Rapid7 Vulnerability & Exploit Database

RHSA-2008:0194: xen security and bug fix update

Severity: 7
CVSS: (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Published: 05/14/2008
Created: 07/25/2018
Added: 05/21/2008
Modified: 07/04/2017

Description

The xen packages contain tools for managing the virtual machine monitor in Red Hat Virtualization.

These updated packages fix the following security issues:

Daniel P. Berrange discovered that the hypervisor's para-virtualized framebuffer (PVFB) backend failed to validate the format of messages serving to update the contents of the framebuffer. This could allow a malicious user to cause a denial of service, or compromise the privileged domain (Dom0). (CVE-2008-1944)

Markus Armbruster discovered that the hypervisor's para-virtualized framebuffer (PVFB) backend failed to validate the frontend's framebuffer description. This could allow a malicious user to cause a denial of service, or to use a specially crafted frontend to compromise the privileged domain (Dom0). (CVE-2008-1943)

Chris Wright discovered a security vulnerability in the QEMU block format auto-detection, when running fully-virtualized guests. Such fully-virtualized guests, with a raw formatted disk image, were able to write a header to that disk image describing another format. This could allow such guests to read arbitrary files in their hypervisor's host. (CVE-2008-2004)

Ian Jackson discovered a security vulnerability in the QEMU block device drivers backend. A guest operating system could issue a block device request and read or write arbitrary memory locations, which could lead to privilege escalation. (CVE-2008-0928)

Tavis Ormandy found that QEMU did not perform adequate sanity-checking of data received via the "net socket listen" option. A malicious local administrator of a guest domain could trigger this flaw to potentially execute arbitrary code outside of the domain. (CVE-2007-5730)

Steve Kemp discovered that the xenbaked daemon and the XenMon utility communicated via an insecure temporary file. A malicious local administrator of a guest domain could perform a symbolic link attack, causing arbitrary files to be truncated. (CVE-2007-3919)

As well, in the previous xen packages, it was possible for Dom0 to fail to flush data from a fully-virtualized guest to disk, even if the guest explicitly requested the flush. This could cause data integrity problems on the guest. In these updated packages, Dom0 always respects the request to flush to disk.

Users of xen are advised to upgrade to these updated packages, which resolve these issues.

Solution(s)

  • redhat-upgrade-xen
  • redhat-upgrade-xen-devel
  • redhat-upgrade-xen-libs
