Vulnerabilities > CVE-2011-1936 - Denial-Of-Service vulnerability in Xen

047910
CVSS 4.6 - MEDIUM
Attack vector
ADJACENT_NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
COMPLETE
high complexity
xen
nessus

Summary

Xen, when using x86 Intel processors and the VMX virtualization extension is enabled, does not properly handle cpuid instruction emulation when exiting the VM, which allows local guest users to cause a denial of service (guest crash) via unspecified vectors.

Vulnerable Configurations

Part Description Count
OS
Xen
1

Nessus

  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2011-1090.NASL
    descriptionAn updated rhev-hypervisor package that fixes one security issue and several bugs is now available. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The rhev-hypervisor package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: A subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent. Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions. A flaw was found that allowed napi_reuse_skb() to be called on VLAN (virtual LAN) packets. An attacker on the local network could trigger this flaw by sending specially crafted packets to a target system, possibly causing a denial of service. (CVE-2011-1576) Red Hat would like to thank Ryan Sweat for reporting CVE-2011-1576. This updated package provides updated components that include fixes for security issues; however, these issues have no security impact for Red Hat Enterprise Virtualization Hypervisor. These fixes are for bash issue CVE-2008-5374; curl issue CVE-2011-2192; kernel issues CVE-2010-4649, CVE-2011-0695, CVE-2011-0711, CVE-2011-1044, CVE-2011-1182, CVE-2011-1573, CVE-2011-1593, CVE-2011-1745, CVE-2011-1746, CVE-2011-1776, CVE-2011-1780, CVE-2011-1936, CVE-2011-2022, CVE-2011-2213, CVE-2011-2492, CVE-2011-2525, and CVE-2011-2689; libvirt issue CVE-2011-2511; and rsync issue CVE-2007-6200. This update also fixes several bugs. Documentation for these bug fixes will be available shortly from the Technical Notes document linked to in the References section. As Red Hat Enterprise Virtualization Hypervisor is based on KVM, the bug fixes from the KVM update RHBA-2011:1068 have been included in this update : https://rhn.redhat.com/errata/RHBA-2011-1068.html Users of Red Hat Enterprise Virtualization Hypervisor are advised to upgrade to this updated package, which resolves this issue and fixes the bugs noted in the Technical Notes.
    last seen2020-06-01
    modified2020-06-02
    plugin id79279
    published2014-11-17
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/79279
    titleRHEL 5 : rhev-hypervisor (RHSA-2011:1090)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2011:1090. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(79279);
      script_version("1.9");
      script_cvs_date("Date: 2019/10/25 13:36:16");
    
      script_cve_id("CVE-2011-1576");
      script_xref(name:"RHSA", value:"2011:1090");
    
      script_name(english:"RHEL 5 : rhev-hypervisor (RHSA-2011:1090)");
      script_summary(english:"Checks the rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An updated rhev-hypervisor package that fixes one security issue and
    several bugs is now available.
    
    The Red Hat Security Response Team has rated this update as having
    moderate security impact. A Common Vulnerability Scoring System (CVSS)
    base score, which gives a detailed severity rating, is available from
    the CVE link in the References section.
    
    The rhev-hypervisor package provides a Red Hat Enterprise
    Virtualization Hypervisor ISO disk image. The Red Hat Enterprise
    Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine
    (KVM) hypervisor. It includes everything necessary to run and manage
    virtual machines: A subset of the Red Hat Enterprise Linux operating
    environment and the Red Hat Enterprise Virtualization Agent.
    
    Note: Red Hat Enterprise Virtualization Hypervisor is only available
    for the Intel 64 and AMD64 architectures with virtualization
    extensions.
    
    A flaw was found that allowed napi_reuse_skb() to be called on VLAN
    (virtual LAN) packets. An attacker on the local network could trigger
    this flaw by sending specially crafted packets to a target system,
    possibly causing a denial of service. (CVE-2011-1576)
    
    Red Hat would like to thank Ryan Sweat for reporting CVE-2011-1576.
    
    This updated package provides updated components that include fixes
    for security issues; however, these issues have no security impact for
    Red Hat Enterprise Virtualization Hypervisor. These fixes are for bash
    issue CVE-2008-5374; curl issue CVE-2011-2192; kernel issues
    CVE-2010-4649, CVE-2011-0695, CVE-2011-0711, CVE-2011-1044,
    CVE-2011-1182, CVE-2011-1573, CVE-2011-1593, CVE-2011-1745,
    CVE-2011-1746, CVE-2011-1776, CVE-2011-1780, CVE-2011-1936,
    CVE-2011-2022, CVE-2011-2213, CVE-2011-2492, CVE-2011-2525, and
    CVE-2011-2689; libvirt issue CVE-2011-2511; and rsync issue
    CVE-2007-6200.
    
    This update also fixes several bugs. Documentation for these bug fixes
    will be available shortly from the Technical Notes document linked to
    in the References section.
    
    As Red Hat Enterprise Virtualization Hypervisor is based on KVM, the
    bug fixes from the KVM update RHBA-2011:1068 have been included in
    this update :
    
    https://rhn.redhat.com/errata/RHBA-2011-1068.html
    
    Users of Red Hat Enterprise Virtualization Hypervisor are advised to
    upgrade to this updated package, which resolves this issue and fixes
    the bugs noted in the Technical Notes."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2011-1576"
      );
      # https://docs.redhat.com/docs/en-US/
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/documentation/en-US/"
      );
      # https://rhn.redhat.com/errata/RHBA-2011-1068.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHBA-2011:1068"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2011:1090"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected rhev-hypervisor package."
      );
      script_set_cvss_base_vector("CVSS2#AV:A/AC:M/Au:N/C:N/I:N/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rhev-hypervisor");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2011/08/31");
      script_set_attribute(attribute:"patch_publication_date", value:"2011/07/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/17");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 5.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2011:1090";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL5", reference:"rhev-hypervisor-5.7-20110725.1.el5")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "rhev-hypervisor");
      }
    }
    
  • NASL familyMisc.
    NASL idVMWARE_VMSA-2012-0001_REMOTE.NASL
    descriptionThe remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several third-party libraries : - COS kernel - cURL - python - rpm
    last seen2020-06-01
    modified2020-06-02
    plugin id89105
    published2016-03-03
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/89105
    titleVMware ESX / ESXi Service Console and Third-Party Libraries Multiple Vulnerabilities (VMSA-2012-0001) (remote check)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2011-0927.NASL
    descriptionUpdated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * An integer overflow flaw in ib_uverbs_poll_cq() could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2010-4649, Important) * A race condition in the way new InfiniBand connections were set up could allow a remote user to cause a denial of service. (CVE-2011-0695, Important) * A flaw in the Stream Control Transmission Protocol (SCTP) implementation could allow a remote attacker to cause a denial of service if the sysctl
    last seen2020-06-01
    modified2020-06-02
    plugin id55609
    published2011-07-19
    reporterThis script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/55609
    titleCentOS 5 : kernel (CESA-2011:0927)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20110715_KERNEL_ON_SL5_X.NASL
    descriptionThe kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : - An integer overflow flaw in ib_uverbs_poll_cq() could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2010-4649, Important) - A race condition in the way new InfiniBand connections were set up could allow a remote user to cause a denial of service. (CVE-2011-0695, Important) - A flaw in the Stream Control Transmission Protocol (SCTP) implementation could allow a remote attacker to cause a denial of service if the sysctl
    last seen2020-06-01
    modified2020-06-02
    plugin id61083
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/61083
    titleScientific Linux Security Update : kernel on SL5.x i386/x86_64
  • NASL familyVMware ESX Local Security Checks
    NASL idVMWARE_VMSA-2012-0001.NASL
    descriptiona. ESX third-party update for Service Console kernel The ESX Service Console Operating System (COS) kernel is updated to kernel-2.6.18-274.3.1.el5 to fix multiple security issues in the COS kernel. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2011-0726, CVE-2011-1078, CVE-2011-1079, CVE-2011-1080, CVE-2011-1093, CVE-2011-1163, CVE-2011-1166, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-1494, CVE-2011-1495, CVE-2011-1577, CVE-2011-1763, CVE-2010-4649, CVE-2011-0695, CVE-2011-0711, CVE-2011-1044, CVE-2011-1182, CVE-2011-1573, CVE-2011-1576, CVE-2011-1593, CVE-2011-1745, CVE-2011-1746, CVE-2011-1776, CVE-2011-1936, CVE-2011-2022, CVE-2011-2213, CVE-2011-2492, CVE-2011-1780, CVE-2011-2525, CVE-2011-2689, CVE-2011-2482, CVE-2011-2491, CVE-2011-2495, CVE-2011-2517, CVE-2011-2519, CVE-2011-2901 to these issues. b. ESX third-party update for Service Console cURL RPM The ESX Service Console (COS) curl RPM is updated to cURL-7.15.5.9 resolving a security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-2192 to this issue. c. ESX third-party update for Service Console nspr and nss RPMs The ESX Service Console (COS) nspr and nss RPMs are updated to nspr-4.8.8-1.el5_7 and nss-3.12.10-4.el5_7 respectively resolving a security issues. A Certificate Authority (CA) issued fraudulent SSL certificates and Netscape Portable Runtime (NSPR) and Network Security Services (NSS) contain the built-in tokens of this fraudulent Certificate Authority. This update renders all SSL certificates signed by the fraudulent CA as untrusted for all uses. d. ESX third-party update for Service Console rpm RPMs The ESX Service Console Operating System (COS) rpm packages are updated to popt-1.10.2.3-22.el5_7.2, rpm-4.4.2.3-22.el5_7.2, rpm-libs-4.4.2.3-22.el5_7.2 and rpm-python-4.4.2.3-22.el5_7.2 which fixes multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-2059 and CVE-2011-3378 to these issues. e. ESX third-party update for Service Console samba RPMs The ESX Service Console Operating System (COS) samba packages are updated to samba-client-3.0.33-3.29.el5_7.4, samba-common-3.0.33-3.29.el5_7.4 and libsmbclient-3.0.33-3.29.el5_7.4 which fixes multiple security issues in the Samba client. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-0547, CVE-2010-0787, CVE-2011-1678, CVE-2011-2522 and CVE-2011-2694 to these issues. Note that ESX does not include the Samba Web Administration Tool (SWAT) and therefore ESX COS is not affected by CVE-2011-2522 and CVE-2011-2694. f. ESX third-party update for Service Console python package The ESX Service Console (COS) python package is updated to 2.4.3-44 which fixes multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-3720, CVE-2010-3493, CVE-2011-1015 and CVE-2011-1521 to these issues. g. ESXi update to third-party component python The python third-party library is updated to python 2.5.6 which fixes multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-3560, CVE-2009-3720, CVE-2010-1634, CVE-2010-2089, and CVE-2011-1521 to these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id57749
    published2012-01-31
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/57749
    titleVMSA-2012-0001 : VMware ESXi and ESX updates to third-party library and ESX Service Console
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2011-0927.NASL
    descriptionUpdated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * An integer overflow flaw in ib_uverbs_poll_cq() could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2010-4649, Important) * A race condition in the way new InfiniBand connections were set up could allow a remote user to cause a denial of service. (CVE-2011-0695, Important) * A flaw in the Stream Control Transmission Protocol (SCTP) implementation could allow a remote attacker to cause a denial of service if the sysctl
    last seen2020-06-01
    modified2020-06-02
    plugin id55597
    published2011-07-15
    reporterThis script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/55597
    titleRHEL 5 : kernel (RHSA-2011:0927)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2011-0927.NASL
    descriptionFrom Red Hat Security Advisory 2011:0927 : Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * An integer overflow flaw in ib_uverbs_poll_cq() could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2010-4649, Important) * A race condition in the way new InfiniBand connections were set up could allow a remote user to cause a denial of service. (CVE-2011-0695, Important) * A flaw in the Stream Control Transmission Protocol (SCTP) implementation could allow a remote attacker to cause a denial of service if the sysctl
    last seen2020-06-01
    modified2020-06-02
    plugin id68304
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/68304
    titleOracle Linux 5 : kernel (ELSA-2011-0927)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_XEN-201108-7703.NASL
    descriptionThis update fixes various bugs in XEN : The following security issues have been fixed : - A denial of service (Host Crash) in the XEN hypervisor. (CVE-2011-2901) - A bug was found in the way Xen handles CPUID instruction emulation during VM exits. An unprivileged guest user can potentially use this flaw to crash the guest. (CVE-2011-1936) - A 64-bit guest can get one of its vcpus into non-kernel mode without first providing a valid non-kernel pagetable. The observed failure mode was usually a hard lockup of the host (host denial of service). (CVE-2011-1166) It fixes also the following bugs : - SLES 10 SP3 XEN: Device /dev/xvdp is already connected error when starting multiple vm
    last seen2020-06-01
    modified2020-06-02
    plugin id56618
    published2011-10-24
    reporterThis script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/56618
    titleSuSE 10 Security Update : Xen (ZYPP Patch Number 7703)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_XEN-7654.NASL
    descriptionA security bug was fixed in Xen - A bug was found in the way Xen handles CPUID instruction emulation during VM exits. An unprivileged guest user can potentially use this flaw to crash the guest. (CVE-2011-1936) This issue only affected systems running on x86 architecture with Intel processor and VMX virtualization extension enabled.
    last seen2020-06-01
    modified2020-06-02
    plugin id57266
    published2011-12-13
    reporterThis script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/57266
    titleSuSE 10 Security Update : Xen (ZYPP Patch Number 7654)

Redhat

advisories
rhsa
idRHSA-2011:0927
rpms
  • kernel-0:2.6.18-238.19.1.el5
  • kernel-PAE-0:2.6.18-238.19.1.el5
  • kernel-PAE-debuginfo-0:2.6.18-238.19.1.el5
  • kernel-PAE-devel-0:2.6.18-238.19.1.el5
  • kernel-debug-0:2.6.18-238.19.1.el5
  • kernel-debug-debuginfo-0:2.6.18-238.19.1.el5
  • kernel-debug-devel-0:2.6.18-238.19.1.el5
  • kernel-debuginfo-0:2.6.18-238.19.1.el5
  • kernel-debuginfo-common-0:2.6.18-238.19.1.el5
  • kernel-devel-0:2.6.18-238.19.1.el5
  • kernel-doc-0:2.6.18-238.19.1.el5
  • kernel-headers-0:2.6.18-238.19.1.el5
  • kernel-kdump-0:2.6.18-238.19.1.el5
  • kernel-kdump-debuginfo-0:2.6.18-238.19.1.el5
  • kernel-kdump-devel-0:2.6.18-238.19.1.el5
  • kernel-xen-0:2.6.18-238.19.1.el5
  • kernel-xen-debuginfo-0:2.6.18-238.19.1.el5
  • kernel-xen-devel-0:2.6.18-238.19.1.el5