All the vulnerabilites related to Xen Project - Xen
cve-2024-31144
Vulnerability from cvelistv5
Published
2025-02-14 20:16
Modified
2025-04-26 20:03
Severity ?
EPSS score ?
Summary
Xapi: Metadata injection attack against backup/restore functionality
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Xen Project | Xen |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-04-26T20:03:17.226Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/07/16/4"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-459.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31144",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-18T14:36:10.430446Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T14:43:41.254Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen Project",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-459"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cpre\u003eSystems running Xapi v1.249.x are affected.\n\nSystems running Xapi v24.x are potentially affected. However it is\nbelieved that the only supported products using this version of Xapi\nhave not shipped the metadata backup/restore functionality.\n\nTo leverage the vulnerability, an attacker would likely need insider\ninformation to construct a plausible-looking metadata backup, and would\nhave to persuade a real administrator to perform a data-recovery action.\n\u003c/pre\u003e\u003cbr\u003e"
}
],
"value": "Systems running Xapi v1.249.x are affected.\n\nSystems running Xapi v24.x are potentially affected. However it is\nbelieved that the only supported products using this version of Xapi\nhave not shipped the metadata backup/restore functionality.\n\nTo leverage the vulnerability, an attacker would likely need insider\ninformation to construct a plausible-looking metadata backup, and would\nhave to persuade a real administrator to perform a data-recovery action."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by XenServer."
}
],
"datePublic": "2024-07-16T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cpre\u003eFor a brief summary of Xapi terminology, see:\n\n \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://xapi-project.github.io/xen-api/overview.html#object-model-overview\"\u003ehttps://xapi-project.github.io/xen-api/overview.html#object-model-overview\u003c/a\u003e\n\nXapi contains functionality to backup and restore metadata about Virtual\nMachines and Storage Repositories (SRs).\n\nThe metadata itself is stored in a Virtual Disk Image (VDI) inside an\nSR. This is used for two purposes; a general backup of metadata\n(e.g. to recover from a host failure if the filer is still good), and\nPortable SRs (e.g. using an external hard drive to move VMs to another\nhost).\n\nMetadata is only restored as an explicit administrator action, but\noccurs in cases where the host has no information about the SR, and must\nlocate the metadata VDI in order to retrieve the metadata.\n\nThe metadata VDI is located by searching (in UUID alphanumeric order)\neach VDI, mounting it, and seeing if there is a suitable metadata file\npresent. The first matching VDI is deemed to be the metadata VDI, and\nis restored from.\n\nIn the general case, the content of VDIs are controlled by the VM owner,\nand should not be trusted by the host administrator.\n\nA malicious guest can manipulate its disk to appear to be a metadata\nbackup.\n\nA guest cannot choose the UUIDs of its VDIs, but a guest with one disk\nhas a 50% chance of sorting ahead of the legitimate metadata backup. A\nguest with two disks has a 75% chance, etc.\u003c/pre\u003e\u003cbr\u003e"
}
],
"value": "For a brief summary of Xapi terminology, see:\n\n https://xapi-project.github.io/xen-api/overview.html#object-model-overview \n\nXapi contains functionality to backup and restore metadata about Virtual\nMachines and Storage Repositories (SRs).\n\nThe metadata itself is stored in a Virtual Disk Image (VDI) inside an\nSR. This is used for two purposes; a general backup of metadata\n(e.g. to recover from a host failure if the filer is still good), and\nPortable SRs (e.g. using an external hard drive to move VMs to another\nhost).\n\nMetadata is only restored as an explicit administrator action, but\noccurs in cases where the host has no information about the SR, and must\nlocate the metadata VDI in order to retrieve the metadata.\n\nThe metadata VDI is located by searching (in UUID alphanumeric order)\neach VDI, mounting it, and seeing if there is a suitable metadata file\npresent. The first matching VDI is deemed to be the metadata VDI, and\nis restored from.\n\nIn the general case, the content of VDIs are controlled by the VM owner,\nand should not be trusted by the host administrator.\n\nA malicious guest can manipulate its disk to appear to be a metadata\nbackup.\n\nA guest cannot choose the UUIDs of its VDIs, but a guest with one disk\nhas a 50% chance of sorting ahead of the legitimate metadata backup. A\nguest with two disks has a 75% chance, etc."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "If a fraudulent metadata backup has been written into an SR which also contains a legitimate metadata backup, and an administrator explicitly chooses to restore from backup, the fraudulent metadata might be consumed instead of the legitimate metadata. Control over meta data includes: which VMs are created, disk assignment, vCPU/RAM requirements, GPU allocation, etc."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-14T20:16:39.941Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-459.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Xapi: Metadata injection attack against backup/restore functionality",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cpre\u003eNot using the metadata restore functionality avoids the vulnerability.\u003c/pre\u003e\u003cbr\u003e"
}
],
"value": "Not using the metadata restore functionality avoids the vulnerability."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2024-31144",
"datePublished": "2025-02-14T20:16:39.941Z",
"dateReserved": "2024-03-28T18:14:12.892Z",
"dateUpdated": "2025-04-26T20:03:17.226Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-28703
Vulnerability from cvelistv5
Published
2021-12-07 00:00
Modified
2024-08-03 21:47
Severity ?
EPSS score ?
Summary
grant table v2 status pages may remain accessible after de-allocation (take two) Guest get permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, get de-allocated when a guest switched (back) from v2 to v1. The freeing of such pages requires that the hypervisor know where in the guest these pages were mapped. The hypervisor tracks only one use within guest space, but racing requests from the guest to insert mappings of these pages may result in any of them to become mapped in multiple locations. Upon switching back from v2 to v1, the guest would then retain access to a page that was freed and perhaps re-used for other purposes. This bug was fortuitously fixed by code cleanup in Xen 4.14, and backported to security-supported Xen branches as a prerequisite of the fix for XSA-378.
References
| ▼ | URL | Tags |
|---|---|---|
| https://xenbits.xenproject.org/xsa/advisory-387.txt | ||
| https://security.gentoo.org/glsa/202402-07 | vendor-advisory |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Xen Project | Xen |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:47:33.183Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://xenbits.xenproject.org/xsa/advisory-387.txt"
},
{
"name": "GLSA-202402-07",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202402-07"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Xen",
"vendor": "Xen Project",
"versions": [
{
"status": "unaffected",
"version": "Branch 4.13.4 4.13.4"
},
{
"status": "unaffected",
"version": "Branch 4.14.x 4.14.x"
},
{
"status": "unaffected",
"version": "Branch 4.15.x 4.15.x"
},
{
"lessThanOrEqual": "4.13",
"status": "affected",
"version": "Branch 4.13",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "{\u0027credit_data\u0027: {\u0027description\u0027: {\u0027description_data\u0027: [{\u0027lang\u0027: \u0027eng\u0027, \u0027value\u0027: \u0027This issue was discovered by Patryk Balicki and Julien Grall of Amazon.\u0027}]}}}"
}
],
"descriptions": [
{
"lang": "en",
"value": "grant table v2 status pages may remain accessible after de-allocation (take two) Guest get permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, get de-allocated when a guest switched (back) from v2 to v1. The freeing of such pages requires that the hypervisor know where in the guest these pages were mapped. The hypervisor tracks only one use within guest space, but racing requests from the guest to insert mappings of these pages may result in any of them to become mapped in multiple locations. Upon switching back from v2 to v1, the guest would then retain access to a page that was freed and perhaps re-used for other purposes. This bug was fortuitously fixed by code cleanup in Xen 4.14, and backported to security-supported Xen branches as a prerequisite of the fix for XSA-378."
}
],
"metrics": [
{
"other": {
"content": {
"description": {
"description_data": [
{
"lang": "eng",
"value": "A malicious guest may be able to elevate its privileges to that of the\nhost, cause host or guest Denial of Service (DoS), or cause information\nleaks."
}
]
}
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "unknown",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-04T08:06:29.390082",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xenproject.org/xsa/advisory-387.txt"
},
{
"name": "GLSA-202402-07",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202402-07"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2021-28703",
"datePublished": "2021-12-07T00:00:00",
"dateReserved": "2021-03-18T00:00:00",
"dateUpdated": "2024-08-03T21:47:33.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}