CVE-2024-45817Information Exposure via Error Message in XEN

CWE-209Information Exposure via Error Message6 documents5 sources
Severity
7.3HIGHNVD
EPSS
0.5%
top 33.97%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
XENDebian XEN
Timeline
PublishedSep 25

Description

In x86's APIC (Advanced Programmable Interrupt Controller) architecture, error conditions are reported in a status register. Furthermore, the OS can opt to receive an interrupt when a new error occurs. It is possible to configure the error interrupt with an illegal vector, which generates an error when an error interrupt is raised. This case causes Xen to recurse through vlapic_error(). The recursion itself is bounded; errors accumulate in the the status register and only generate an interrupt

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:LExploitability: 3.9 | Impact: 3.4

Affected Packages4 packages

debiandebian/xen< xen 4.17.5+23-ga4e5191dc0-1 (bookworm)
Alpinexen/xen< 4.16.6-r2+6
Debianxen/xen< 4.17.5+23-ga4e5191dc0-1+2
NVDxen/xen

Patches

Patch: xenbits.xenproject.orgPatch: xenbits.xen.org

🔴Vulnerability Details

4
CVEList
x86: Deadlock in vlapic_error()2024-09-25
OSV
CVE-2024-45817: In x86's APIC (Advanced Programmable Interrupt Controller) architecture, error conditions are reported in a status register2024-09-25
GHSA
GHSA-x9f9-xjf3-f3v6: In x86's APIC (Advanced Programmable Interrupt Controller) architecture, error conditions are reported in a status register2024-09-25
OSV
CVE-2024-45817: In x86's APIC (Advanced Programmable Interrupt Controller) architecture, error conditions are reported in a status register2024-09-25

📋Vendor Advisories

1
Debian
CVE-2024-45817: xen - In x86's APIC (Advanced Programmable Interrupt Controller) architecture, error c...2024