CVSS2
Attack Vector: LOCAL
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector string: AV:L/AC:M/Au:N/C:P/I:N/A:P
EPSS Percentile: 5.1%
When loading a 32-bit ARM guest kernel the Xen tools did not correctly validate the length of the kernel against the actual image size. This would then lead to an overrun on the input buffer when loading the kernel into guest RAM (CVE-2014-3714).
Furthermore, when checking a 32-bit guest kernel for an appended DTB (device tree blob), the Xen tools were prone to additional overruns, likewise overrunning the input buffer when loading the kernel into guest RAM (CVE-2014-3715). The tools also accessed a field in the putative DTB header without checking its alignment (CVE-2014-3716).
When loading a 64-bit ARM guest kernel the tools similarly did not fully validate the requested load addresses, possibly leading to an overrun on the input buffer when loading the kernel into guest RAM (CVE-2014-3717).
An attacker who can control the kernel used to boot a guest can exploit these issues.
Exploiting the overflow issues allows information which follows the guest kernel in the toolstack address space to be copied into the guest’s memory, constituting an information leak.
Alternatively either the overflow or alignment issues could be used to crash the toolstack process, leading to a denial of service.
ARM systems are vulnerable from Xen 4.4 onwards.
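The three defects above are all missing validation at the point where a loader trusts lengths and offsets taken from the image: the kernel length is not compared with the real image size, the appended-DTB probe reads and follows header fields without checking they lie inside the image, and a header field is read without checking alignment. The following C program, written for this page and not taken from Xen's toolstack, shows the checks a hardened loader performs before copying anything. The function names (range_within, load_kernel, dtb_header_ok), the sample images and the guest-RAM buffer are constructed for the example; the DTB header layout (big-endian magic 0xd00dfeed followed by a big-endian totalsize) is the flattened device tree format.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical, simplified bounds and alignment checks illustrating the
 * class of validation the advisory says was missing. Example code written
 * for this page, not Xen's libxc/xc_dom code. */

/* 1 if [off, off + len) lies inside a buffer of `size` bytes. The subtraction
 * form avoids the wrap-around that `off + len <= size` would allow. */
int range_within(uint64_t size, uint64_t off, uint64_t len)
{
    if (off > size)
        return 0;
    return len <= size - off;
}

/* Copy the kernel into guest RAM only after both the source range (inside the
 * input image) and the destination range (inside guest RAM) are validated. An
 * unchecked kernel_len is what lets bytes beyond the image be copied. */
int load_kernel(uint8_t *guest_ram, uint64_t ram_size, uint64_t load_addr,
                const uint8_t *image, uint64_t image_size,
                uint64_t kernel_off, uint64_t kernel_len)
{
    if (!range_within(image_size, kernel_off, kernel_len))
        return -1;                      /* would read past the input buffer */
    if (!range_within(ram_size, load_addr, kernel_len))
        return -1;                      /* would write past guest RAM */
    memcpy(guest_ram + load_addr, image + kernel_off, kernel_len);
    return 0;
}

/* Appended-DTB probe. A flattened device tree starts with a big-endian magic
 * (0xd00dfeed) followed by a big-endian totalsize. The header is only read
 * when its offset is 4-byte aligned and the 8 header bytes lie inside the
 * image; the totalsize is then itself checked against the image before it is
 * trusted. Bytes are assembled one at a time so the example never performs
 * an unaligned load itself. */
#define FDT_MAGIC 0xd00dfeedu

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

int dtb_header_ok(const uint8_t *image, uint64_t image_size, uint64_t dtb_off,
                  uint32_t *totalsize_out)
{
    if (dtb_off % 4 != 0)
        return 0;                       /* misaligned header */
    if (!range_within(image_size, dtb_off, 8))
        return 0;                       /* magic + totalsize not inside image */
    if (be32(image + dtb_off) != FDT_MAGIC)
        return 0;
    uint32_t totalsize = be32(image + dtb_off + 4);
    if (!range_within(image_size, dtb_off, totalsize))
        return 0;                       /* DTB claims more bytes than exist */
    *totalsize_out = totalsize;
    return 1;
}

/* Constructed sample images: 64 bytes of "kernel" followed by a DTB header
 * whose totalsize is 16. good_image holds all 16 DTB bytes; truncated_image
 * ends 8 bytes early, which the totalsize check must catch. */
static const uint8_t good_image[80] = {
    [64] = 0xd0, 0x0d, 0xfe, 0xed, 0x00, 0x00, 0x00, 0x10 };
static const uint8_t truncated_image[72] = {
    [64] = 0xd0, 0x0d, 0xfe, 0xed, 0x00, 0x00, 0x00, 0x10 };
static uint8_t guest_ram[128];

int main(void)
{
    uint32_t ts = 0;
    printf("kernel load (64 bytes): %d\n",
           load_kernel(guest_ram, sizeof guest_ram, 0, good_image,
                       sizeof good_image, 0, 64));
    printf("oversized kernel_len:   %d\n",
           load_kernel(guest_ram, sizeof guest_ram, 0, good_image,
                       sizeof good_image, 0, 81));
    printf("good DTB:      %d\n",
           dtb_header_ok(good_image, sizeof good_image, 64, &ts));
    printf("truncated DTB: %d\n",
           dtb_header_ok(truncated_image, sizeof truncated_image, 64, &ts));
    printf("misaligned:    %d\n",
           dtb_header_ok(good_image, sizeof good_image, 66, &ts));
    return 0;
}
```

The design point is that every length used to drive a copy or a further read is checked against the size of the buffer it indexes, with the check written as a subtraction so an attacker-chosen length cannot wrap the comparison, and that the DTB header is only dereferenced once both its alignment and its position inside the image are known. A loader that rejects the image at any of these points fails closed (a load error rather than a copy of toolstack memory into the guest or a crash of the toolstack process).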