Xenstore: Guests can crash xenstored

2022-11-0110:57:00

Xen Project

xenbits.xen.org

xenstore

guest-controlled

crash

memory corruption

xsa-115

quota

maximum nodes

privilege escalation

c variant

ocaml variant

vulnerable system

software

CVSS3

8.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS

Percentile

14.2%

JSON

ISSUE DESCRIPTION

Due to a bug in the fix of XSA-115 a malicious guest can cause xenstored to use a wrong pointer during node creation in an error path, resulting in a crash of xenstored or a memory corruption in xenstored causing further damage.
Entering the error path can be controlled by the guest e.g. by exceeding the quota value of maximum nodes per domain.

IMPACT

A malicious guest can cause xenstored to crash, resulting in the inability to create new guests or to change the configuration of running guests.
Memory corruption in xenstored or privilege escalation of a guest can’t be ruled out.

VULNERABLE SYSTEMS

All Xen versions with the fix for XSA-115 running the C variant of Xenstore (xenstored or xenstore-stubdom) are vulnerable.
Systems using the Ocaml variant of Xenstore (oxenstored) are not vulnerable.