Xen Project, XSA-421
Nov 01, 2022 - 10:57 a.m.

Xenstore: Guests can create arbitrary number of nodes via transactions

2022-11-01 10:57:00
Xen Project
xenbits.xen.org

CVSS3: 5.5
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.001
Percentile: 17.1%

ISSUE DESCRIPTION

If a node is created in a transaction and later deleted in the same transaction, the transaction is terminated with an error.
Because this error is encountered only when the deleted node is handled at transaction finalization, the transaction will already have been partially performed, without the accounting information being updated. This enables a malicious guest to create an arbitrary number of nodes.
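
A simplified model of the accounting flaw described above, added here as an illustration and not taken from xenstored or the advisory. `struct store`, `QUOTA`, the entry kinds and both commit functions are hypothetical names, and `commit_checked` shows a general validate-before-apply pattern, not the actual XSA-421 patch.

```c
#include <stdio.h>
/* Toy model (assumption, not xenstored source): nodes present vs. nodes charged. */
struct store { int nodes, accounted; };
enum entry { CREATED, CREATED_THEN_DELETED };
#define QUOTA 4                      /* assumed per-guest node limit */
typedef int (*commit_fn)(struct store *, const enum entry *, int);

/* Flawed: entries are applied one by one and accounting is updated only
 * after the loop, so a late error leaves earlier nodes uncharged. */
static int commit_flawed(struct store *s, const enum entry *tx, int n)
{
    for (int i = 0; i < n; i++) {
        if (tx[i] == CREATED_THEN_DELETED || s->accounted + i >= QUOTA)
            return -1;               /* error surfaces mid-commit */
        s->nodes++;
    }
    s->accounted += n;
    return 0;
}

/* Checked: net effect and quota are settled before the store is touched. */
static int commit_checked(struct store *s, const enum entry *tx, int n)
{
    int added = 0;
    for (int i = 0; i < n; i++)
        added += (tx[i] == CREATED); /* create+delete nets to nothing */
    if (s->accounted + added > QUOTA)
        return -1;
    s->nodes += added;
    s->accounted += added;
    return 0;
}

/* Replay one constructed transaction `rounds` times; return the final state. */
static struct store replay(commit_fn commit, int rounds)
{
    struct store s = { 0, 0 };
    const enum entry tx[] = { CREATED, CREATED, CREATED_THEN_DELETED };
    for (int r = 0; r < rounds; r++)
        commit(&s, tx, 3);
    return s;
}

int main(void)
{
    struct store a = replay(commit_flawed, 10), b = replay(commit_checked, 10);
    printf("flawed %d/%d, checked %d/%d (nodes/accounted)\n", a.nodes, a.accounted, b.nodes, b.accounted);
    return 0;
}
```

In the flawed model the quota check keeps passing because `accounted` never moves, which is the drift between stored and charged nodes that the advisory describes.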

IMPACT

A malicious guest can cause memory shortage in xenstored, resulting in a Denial of Service (DoS) of xenstored.
This will inhibit creating new guests and changing the configuration of already running guests.

VULNERABLE SYSTEMS

All systems running Xen version 4.9 and newer are affected.
Only systems running the C variant of Xenstore (xenstored or xenstore-stubdom) are vulnerable.
Systems using the OCaml variant of Xenstore (oxenstored) are not vulnerable.
