CVE-2018-14678

Description

An issue was discovered in the Linux kernel through 4.17.11, as used in Xen through 4.11.x. The xen_failsafe_callback entry point in arch/x86/entry/entry_64.S does not properly maintain RBX, which allows local users to cause a denial of service (uninitialized memory usage and system crash). Within Xen, 64-bit x86 PV Linux guest OS users can trigger a guest OS crash or possibly gain privileges.

CVSS Metrics

• v3.1•HIGH•Score: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
• v2.0•HIGH•Score: 7.2AV:L/AC:L/Au:N/C:C/I:C/A:C

EPSS Trends

Current EPSS score: 0.08%• Percentile: 24%

Techniques & Countermeasures

• CWE-665•Improper Initialization

  The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

Affected Systems

• canonical•ubuntu_linux

  14.04 | 16.04 | 18.04

• debian•debian_linux

  8.0 | 9.0

• linux•linux_kernel

  ≥ 4.14.21, < 4.14.61 | ≥ 4.15.5, < 4.17.13

• xen•xen

  ≤ 4.11.0

References (7)

• http://www.securitytracker.com/id/1041397
• https://lists.debian.org/debian-lts-announce/2018/10/msg00003.html
• https://xenbits.xen.org/xsa/advisory-274.html
• http://www.securityfocus.com/bid/104924
• https://www.debian.org/security/2018/dsa-4308
• https://usn.ubuntu.com/3931-1/
• https://usn.ubuntu.com/3931-2/