mirror of
https://github.com/CVEProject/cvelist.git
synced 2025-08-04 08:44:25 +00:00
200 lines
9.5 KiB
JSON
200 lines
9.5 KiB
JSON
{
|
|
"CVE_data_meta": {
|
|
"ASSIGNER": "security@xen.org",
|
|
"ID": "CVE-2021-28696",
|
|
"STATE": "PUBLIC"
|
|
},
|
|
"affects": {
|
|
"vendor": {
|
|
"vendor_data": [
|
|
{
|
|
"product": {
|
|
"product_data": [
|
|
{
|
|
"product_name": "xen",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_value": "4.11.x"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"product_name": "xen",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_value": "xen-unstable"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"product_name": "xen",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_value": "4.12.x"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"product_name": "xen",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_value": "4.14.x"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"product_name": "xen",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_value": "4.15.x"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"product_name": "xen",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_value": "4.13.x"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
},
|
|
"vendor_name": "Xen"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"configuration": {
|
|
"configuration_data": {
|
|
"description": {
|
|
"description_data": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "The vulnerability is only exploitable by guests granted access to\nphysical devices (ie, via PCI passthrough).\n\nAll versions of Xen are affected.\n\nOnly x86 systems with IOMMUs and with firmware specifying memory regions\nto be identity mapped are affected. Other x86 systems are not affected.\n\nWhether a particular system whose ACPI tables declare such memory\nregion(s) is actually affected cannot be known without knowing when\nand/or how these regions are used. For example, if these regions were\nused only during system boot, there would not be any vulnerability.\nThe necessary knowledge can only be obtained from, collectively, the\nhardware and firmware manufacturers.\n\nOn Arm hardware IOMMU use is not security supported. Accordingly, we\nhave not undertaken an analysis of these issues for Arm systems."
|
|
}
|
|
]
|
|
}
|
|
}
|
|
},
|
|
"credit": {
|
|
"credit_data": {
|
|
"description": {
|
|
"description_data": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "This issue was discovered by Jan Beulich of SUSE."
|
|
}
|
|
]
|
|
}
|
|
}
|
|
},
|
|
"data_format": "MITRE",
|
|
"data_type": "CVE",
|
|
"data_version": "4.0",
|
|
"description": {
|
|
"description_data": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "IOMMU page mapping issues on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Both AMD and Intel allow ACPI tables to specify regions of memory which should be left untranslated, which typically means these addresses should pass the translation phase unaltered. While these are typically device specific ACPI properties, they can also be specified to apply to a range of devices, or even all devices. On all systems with such regions Xen failed to prevent guests from undoing/replacing such mappings (CVE-2021-28694). On AMD systems, where a discontinuous range is specified by firmware, the supposedly-excluded middle range will also be identity-mapped (CVE-2021-28695). Further, on AMD systems, upon de-assigment of a physical device from a guest, the identity mappings would be left in place, allowing a guest continued access to ranges of memory which it shouldn't have access to anymore (CVE-2021-28696)."
|
|
}
|
|
]
|
|
},
|
|
"impact": {
|
|
"impact_data": {
|
|
"description": {
|
|
"description_data": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "The precise impact is system specific, but can - on affected systems -\nbe any or all of privilege escalation, denial of service, or information\nleaks."
|
|
}
|
|
]
|
|
}
|
|
}
|
|
},
|
|
"problemtype": {
|
|
"problemtype_data": [
|
|
{
|
|
"description": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "unknown"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"references": {
|
|
"reference_data": [
|
|
{
|
|
"url": "https://xenbits.xenproject.org/xsa/advisory-378.txt",
|
|
"refsource": "MISC",
|
|
"name": "https://xenbits.xenproject.org/xsa/advisory-378.txt"
|
|
},
|
|
{
|
|
"refsource": "MLIST",
|
|
"name": "[oss-security] 20210901 Xen Security Advisory 378 v3 (CVE-2021-28694,CVE-2021-28695,CVE-2021-28696) - IOMMU page mapping issues on x86",
|
|
"url": "http://www.openwall.com/lists/oss-security/2021/09/01/1"
|
|
},
|
|
{
|
|
"refsource": "MLIST",
|
|
"name": "[oss-security] 20210901 Re: Xen Security Advisory 378 v3 (CVE-2021-28694,CVE-2021-28695,CVE-2021-28696) - IOMMU page mapping issues on x86",
|
|
"url": "http://www.openwall.com/lists/oss-security/2021/09/01/5"
|
|
},
|
|
{
|
|
"refsource": "MLIST",
|
|
"name": "[oss-security] 20210901 Re: Xen Security Advisory 378 v3 (CVE-2021-28694,CVE-2021-28695,CVE-2021-28696) - IOMMU page mapping issues on x86",
|
|
"url": "http://www.openwall.com/lists/oss-security/2021/09/01/6"
|
|
},
|
|
{
|
|
"refsource": "FEDORA",
|
|
"name": "FEDORA-2021-4f129cc0c1",
|
|
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LPRVHW4J4ZCPPOHZEWP5MOJT7XDGFFPJ/"
|
|
},
|
|
{
|
|
"refsource": "FEDORA",
|
|
"name": "FEDORA-2021-d68ed12e46",
|
|
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FZCNPSRPGFCQRYE2BI4D4Q4SCE56ANV2/"
|
|
},
|
|
{
|
|
"refsource": "DEBIAN",
|
|
"name": "DSA-4977",
|
|
"url": "https://www.debian.org/security/2021/dsa-4977"
|
|
},
|
|
{
|
|
"refsource": "FEDORA",
|
|
"name": "FEDORA-2021-081f9bf5d2",
|
|
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2VQCFAPBNGBBAOMJZG6QBREOG5IIDZID/"
|
|
},
|
|
{
|
|
"refsource": "GENTOO",
|
|
"name": "GLSA-202208-23",
|
|
"url": "https://security.gentoo.org/glsa/202208-23"
|
|
}
|
|
]
|
|
},
|
|
"workaround": {
|
|
"workaround_data": {
|
|
"description": {
|
|
"description_data": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "Not permitting untrusted guests access to phsyical devices will avoid\nthe vulnerability.\n\nLikewise, limiting untrusted guest access to physical devices whose\nfirmware-provided ACPI tables declare identity mappings, will avoid\nthe vulnerability. (Provided that there are no identity mapped\nregions which are specified by the ACPI tables to apply globally.)\n\nNote that a system is still vulnerable if a guest was trusted, while\nit had such a device assigned, and then has the device removed in\nanticipation of the guest becoming untrusted (because of, for example,\nthe insertion of an untrusted kernel module),"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
}
|
|
} |