CVE-2021-28699
Vulnerability from cvelistv5
Published: 2021-08-27 18:21
Modified: 2024-08-03 21:47
Summary
Inadequate grant-v2 status frames array bounds check
The v2 grant table interface separates grant attributes from grant status. That is, when operating in this mode, a guest has two tables. As a result, guests also need to be able to retrieve the addresses that the new status tracking table can be accessed through. For 32-bit guests on x86, translation of requests has to occur because the interface structure layouts commonly differ between 32- and 64-bit. The translation of the request to obtain the frame numbers of the grant status table involves translating the resulting array of frame numbers. Since the space used to carry out the translation is limited, the translation layer tells the core function the capacity of the array within translation space. Unfortunately the core function then only enforces array bounds to be below 8 times the specified value, and would write past the available space if enough frame numbers needed storing.
References
- Xen advisory: https://xenbits.xenproject.org/xsa/advisory-382.txt
- FEDORA-2021-4f129cc0c1: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LPRVHW4J4ZCPPOHZEWP5MOJT7XDGFFPJ/
- FEDORA-2021-d68ed12e46: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FZCNPSRPGFCQRYE2BI4D4Q4SCE56ANV2/
- FEDORA-2021-081f9bf5d2: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2VQCFAPBNGBBAOMJZG6QBREOG5IIDZID/
- DSA-4977: https://www.debian.org/security/2021/dsa-4977
- GLSA-202208-23: https://security.gentoo.org/glsa/202208-23
Record details
- CVE ID: CVE-2021-28699 (state: PUBLISHED)
- Assigner: XEN (security@xen.org)
- Date reserved: 2021-03-18
- Product: xen (vendor: Xen)
- CNA version data: less than 4.12, status unknown; 4.11.x, affected; next of xen-unstable, unaffected
- Problem type: unknown (NVD weakness: NVD-CWE-noinfo)
- NVD CVSS 3.1: 5.5 MEDIUM, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- NVD CVSS 2.0: 4.9 MEDIUM, AV:L/AC:L/Au:N/C:N/I:N/A:C
- NVD CPE configurations: Xen from 4.10.0; Fedora 33, 34 and 35; Debian Linux 11.0
Impact
Malicious or buggy guest kernels may be able to mount a Denial of Service (DoS) attack affecting the entire system. Privilege escalation and information leaks cannot be ruled out.
Vulnerable systems
All Xen versions from 4.10 onwards are affected. Xen versions 4.9 and older are not affected.
Only 32-bit x86 guests permitted to use grant table version 2 interfaces can leverage this vulnerability. 64-bit x86 guests cannot leverage this vulnerability, but note that HVM and PVH guests are free to alter their bitness as they see fit. On Arm, grant table v2 use is explicitly unsupported.
Only guests permitted to have 8177 or more grant table frames can leverage this vulnerability.
Workaround
The problem can be avoided by not increasing too much the number of grants Xen would allow guests to establish. The limit is controlled by the "gnttab_max_frames" Xen command line option and the "max_grant_frames" xl domain configuration setting.
From Xen 4.14 onwards it is also possible to alter the system wide upper bound of the number of grants Xen would allow guests to establish by writing to the /params/gnttab_max_frames hypervisor file system node. Note however that changing the value this way will only affect guests yet to be created on the respective host.
Suppressing use of grant table v2 interfaces for 32-bit x86 guests will also avoid this vulnerability.
Credit
This issue was discovered by Jan Beulich of SUSE.