CVE Vulnerabilities

CVE-2014-1666

Published: Jan 26, 2014 | Modified: Jan 03, 2018
CVSS 3.x: N/A
Source: NVD
CVSS 2.x: 8.3 HIGH (AV:A/AC:L/Au:N/C:C/I:C/A:C)
RedHat/V2: 6.5 IMPORTANT (AV:A/AC:H/Au:S/C:C/I:C/A:C)
RedHat/V3:
Ubuntu: MEDIUM

The do_physdev_op function in Xen 4.1.5, 4.1.6.1, 4.2.2 through 4.2.3, and 4.3.x does not properly restrict access to the (1) PHYSDEVOP_prepare_msix and (2) PHYSDEVOP_release_msix operations, which allows local PV guests to cause a denial of service (host or guest malfunction) or possibly gain privileges via unspecified vectors.

Affected Software

| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Xen | Xen | 4.1.5 (including) | 4.1.5 (including) |
| Xen | Xen | 4.1.6.1 (including) | 4.1.6.1 (including) |
| Xen | Xen | 4.2.2 (including) | 4.2.2 (including) |
| Xen | Xen | 4.2.3 (including) | 4.2.3 (including) |
| Xen | Xen | 4.3.0 (including) | 4.3.0 (including) |
| Xen | Xen | 4.3.1 (including) | 4.3.1 (including) |
| Xen | Ubuntu | devel | * |
| Xen | Ubuntu | precise | * |
| Xen | Ubuntu | quantal | * |
| Xen | Ubuntu | raring | * |
| Xen | Ubuntu | saucy | * |
| Xen | Ubuntu | upstream | * |
| Xen-3.3 | Ubuntu | upstream | * |

References