Vulnerabilities > CVE-2012-4544 - Improper Input Validation vulnerability in XEN
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
PARTIAL Summary
The PV domain builder in Xen 4.2 and earlier does not validate the size of the kernel or ramdisk (1) before or (2) after decompression, which allows local guest administrators to cause a denial of service (domain 0 memory consumption) via a crafted (a) kernel or (b) ramdisk.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Server Side Include (SSI) Injection An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
- Cross Zone Scripting An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
- Cross Site Scripting through Log Files An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
- Command Line Execution through SQL Injection An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
Nessus
NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2013-0241.NASL description From Red Hat Security Advisory 2013:0241 : Updated xen packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The xen packages contain administration tools and the xend service for managing the kernel-xen kernel for virtualization on Red Hat Enterprise Linux. A flaw was found in the way libxc, the Xen control library, handled excessively large kernel and ramdisk images when starting new guests. A privileged guest user in a para-virtualized guest (a DomU) could create a crafted kernel or ramdisk image that, when attempting to use it during guest start, could result in an out-of-memory condition in the privileged domain (the Dom0). (CVE-2012-4544) Red Hat would like to thank the Xen project for reporting this issue. All users of xen are advised to upgrade to these updated packages, which correct this issue. After installing the updated packages, the xend service must be restarted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 68725 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/68725 title Oracle Linux 5 : xen (ELSA-2013-0241) NASL family SuSE Local Security Checks NASL id SUSE_SU-2014-0446-1.NASL description The SUSE Linux Enterprise Server 11 Service Pack 1 LTSS Xen hypervisor and toolset have been updated to fix various security issues and some bugs. The following security issues have been addressed : XSA-84: CVE-2014-1894: Xen 3.2 (and presumably earlier) exhibit both problems with the overflow issue being present for more than just the suboperations listed above. (bnc#860163) XSA-84: CVE-2014-1892 CVE-2014-1893: Xen 3.3 through 4.1, while not affected by the above overflow, have a different overflow issue on FLASK_{GET,SET}BOOL and expose unreasonably large memory allocation to arbitrary guests. (bnc#860163) XSA-84: CVE-2014-1891: The FLASK_{GET,SET}BOOL, FLASK_USER and FLASK_CONTEXT_TO_SID suboperations of the flask hypercall are vulnerable to an integer overflow on the input size. The hypercalls attempt to allocate a buffer which is 1 larger than this size and is therefore vulnerable to integer overflow and an attempt to allocate then access a zero byte buffer. (bnc#860163) XSA-82: CVE-2013-6885: The microcode on AMD 16h 00h through 0Fh processors does not properly handle the interaction between locked instructions and write-combined memory types, which allows local users to cause a denial of service (system hang) via a crafted application, aka the errata 793 issue. (bnc#853049) XSA-76: CVE-2013-4554: Xen 3.0.3 through 4.1.x (possibly 4.1.6.1), 4.2.x (possibly 4.2.3), and 4.3.x (possibly 4.3.1) does not properly prevent access to hypercalls, which allows local guest users to gain privileges via a crafted application running in ring 1 or 2. (bnc#849668) XSA-74: CVE-2013-4553: The XEN_DOMCTL_getmemlist hypercall in Xen 3.4.x through 4.3.x (possibly 4.3.1) does not always obtain the page_alloc_lock and mm_rwlock in the same order, which allows local guest administrators to cause a denial of service (host deadlock). (bnc#849667) XSA-73: CVE-2013-4494: Xen before 4.1.x, 4.2.x, and 4.3.x does not take the page_alloc_lock and grant_table.lock in the same order, which allows local guest administrators with access to multiple vcpus to cause a denial of service (host deadlock) via unspecified vectors. (bnc#848657) XSA-67: CVE-2013-4368: The outs instruction emulation in Xen 3.1.x, 4.2.x, 4.3.x, and earlier, when using FS: or GS: segment override, uses an uninitialized variable as a segment base, which allows local 64-bit PV guests to obtain sensitive information (hypervisor stack content) via unspecified vectors related to stale data in a segment register. (bnc#842511) XSA-66: CVE-2013-4361: The fbld instruction emulation in Xen 3.3.x through 4.3.x does not use the correct variable for the source effective address, which allows local HVM guests to obtain hypervisor stack information by reading the values used by the instruction. (bnc#841766) XSA-63: CVE-2013-4355: Xen 4.3.x and earlier does not properly handle certain errors, which allows local HVM guests to obtain hypervisor stack memory via a (1) port or (2) memory mapped I/O write or (3) other unspecified operations related to addresses without associated memory. (bnc#840592) XSA-62: CVE-2013-1442: Xen 4.0 through 4.3.x, when using AVX or LWP capable CPUs, does not properly clear previous data from registers when using an XSAVE or XRSTOR to extend the state components of a saved or restored vCPU after touching other restored extended registers, which allows local guest OSes to obtain sensitive information by reading the registers. (bnc#839596) XSA-61: CVE-2013-4329: The xenlight library (libxl) in Xen 4.0.x through 4.2.x, when IOMMU is disabled, provides access to a busmastering-capable PCI passthrough device before the IOMMU setup is complete, which allows local HVM guest domains to gain privileges or cause a denial of service via a DMA instruction. (bnc#839618) XSA-60: CVE-2013-2212: The vmx_set_uc_mode function in Xen 3.3 through 4.3, when disabling chaches, allows local HVM guests with access to memory mapped I/O regions to cause a denial of service (CPU consumption and possibly hypervisor or guest kernel panic) via a crafted GFN range. (bnc#831120) XSA-58: CVE-2013-1918: Certain page table manipulation operations in Xen 4.1.x, 4.2.x, and earlier are not preemptible, which allows local PV kernels to cause a denial of service via vectors related to last seen 2020-06-05 modified 2015-05-20 plugin id 83616 published 2015-05-20 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/83616 title SUSE SLES11 Security Update : Xen (SUSE-SU-2014:0446-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2014-0470-1.NASL description The SUSE Linux Enterprise 10 Service Pack 3 LTSS Xen hypervisor and toolset have been updated to fix various security issues : The following security issues have been addressed : XSA-20: CVE-2012-4535: Xen 3.4 through 4.2, and possibly earlier versions, allows local guest OS administrators to cause a denial of service (Xen infinite loop and physical CPU consumption) by setting a VCPU with an last seen 2020-06-05 modified 2015-05-20 plugin id 83617 published 2015-05-20 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/83617 title SUSE SLES10 Security Update : Xen (SUSE-SU-2014:0470-1) NASL family Fedora Local Security Checks NASL id FEDORA_2012-17408.NASL description limit the size of guest kernels and ramdisks to avoid running out of memory on dom0 during guest boot [XSA-25,CVE-2012-4544] (#870414) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2012-11-12 plugin id 62876 published 2012-11-12 reporter This script is Copyright (C) 2012-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/62876 title Fedora 16 : xen-4.1.3-3.fc16 (2012-17408) NASL family Fedora Local Security Checks NASL id FEDORA_2012-17135.NASL description update to xen 4.2.0, limit the size of guest kernels and ramdisks to avoid running out of memeory on dom0 during guest boot [XSA-25, CVE-2012-4544] (#870414) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2012-11-14 plugin id 62912 published 2012-11-14 reporter This script is Copyright (C) 2012-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/62912 title Fedora 18 : xen-4.2.0-3.fc18 (2012-17135) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2015-0068.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2015-0068 for details. last seen 2020-06-01 modified 2020-06-02 plugin id 84140 published 2015-06-12 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/84140 title OracleVM 3.2 : xen (OVMSA-2015-0068) (POODLE) (Venom) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2013-0241.NASL description Updated xen packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The xen packages contain administration tools and the xend service for managing the kernel-xen kernel for virtualization on Red Hat Enterprise Linux. A flaw was found in the way libxc, the Xen control library, handled excessively large kernel and ramdisk images when starting new guests. A privileged guest user in a para-virtualized guest (a DomU) could create a crafted kernel or ramdisk image that, when attempting to use it during guest start, could result in an out-of-memory condition in the privileged domain (the Dom0). (CVE-2012-4544) Red Hat would like to thank the Xen project for reporting this issue. All users of xen are advised to upgrade to these updated packages, which correct this issue. After installing the updated packages, the xend service must be restarted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 64498 published 2013-02-08 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/64498 title RHEL 5 : xen (RHSA-2013:0241) NASL family Fedora Local Security Checks NASL id FEDORA_2012-17204.NASL description limit the size of guest kernels and ramdisks to avoid running out of memory on dom0 during guest boot [XSA-25, CVE-2012-4544] (#870414) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2012-11-12 plugin id 62874 published 2012-11-12 reporter This script is Copyright (C) 2012-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/62874 title Fedora 17 : xen-4.1.3-5.fc17 (2012-17204) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2013-0074.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - x86: check segment descriptor read result in 64-bit OUTS emulation XSA-67 (Matthew Daley) [orabug 17571640] (CVE-2013-4368) - x86: properly set up fbld emulation operand address XSA-66 (Jan Beulich) [orabug 17472492] (CVE-2013-4361) - x86: properly handle hvm_copy_from_guest_[phys,virt] errors XSA-63 (Jan Beulich) [orabug 17472461] (CVE-2013-4355) - libxc: builder: limit maximum size of kernel/ramdisk (Ian Campbell) [orabug 15852491] (CVE-2012-4544) - libxc: builder: Correct fix for CVE-2012-4544 (Ian Campbell) [orabug 15852491] (CVE-2012-4544) - [PATCH 01/21] libelf: abolish libelf-relocate.c (Ian Jackson) [orabug 16902308] (CVE-2013-2194 CVE-2013-2195 CVE-2013-2196) - [PATCH 02/21] libxc: introduce xc_dom_seg_to_ptr_pages (Ian Jackson) [orabug 16902308] (CVE-2013-2194 CVE-2013-2195 CVE-2013-2196) - [PATCH 03/21] libxc: Fix range checking in xc_dom_pfn_to_ptr etc. (Ian Jackson) [orabug 16902308] (CVE-2013-2194 CVE-2013-2195 CVE-2013-2196) - [PATCH 04/21] libelf: abolish elf_sval and elf_access_signed (Ian Jackson) [orabug 16902308] (CVE-2013-2194 CVE-2013-2195 CVE-2013-2196) - [PATCH 05/21] libelf/xc_dom_load_elf_symtab: Do not use last seen 2020-06-01 modified 2020-06-02 plugin id 79521 published 2014-11-26 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/79521 title OracleVM 2.2 : xen (OVMSA-2013-0074) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2012-0051.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - libxc: builder: limit maximum size of kernel/ramdisk. Allowing user supplied kernels of arbitrary sizes, especially during decompression, can swallow up dom0 memory leading to either virtual address space exhaustion in the builder process or allocation failures/OOM killing of both toolstack and unrelated processes. We disable these checks when building in a stub domain for pvgrub since this uses the guest last seen 2020-06-01 modified 2020-06-02 plugin id 79489 published 2014-11-26 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/79489 title OracleVM 3.1 : xen (OVMSA-2012-0051) NASL family SuSE Local Security Checks NASL id SUSE_XEN-201211-8359.NASL description XEN received various security and bugfixes : - xen: Timer overflow DoS vulnerability (XSA-20). (CVE-2012-4535) - xen: Memory mapping failure DoS vulnerability (XSA-22) The following additional bugs have beenfixed:. (CVE-2012-4537) - L3: Xen BUG at io_apic.c:129 26102-x86-IOAPIC-legacy-not-first.patch. (bnc#784087) - Upstream patches from Jan 25927-x86-domctl-ioport-mapping-range.patch 25931-x86-domctl-iomem-mapping-checks.patch 26061-x86-oprof-counter-range.patch 25431-x86-EDD-MBR-sig-check.patch 25480-x86_64-sysret-canonical.patch 25481-x86_64-AMD-erratum-121.patch 25485-x86_64-canonical-checks.patch 25587-param-parse-limit.patch 25589-pygrub-size-limits.patch 25744-hypercall-return-long.patch 25765-x86_64-allow-unsafe-adjust.patch 25773-x86-honor-no-real-mode.patch 25786-x86-prefer-multiboot-meminfo-over-e801.patch 25808-domain_create-return-value.patch 25814-x86_64-set-debugreg-guest.patch 24742-gnttab-misc.patch 25098-x86-emul-lock-UD.patch 25200-x86_64-trap-bounce-flags.patch 25271-x86_64-IST-index.patch - win2k8 guests are unable to restore after saving the vms state ept-novell-x64.patch 23800-x86_64-guest-addr-range.patch 24168-x86-vioapic-clear-remote_irr.patch 24453-x86-vIRQ-IRR-TMR-race.patch 24456-x86-emul-lea.patch. (bnc#651093) - Unable to install RHEL 6.1 x86 as a paravirtualized guest OS on SLES 10 SP4 x86 vm-install-0.2.19.tar.bz2. (bnc#713555) last seen 2020-06-05 modified 2012-11-19 plugin id 62963 published 2012-11-19 reporter This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/62963 title SuSE 10 Security Update : Xen (ZYPP Patch Number 8359) NASL family SuSE Local Security Checks NASL id SUSE_11_XEN-201211-121102.NASL description XEN was updated to fix various bugs and security issues : The following security issues have been fixed : - xen: Domain builder Out-of-memory due to malicious kernel/ramdisk (XSA 25). (CVE-2012-4544) - XEN / qemu: guest administrator can access qemu monitor console (XSA-19). (CVE-2012-4411) - xen: Timer overflow DoS vulnerability (XSA 20). (CVE-2012-4535) - xen: pirq range check DoS vulnerability (XSA 21). (CVE-2012-4536) - xen: Memory mapping failure DoS vulnerability (XSA 22). (CVE-2012-4537) - xen: Unhooking empty PAE entries DoS vulnerability (XSA 23). (CVE-2012-4538) - xen: Grant table hypercall infinite loop DoS vulnerability (XSA 24). (CVE-2012-4539) - xen: multiple TMEM hypercall vulnerabilities (XSA-15) Also the following bugs have been fixed and upstream patches have been applied:. (CVE-2012-3497) - L3: Xen BUG at io_apic.c:129 26102-x86-IOAPIC-legacy-not-first.patch. (bnc#784087) - Upstream patches merged: 26054-x86-AMD-perf-ctr-init.patch 26055-x86-oprof-hvm-mode.patch 26056-page-alloc-flush-filter.patch 26061-x86-oprof-counter-range.patch 26062-ACPI-ERST-move-data.patch 26063-x86-HPET-affinity-lock.patch 26093-HVM-PoD-grant-mem-type.patch 25931-x86-domctl-iomem-mapping-checks.patch 25952-x86-MMIO-remap-permissions.patch 25808-domain_create-return-value.patch 25814-x86_64-set-debugreg-guest.patch 25815-x86-PoD-no-bug-in-non-translated.patch 25816-x86-hvm-map-pirq-range-check.patch 25833-32on64-bogus-pt_base-adjust.patch 25834-x86-S3-MSI-resume.patch 25835-adjust-rcu-lock-domain.patch 25836-VT-d-S3-MSI-resume.patch 25850-tmem-xsa-15-1.patch 25851-tmem-xsa-15-2.patch 25852-tmem-xsa-15-3.patch 25853-tmem-xsa-15-4.patch 25854-tmem-xsa-15-5.patch 25855-tmem-xsa-15-6.patch 25856-tmem-xsa-15-7.patch 25857-tmem-xsa-15-8.patch 25858-tmem-xsa-15-9.patch 25859-tmem-missing-break.patch 25860-tmem-cleanup.patch 25883-pt-MSI-cleanup.patch 25927-x86-domctl-ioport-mapping-range.patch 25929-tmem-restore-pool-version.patch - first XEN-PV VM fails to spawn xend: Increase wait time for disk to appear in host bootloader Modified existing xen-domUloader.diff. (bnc#778105) 25752-ACPI-pm-op-valid-cpu.patch 25754-x86-PoD-early-access.patch 25755-x86-PoD-types.patch 25756-x86-MMIO-max-mapped-pfn.patch last seen 2020-06-05 modified 2013-01-25 plugin id 64238 published 2013-01-25 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/64238 title SuSE 11.2 Security Update : Xen (SAT Patch Number 7018) NASL family SuSE Local Security Checks NASL id OPENSUSE-2012-812.NASL description This security update of XEN fixes various bugs and security issues. - Upstream patch 26088-xend-xml-filesize-check.patch - bnc#787163 - CVE-2012-4544: xen: Domain builder Out-of- memory due to malicious kernel/ramdisk (XSA 25) CVE-2012-4544-xsa25.patch - bnc#779212 - CVE-2012-4411: XEN / qemu: guest administrator can access qemu monitor console (XSA-19) CVE-2012-4411-xsa19.patch - bnc#786516 - CVE-2012-4535: xen: Timer overflow DoS vulnerability CVE-2012-4535-xsa20.patch - bnc#786518 - CVE-2012-4536: xen: pirq range check DoS vulnerability CVE-2012-4536-xsa21.patch - bnc#786517 - CVE-2012-4537: xen: Memory mapping failure DoS vulnerability CVE-2012-4537-xsa22.patch - bnc#786519 - CVE-2012-4538: xen: Unhooking empty PAE entries DoS vulnerability CVE-2012-4538-xsa23.patch - bnc#786520 - CVE-2012-4539: xen: Grant table hypercall infinite loop DoS vulnerability CVE-2012-4539-xsa24.patch - bnc#784087 - L3: Xen BUG at io_apic.c:129 26102-x86-IOAPIC-legacy-not-first.patch - Upstream patches from Jan 26054-x86-AMD-perf-ctr-init.patch 26055-x86-oprof-hvm-mode.patch 26056-page-alloc-flush-filter.patch 26061-x86-oprof-counter-range.patch 26062-ACPI-ERST-move-data.patch 26063-x86-HPET-affinity-lock.patch 26093-HVM-PoD-grant-mem-type.patch - Upstream patches from Jan 25931-x86-domctl-iomem-mapping-checks.patch 25952-x86-MMIO-remap-permissions.patch ------------------------------------------------------------------- Mon Sep 24 16:41:58 CEST 2012 - [email protected] - use BuildRequires: gcc46 only in sles11sp2 or 12.1 to fix build in 11.4 ------------------------------------------------------------------- Thu Sep 20 10:03:40 MDT 2012 - [email protected] - Upstream patches from Jan 25808-domain_create-return-value.patch 25814-x86_64-set-debugreg-guest.patch 25815-x86-PoD-no-bug-in-non-translated.patch 25816-x86-hvm-map-pirq-range-check.patch 25833-32on64-bogus-pt_base-adjust.patch 25834-x86-S3-MSI-resume.patch 25835-adjust-rcu-lock-domain.patch 25836-VT-d-S3-MSI-resume.patch 25850-tmem-xsa-15-1.patch 25851-tmem-xsa-15-2.patch 25852-tmem-xsa-15-3.patch 25853-tmem-xsa-15-4.patch 25854-tmem-xsa-15-5.patch 25855-tmem-xsa-15-6.patch 25856-tmem-xsa-15-7.patch 25857-tmem-xsa-15-8.patch 25858-tmem-xsa-15-9.patch 25859-tmem-missing-break.patch 25860-tmem-cleanup.patch 25883-pt-MSI-cleanup.patch 25927-x86-domctl-ioport-mapping-range.patch 25929-tmem-restore-pool-version.patch - bnc#778105 - first XEN-PV VM fails to spawn xend: Increase wait time for disk to appear in host bootloader Modified existing xen-domUloader.diff - Upstream patches from Jan 25752-ACPI-pm-op-valid-cpu.patch 25754-x86-PoD-early-access.patch 25755-x86-PoD-types.patch 25756-x86-MMIO-max-mapped-pfn.patch 25757-x86-EPT-PoD-1Gb-assert.patch 25764-x86-unknown-cpu-no-sysenter.patch 25765-x86_64-allow-unsafe-adjust.patch 25771-grant-copy-status-paged-out.patch 25773-x86-honor-no-real-mode.patch 25786-x86-prefer-multiboot-meminfo-over-e801.patch - bnc#777890 - CVE-2012-3497: xen: multiple TMEM hypercall vulnerabilities (XSA-15) CVE-2012-3497-tmem-xsa-15-1.patch CVE-2012-3497-tmem-xsa-15-2.patch CVE-2012-3497-tmem-xsa-15-3.patch CVE-2012-3497-tmem-xsa-15-4.patch CVE-2012-3497-tmem-xsa-15-5.patch CVE-2012-3497-tmem-xsa-15-6.patch CVE-2012-3497-tmem-xsa-15-7.patch CVE-2012-3497-tmem-xsa-15-8.patch CVE-2012-3497-tmem-xsa-15-9.patch tmem-missing-break.patch last seen 2020-06-05 modified 2014-06-13 plugin id 74821 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/74821 title openSUSE Security Update : XEN (openSUSE-SU-2012:1573-1) NASL family SuSE Local Security Checks NASL id SUSE_11_LIBVIRT-201211-121102.NASL description libvirt received security and bugfixes : - Fixed a libvirt remote denial of service (crash) problem. The following bugs have been fixed :. (CVE-2012-4423) - qemu: Fix probing for guest capabilities - xen-xm: Generate UUID if not specified - xenParseXM: don last seen 2020-06-05 modified 2013-01-25 plugin id 64201 published 2013-01-25 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/64201 title SuSE 11.2 Security Update : libvirt (SAT Patch Number 7015) NASL family SuSE Local Security Checks NASL id SUSE_SU-2014-0411-1.NASL description The SUSE Linux Enterprise Server 10 Service Pack 4 LTSS Xen hypervisor and toolset have been updated to fix various security issues. The following security issues have been addressed : - XSA-82: CVE-2013-6885: The microcode on AMD 16h 00h through 0Fh processors does not properly handle the interaction between locked instructions and write-combined memory types, which allows local users to cause a denial of service (system hang) via a crafted application, aka the errata 793 issue. (bnc#853049) - XSA-76: CVE-2013-4554: Xen 3.0.3 through 4.1.x (possibly 4.1.6.1), 4.2.x (possibly 4.2.3), and 4.3.x (possibly 4.3.1) does not properly prevent access to hypercalls, which allows local guest users to gain privileges via a crafted application running in ring 1 or 2. (bnc#849668) - XSA-73: CVE-2013-4494: Xen before 4.1.x, 4.2.x, and 4.3.x does not take the page_alloc_lock and grant_table.lock in the same order, which allows local guest administrators with access to multiple vcpus to cause a denial of service (host deadlock) via unspecified vectors. (bnc#848657) - XSA-67: CVE-2013-4368: The outs instruction emulation in Xen 3.1.x, 4.2.x, 4.3.x, and earlier, when using FS: or GS: segment override, uses an uninitialized variable as a segment base, which allows local 64-bit PV guests to obtain sensitive information (hypervisor stack content) via unspecified vectors related to stale data in a segment register. (bnc#842511) - XSA-63: CVE-2013-4355: Xen 4.3.x and earlier does not properly handle certain errors, which allows local HVM guests to obtain hypervisor stack memory via a (1) port or (2) memory mapped I/O write or (3) other unspecified operations related to addresses without associated memory. (bnc#840592) - XSA-55: CVE-2013-2196: Multiple unspecified vulnerabilities in the Elf parser (libelf) in Xen 4.2.x and earlier allow local guest administrators with certain permissions to have an unspecified impact via a crafted kernel, related to last seen 2020-06-05 modified 2015-05-20 plugin id 83614 published 2015-05-20 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/83614 title SUSE SLES10 Security Update : Xen (SUSE-SU-2014:0411-1) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2013-0241.NASL description Updated xen packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The xen packages contain administration tools and the xend service for managing the kernel-xen kernel for virtualization on Red Hat Enterprise Linux. A flaw was found in the way libxc, the Xen control library, handled excessively large kernel and ramdisk images when starting new guests. A privileged guest user in a para-virtualized guest (a DomU) could create a crafted kernel or ramdisk image that, when attempting to use it during guest start, could result in an out-of-memory condition in the privileged domain (the Dom0). (CVE-2012-4544) Red Hat would like to thank the Xen project for reporting this issue. All users of xen are advised to upgrade to these updated packages, which correct this issue. After installing the updated packages, the xend service must be restarted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 64511 published 2013-02-10 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/64511 title CentOS 5 : xen (CESA-2013:0241) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2636.NASL description Multiple vulnerabilities have been discovered in the Xen hypervisor. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2012-4544 Insufficient validation of kernel or ramdisk sizes in the Xen PV domain builder could result in denial of service. - CVE-2012-5511 Several HVM control operations performed insufficient validation of input, which could result in denial of service through resource exhaustion. - CVE-2012-5634 Incorrect interrupt handling when using VT-d hardware could result in denial of service. - CVE-2013-0153 Insufficient restriction of interrupt access could result in denial of service. last seen 2020-03-17 modified 2013-03-04 plugin id 64973 published 2013-03-04 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/64973 title Debian DSA-2636-2 : xen - several vulnerabilities NASL family SuSE Local Security Checks NASL id SUSE_SU-2012-1487-1.NASL description XEN received various security and bugfixes : - CVE-2012-4535: xen: Timer overflow DoS vulnerability (XSA-20) - CVE-2012-4537: xen: Memory mapping failure DoS vulnerability (XSA-22) The following additional bugs have been fixed : - bnc#784087 - L3: Xen BUG at io_apic.c:129 26102-x86-IOAPIC-legacy-not-first.patch - Upstream patches from Jan 25927-x86-domctl-ioport-mapping-range.patch 25931-x86-domctl-iomem-mapping-checks.patch 26061-x86-oprof-counter-range.patch 25431-x86-EDD-MBR-sig-check.patch 25480-x86_64-sysret-canonical.patch 25481-x86_64-AMD-erratum-121.patch 25485-x86_64-canonical-checks.patch 25587-param-parse-limit.patch 25589-pygrub-size-limits.patch 25744-hypercall-return-long.patch 25765-x86_64-allow-unsafe-adjust.patch 25773-x86-honor-no-real-mode.patch 25786-x86-prefer-multiboot-meminfo-over-e801.patch 25808-domain_create-return-value.patch 25814-x86_64-set-debugreg-guest.patch 24742-gnttab-misc.patch 25098-x86-emul-lock-UD.patch 25200-x86_64-trap-bounce-flags.patch 25271-x86_64-IST-index.patch bnc#651093 - win2k8 guests are unable to restore after saving the vms state ept-novell-x64.patch 23800-x86_64-guest-addr-range.patch 24168-x86-vioapic-clear-remote_irr.patch 24453-x86-vIRQ-IRR-TMR-race.patch 24456-x86-emul-lea.patch bnc#713555 - Unable to install RHEL 6.1 x86 as a paravirtualized guest OS on SLES 10 SP4 x86 vm-install-0.2.19.tar.bz2 Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2015-05-20 plugin id 83564 published 2015-05-20 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/83564 title SUSE SLED10 / SLES10 Security Update : Xen (SUSE-SU-2012:1487-1) NASL family Scientific Linux Local Security Checks NASL id SL_20130207_XEN_ON_SL5_X.NASL description A flaw was found in the way libxc, the Xen control library, handled excessively large kernel and ramdisk images when starting new guests. A privileged guest user in a para-virtualized guest (a DomU) could create a crafted kernel or ramdisk image that, when attempting to use it during guest start, could result in an out-of-memory condition in the privileged domain (the Dom0). (CVE-2012-4544) After installing the updated packages, the xend service must be restarted for this update to take effect. last seen 2020-03-18 modified 2013-02-08 plugin id 64499 published 2013-02-08 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/64499 title Scientific Linux Security Update : xen on SL5.x i386/x86_64 (20130207) NASL family SuSE Local Security Checks NASL id OPENSUSE-2012-811.NASL description This security update of XEN fixes various bugs and security issues. - Upstream patch 26088-xend-xml-filesize-check.patch - bnc#787163 - CVE-2012-4544: xen: Domain builder Out-of- memory due to malicious kernel/ramdisk (XSA 25) CVE-2012-4544-xsa25.patch - bnc#779212 - CVE-2012-4411: XEN / qemu: guest administrator can access qemu monitor console (XSA-19) CVE-2012-4411-xsa19.patch - bnc#786516 - CVE-2012-4535: xen: Timer overflow DoS vulnerability CVE-2012-4535-xsa20.patch - bnc#786518 - CVE-2012-4536: xen: pirq range check DoS vulnerability CVE-2012-4536-xsa21.patch - bnc#786517 - CVE-2012-4537: xen: Memory mapping failure DoS vulnerability CVE-2012-4537-xsa22.patch - bnc#786519 - CVE-2012-4538: xen: Unhooking empty PAE entries DoS vulnerability CVE-2012-4538-xsa23.patch - bnc#786520 - CVE-2012-4539: xen: Grant table hypercall infinite loop DoS vulnerability CVE-2012-4539-xsa24.patch - bnc#784087 - L3: Xen BUG at io_apic.c:129 26102-x86-IOAPIC-legacy-not-first.patch - Upstream patches from Jan 26054-x86-AMD-perf-ctr-init.patch 26055-x86-oprof-hvm-mode.patch 26056-page-alloc-flush-filter.patch 26061-x86-oprof-counter-range.patch 26062-ACPI-ERST-move-data.patch 26063-x86-HPET-affinity-lock.patch 26093-HVM-PoD-grant-mem-type.patch - Upstream patches from Jan 25931-x86-domctl-iomem-mapping-checks.patch 25952-x86-MMIO-remap-permissions.patch - Upstream patches from Jan 25808-domain_create-return-value.patch 25814-x86_64-set-debugreg-guest.patch 25815-x86-PoD-no-bug-in-non-translated.patch 25816-x86-hvm-map-pirq-range-check.patch 25833-32on64-bogus-pt_base-adjust.patch 25834-x86-S3-MSI-resume.patch 25835-adjust-rcu-lock-domain.patch 25836-VT-d-S3-MSI-resume.patch 25850-tmem-xsa-15-1.patch 25851-tmem-xsa-15-2.patch 25852-tmem-xsa-15-3.patch 25853-tmem-xsa-15-4.patch 25854-tmem-xsa-15-5.patch 25855-tmem-xsa-15-6.patch 25856-tmem-xsa-15-7.patch 25857-tmem-xsa-15-8.patch 25858-tmem-xsa-15-9.patch 25859-tmem-missing-break.patch 25860-tmem-cleanup.patch 25883-pt-MSI-cleanup.patch 25927-x86-domctl-ioport-mapping-range.patch 25929-tmem-restore-pool-version.patch - bnc#778105 - first XEN-PV VM fails to spawn xend: Increase wait time for disk to appear in host bootloader Modified existing xen-domUloader.diff - Upstream patches from Jan 25752-ACPI-pm-op-valid-cpu.patch 25754-x86-PoD-early-access.patch 25755-x86-PoD-types.patch 25756-x86-MMIO-max-mapped-pfn.patch 25757-x86-EPT-PoD-1Gb-assert.patch 25764-x86-unknown-cpu-no-sysenter.patch 25765-x86_64-allow-unsafe-adjust.patch 25771-grant-copy-status-paged-out.patch 25773-x86-honor-no-real-mode.patch 25786-x86-prefer-multiboot-meminfo-over-e801.patch - bnc#777890 - CVE-2012-3497: xen: multiple TMEM hypercall vulnerabilities (XSA-15) CVE-2012-3497-tmem-xsa-15-1.patch CVE-2012-3497-tmem-xsa-15-2.patch CVE-2012-3497-tmem-xsa-15-3.patch CVE-2012-3497-tmem-xsa-15-4.patch CVE-2012-3497-tmem-xsa-15-5.patch CVE-2012-3497-tmem-xsa-15-6.patch CVE-2012-3497-tmem-xsa-15-7.patch CVE-2012-3497-tmem-xsa-15-8.patch CVE-2012-3497-tmem-xsa-15-9.patch tmem-missing-break.patch last seen 2020-06-05 modified 2014-06-13 plugin id 74820 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/74820 title openSUSE Security Update : XEN (openSUSE-SU-2012:1572-1)
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| rpms |
|
References
- http://lists.fedoraproject.org/pipermail/package-announce/2012-November/091832.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-November/091844.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092050.html
- http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00008.html
- http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00009.html
- http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00017.html
- http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00018.html
- http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00015.html
- http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00000.html
- http://osvdb.org/86619
- http://rhn.redhat.com/errata/RHSA-2013-0241.html
- http://secunia.com/advisories/51071
- http://secunia.com/advisories/51324
- http://secunia.com/advisories/51352
- http://secunia.com/advisories/51413
- http://www.debian.org/security/2013/dsa-2636
- http://www.openwall.com/lists/oss-security/2012/10/26/3
- http://www.securityfocus.com/bid/56289
- http://www.securitytracker.com/id?1027699
- https://exchange.xforce.ibmcloud.com/vulnerabilities/79617