TLP : CLEAR
Date : 17/07/2024
REF NO : CERT / 2024/07/65
Severity Level: Medium
Components Affected
Overview
Multiple vulnerabilities have been identified in Xen. An attacker can exploit these vulnerabilities to trigger a denial of service condition, elevation of privilege, sensitive information disclosure and spoofing on the targeted system.
Description
An optional feature of PCI MSI called “Multiple Message” allows a device to use multiple consecutive interrupt vectors. Unlike for MSI-X, the setting up of these consecutive vectors needs to happen all in one go. In this handling, an error path could be taken in different situations, with or without a particular lock held. This error path wrongly releases the lock even when it is not currently held.
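The locking flaw described above, reduced to a self-contained C model of a shared error path and its corrected form. This is an added illustration, not Xen's code: `toy_lock`, `setup_vectors_flawed`, `setup_vectors_fixed` and the `fail_point` values are hypothetical names, and the toy lock only counts misuse.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy lock, constructed for this example: counts releases made while not held. */
struct toy_lock { bool held; int bad_unlocks; };
static void toy_acquire(struct toy_lock *l) { l->held = true; }
static void toy_release(struct toy_lock *l)
{
    if (!l->held) { l->bad_unlocks++; return; }   /* release without ownership */
    l->held = false;
}

/* Where the simulated failure occurs during the all-at-once vector setup. */
enum fail_point { FAIL_NONE, FAIL_BEFORE_LOCK, FAIL_UNDER_LOCK };

/* Flawed shape: both failure situations share one label that always unlocks. */
int setup_vectors_flawed(struct toy_lock *l, int nvec, enum fail_point f)
{
    int rc = 0;
    if (f == FAIL_BEFORE_LOCK) { rc = -1; goto err; }   /* lock not taken yet */
    toy_acquire(l);
    for (int i = 0; i < nvec; i++)
        if (f == FAIL_UNDER_LOCK && i == nvec - 1) { rc = -1; goto err; }
err:
    toy_release(l);           /* wrong when reached from the first goto */
    return rc;
}

/* Corrected shape: the release is reachable only while the lock is held. */
int setup_vectors_fixed(struct toy_lock *l, int nvec, enum fail_point f)
{
    int rc = 0;
    if (f == FAIL_BEFORE_LOCK) return -1;                /* nothing to undo */
    toy_acquire(l);
    for (int i = 0; i < nvec; i++)
        if (f == FAIL_UNDER_LOCK && i == nvec - 1) { rc = -1; break; }
    toy_release(l);
    return rc;
}

/* Runs one variant; returns releases that hit an unheld lock, or -1 if the lock leaked. */
int bad_unlocks_after(int use_fixed, enum fail_point f)
{
    struct toy_lock l = { false, 0 };
    (use_fixed ? setup_vectors_fixed : setup_vectors_flawed)(&l, 4, f);
    return l.held ? -1 : l.bad_unlocks;
}

int main(void) { printf("flawed: %d, fixed: %d\n", bad_unlocks_after(0, FAIL_BEFORE_LOCK), bad_unlocks_after(1, FAIL_BEFORE_LOCK)); return 0; }
```

In review, the same check applies to any function with a shared cleanup label: every `goto` that reaches an unlock must come from a point where the lock is known to be held.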
Impact
Solution/Workarounds
Before installation of the software, please visit the software manufacturer's website for more details.
Apply fixes issued by the vendor:
https://xenbits.xen.org/xsa/advisory-459.html/Reference
Disclaimer : The information provided herein is on an “as is” basis, without warranty of any kind.
Sri Lanka Computer Emergency Readiness Team | Coordination Centre