CVE-2019-19583

7.5 HIGH

📋 TL;DR

This vulnerability lets x86 HVM/PVH guest OS users on Xen cause a denial of service: the guest OS crashes when a VMX VMEntry check fails. Only systems with Intel, Cyrix, or Zhaoxin CPUs running HVM/PVH guests are affected; Arm systems, AMD systems, and PV guests are not vulnerable.

💻 Affected Systems

Products:
  • Xen hypervisor
Versions: All versions through 4.12.x
Operating Systems: Any OS running Xen hypervisor
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects x86 systems with VMX hardware virtual extensions (Intel, Cyrix, Zhaoxin CPUs). HVM/PVH guest types only. Not applicable to Arm, AMD, or PV guests.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Guest OS crash leading to denial of service for that virtual machine

🟠 Likely Case: Guest OS crash requiring a restart of the affected virtual machine

🟢 If Mitigated: No impact if patched or when running on unaffected CPU architectures

🌐 Internet-Facing: LOW - Requires guest OS user access, not directly network exploitable
🏢 Internal Only: MEDIUM - Malicious or compromised guest users could crash their VMs

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires guest OS user privileges and a specific vCPU state (#DB intercepted, single stepping active, and blocking by STI/MovSS active)

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patched in Xen security updates (see XSA-260)

Vendor Advisory: https://xenbits.xen.org/xsa/advisory-260.html

Restart Required: Yes

Instructions:

1. Update the Xen hypervisor to a patched version.
2. Reboot the hypervisor host.
3. Restart the affected VMs.

🔧 Temporary Workarounds

  • Migrate to PV guests (applies to: all): convert affected HVM/PVH guests to PV mode if possible
  • Use AMD or Arm hardware (applies to: all): deploy on unaffected CPU architectures

🧯 If You Can't Patch

  • Restrict guest user privileges to minimize attack surface
  • Monitor for guest OS crashes and investigate suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check Xen version and CPU type: 'xl info' and 'cat /proc/cpuinfo'

Check Version:

xl info | grep xen_version

Verify Fix Applied:

Verify that the Xen version is updated and that the XSA-260 patch appears in the package changelog
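As an added example (not part of this advisory), a POSIX shell check that turns the verification steps above into a reproducible offline test; the Zhaoxin vendor strings and the `hvm_capable` heuristic are assumptions noted in the comments:

```shell
# Added example, not from the advisory: classify a dom0 host against the
# affected set described above (Xen through 4.12.x, VMX-capable CPU vendor,
# HVM capability present). Inputs are the text of `xl info` and /proc/cpuinfo.

# Parse "xen_version : 4.12.1" and succeed when major.minor is <= 4.12.
xen_version_affected() {
  ver=$(printf '%s\n' "$1" | awk -F: '/^xen_version/ { gsub(/[ \t]/, "", $2); print $2; exit }')
  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%.*}
  case "$major$minor" in ''|*[!0-9]*) return 2 ;; esac   # unparsable version
  [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -le 12 ]; }
}

# vendor_id as Linux reports it: GenuineIntel and CyrixInstead are the standard
# strings; Zhaoxin parts report "  Shanghai  " or (assumption, via their
# VIA/Centaur lineage) "CentaurHauls". AMD and others fall through as safe.
cpu_vendor_affected() {
  vendor=$(printf '%s\n' "$1" | awk -F: '/^vendor_id/ { gsub(/[ \t]/, "", $2); print $2; exit }')
  case "$vendor" in
    GenuineIntel|CyrixInstead|Shanghai|CentaurHauls) return 0 ;;
    *) return 1 ;;
  esac
}

# xen_caps lists the guest types this build/hardware can run; with no "hvm-"
# capability no HVM/PVH guest (the only affected kind) can exist on this host.
hvm_capable() {
  printf '%s\n' "$1" | grep -q '^xen_caps.*hvm-'
}
host_affected() {
  xen_version_affected "$1" && cpu_vendor_affected "$2" && hvm_capable "$1"
}

# Constructed samples standing in for real `xl info` and /proc/cpuinfo output.
XL_INFO_SAMPLE='host                   : xen-host
xen_version            : 4.12.1
xen_caps               : xen-3.0-x86_64 xen-3.0-x86_32p hvm-3.0-x86_64'
CPUINFO_SAMPLE='processor       : 0
vendor_id       : GenuineIntel'
report() {
  if host_affected "$1" "$2"; then
    echo "in the affected set: confirm the XSA patch in the package changelog"
  else
    echo "outside the affected set (version, CPU vendor or HVM capability rules it out)"
  fi
}
report "$XL_INFO_SAMPLE" "$CPUINFO_SAMPLE"
```

On a real dom0 run `report "$(xl info)" "$(cat /proc/cpuinfo)"`. A backported fix does not change xen_version, so a 4.12.x host reported as affected here still needs its package changelog checked for the XSA patch.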

📡 Detection & Monitoring

Log Indicators:

  • Guest OS crash logs
  • Xen hypervisor error messages related to VMEntry failures

Network Indicators:

  • Sudden loss of connectivity to guest VM

SIEM Query:

Search for: 'guest crash' OR 'VMEntry failure' OR 'Xen error' in hypervisor logs
