CVE-2024-31144
Vulnerability from cvelistv5
Published
2025-02-14 20:16
Modified
2025-04-26 20:03
Severity ?
EPSS score ?
Summary
Xapi: Metadata injection attack against backup/restore functionality
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Xen Project | Xen |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-04-26T20:03:17.226Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/07/16/4"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-459.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31144",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-18T14:36:10.430446Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T14:43:41.254Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Xen",
"vendor": "Xen Project",
"versions": [
{
"status": "unknown",
"version": "consult Xen advisory XSA-459"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cpre\u003eSystems running Xapi v1.249.x are affected.\n\nSystems running Xapi v24.x are potentially affected. However it is\nbelieved that the only supported products using this version of Xapi\nhave not shipped the metadata backup/restore functionality.\n\nTo leverage the vulnerability, an attacker would likely need insider\ninformation to construct a plausible-looking metadata backup, and would\nhave to persuade a real administrator to perform a data-recovery action.\n\u003c/pre\u003e\u003cbr\u003e"
}
],
"value": "Systems running Xapi v1.249.x are affected.\n\nSystems running Xapi v24.x are potentially affected. However it is\nbelieved that the only supported products using this version of Xapi\nhave not shipped the metadata backup/restore functionality.\n\nTo leverage the vulnerability, an attacker would likely need insider\ninformation to construct a plausible-looking metadata backup, and would\nhave to persuade a real administrator to perform a data-recovery action."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was discovered by XenServer."
}
],
"datePublic": "2024-07-16T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cpre\u003eFor a brief summary of Xapi terminology, see:\n\n \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://xapi-project.github.io/xen-api/overview.html#object-model-overview\"\u003ehttps://xapi-project.github.io/xen-api/overview.html#object-model-overview\u003c/a\u003e\n\nXapi contains functionality to backup and restore metadata about Virtual\nMachines and Storage Repositories (SRs).\n\nThe metadata itself is stored in a Virtual Disk Image (VDI) inside an\nSR. This is used for two purposes; a general backup of metadata\n(e.g. to recover from a host failure if the filer is still good), and\nPortable SRs (e.g. using an external hard drive to move VMs to another\nhost).\n\nMetadata is only restored as an explicit administrator action, but\noccurs in cases where the host has no information about the SR, and must\nlocate the metadata VDI in order to retrieve the metadata.\n\nThe metadata VDI is located by searching (in UUID alphanumeric order)\neach VDI, mounting it, and seeing if there is a suitable metadata file\npresent. The first matching VDI is deemed to be the metadata VDI, and\nis restored from.\n\nIn the general case, the content of VDIs are controlled by the VM owner,\nand should not be trusted by the host administrator.\n\nA malicious guest can manipulate its disk to appear to be a metadata\nbackup.\n\nA guest cannot choose the UUIDs of its VDIs, but a guest with one disk\nhas a 50% chance of sorting ahead of the legitimate metadata backup. A\nguest with two disks has a 75% chance, etc.\u003c/pre\u003e\u003cbr\u003e"
}
],
"value": "For a brief summary of Xapi terminology, see:\n\n https://xapi-project.github.io/xen-api/overview.html#object-model-overview \n\nXapi contains functionality to backup and restore metadata about Virtual\nMachines and Storage Repositories (SRs).\n\nThe metadata itself is stored in a Virtual Disk Image (VDI) inside an\nSR. This is used for two purposes; a general backup of metadata\n(e.g. to recover from a host failure if the filer is still good), and\nPortable SRs (e.g. using an external hard drive to move VMs to another\nhost).\n\nMetadata is only restored as an explicit administrator action, but\noccurs in cases where the host has no information about the SR, and must\nlocate the metadata VDI in order to retrieve the metadata.\n\nThe metadata VDI is located by searching (in UUID alphanumeric order)\neach VDI, mounting it, and seeing if there is a suitable metadata file\npresent. The first matching VDI is deemed to be the metadata VDI, and\nis restored from.\n\nIn the general case, the content of VDIs are controlled by the VM owner,\nand should not be trusted by the host administrator.\n\nA malicious guest can manipulate its disk to appear to be a metadata\nbackup.\n\nA guest cannot choose the UUIDs of its VDIs, but a guest with one disk\nhas a 50% chance of sorting ahead of the legitimate metadata backup. A\nguest with two disks has a 75% chance, etc."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "If a fraudulent metadata backup has been written into an SR which also contains a legitimate metadata backup, and an administrator explicitly chooses to restore from backup, the fraudulent metadata might be consumed instead of the legitimate metadata. Control over meta data includes: which VMs are created, disk assignment, vCPU/RAM requirements, GPU allocation, etc."
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-14T20:16:39.941Z",
"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"shortName": "XEN"
},
"references": [
{
"url": "https://xenbits.xen.org/xsa/advisory-459.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Xapi: Metadata injection attack against backup/restore functionality",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cpre\u003eNot using the metadata restore functionality avoids the vulnerability.\u003c/pre\u003e\u003cbr\u003e"
}
],
"value": "Not using the metadata restore functionality avoids the vulnerability."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
"assignerShortName": "XEN",
"cveId": "CVE-2024-31144",
"datePublished": "2025-02-14T20:16:39.941Z",
"dateReserved": "2024-03-28T18:14:12.892Z",
"dateUpdated": "2025-04-26T20:03:17.226Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-31144\",\"sourceIdentifier\":\"security@xen.org\",\"published\":\"2025-02-14T21:15:15.107\",\"lastModified\":\"2025-04-26T20:15:31.833\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"For a brief summary of Xapi terminology, see:\\n\\n https://xapi-project.github.io/xen-api/overview.html#object-model-overview \\n\\nXapi contains functionality to backup and restore metadata about Virtual\\nMachines and Storage Repositories (SRs).\\n\\nThe metadata itself is stored in a Virtual Disk Image (VDI) inside an\\nSR. This is used for two purposes; a general backup of metadata\\n(e.g. to recover from a host failure if the filer is still good), and\\nPortable SRs (e.g. using an external hard drive to move VMs to another\\nhost).\\n\\nMetadata is only restored as an explicit administrator action, but\\noccurs in cases where the host has no information about the SR, and must\\nlocate the metadata VDI in order to retrieve the metadata.\\n\\nThe metadata VDI is located by searching (in UUID alphanumeric order)\\neach VDI, mounting it, and seeing if there is a suitable metadata file\\npresent. The first matching VDI is deemed to be the metadata VDI, and\\nis restored from.\\n\\nIn the general case, the content of VDIs are controlled by the VM owner,\\nand should not be trusted by the host administrator.\\n\\nA malicious guest can manipulate its disk to appear to be a metadata\\nbackup.\\n\\nA guest cannot choose the UUIDs of its VDIs, but a guest with one disk\\nhas a 50% chance of sorting ahead of the legitimate metadata backup. A\\nguest with two disks has a 75% chance, etc.\"},{\"lang\":\"es\",\"value\":\"Para obtener un breve resumen de la terminolog\u00eda de Xapi, consulte: https://xapi-project.github.io/xen-api/overview.html#object-model-overview Xapi contiene funcionalidad para realizar copias de seguridad y restaurar metadatos sobre m\u00e1quinas virtuales y repositorios de almacenamiento (SR). Los metadatos en s\u00ed se almacenan en una imagen de disco virtual (VDI) dentro de un SR. Esto se utiliza para dos prop\u00f3sitos: una copia de seguridad general de metadatos (por ejemplo, para recuperarse de una falla del host si el archivador a\u00fan est\u00e1 en buen estado) y SR port\u00e1tiles (por ejemplo, usar un disco duro externo para mover m\u00e1quinas virtuales a otro host). Los metadatos solo se restauran como una acci\u00f3n expl\u00edcita del administrador, pero ocurre en los casos en que el host no tiene informaci\u00f3n sobre el SR y debe ubicar el VDI de metadatos para recuperar los metadatos. El VDI de metadatos se ubica buscando (en orden alfanum\u00e9rico UUID) cada VDI, mont\u00e1ndolo y viendo si hay un archivo de metadatos adecuado presente. El primer VDI coincidente se considera el VDI de metadatos y se restaura desde \u00e9l. En general, el propietario de la m\u00e1quina virtual controla el contenido de las VDI y el administrador del host no deber\u00eda confiar en ellas. Un invitado malintencionado puede manipular su disco para que parezca una copia de seguridad de metadatos. Un invitado no puede elegir los UUID de sus VDI, pero un invitado con un disco tiene un 50 % de posibilidades de clasificarse antes que la copia de seguridad de metadatos leg\u00edtima. Un invitado con dos discos tiene un 75 % de posibilidades, etc.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N\",\"baseScore\":3.8,\"baseSeverity\":\"LOW\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.0,\"impactScore\":1.4}]},\"references\":[{\"url\":\"https://xenbits.xen.org/xsa/advisory-459.html\",\"source\":\"security@xen.org\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2024/07/16/4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://xenbits.xen.org/xsa/advisory-459.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
}
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.