CVE-2021-28710 (GCVE-0-2021-28710)

Vulnerability from cvelistv5 – Published: 2021-11-21 14:18 – Updated: 2024-08-03 21:47
VLAI?
Summary
certain VT-d IOMMUs may not work in shared page table mode For efficiency reasons, address translation control structures (page tables) may (and, on suitable hardware, by default will) be shared between CPUs, for second-level translation (EPT), and IOMMUs. These page tables are presently set up to always be 4 levels deep. However, an IOMMU may require the use of just 3 page table levels. In such a configuration the lop level table needs to be stripped before inserting the root table's address into the hardware pagetable base register. When sharing page tables, Xen erroneously skipped this stripping. Consequently, the guest is able to write to leaf page table entries.
Severity ?
No CVSS data available.
CWE
  • unknown
Assigner
XEN
References
Impacted products
Vendor Product Version
Xen xen Unknown: unspecified , < 4.12 (custom)
Affected: 4.15.x , < unspecified (custom)
Unaffected: next of xen-unstable , < unspecified (custom)
Create a notification for this product.
Credits
{'credit_data': {'description': {'description_data': [{'lang': 'eng', 'value': 'This issue was discovered by Jan Beulich of SUSE.'}]}}}
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T21:47:33.159Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://xenbits.xenproject.org/xsa/advisory-390.txt"
          },
          {
            "name": "FEDORA-2021-03645e9807",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I7ZGWVVRI4XY2XSTBI3XEMWBXPDVX6OT/"
          },
          {
            "name": "GLSA-202208-23",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202208-23"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xen",
          "vendor": "Xen",
          "versions": [
            {
              "lessThan": "4.12",
              "status": "unknown",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "4.15.x",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "unaffected",
              "version": "next of xen-unstable",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "{\u0027credit_data\u0027: {\u0027description\u0027: {\u0027description_data\u0027: [{\u0027lang\u0027: \u0027eng\u0027, \u0027value\u0027: \u0027This issue was discovered by Jan Beulich of SUSE.\u0027}]}}}"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "certain VT-d IOMMUs may not work in shared page table mode For efficiency reasons, address translation control structures (page tables) may (and, on suitable hardware, by default will) be shared between CPUs, for second-level translation (EPT), and IOMMUs. These page tables are presently set up to always be 4 levels deep. However, an IOMMU may require the use of just 3 page table levels. In such a configuration the lop level table needs to be stripped before inserting the root table\u0027s address into the hardware pagetable base register. When sharing page tables, Xen erroneously skipped this stripping. Consequently, the guest is able to write to leaf page table entries."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "description": {
                "description_data": [
                  {
                    "lang": "eng",
                    "value": "A malicious guest may be able to escalate its privileges to that of\nthe host."
                  }
                ]
              }
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "unknown",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-14T20:09:18",
        "orgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
        "shortName": "XEN"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://xenbits.xenproject.org/xsa/advisory-390.txt"
        },
        {
          "name": "FEDORA-2021-03645e9807",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I7ZGWVVRI4XY2XSTBI3XEMWBXPDVX6OT/"
        },
        {
          "name": "GLSA-202208-23",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202208-23"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@xen.org",
          "ID": "CVE-2021-28710",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "xen",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "?\u003c",
                            "version_value": "4.12"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "4.15.x"
                          },
                          {
                            "version_affected": "!\u003e",
                            "version_value": "xen-unstable"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Xen"
              }
            ]
          }
        },
        "configuration": {
          "configuration_data": {
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Xen version 4.15 is vulnerable.  Xen versions 4.14 and earlier are not\nvulnerable.\n\nOnly x86 Intel systems with IOMMU(s) in use are affected.  Arm\nsystems, non-Intel x86 systems, and x86 systems without IOMMU are not\naffected.\n\nOnly HVM guests with passed-through PCI devices and configured to share\nIOMMU and EPT page tables are able to leverage the vulnerability on\naffected hardware.  Note that page table sharing is the default\nconfiguration on capable hardware.\n\nSystems are only affected if the IOMMU used for a passed through\ndevice requires the use of page tables less than 4 levels deep.  We\nare informed that this is the case for some at least Ivybridge and\nearlier \"client\" chips; additionally it might be possible for such a\nsituation to arise when Xen is running nested under another\nhypervisor, if an (emulated) Intel IOMMU is made available to Xen."
                }
              ]
            }
          }
        },
        "credit": {
          "credit_data": {
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "This issue was discovered by Jan Beulich of SUSE."
                }
              ]
            }
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "certain VT-d IOMMUs may not work in shared page table mode For efficiency reasons, address translation control structures (page tables) may (and, on suitable hardware, by default will) be shared between CPUs, for second-level translation (EPT), and IOMMUs. These page tables are presently set up to always be 4 levels deep. However, an IOMMU may require the use of just 3 page table levels. In such a configuration the lop level table needs to be stripped before inserting the root table\u0027s address into the hardware pagetable base register. When sharing page tables, Xen erroneously skipped this stripping. Consequently, the guest is able to write to leaf page table entries."
            }
          ]
        },
        "impact": {
          "impact_data": {
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A malicious guest may be able to escalate its privileges to that of\nthe host."
                }
              ]
            }
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "unknown"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://xenbits.xenproject.org/xsa/advisory-390.txt",
              "refsource": "MISC",
              "url": "https://xenbits.xenproject.org/xsa/advisory-390.txt"
            },
            {
              "name": "FEDORA-2021-03645e9807",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I7ZGWVVRI4XY2XSTBI3XEMWBXPDVX6OT/"
            },
            {
              "name": "GLSA-202208-23",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202208-23"
            }
          ]
        },
        "workaround": {
          "workaround_data": {
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Suppressing the use of shared page tables avoids the vulnerability.\nThis can be achieved globally by passing \"iommu=no-sharept\" on the\nhypervisor command line.  This can also be achieved on a per-guest basis\nvia the \"passthrough=sync_pt\" xl guest configuration file option."
                }
              ]
            }
          }
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f",
    "assignerShortName": "XEN",
    "cveId": "CVE-2021-28710",
    "datePublished": "2021-11-21T14:18:23",
    "dateReserved": "2021-03-18T00:00:00",
    "dateUpdated": "2024-08-03T21:47:33.159Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-28710\",\"sourceIdentifier\":\"security@xen.org\",\"published\":\"2021-11-21T15:15:07.597\",\"lastModified\":\"2024-11-21T06:00:11.550\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"certain VT-d IOMMUs may not work in shared page table mode For efficiency reasons, address translation control structures (page tables) may (and, on suitable hardware, by default will) be shared between CPUs, for second-level translation (EPT), and IOMMUs. These page tables are presently set up to always be 4 levels deep. However, an IOMMU may require the use of just 3 page table levels. In such a configuration the lop level table needs to be stripped before inserting the root table\u0027s address into the hardware pagetable base register. When sharing page tables, Xen erroneously skipped this stripping. Consequently, the guest is able to write to leaf page table entries.\"},{\"lang\":\"es\",\"value\":\"determinadas IOMMUs de VT-d pueden no funcionar en modo de tabla de p\u00e1ginas compartida Por razones de eficiencia, las estructuras de control de traducci\u00f3n de direcciones (tablas de p\u00e1ginas) pueden (y, en el hardware adecuado, por defecto) ser compartidas entre las CPUs, para la traducci\u00f3n de segundo nivel (EPT), y las IOMMUs. Estas tablas de p\u00e1ginas est\u00e1n actualmente configuradas para tener siempre 4 niveles de profundidad. Sin embargo, una IOMMU puede requerir el uso de s\u00f3lo 3 niveles de tabla de p\u00e1ginas. En una configuraci\u00f3n de este tipo, la tabla de nivel inferior debe ser eliminada antes de insertar la direcci\u00f3n de la tabla root en el registro base de la tabla de p\u00e1ginas del hardware. Cuando son compartidas las tablas de p\u00e1ginas, Xen omite err\u00f3neamente este despojo. En consecuencia, el hu\u00e9sped es capaz de escribir en las entradas de la tabla de p\u00e1ginas hoja\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.0,\"impactScore\":6.0}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:M/Au:N/C:C/I:C/A:C\",\"baseScore\":6.9,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":3.4,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-269\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:xen:xen:4.15.0:*:*:*:*:*:x86:*\",\"matchCriteriaId\":\"C3BFD203-8E25-46AF-AF43-DAFB86BDFE0D\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80E516C0-98A4-4ADE-B69F-66A772E2BAAA\"}]}]}],\"references\":[{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I7ZGWVVRI4XY2XSTBI3XEMWBXPDVX6OT/\",\"source\":\"security@xen.org\"},{\"url\":\"https://security.gentoo.org/glsa/202208-23\",\"source\":\"security@xen.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://xenbits.xenproject.org/xsa/advisory-390.txt\",\"source\":\"security@xen.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I7ZGWVVRI4XY2XSTBI3XEMWBXPDVX6OT/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.gentoo.org/glsa/202208-23\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://xenbits.xenproject.org/xsa/advisory-390.txt\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.