CVE-2019-17346

8.8 HIGH

📋 TL;DR

This vulnerability in the Xen hypervisor allows x86 PV (paravirtualized) guest operating systems to cause a denial of service or potentially gain elevated privileges, due to an incompatibility between Process Context Identifiers (PCID) and TLB flushing. It affects Xen hypervisors running x86 PV guests. The issue stems from insufficient TLB flushing when PCID is enabled, which can allow guest-to-host privilege escalation.

💻 Affected Systems

Products:
  • Xen Hypervisor
Versions: All versions through 4.11.x
Operating Systems: Linux (as host OS for Xen)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects x86 systems with PV (paravirtualized) guests. HVM (hardware virtualized) guests are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: A malicious PV guest could gain host-level privileges, potentially compromising the entire hypervisor and all other guests on the system.

🟠 Likely Case: Denial of service through hypervisor crash or instability, with privilege escalation being more difficult to achieve.

🟢 If Mitigated: If PV guests are trusted or properly isolated, impact is limited to DoS rather than privilege escalation.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires guest OS access. Technical details and proof-of-concept code are publicly available in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Xen 4.12.0 and later, plus backported patches for earlier versions

Vendor Advisory: https://xenbits.xen.org/xsa/advisory-292.html

Restart Required: Yes

Instructions:

1. Apply the Xen security update from your distribution's repository.
2. Reboot the hypervisor host.
3. Verify that the Xen version is 4.12.0 or later, or carries the appropriate backported patches.

🔧 Temporary Workarounds

Disable PCID feature (platform: linux)

Disable the Process Context Identifiers feature in Xen to prevent the vulnerability: add 'pcid=0' to the Xen command line parameters in the bootloader configuration.

Migrate to HVM guests (platform: all)

Convert PV guests to HVM (hardware virtualized) mode, which is not vulnerable.

🧯 If You Can't Patch

  • Isolate PV guests from sensitive systems and monitor for abnormal behavior
  • Implement strict access controls to prevent untrusted users from accessing PV guest VMs

🔍 How to Verify

Check if Vulnerable:

Check the Xen version with 'xl info' or 'xm info' and confirm whether the host is running Xen 4.11.x or earlier with PV guests.

Check Version:

xl info | grep xen_version || xm info | grep xen_version

Verify Fix Applied:

Verify that the Xen version is 4.12.0 or later, or use your distribution's security update verification commands to confirm that the backported patch is installed.
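The version check above, scripted as an added example that is not part of this advisory page: a POSIX shell script that pulls the xen_version and xen_commandline fields out of 'xl info' output, flags builds older than 4.12.0 (the fix release named above), and reports whether the 'pcid=0' workaround is present on the hypervisor command line. The sample 'xl info' capture is constructed, with a placeholder hostname and command line. A version number cannot see a distribution's backported fix, so "pre-4.12" means "confirm against your distribution's security update", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added example, not part of the advisory: triage `xl info` output for the
# CVE-2019-17346 / XSA-292 fix version and the 'pcid=0' workaround.

# Print the value of one "key : value" field from `xl info` text on stdin.
xl_info_field() {
    awk -v key="$1" '
        $0 ~ "^" key "[[:space:]]*:" { sub(/^[^:]*:[[:space:]]*/, ""); print; exit }'
}

# True (exit 0) when $1 sorts before $2, comparing up to three dotted numeric
# fields; a suffix such as "-pre" or "+dfsg" is ignored.
version_lt() {
    a=${1%%[-+]*}; b=${2%%[-+]*}
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# Print "pre-4.12" when $1 predates the 4.12.0 fix release, else "4.12-or-later".
xen_version_status() {
    if version_lt "$1" "4.12.0"; then
        printf 'pre-4.12\n'
    else
        printf '4.12-or-later\n'
    fi
}

# True (exit 0) when the Xen command line in $1 carries the 'pcid=0' token
# that the advisory's workaround names.
pcid_workaround_present() {
    case " $1 " in
        *" pcid=0 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Summarise one `xl info` capture given on stdin.
report() {
    info=$(cat)
    ver=$(printf '%s\n' "$info" | xl_info_field xen_version)
    if [ -z "$ver" ]; then
        printf 'xen_version field not found in input\n'
        return 0
    fi
    cmdline=$(printf '%s\n' "$info" | xl_info_field xen_commandline)
    status=$(xen_version_status "$ver")
    if pcid_workaround_present "$cmdline"; then
        wa="pcid=0 present"
    else
        wa="pcid=0 absent"
    fi
    printf 'xen %s: %s, workaround: %s\n' "$ver" "$status" "$wa"
}

# Constructed sample of `xl info` output (not captured from a real host).
SAMPLE_XL_INFO='host                   : xenhost-placeholder
release                : 4.19.0-6-amd64
xen_major              : 4
xen_minor              : 11
xen_extra              : .1
xen_version            : 4.11.1
xen_commandline        : placeholder dom0_mem=2048M pcid=0'

printf '%s\n' "$SAMPLE_XL_INFO" | report
# On a live host (from dom0), feed the real tool instead:  xl info | report
```

The script only reads 'xl info' text, so it can be run against saved captures from many hosts; a "pre-4.12" result with "pcid=0 absent" is the combination that needs follow-up against the distribution's patch status.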

📡 Detection & Monitoring

Log Indicators:

  • Hypervisor crashes or instability
  • Unexpected guest behavior in PV VMs
  • Kernel panic messages in host logs

Network Indicators:

  • Sudden loss of connectivity to multiple VMs on same host

SIEM Query:

source="xen.log" AND ("panic" OR "crash" OR "TLB" OR "PCID")
