Data Leakage in Linux Disk and Network Frontends by Xen Project
CVE-2022-33740
7.1 HIGH
Summary
The vulnerability affects the Linux Block and Network PV device frontends in the Xen Project: memory regions are not zeroed before they are shared with the backend. As a result, unrelated data can remain in the same 4K page as the shared data, potentially enabling attackers to read sensitive information through these memory leaks. The grant table's lack of granularity (it cannot share less than a 4K page) exacerbates the issue, making it a significant concern for systems that rely on Xen virtualization for disk and network operations.
Affected Version(s)
Linux: consult Xen advisory XSA-403
xen: consult Xen advisory XSA-403
CVSS V3.1
Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
The issue related to not zeroing memory areas used for shared communications was discovered by Roger Pau Monné of Citrix.

The issue related to leaking contiguous data in granted pages was disclosed publicly.