FreeBSD: E43B210A-4212-11E6-942D-BC5FF45D0F28
May 17, 2016 - 12:00 a.m.

xen-kernel -- x86 software guest page walk PS bit handling flaw

2016-05-17 00:00:00
vuxml.freebsd.org

CVSS2: 7.2 High

Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3: 8.4 High

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.002 Low
Percentile: 52.0%

The Xen Project reports:

The Page Size (PS) page table entry bit exists at all page table
levels other than L1. Its meaning is reserved in L4, and
conditionally reserved in L3 and L2 (depending on hardware
capabilities). The software page table walker in the hypervisor,
however, so far ignored that bit in L4 and (on respective hardware)
L3 entries, resulting in pages to be treated as page tables which
the guest OS may not have designated as such. If the page in
question is writable by an unprivileged user, then that user will
be able to map arbitrary guest memory.

On vulnerable OSes, guest user mode code may be able to establish
mappings of arbitrary memory inside the guest, allowing it to
elevate its privileges inside the guest.
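
The PS-bit check the report describes, as an added example (not Xen's code and not part of the advisory). It classifies one present page table entry per level, with a model of the flawed handling beside a strict version. The `cpu_caps` flags, the enum and the function names are hypothetical, and the sample entry is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PTE_PRESENT (1ULL << 0)
#define PTE_PS      (1ULL << 7)  /* Page Size bit; only meaningful at L2-L4 */

enum walk_step { STEP_NOT_PRESENT, STEP_NEXT_TABLE, STEP_LEAF, STEP_RSVD_FAULT };

/* Hypothetical capability flags: which levels may map a superpage. */
struct cpu_caps { bool l3_superpage; bool l2_superpage; };

/* Model of the flaw as described: PS ignored in L4, and in L3 on hardware
 * without L3 superpages, so the walk descends into a non-page-table page. */
enum walk_step classify_flawed(int level, uint64_t e, const struct cpu_caps *c)
{
    if (!(e & PTE_PRESENT)) return STEP_NOT_PRESENT;
    if (level == 1) return STEP_LEAF;
    if ((e & PTE_PS) && level == 2) return c->l2_superpage ? STEP_LEAF : STEP_RSVD_FAULT;
    if ((e & PTE_PS) && level == 3 && c->l3_superpage) return STEP_LEAF;
    return STEP_NEXT_TABLE;
}

/* Strict handling: PS set where it is reserved ends the walk with a fault. */
enum walk_step classify_strict(int level, uint64_t e, const struct cpu_caps *c)
{
    if (!(e & PTE_PRESENT)) return STEP_NOT_PRESENT;
    if (level == 1) return STEP_LEAF;            /* bit 7 is not PS at L1 */
    if (!(e & PTE_PS)) return STEP_NEXT_TABLE;
    if (level == 4) return STEP_RSVD_FAULT;      /* always reserved in L4 */
    if (level == 3) return c->l3_superpage ? STEP_LEAF : STEP_RSVD_FAULT;
    return c->l2_superpage ? STEP_LEAF : STEP_RSVD_FAULT;
}

int main(void)
{
    static const char *name[] = { "not-present", "next-table", "leaf", "reserved-fault" };
    struct cpu_caps caps = { .l3_superpage = false, .l2_superpage = true };
    uint64_t e = 0x1000 | PTE_PRESENT | PTE_PS;  /* constructed sample entry */
    for (int level = 4; level >= 2; level--)
        printf("L%d PS=1: flawed=%s strict=%s\n", level,
               name[classify_flawed(level, e, &caps)],
               name[classify_strict(level, e, &caps)]);
    return 0;
}
```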

OS        Version   Architecture   Package      Version    Filename
FreeBSD   any       noarch         xen-kernel   < 4.7.0    UNKNOWN
