cve-2019-18424
Vulnerability from cvelistv5
Published
2019-10-31 13:38
Modified
2024-08-05 01:54
Severity ?
EPSS score ?
Summary
An issue was discovered in Xen through 4.12.x allowing attackers to gain host OS privileges via DMA in a situation where an untrusted domain has access to a physical device. This occurs because passed through PCI devices may corrupt host memory after deassignment. When a PCI device is assigned to an untrusted domain, it is possible for that domain to program the device to DMA to an arbitrary address. The IOMMU is used to protect the host from malicious DMA by making sure that the device addresses can only target memory assigned to the guest. However, when the guest domain is torn down, or the device is deassigned, the device is assigned back to dom0, thus allowing any in-flight DMA to potentially target critical host data. An untrusted domain with access to a physical device can DMA into host memory, leading to privilege escalation. Only systems where guests are given direct access to physical devices capable of DMA (PCI pass-through) are vulnerable. Systems which do not use PCI pass-through are not vulnerable.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:54:14.121Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://xenbits.xen.org/xsa/advisory-302.html" }, { "name": "[oss-security] 20191031 Xen Security Advisory 302 v5 (CVE-2019-18424) - passed through PCI devices may corrupt host memory after deassignment", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2019/10/31/6" }, { "name": "openSUSE-SU-2019:2506", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00037.html" }, { "name": "FEDORA-2019-865bb16900", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2BQKX7M2RHCWDBKNPX4KEBI3MJIH6AYZ/" }, { "name": "FEDORA-2019-376ec5c107", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5WWPW4BSZDDW7VHU427XTVXV7ROOFFW/" }, { "name": "FEDORA-2019-cbb732f760", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZYATWNUGHRBG6I3TC24YHP5Y3J7I6KH/" }, { "name": "DSA-4602", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2020/dsa-4602" }, { "name": "20200114 [SECURITY] [DSA 4602-1] xen security update", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "https://seclists.org/bugtraq/2020/Jan/21" }, { "name": "GLSA-202003-56", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202003-56" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Xen through 4.12.x allowing attackers to gain host OS privileges via DMA in a situation where an untrusted domain has access to a physical device. This occurs because passed through PCI devices may corrupt host memory after deassignment. When a PCI device is assigned to an untrusted domain, it is possible for that domain to program the device to DMA to an arbitrary address. The IOMMU is used to protect the host from malicious DMA by making sure that the device addresses can only target memory assigned to the guest. However, when the guest domain is torn down, or the device is deassigned, the device is assigned back to dom0, thus allowing any in-flight DMA to potentially target critical host data. An untrusted domain with access to a physical device can DMA into host memory, leading to privilege escalation. Only systems where guests are given direct access to physical devices capable of DMA (PCI pass-through) are vulnerable. Systems which do not use PCI pass-through are not vulnerable." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-03-26T14:06:08", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://xenbits.xen.org/xsa/advisory-302.html" }, { "name": "[oss-security] 20191031 Xen Security Advisory 302 v5 (CVE-2019-18424) - passed through PCI devices may corrupt host memory after deassignment", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2019/10/31/6" }, { "name": "openSUSE-SU-2019:2506", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00037.html" }, { "name": "FEDORA-2019-865bb16900", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2BQKX7M2RHCWDBKNPX4KEBI3MJIH6AYZ/" }, { "name": "FEDORA-2019-376ec5c107", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5WWPW4BSZDDW7VHU427XTVXV7ROOFFW/" }, { "name": "FEDORA-2019-cbb732f760", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZYATWNUGHRBG6I3TC24YHP5Y3J7I6KH/" }, { "name": "DSA-4602", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2020/dsa-4602" }, { "name": "20200114 [SECURITY] [DSA 4602-1] xen security update", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "https://seclists.org/bugtraq/2020/Jan/21" }, { "name": "GLSA-202003-56", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/202003-56" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-18424", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Xen through 4.12.x allowing attackers to gain host OS privileges via DMA in a situation where an untrusted domain has access to a physical device. This occurs because passed through PCI devices may corrupt host memory after deassignment. When a PCI device is assigned to an untrusted domain, it is possible for that domain to program the device to DMA to an arbitrary address. The IOMMU is used to protect the host from malicious DMA by making sure that the device addresses can only target memory assigned to the guest. However, when the guest domain is torn down, or the device is deassigned, the device is assigned back to dom0, thus allowing any in-flight DMA to potentially target critical host data. An untrusted domain with access to a physical device can DMA into host memory, leading to privilege escalation. Only systems where guests are given direct access to physical devices capable of DMA (PCI pass-through) are vulnerable. Systems which do not use PCI pass-through are not vulnerable." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://xenbits.xen.org/xsa/advisory-302.html", "refsource": "MISC", "url": "http://xenbits.xen.org/xsa/advisory-302.html" }, { "name": "[oss-security] 20191031 Xen Security Advisory 302 v5 (CVE-2019-18424) - passed through PCI devices may corrupt host memory after deassignment", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2019/10/31/6" }, { "name": "openSUSE-SU-2019:2506", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00037.html" }, { "name": "FEDORA-2019-865bb16900", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2BQKX7M2RHCWDBKNPX4KEBI3MJIH6AYZ/" }, { "name": "FEDORA-2019-376ec5c107", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I5WWPW4BSZDDW7VHU427XTVXV7ROOFFW/" }, { "name": "FEDORA-2019-cbb732f760", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IZYATWNUGHRBG6I3TC24YHP5Y3J7I6KH/" }, { "name": "DSA-4602", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4602" }, { "name": "20200114 [SECURITY] [DSA 4602-1] xen security update", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2020/Jan/21" }, { "name": "GLSA-202003-56", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202003-56" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-18424", "datePublished": "2019-10-31T13:38:31", "dateReserved": "2019-10-24T00:00:00", "dateUpdated": "2024-08-05T01:54:14.121Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2019-18424\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2019-10-31T14:15:12.057\",\"lastModified\":\"2023-11-07T03:06:26.950\",\"vulnStatus\":\"Modified\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"An issue was discovered in Xen through 4.12.x allowing attackers to gain host OS privileges via DMA in a situation where an untrusted domain has access to a physical device. This occurs because passed through PCI devices may corrupt host memory after deassignment. When a PCI device is assigned to an untrusted domain, it is possible for that domain to program the device to DMA to an arbitrary address. The IOMMU is used to protect the host from malicious DMA by making sure that the device addresses can only target memory assigned to the guest. However, when the guest domain is torn down, or the device is deassigned, the device is assigned back to dom0, thus allowing any in-flight DMA to potentially target critical host data. An untrusted domain with access to a physical device can DMA into host memory, leading to privilege escalation. Only systems where guests are given direct access to physical devices capable of DMA (PCI pass-through) are vulnerable. Systems which do not use PCI pass-through are not vulnerable.\"},{\"lang\":\"es\",\"value\":\"Se detect\u00f3 un problema en Xen versiones hasta 4.12.x, permitiendo a atacantes alcanzar privilegios de Sistema Operativo host por medio de DMA en una situaci\u00f3n donde un dominio no confiable tiene acceso a un dispositivo f\u00edsico. Esto se presenta porque pasado por medio de dispositivos PCI puede corromper la memoria del host despu\u00e9s de la desasignaci\u00f3n. Cuando un dispositivo PCI es asignado a un dominio no confiable, es posible que ese dominio programe el dispositivo a DMA en una direcci\u00f3n arbitraria. El IOMMU es utilizado para proteger el host de DMA malicioso al asegurar que las direcciones del dispositivo solo puedan apuntar a la memoria asignada al invitado. Sin embargo, cuando el dominio invitado es derribado o el dispositivo es desasignado, el dispositivo es asignado de nuevo a dom0, permitiendo que cualquier DMA en vuelo apunte potencialmente a datos cr\u00edticos del host. Un dominio no confiable con acceso a un dispositivo f\u00edsico puede DMA en la memoria del host, lo que conlleva a la escalada de privilegios. Solo los sistemas donde los invitados tienen acceso directo a dispositivos f\u00edsicos capaces de DMA (atravesar el PCI) son vulnerables. Los sistemas que no utilizan la transferencia PCI no son vulnerables.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"PHYSICAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":6.8,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":0.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:M/Au:N/C:C/I:C/A:C\",\"accessVector\":\"LOCAL\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\",\"baseScore\":6.9},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":3.4,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:xen:xen:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"4.12.1\",\"matchCriteriaId\":\"44BCD11F-9BBA-47D2-94DF-C1E52317A7B3\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEECE5FC-CACF-4496-A3E7-164736409252\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D100F7CE-FC64-4CC6-852A-6136D72DA419\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"97A4B8DF-58DA-4AB6-A1F9-331B36409BA3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80F0FA5D-8D3B-4C0E-81E2-87998286AF33\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F1E78106-58E6-4D59-990F-75DA575BFAD9\"}]}]}],\"references\":[{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00037.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2019/10/31/6\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"http://xenbits.xen.org/xsa/advisory-302.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mitigation\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2BQKX7M2RHCWDBKNPX4KEBI3MJIH6AYZ/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5WWPW4BSZDDW7VHU427XTVXV7ROOFFW/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZYATWNUGHRBG6I3TC24YHP5Y3J7I6KH/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://seclists.org/bugtraq/2020/Jan/21\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202003-56\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2020/dsa-4602\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]}]}}" } }
Loading...
Loading...
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.