CVE-2011-3131 - Resource Management Errors vulnerability in XEN
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: SINGLE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: COMPLETE
Summary
Xen 4.1.1 and earlier allows local guest OS kernels with control of a PCI[E] device to cause a denial of service (CPU consumption and host hang) via many crafted DMA requests that are denied by the IOMMU, which triggers a livelock.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | Xen | 32 |
Common Weakness Enumeration (CWE)
Nessus
NASL family: OracleVM Local Security Checks
NASL id: ORACLEVM_OVMSA-2011-0008.NASL
description: The remote OracleVM system is missing necessary patches to address critical security updates :
  - Passthrough: disable bus-mastering on any card that causes an IOMMU fault (Tim Deegan) (CVE-2011-3131)
  - Serialize iptables calls in hotplug scripts (rhbz 460410)
  - Fix iptables service check bug (orabug 11727087)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 79474
published: 2014-11-26
reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/79474
title: OracleVM 2.2 : xen (OVMSA-2011-0008)
code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The package checks in this plugin were extracted from OracleVM
# Security Advisory OVMSA-2011-0008.
#

include("compat.inc");

if (description)
{
  script_id(79474);
  script_version("1.5");
  script_cvs_date("Date: 2019/10/25 13:36:06");

  script_cve_id("CVE-2011-3131");
  script_bugtraq_id(49146);

  script_name(english:"OracleVM 2.2 : xen (OVMSA-2011-0008)");
  script_summary(english:"Checks the RPM output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote OracleVM host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value: "The remote OracleVM system is missing necessary patches to address critical security updates : - Passthrough: disable bus-mastering on any card that causes an IOMMU fault (Tim Deegan) (CVE-2011-3131) - Serialize iptables calls in hotplug scripts (rhbz 460410) - Fix iptables service check bug (orabug 11727087)"
  );
  # https://oss.oracle.com/pipermail/oraclevm-errata/2011-August/000062.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?1a285e99"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen-64");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen-debugger");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen-pvhvm-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen-tools");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:2.2");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/12/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/08/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/26");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"OracleVM Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/OracleVM/release");
if (isnull(release) || "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM");
if (! preg(pattern:"^OVS" + "2\.2" + "(\.[0-9]|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 2.2", "OracleVM " + release);
if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu);

flag = 0;
if (rpm_check(release:"OVS2.2", reference:"xen-3.4.0-0.1.34.el5")) flag++;
if (rpm_check(release:"OVS2.2", reference:"xen-64-3.4.0-0.1.34.el5")) flag++;
if (rpm_check(release:"OVS2.2", reference:"xen-debugger-3.4.0-0.1.34.el5")) flag++;
if (rpm_check(release:"OVS2.2", reference:"xen-devel-3.4.0-0.1.34.el5")) flag++;
if (rpm_check(release:"OVS2.2", reference:"xen-pvhvm-devel-3.4.0-0.1.34.el5")) flag++;
if (rpm_check(release:"OVS2.2", reference:"xen-tools-3.4.0-0.1.34.el5")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen / xen-64 / xen-debugger / xen-devel / xen-pvhvm-devel / etc");
}
```

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2011-10834.NASL
description: untrusted guest controlling PCI[E] device can lock up host CPU [CVE-2011-3131] Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 55961
published: 2011-08-24
reporter: This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/55961
title: Fedora 16 : xen-4.1.1-3.fc16 (2011-10834)

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2011-1408.NASL
description: An updated rhev-hypervisor package that fixes several security issues is now available. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The rhev-hypervisor package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: A subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent. Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions. The RHBA-2011:1254 update introduced a regression in the Linux kernel
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 79280
published: 2014-11-17
reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/79280
title: RHEL 5 : rhev-hypervisor (RHSA-2011:1408)

NASL family: Oracle Linux Local Security Checks
NASL id: ORACLELINUX_ELSA-2011-1386.NASL
description: From Red Hat Security Advisory 2011:1386 : Updated kernel packages that fix multiple security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security fixes :
  * The maximum file offset handling for ext4 file systems could allow a local, unprivileged user to cause a denial of service. (CVE-2011-2695, Important)
  * IPv6 fragment identification value generation could allow a remote attacker to disrupt a target system
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 68375
published: 2013-07-12
reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/68375
title: Oracle Linux 5 : kernel (ELSA-2011-1386)

NASL family: SuSE Local Security Checks
NASL id: SUSE_XEN-7699.NASL
description: This update fixes a denial of service (Host Crash) in the XEN hypervisor. (CVE-2011-2901)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 57267
published: 2011-12-13
reporter: This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/57267
title: SuSE 10 Security Update : Xen (ZYPP Patch Number 7699)

NASL family: Scientific Linux Local Security Checks
NASL id: SL_20111020_KERNEL_ON_SL5_X.NASL
description: The kernel packages contain the Linux kernel, the core of any Linux operating system. Security fixes :
  - The maximum file offset handling for ext4 file systems could allow a local, unprivileged user to cause a denial of service. (CVE-2011-2695, Important)
  - IPv6 fragment identification value generation could allow a remote attacker to disrupt a target system
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 61162
published: 2012-08-01
reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/61162
title: Scientific Linux Security Update : kernel on SL5.x i386/x86_64

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-2582.NASL
description: Multiple denial of service vulnerabilities have been discovered in the Xen Hypervisor. One of the issues (CVE-2012-5513) could even lead to privilege escalation from guest to host. Some of the recently published Xen Security Advisories (XSA 25 and 28) are not fixed by this update and should be fixed in a future release.
  - CVE-2011-3131 (XSA 5): DoS using I/OMMU faults from PCI-passthrough guest
    A VM that controls a PCI[E] device directly can cause it to issue DMA requests to invalid addresses. Although these requests are denied by the I/OMMU, the hypervisor needs to handle the interrupt and clear the error from the I/OMMU, and this can be used to live-lock a CPU and potentially hang the host.
  - CVE-2012-4535 (XSA 20): Timer overflow DoS vulnerability
    A guest which sets a VCPU with an inappropriate deadline can cause an infinite loop in Xen, blocking the affected physical CPU indefinitely.
  - CVE-2012-4537 (XSA 22): Memory mapping failure DoS vulnerability
    When set_p2m_entry fails, Xen
last seen: 2020-03-17
modified: 2012-12-09
plugin id: 63188
published: 2012-12-09
reporter: This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/63188
title: Debian DSA-2582-1 : xen - several vulnerabilities

NASL family: CentOS Local Security Checks
NASL id: CENTOS_RHSA-2011-1386.NASL
description: Updated kernel packages that fix multiple security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security fixes :
  * The maximum file offset handling for ext4 file systems could allow a local, unprivileged user to cause a denial of service. (CVE-2011-2695, Important)
  * IPv6 fragment identification value generation could allow a remote attacker to disrupt a target system
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 56569
published: 2011-10-21
reporter: This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/56569
title: CentOS 5 : kernel (CESA-2011:1386)

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2011-10942.NASL
description: untrusted guest controlling PCI[E] device can lock up host CPU [CVE-2011-3131] Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 56010
published: 2011-08-31
reporter: This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/56010
title: Fedora 15 : xen-4.1.1-3.fc15 (2011-10942)

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2011-1386.NASL
description: Updated kernel packages that fix multiple security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security fixes :
  * The maximum file offset handling for ext4 file systems could allow a local, unprivileged user to cause a denial of service. (CVE-2011-2695, Important)
  * IPv6 fragment identification value generation could allow a remote attacker to disrupt a target system
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 56577
published: 2011-10-21
reporter: This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/56577
title: RHEL 5 : kernel (RHSA-2011:1386)
References
- http://old-list-archives.xen.org/archives/html/xen-devel/2011-06/msg01106.html
- http://old-list-archives.xen.org/archives/html/xen-devel/2011-08/msg00450.html
- http://secunia.com/advisories/45622
- http://secunia.com/advisories/51468
- http://www.debian.org/security/2012/dsa-2582
- http://www.securityfocus.com/bid/49146
- http://xenbits.xen.org/hg/staging/xen-4.1-testing.hg/rev/84e3706df07a