsa245-0+deb9u1)
sid: resolved (fixed in 4.8.2+xsa245-0+deb9u1)
trixie: resolved (fixed in 4.8.2+xsa245-0+deb9u1)
No detection rules found.
Bugzilla
CVE-2019-19578 xen: privilege escalation due to malicious PV guest (XSA-309)
bugzilla·2019-11-29·CVSS 8.8
CVE-2019-19578 [HIGH] CVE-2019-19578 xen: privilege escalation due to malicious PV guest (XSA-309)
An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to cause a denial of service via degenerate chains of linear pagetables, because of an incorrect fix for CVE-2017-15595. "Linear pagetables" is a technique which involves either pointing a pagetable at itself, or to another pagetable of the same or higher level. Xen has limited support for linear pagetables: A page may either point to itself, or point to another pagetable of the same level (i.e., L2 to L2, L3 to L3, and so on). XSA-240 introduced an additional restriction that limited the "depth" of such chains by allowing pages to either *point to* other pages of the same level, or *be pointed to* by other pages of the same level, but n
Bugzilla
CVE-2017-15588 CVE-2017-15589 CVE-2017-15590 CVE-2017-15591 CVE-2017-15592 CVE-2017-15593 CVE-2017-15594 CVE-2017-15595 xen: various flaws [fedora-all]
bugzilla·2017-10-12·CVSS 7.8
CVE-2017-15588 [HIGH] CVE-2017-15588 CVE-2017-15589 CVE-2017-15590 CVE-2017-15591 CVE-2017-15592 CVE-2017-15593 CVE-2017-15594 CVE-2017-15595 xen: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fe
Bugzilla
CVE-2017-15595 xsa240 xen: Unlimited recursion in linear pagetable de-typing (XSA-240)
bugzilla·2017-10-09·CVSS 8.8
CVE-2017-15595 [HIGH] CVE-2017-15595 xsa240 xen: Unlimited recursion in linear pagetable de-typing (XSA-240)
ISSUE DESCRIPTION
x86 PV guests are permitted to set up certain forms of what is often
called "linear page tables", where pagetables contain references to
other pagetables at the same level or higher. Certain restrictions
apply in order to fit into Xen's page type handling system. An
important restriction was missed, however: Stacking multiple layers
of page tables of the same level on top of one another is not very
useful, and the tearing down of such an arrangement involves
recursion. With sufficiently many layers such recursion will result
in a stack overflow, commonly causing Xen to crash.
IMPACT
A malicious or buggy PV guest may cause the hypervisor to crash,
resulting in Denial of Service
https://lists.debian.org/debian-lts-announce/2017/11/msg00027.html
https://lists.debian.org/debian-lts-announce/2018/10/msg00021.html
https://security.gentoo.org/glsa/201801-14
https://support.citrix.com/article/CTX228867
https://www.debian.org/security/2017/dsa-4050
https://www.exploit-db.com/exploits/43014/
https://xenbits.xen.org/xsa/advisory-240.html