PT-2018-2684 · Xen+4 · Xen+4

Andy Lutomirski

Published

2018-07-24

Updated

2023-02-24

CVE-2018-14678

CVSS v3.1

7.8

High

Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 4.17.12 Xen versions prior to 4.11.x

Description An issue in the Linux kernel and Xen hypervisor allows local users to cause a denial of service or possibly gain privileges. The xen failsafe callback entry point does not properly maintain the RBX register, leading to uninitialized memory usage and system crash. Within Xen, 64-bit x86 PV Linux guest OS users can trigger a guest OS crash. The vulnerability is related to insufficient access control in the xen failsafe callback function.

Recommendations For Linux kernel versions prior to 4.17.12, update to version 4.17.12 or later to resolve the issue. For Xen versions prior to 4.11.x, update to a version later than 4.11.x to resolve the issue. As a temporary workaround, consider restricting access to the xen failsafe callback entry point to minimize the risk of exploitation.

Fix

DoS

Improper Initialization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-665CWE-264

Related Identifiers

ALT-PU-2018-2108

ALT-PU-2018-2110

ALT-PU-2018-2181

BDU:2019-01344

CVE-2018-14678

DLA-1529-1

DLA-1531-1

DSA-4308-1

MGASA-2018-0337

MGASA-2018-0340

MGASA-2018-0341

SUSE-SU-2018:3084-1

USN-3931-1

USN-3931-2

Affected Products

Alt Linux

Linux Kernel

Suse

Ubuntu

Xen

PT-2018-2684 · Xen+4 · Xen+4

CVE-2018-14678

Weakness Enumeration

Related Identifiers

Affected Products

References · 155