CVE-2017-7228 : An issue (known as XSA-212) was discovered in Xen, with fixes available for 4.8.x, 4.7.x, 4.6.x, 4.5.x, and 4.4.x. The e

An issue (known as XSA-212) was discovered in Xen, with fixes available for 4.8.x, 4.7.x, 4.6.x, 4.5.x, and 4.4.x. The earlier XSA-29 fix introduced an insufficient check on XENMEM_exchange input, allowing the caller to drive hypervisor memory accesses outside of the guest provided input/output arrays.

Published 2017-04-04 14:59:00

Updated 2019-10-03 00:03:26

Source MITRE

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2017-7228

Probability of exploitation activity in the next 30 days: 0.10%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 41 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2017-7228

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.2	HIGH	AV:L/AC:L/Au:N/C:C/I:C/A:C	3.9	10.0	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
8.2	HIGH	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H	1.5	6.0	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2017-7228

CWE-129 Improper Validation of Array Index

The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2017-7228

http://www.debian.org/security/2017/dsa-3847

Debian -- Security Information -- DSA-3847-1 xen

CVEs referencing this url
http://xenbits.xen.org/xsa/advisory-212.html

XSA-212 - Xen Security Advisories
Patch;Vendor Advisory
https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-029-2017.txt

qubes-secpack/qsb-029-2017.txt at master · QubesOS/qubes-secpack · GitHub
https://googleprojectzero.blogspot.com/2017/04/pandavirtualization-exploiting-xen.html

Project Zero: Pandavirtualization: Exploiting the Xen hypervisor
Technical Description;Third Party Advisory
http://www.securitytracker.com/id/1038223

Xen XENMEM_exchange Validation Flaw Lets Local Users on a Guest System Gain Elevated Privileges on the Host System - SecurityTracker
https://www.exploit-db.com/exploits/41870/

Xen - Broken Check in 'memory_exchange()' Permits PV Guest Breakout
http://openwall.com/lists/oss-security/2017/04/04/3

oss-security - Xen Security Advisory 212 (CVE-2017-7228) - x86: broken check in memory_exchange() permits PV guest breakout
Mailing List;Third Party Advisory
http://www.securityfocus.com/bid/97375

Xen 'memory_exchange()' Function Incomplete Fix Privilege Escalation Vulnerability
Third Party Advisory;VDB Entry

Products affected by CVE-2017-7228

XEN » XEN » Version: N/A
cpe:2.3:o:xen:xen:-:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2017-7228

Exploit prediction scoring system (EPSS) score for CVE-2017-7228

CVSS scores for CVE-2017-7228

CWE ids for CVE-2017-7228

References for CVE-2017-7228

Products affected by CVE-2017-7228