Vulnerability Name:

CVE-2009-3525 (CCN-53485)

Assigned:2009-08-25
Published:2009-08-25
Updated:2017-09-19
Summary:The pyGrub boot loader in Xen 3.0.3, 3.3.0, and Xen-3.3.1 does not support the password option in grub.conf for para-virtualized guests, which allows attackers with access to the para-virtualized guest console to boot the guest or modify the guest's kernel boot parameters without providing the expected password.
CVSS v3 Severity:2.8 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity:7.2 High (CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
5.3 Medium (Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
1.7 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:N/I:P/A:N)
1.3 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:S/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
6.2 Medium (REDHAT CVSS v2 Vector: AV:L/AC:H/Au:N/C:C/I:C/A:C)
4.6 Medium (REDHAT Temporal CVSS v2 Vector: AV:L/AC:H/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type:CWE-264
Vulnerability Consequences:Bypass Security
References:Source: MITRE
Type: CNA
CVE-2009-3525

Source: SUSE
Type: UNKNOWN
SUSE-SR:2010:012

Source: CCN
Type: RHSA-2009-1472
Moderate: xen security and bug fix update

Source: SECUNIA
Type: Vendor Advisory
36908

Source: CCN
Type: SECTRACK ID: 1022950
Xen PyGrub Access Control Flaw Lets Local Users Modify the Boot Configuration

Source: MLIST
Type: Patch
[oss-security] 20090925 CVE Request -- Xen -- PyGrub

Source: CCN
Type: OSVDB ID: 58621
Xen pyGrub Boot Loader Para-virtualized Guest Password Bypass

Source: REDHAT
Type: Vendor Advisory
RHSA-2009:1472

Source: BID
Type: Exploit
36523

Source: CCN
Type: BID-36523
Xen pygrub Local Authentication Bypass Vulnerability

Source: SECTRACK
Type: UNKNOWN
1022950

Source: CCN
Type: Xen Web site
What is Xen?

Source: CONFIRM
Type: Exploit
http://xenbits.xensource.com/xen-unstable.hg?rev/8f783adc0ee3

Source: CCN
Type: Red Hat Bugzilla Bug 525740
Xen: PyGrub allows to edit it's configuration at boot time even when configured with password protection

Source: CONFIRM
Type: Exploit, Patch
https://bugzilla.redhat.com/show_bug.cgi?id=525740

Source: CONFIRM
Type: Exploit, Patch
https://bugzilla.redhat.com/show_bug.cgi?id=525740#c0

Source: XF
Type: UNKNOWN
xen-pygrub-authentication-bypass(53485)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:9466

Vulnerable Configuration:Configuration 1:
  • cpe:/a:xen:xen:3.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:xen:xen:3.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:xen:xen:3.3.1:*:*:*:*:*:*:*

  • Configuration RedHat 1:
  • cpe:/a:redhat:rhel_virtualization:5:*:*:*:*:*:*:*

  • Configuration RedHat 2:
  • cpe:/a:redhat:rhel_virtualization:5::client:*:*:*:*:*

  • Configuration RedHat 3:
  • cpe:/a:redhat:rhel_virtualization:5::server:*:*:*:*:*

  • Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*

  • Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:5::client:*:*:*:*:*

  • Configuration RedHat 6:
  • cpe:/o:redhat:enterprise_linux:5::server:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:xensource:xen:3.0.3:*:*:*:*:*:*:*
  • AND
  • cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:rhel_virtualization:5:*:server:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:5:*:client:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition ID | Class | Title | Last Modified
    oval:org.opensuse.security:def:20093525 | V | CVE-2009-3525 | 2022-05-20
    oval:org.opensuse.security:def:32250 | P | Security update for log4j (Important) | 2021-12-17
    oval:org.opensuse.security:def:29442 | P | Security update for binutils (Moderate) | 2021-11-09
    oval:org.opensuse.security:def:32116 | P | Security update for ucode-intel (Important) | 2021-06-10
    oval:org.opensuse.security:def:29478 | P | Security update for python-cryptography (Important) | 2021-03-02
    oval:org.opensuse.security:def:28603 | P | Security update for usbmuxd | 2020-12-01
    oval:org.opensuse.security:def:28021 | P | Security update for bind (Important) | 2020-12-01
    oval:org.opensuse.security:def:32853 | P | emacs on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:28705 | P | Security update for grub2 (Important) | 2020-12-01
    oval:org.opensuse.security:def:32400 | P | Security update for vim (Important) | 2020-12-01
    oval:org.opensuse.security:def:28096 | P | Security update for giflib (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:33530 | P | Security update for Xen | 2020-12-01
    oval:org.opensuse.security:def:28760 | P | Security update for pulseaudio | 2020-12-01
    oval:org.opensuse.security:def:32643 | P | coolkey on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:28310 | P | Security update for openssl (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:32031 | P | Security update for the Linux Kernel (Important) | 2020-12-01
    oval:org.opensuse.security:def:32748 | P | mipv6d on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:28451 | P | Security update for xen (Important) | 2020-12-01
    oval:org.opensuse.security:def:28020 | P | Security update for bind (Important) | 2020-12-01
    oval:org.opensuse.security:def:32809 | P | xorg-x11-Xvnc on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:28656 | P | Security update for e2fsprogs | 2020-12-01
    oval:org.opensuse.security:def:32343 | P | Security update for spice (Important) | 2020-12-01
    oval:org.opensuse.security:def:28032 | P | Security update for bind (Important) | 2020-12-01
    oval:org.opensuse.security:def:33491 | P | Security update for libtiff | 2020-12-01
    oval:org.opensuse.security:def:28744 | P | Security update for libgcrypt (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:32487 | P | apache2 on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:28226 | P | Security update for libssh (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:32030 | P | Security update for the Linux Kernel (Important) | 2020-12-01
    oval:org.opensuse.security:def:28804 | P | Security update for openvpn | 2020-12-01
    oval:org.opensuse.security:def:32699 | P | ldapsmb on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:28367 | P | Security update for python (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:32042 | P | Security update for krb5 (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:32787 | P | squidGuard on GA media (Moderate) | 2020-12-01
    oval:org.mitre.oval:def:29340 | P | RHSA-2009:1472 -- xen security and bug fix update (Moderate) | 2015-08-17
    oval:org.mitre.oval:def:22812 | P | ELSA-2009:1472: xen security and bug fix update (Moderate) | 2014-05-26
    oval:org.mitre.oval:def:9466 | V | The pyGrub boot loader in Xen 3.0.3, 3.3.0, and Xen-3.3.1 does not support the password option in grub.conf for para-virtualized guests, which allows attackers with access to the para-virtualized guest console to boot the guest or modify the guest's kernel boot parameters without providing the expected password. | 2013-04-29
    oval:com.redhat.rhsa:def:20091472 | P | RHSA-2009:1472: xen security and bug fix update (Moderate) | 2009-10-01
    xen xen 3.0.3
    xen xen 3.3.0
    xen xen 3.3.1
    xensource xen 3.0.3
    redhat enterprise linux 5
    redhat rhel virtualization 5
    redhat enterprise linux 5