CVE-2019-17340

8.8 HIGH

📋 TL;DR

This vulnerability in the Xen hypervisor allows x86 guest OS users to cause a denial of service or potentially gain elevated privileges by exploiting mishandled grant-table transfer requests. It affects Xen through version 4.11.x.

💻 Affected Systems

Products:
  • Xen Hypervisor
Versions: Xen through 4.11.x
Operating Systems: Linux (as host OS for Xen)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects x86 architecture only. Requires grant table functionality to be enabled (default).

⚠️ Risk & Real-World Impact

🔴 Worst Case: Guest OS users gain hypervisor-level privileges, potentially compromising the entire virtualization host and all other guest VMs.

🟠 Likely Case: Denial of service affecting the hypervisor and potentially crashing guest VMs.

🟢 If Mitigated: Limited impact with proper isolation and monitoring; potential DoS but privilege escalation prevented by security controls.

🌐 Internet-Facing: MEDIUM - Requires guest OS access, but cloud environments with shared infrastructure could be affected.
🏢 Internal Only: HIGH - Internal virtualization infrastructure with multiple tenants is particularly vulnerable.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploit requires guest OS user access. Proof of concept code has been published in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Xen 4.12.0 and later

Vendor Advisory: https://xenbits.xen.org/xsa/advisory-284.html

Restart Required: Yes

Instructions:

1. Update Xen to version 4.12.0 or later.
2. Apply vendor-specific patches if using distribution packages.
3. Reboot hypervisor host after patching.
4. Verify patch application with version check.

🔧 Temporary Workarounds

Disable grant tables

linux

Disable grant table functionality to prevent exploitation (will break certain VM features)

Edit Xen configuration to remove grant table support (specific commands depend on distribution)

🧯 If You Can't Patch

  • Isolate vulnerable Xen hosts from critical infrastructure
  • Implement strict access controls to guest VMs and monitor for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check Xen version with 'xl info' or 'xm info' and compare to affected versions (through 4.11.x)

Check Version:

xl info | grep xen_version || xm info | grep xen_version

Verify Fix Applied:

Verify Xen version is 4.12.0 or later using 'xl info' or check with distribution package manager
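
The version comparison above, scripted as an added example (not part of the advisory or of Xen's tooling). The function name `xen_version_status` and the sample host output are constructed for illustration; a distribution package carrying a backported fix can still report a version in the affected range, so confirm those with the package manager.

```shell
#!/bin/sh
# Classify `xl info` / `xm info` output (read on stdin) against the page's
# affected range, "Xen through 4.11.x".
# Exit status: 0 = 4.12.0 or later, 1 = affected range, 2 = version not found.
xen_version_status() {
    # Expected line shape: "xen_version            : 4.11.1"
    ver=$(sed -n 's/^xen_version[[:space:]]*:[[:space:]]*//p' | head -n 1)
    case "$ver" in *.*) ;; *) return 2 ;; esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%[!0-9]*}          # keep leading digits: "11.1-pre" -> "11"
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in '') return 2 ;; esac
    # Compare numerically: as plain strings, "4.9" would sort after "4.12".
    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 12 ]; }; then
        return 0
    fi
    return 1
}

# Constructed sample input (not captured from a real host).
SAMPLE_XL_INFO='host                   : xenhost01
xen_version            : 4.11.1
xen_caps               : xen-3.0-x86_64'

status=0
printf '%s\n' "$SAMPLE_XL_INFO" | xen_version_status || status=$?
case "$status" in
    0) echo "sample host: 4.12.0 or later" ;;
    1) echo "sample host: in affected range (through 4.11.x)" ;;
    *) echo "sample host: xen_version not found" ;;
esac
```

On a live host, pipe the real output instead: `xl info | xen_version_status`.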

📡 Detection & Monitoring

Log Indicators:

  • Xen hypervisor crashes
  • Unexpected guest VM behavior
  • Grant table related errors in Xen logs

Network Indicators:

  • Unusual inter-VM communication patterns

SIEM Query:

source="xen.log" AND ("crash" OR "panic" OR "grant-table")
