CVE-2012-5513 - Improper Input Validation vulnerability in XEN

CVSS 0.0 - NONE
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN

Tags: xen, CWE-20, nessus, exploit available

Summary

The XENMEM_exchange handler in Xen 4.2 and earlier does not properly check the memory address, which allows local PV guest OS administrators to cause a denial of service (crash) or possibly gain privileges via unspecified vectors that overwrite memory in the hypervisor reserved range.

Common Weakness Enumeration (CWE)

  • CWE-20: Improper Input Validation

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Server Side Include (SSI) Injection
    An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
  • Cross Zone Scripting
    An attacker is able to cause a victim to load content into their web browser that bypasses security zone controls and gains access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content they are allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attacker's content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and the less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter relates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
  • Cross Site Scripting through Log Files
    An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Some time later, an unscrupulous backend application (or a part of the same application's functionality) fetches the injected data stored in the database and uses it as command line arguments without performing proper validation. The malicious data escapes the data plane by spawning new commands to be executed on the host.

Exploit-Db

description: Xen - Broken Check in 'memory_exchange()' Permits PV Guest Breakout. CVE-2017-7228. Local exploit for Multiple platform. Tags: Local
file: exploits/multiple/local/41870.txt
id: EDB-ID:41870
last seen: 2017-04-12
modified: 2017-04-11
platform: multiple
port:
published: 2017-04-11
reporter: Exploit-DB
source: https://www.exploit-db.com/download/41870/
title: Xen - Broken Check in 'memory_exchange()' Permits PV Guest Breakout
type: local

Nessus

  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2012-1540.NASL
    description: Updated kernel packages that fix multiple security issues, two bugs, and add two enhancements are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. These packages contain the Linux kernel. Security fixes : * A race condition in the way asynchronous I/O and fallocate() interacted when using ext4 could allow a local, unprivileged user to obtain random data from a deleted file. (CVE-2012-4508, Important) * A flaw in the way the Xen hypervisor implementation range checked guest provided addresses in the XENMEM_exchange hypercall could allow a malicious, para-virtualized guest administrator to crash the hypervisor or, potentially, escalate their privileges, allowing them to execute arbitrary code at the hypervisor level. (CVE-2012-5513, Important) * A flaw in the Reliable Datagram Sockets (RDS) protocol implementation could allow a local, unprivileged user to cause a denial of service. (CVE-2012-2372, Moderate) * A race condition in the way access to inet->opt ip_options was synchronized in the Linux kernel
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 63171
    published: 2012-12-07
    reporter: This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/63171
    title: CentOS 5 : kernel (CESA-2012:1540)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2012-19717.NASL
    description: A guest can cause xen to crash [XSA-26, CVE-2012-5510] (#883082) An HVM guest can cause xen to run slowly or crash [XSA-27, CVE-2012-5511] (#883084) An HVM guest can cause xen to crash or leak information [XSA-28, CVE-2012-5512] (#883085) A PV guest can cause xen to crash and might be able to escalate privileges [XSA-29, CVE-2012-5513] (#883088) An HVM guest can cause xen to hang [XSA-30, CVE-2012-5514] (#883091) A guest can cause xen to hang [XSA-31, CVE-2012-5515] (#883092) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2012-12-13
    plugin id: 63252
    published: 2012-12-13
    reporter: This script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/63252
    title: Fedora 17 : xen-4.1.3-7.fc17 (2012-19717)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2012-19828.NASL
    description: A guest can cause xen to crash [XSA-26, CVE-2012-5510] (#883082) An HVM guest can cause xen to run slowly or crash [XSA-27, CVE-2012-5511] (#883084) An HVM guest can cause xen to crash or leak information [XSA-28, CVE-2012-5512] (#883085) A PV guest can cause xen to crash and might be able to escalate privileges [XSA-29, CVE-2012-5513] (#883088) An HVM guest can cause xen to hang [XSA-30, CVE-2012-5514] (#883091) A guest can cause xen to hang [XSA-31, CVE-2012-5515] (#883092) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2012-12-17
    plugin id: 63275
    published: 2012-12-17
    reporter: This script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/63275
    title: Fedora 16 : xen-4.1.3-6.fc16 (2012-19828)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2014-0446-1.NASL
    description: The SUSE Linux Enterprise Server 11 Service Pack 1 LTSS Xen hypervisor and toolset have been updated to fix various security issues and some bugs. The following security issues have been addressed : XSA-84: CVE-2014-1894: Xen 3.2 (and presumably earlier) exhibit both problems with the overflow issue being present for more than just the suboperations listed above. (bnc#860163) XSA-84: CVE-2014-1892 CVE-2014-1893: Xen 3.3 through 4.1, while not affected by the above overflow, have a different overflow issue on FLASK_{GET,SET}BOOL and expose unreasonably large memory allocation to arbitrary guests. (bnc#860163) XSA-84: CVE-2014-1891: The FLASK_{GET,SET}BOOL, FLASK_USER and FLASK_CONTEXT_TO_SID suboperations of the flask hypercall are vulnerable to an integer overflow on the input size. The hypercalls attempt to allocate a buffer which is 1 larger than this size and is therefore vulnerable to integer overflow and an attempt to allocate then access a zero byte buffer. (bnc#860163) XSA-82: CVE-2013-6885: The microcode on AMD 16h 00h through 0Fh processors does not properly handle the interaction between locked instructions and write-combined memory types, which allows local users to cause a denial of service (system hang) via a crafted application, aka the errata 793 issue. (bnc#853049) XSA-76: CVE-2013-4554: Xen 3.0.3 through 4.1.x (possibly 4.1.6.1), 4.2.x (possibly 4.2.3), and 4.3.x (possibly 4.3.1) does not properly prevent access to hypercalls, which allows local guest users to gain privileges via a crafted application running in ring 1 or 2. (bnc#849668) XSA-74: CVE-2013-4553: The XEN_DOMCTL_getmemlist hypercall in Xen 3.4.x through 4.3.x (possibly 4.3.1) does not always obtain the page_alloc_lock and mm_rwlock in the same order, which allows local guest administrators to cause a denial of service (host deadlock). (bnc#849667) XSA-73: CVE-2013-4494: Xen before 4.1.x, 4.2.x, and 4.3.x does not take the page_alloc_lock and grant_table.lock in the same order, which allows local guest administrators with access to multiple vcpus to cause a denial of service (host deadlock) via unspecified vectors. (bnc#848657) XSA-67: CVE-2013-4368: The outs instruction emulation in Xen 3.1.x, 4.2.x, 4.3.x, and earlier, when using FS: or GS: segment override, uses an uninitialized variable as a segment base, which allows local 64-bit PV guests to obtain sensitive information (hypervisor stack content) via unspecified vectors related to stale data in a segment register. (bnc#842511) XSA-66: CVE-2013-4361: The fbld instruction emulation in Xen 3.3.x through 4.3.x does not use the correct variable for the source effective address, which allows local HVM guests to obtain hypervisor stack information by reading the values used by the instruction. (bnc#841766) XSA-63: CVE-2013-4355: Xen 4.3.x and earlier does not properly handle certain errors, which allows local HVM guests to obtain hypervisor stack memory via a (1) port or (2) memory mapped I/O write or (3) other unspecified operations related to addresses without associated memory. (bnc#840592) XSA-62: CVE-2013-1442: Xen 4.0 through 4.3.x, when using AVX or LWP capable CPUs, does not properly clear previous data from registers when using an XSAVE or XRSTOR to extend the state components of a saved or restored vCPU after touching other restored extended registers, which allows local guest OSes to obtain sensitive information by reading the registers. (bnc#839596) XSA-61: CVE-2013-4329: The xenlight library (libxl) in Xen 4.0.x through 4.2.x, when IOMMU is disabled, provides access to a busmastering-capable PCI passthrough device before the IOMMU setup is complete, which allows local HVM guest domains to gain privileges or cause a denial of service via a DMA instruction. (bnc#839618) XSA-60: CVE-2013-2212: The vmx_set_uc_mode function in Xen 3.3 through 4.3, when disabling caches, allows local HVM guests with access to memory mapped I/O regions to cause a denial of service (CPU consumption and possibly hypervisor or guest kernel panic) via a crafted GFN range. (bnc#831120) XSA-58: CVE-2013-1918: Certain page table manipulation operations in Xen 4.1.x, 4.2.x, and earlier are not preemptible, which allows local PV kernels to cause a denial of service via vectors related to
    last seen: 2020-06-05
    modified: 2015-05-20
    plugin id: 83616
    published: 2015-05-20
    reporter: This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/83616
    title: SUSE SLES11 Security Update : Xen (SUSE-SU-2014:0446-1)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2014-0470-1.NASL
    description: The SUSE Linux Enterprise 10 Service Pack 3 LTSS Xen hypervisor and toolset have been updated to fix various security issues : The following security issues have been addressed : XSA-20: CVE-2012-4535: Xen 3.4 through 4.2, and possibly earlier versions, allows local guest OS administrators to cause a denial of service (Xen infinite loop and physical CPU consumption) by setting a VCPU with an
    last seen: 2020-06-05
    modified: 2015-05-20
    plugin id: 83617
    published: 2015-05-20
    reporter: This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/83617
    title: SUSE SLES10 Security Update : Xen (SUSE-SU-2014:0470-1)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2013-310.NASL
    description: XEN was updated to fix various bugs and security issues : Security issues fixed : - bnc#800275 - CVE-2013-0153: xen: interrupt remap entries shared and old ones not cleared on AMD IOMMUs - bnc#797523 - CVE-2012-6075: qemu / kvm-qemu: e1000 overflows under some conditions - bnc#797031 - Xen Security Advisory 37 (CVE-2013-0154) - Hypervisor crash due to incorrect ASSERT (debug build only) - bnc#794316 - CVE-2012-5634: xen: VT-d interrupt remapping source validation flaw (XSA-33) Bugs fixed : - Upstream patches from Jan 26536-xenoprof-div-by-0.patch 26578-AMD-IOMMU-replace-BUG_ON.patch 26656-x86-fix-null-pointer-dereference-in-intel_get_extended_msrs.patch 26659-AMD-IOMMU-erratum-746-workaround.patch 26660-x86-fix-CMCI-injection.patch 26672-vmx-fix-handling-of-NMI-VMEXIT.patch 26673-Avoid-stale-pointer-when-moving-domain-to-another-cpupool.patch 26676-fix-compat-memory-exchange-op-splitting.patch 26677-x86-make-certain-memory-sub-ops-return-valid-values.patch 26678-SEDF-avoid-gathering-vCPU-s-on-pCPU0.patch 26679-x86-defer-processing-events-on-the-NMI-exit-path.patch 26683-credit1-Use-atomic-bit-operations-for-the-flags-structure.patch 26692-x86-MSI-fully-protect-MSI-X-table.patch - bnc#805094 - xen hot plug attach/detach fails modified blktap-pv-cdrom.patch - bnc#802690 - domain locking can prevent a live migration from completing modified xend-domain-lock.patch - bnc#797014 - no way to control live migrations 26547-tools-xc_fix_logic_error_in_stdiostream_progress.patch 26548-tools-xc_handle_tty_output_differently_in_stdiostream_progress.patch 26549-tools-xc_turn_XCFLAGS__into_shifts.patch 26550-tools-xc_restore_logging_in_xc_save.patch 26551-tools-xc_log_pid_in_xc_save-xc_restore_output.patch 26675-tools-xentoollog_update_tty_detection_in_stdiostream_progress.patch xen.migrate.tools-xc_print_messages_from_xc_save_with_xc_report.patch xen.migrate.tools-xc_document_printf_calls_in_xc_restore.patch xen.migrate.tools-xc_rework_xc_save.cswitch_qemu_logdirty.patch xen.migrate.tools_set_migration_constraints_from_cmdline.patch xen.migrate.tools_add_xm_migrate_--log_progress_option.patch - remove old patches: xen.xc.progress.patch xen.xc_save.details.patch xen.migration.abort_if_busy.patch - bnc#806736: enabling xentrace crashes hypervisor 26686-xentrace_fix_off-by-one_in_calculate_tbuf_size.patch - Upstream patches from Jan 26287-sched-credit-pick-idle.patch 26501-VMX-simplify-CR0-update.patch 26502-VMX-disable-SMEP-when-not-paging.patch 26516-ACPI-parse-table-retval.patch (Replaces CVE-2013-0153-xsa36.patch) 26517-AMD-IOMMU-clear-irtes.patch (Replaces CVE-2013-0153-xsa36.patch) 26518-AMD-IOMMU-disable-if-SATA-combined-mode.patch (Replaces CVE-2013-0153-xsa36.patch) 26519-AMD-IOMMU-perdev-intremap-default.patch (Replaces CVE-2013-0153-xsa36.patch) 26526-pvdrv-no-devinit.patch 26531-AMD-IOMMU-IVHD-special-missing.patch (Replaces CVE-2013-0153-xsa36.patch) - bnc#798188 - Add $network to xend initscript dependencies - bnc#797014 - no way to control live migrations - fix logic error in stdiostream_progress xen.xc.progress.patch - restore logging in xc_save xen.xc_save.details.patch - add options to control migration tunables --max_iters, --max_factor, --abort_if_busy xen.migration.abort_if_busy.patch - bnc#799694 - Unable to dvd or cdrom-boot DomU after xen-tools update Fixed with update to Xen version 4.1.4 - bnc#800156 - L3: HP iLo Generate NMI function not working in XEN kernel 26440-x86-forward-SERR.patch - Upstream patches from Jan 26404-x86-forward-both-NMI-kinds.patch 26427-x86-AMD-enable-WC+.patch - bnc#793927 - Xen VMs with more than 2 disks randomly fail to start 25590-hotplug-locking.patch 25595-hotplug-locking.patch 26079-hotplug-locking.patch - Upstream patches from Jan 26332-x86-compat-show-guest-stack-mfn.patch 26333-x86-get_page_type-assert.patch (Replaces CVE-2013-0154-xsa37.patch) 26340-VT-d-intremap-verify-legacy-bridge.patch (Replaces CVE-2012-5634-xsa33.patch) 26370-libxc-x86-initial-mapping-fit.patch - Update to Xen 4.1.4 c/s 23432 - Update xenpaging.guest-memusage.patch add rule for xenmem to avoid spurious build failures - Upstream patches from Jan 26179-PCI-find-next-cap.patch 26183-x86-HPET-masking.patch 26188-x86-time-scale-asm.patch 26200-IOMMU-debug-verbose.patch 26203-x86-HAP-dirty-vram-leak.patch 26229-gnttab-version-switch.patch (Replaces CVE-2012-5510-xsa26.patch) 26230-x86-HVM-limit-batches.patch (Replaces CVE-2012-5511-xsa27.patch) 26231-memory-exchange-checks.patch (Replaces CVE-2012-5513-xsa29.patch) 26232-x86-mark-PoD-error-path.patch (Replaces CVE-2012-5514-xsa30.patch) 26233-memop-order-checks.patch (Replaces CVE-2012-5515-xsa31.patch) 26235-IOMMU-ATS-max-queue-depth.patch 26272-x86-EFI-makefile-cflags-filter.patch 26294-x86-AMD-Fam15-way-access-filter.patch CVE-2013-0154-xsa37.patch - Restore c/s 25751 in 23614-x86_64-EFI-boot.patch. Modify the EFI Makefile to do additional filtering. EFI-makefile-cflags-filter.patch
    last seen: 2020-06-05
    modified: 2014-06-13
    plugin id: 74966
    published: 2014-06-13
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/74966
    title: openSUSE Security Update : xen (openSUSE-SU-2013:0636-1)
  • NASL family: OracleVM Local Security Checks
    NASL id: ORACLEVM_OVMSA-2015-0068.NASL
    description: The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2015-0068 for details.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 84140
    published: 2015-06-12
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/84140
    title: OracleVM 3.2 : xen (OVMSA-2015-0068) (POODLE) (Venom)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201309-24.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201309-24 (Xen: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Xen. Please review the CVE identifiers referenced below for details. Impact : Guest domains could possibly gain privileges, execute arbitrary code, or cause a Denial of Service on the host domain (Dom0). Additionally, guest domains could gain information about other virtual machines running on the same host or read arbitrary files on the host. Workaround : The CVEs listed below do not currently have fixes, but only apply to Xen setups which have "tmem" specified on the hypervisor command line. TMEM is not currently supported for use in production systems, and administrators using tmem should disable it. Relevant CVEs: * CVE-2012-2497 * CVE-2012-6030 * CVE-2012-6031 * CVE-2012-6032 * CVE-2012-6033 * CVE-2012-6034 * CVE-2012-6035 * CVE-2012-6036
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 70184
    published: 2013-09-28
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/70184
    title: GLSA-201309-24 : Xen: Multiple vulnerabilities
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_XEN-8379.NASL
    description: This update fixes the following security issues in xen : - XENMEM_exchange may overwrite hypervisor memory (XSA-29). (CVE-2012-5513) - Several memory hypercall operations allow invalid extent order values (XSA-31). (CVE-2012-5515) Also the following bugs have been fixed and upstream patches have been applied: 26134-x86-shadow-invlpg-check.patch
    last seen: 2020-06-05
    modified: 2012-12-05
    plugin id: 63153
    published: 2012-12-05
    reporter: This script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/63153
    title: SuSE 10 Security Update : Xen (ZYPP Patch Number 8379)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2012-19652.NASL
    description: A guest can cause xen to crash [XSA-26, CVE-2012-5510] (#883082) An HVM guest can cause xen to run slowly or crash [XSA-27, CVE-2012-5511] (#883084) A PV guest can cause xen to crash and might be able to escalate privileges [XSA-29, CVE-2012-5513] (#883088) An HVM guest can cause xen to hang [XSA-30, CVE-2012-5514] (#883091) A guest can cause xen to hang [XSA-31, CVE-2012-5515] (#883092) A PV guest can cause xen to crash and might be able to escalate privileges [XSA-32, CVE-2012-5525] (#883094) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2012-12-12
    plugin id: 63239
    published: 2012-12-12
    reporter: This script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/63239
    title: Fedora 18 : xen-4.2.0-6.fc18 (2012-19652)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2013-6723.NASL
    description: - Thu Apr 25 2013 Michael Young <m.a.young at durham.ac.uk> - 4.1.5-1 - update to xen-4.1.5 includes fixes for passed through IRQs or PCI devices might allow denial of service attack [XSA-46, CVE-2013-1919] (#953568) SYSENTER in 32-bit PV guests on 64-bit xen can crash hypervisor [XSA-44, CVE-2013-1917] (#953569) grant releases can release more than intended potentially crashing xen [XSA-50, CVE-2013-1964] (#953632) - remove patches that are included in 4.1.5 - allow xendomains to work with xl saved images - Thu Apr 4 2013 Michael Young <m.a.young at durham.ac.uk> - 4.1.4-7 - make xendomains systemd script executable (#919705) - Potential use of freed memory in event channel operations [XSA-47, CVE-2013-1920] - Fri Feb 22 2013 Michael Young <m.a.young at durham.ac.uk> - 4.1.4-6 - patch for [XSA-36, CVE-2013-0153] can cause boot time crash - backport the fixes discovered when building with gcc 4.8 - Fri Feb 15 2013 Michael Young <m.a.young at durham.ac.uk> - 4.1.4-5 - patch for [XSA-38, CVE-2013-0215] was flawed - Wed Feb 6 2013 Michael Young <m.a.young at durham.ac.uk> - 4.1.4-4 - guest using oxenstored can crash host or exhaust memory [XSA-38, CVE-2013-0215] (#907888) - guest using AMD-Vi for PCI passthrough can cause denial of service [XSA-36, CVE-2013-0153] (#910914) - Thu Jan 17 2013 Michael Young <m.a.young at durham.ac.uk> - 4.1.4-3 - Buffer overflow when processing large packets in qemu e1000 device driver [XSA-41, CVE-2012-6075] (#910845) - fix a bug introduced by fix for XSA-27 - Fri Jan 11 2013 Michael Young <m.a.young at durham.ac.uk> - 4.1.4-2 - VT-d interrupt remapping source validation flaw [XSA-33, CVE-2012-5634] (#893568) - Tue Dec 18 2012 Michael Young <m.a.young at durham.ac.uk> - 4.1.4-1 - update to xen-4.1.4 - remove patches that are included in 4.1.4 - Tue Dec 4 2012 Michael Young <m.a.young at durham.ac.uk> - 4.1.3-7 - 6 security fixes A guest can cause xen to crash [XSA-26, CVE-2012-5510] (#883082) An HVM guest can cause xen to run slowly or crash [XSA-27, CVE-2012-5511] (#883084) An HVM guest can cause xen to crash or leak information [XSA-28, CVE-2012-5512] (#883085) A PV guest can cause xen to crash and might be able to escalate privileges [XSA-29, CVE-2012-5513] (#883088) An HVM guest can cause xen to hang [XSA-30, CVE-2012-5514] (#883091) A guest can cause xen to hang [XSA-31, CVE-2012-5515] (#883092) - Tue Nov 13 2012 Michael Young <m.a.young at durham.ac.uk> - 4.1.3-6 - 5 security fixes A guest can block a cpu by setting a bad VCPU deadline [XSA 20, CVE-2012-4535] (#876198) [plus 60 lines in the Changelog] Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2013-05-05
    plugin id: 66321
    published: 2013-05-05
    reporter: This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/66321
    title: Fedora 17 : xen-4.1.5-1.fc17 (2013-6723)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2012-869.NASL
    description: XEN was updated to fix various denial of service issues. - bnc#789945 - CVE-2012-5510: xen: Grant table version switch list corruption vulnerability (XSA-26) - bnc#789944 - CVE-2012-5511: xen: Several HVM operations do not validate the range of their inputs (XSA-27) - bnc#789940 - CVE-2012-5512: xen: HVMOP_get_mem_access crash / HVMOP_set_mem_access information leak (XSA-28) - bnc#789951 - CVE-2012-5513: xen: XENMEM_exchange may overwrite hypervisor memory (XSA-29) - bnc#789948 - CVE-2012-5514: xen: Missing unlock in guest_physmap_mark_populate_on_demand() (XSA-30) - bnc#789950 - CVE-2012-5515: xen: Several memory hypercall operations allow invalid extent order values (XSA-31) - bnc#789988 - FATAL PAGE FAULT in hypervisor (arch_do_domctl) - Upstream patches from Jan 26132-tmem-save-NULL-check.patch 26134-x86-shadow-invlpg-check.patch 26148-vcpu-timer-overflow.patch (Replaces CVE-2012-4535-xsa20.patch) 26149-x86-p2m-physmap-error-path.patch (Replaces CVE-2012-4537-xsa22.patch) 26150-x86-shadow-unhook-toplevel-check.patch (Replaces CVE-2012-4538-xsa23.patch) - bnc#777628 - guest
    last seen: 2020-06-05
    modified: 2014-06-13
    plugin id: 74850
    published: 2014-06-13
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/74850
    title: openSUSE Security Update : xen (openSUSE-SU-2012:1687-1)
  • NASL family: OracleVM Local Security Checks
    NASL id: ORACLEVM_OVMSA-2012-0058.NASL
    description: The remote OracleVM system is missing necessary patches to address critical security updates : XSA-27: hvm: Limit the size of large HVM op batches [orabug 15907978] (CVE-2012-5511) XSA-29: add missing guest address range checks to XENMEM_exchange handlers [orabug 15907996] (CVE-2012-5513) XSA-30: xen: fix error handling of guest_physmap_mark_populate_on_demand [orabug 15908008] (CVE-2012-5514) XSA-31: memop: limit guest specified extent order [orabug 15908028] (CVE-2012-5515)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 79492
    published: 2014-11-26
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/79492
    title: OracleVM 2.2 : xen (OVMSA-2012-0058)
  • NASL family: OracleVM Local Security Checks
    NASL id: ORACLEVM_OVMSA-2012-0056.NASL
    description: The remote OracleVM system is missing necessary patches to address critical security updates : - xen: fix error handling of guest_physmap_mark_populate_on_demand The only user of the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 79490
    published: 2014-11-26
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/79490
    title: OracleVM 3.0 : xen (OVMSA-2012-0056)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2012-1606-1.NASL
    description: This update fixes the following security issues in xen : - CVE-2012-5513: XENMEM_exchange may overwrite hypervisor memory (XSA-29) - CVE-2012-5515: Several memory hypercall operations allow invalid extent order values (XSA-31) Also the following bugs have been fixed and upstream patches have been applied: 26134-x86-shadow-invlpg-check.patch Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2015-05-20
    plugin id: 83569
    published: 2015-05-20
    reporter: This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/83569
    title: SUSE SLED10 / SLES10 Security Update : Xen (SUSE-SU-2012:1606-1)
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2012-1540.NASL
    description: From Red Hat Security Advisory 2012:1540 : Updated kernel packages that fix multiple security issues, two bugs, and add two enhancements are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. These packages contain the Linux kernel. Security fixes : * A race condition in the way asynchronous I/O and fallocate() interacted when using ext4 could allow a local, unprivileged user to obtain random data from a deleted file. (CVE-2012-4508, Important) * A flaw in the way the Xen hypervisor implementation range checked guest provided addresses in the XENMEM_exchange hypercall could allow a malicious, para-virtualized guest administrator to crash the hypervisor or, potentially, escalate their privileges, allowing them to execute arbitrary code at the hypervisor level. (CVE-2012-5513, Important) * A flaw in the Reliable Datagram Sockets (RDS) protocol implementation could allow a local, unprivileged user to cause a denial of service. (CVE-2012-2372, Moderate) * A race condition in the way access to inet->opt ip_options was synchronized in the Linux kernel
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 68663
    published: 2013-07-12
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/68663
    title: Oracle Linux 5 : kernel (ELSA-2012-1540)
  • NASL family: OracleVM Local Security Checks
    NASL id: ORACLEVM_OVMSA-2012-0057.NASL
    description: The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2012-0057 for details.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 79491
    published: 2014-11-26
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/79491
    title: OracleVM 3.1 : xen (OVMSA-2012-0057)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_XEN-121205.NASL
    description: This update fixes the following security issues in xen :
    - Grant table version switch list corruption vulnerability (XSA-26). (CVE-2012-5510)
    - Several HVM operations do not validate the range of their inputs (XSA-27). (CVE-2012-5511)
    - HVMOP_get_mem_access crash / HVMOP_set_mem_access information leak (XSA-28). (CVE-2012-5512)
    - XENMEM_exchange may overwrite hypervisor memory (XSA-29). (CVE-2012-5513)
    - Missing unlock in guest_physmap_mark_populate_on_demand() (XSA-30). (CVE-2012-5514)
    - Several memory hypercall operations allow invalid extent order values (XSA-31). (CVE-2012-5515)
    Also the following bugs have been fixed and upstream patches have been applied:
    - FATAL PAGE FAULT in hypervisor (arch_do_domctl)
    - 25931-x86-domctl-iomem-mapping-checks.patch
    - 26132-tmem-save-NULL-check.patch
    - 26134-x86-shadow-invlpg-check.patch
    - 26148-vcpu-timer-overflow.patch (Replaces CVE-2012-4535-xsa20.patch)
    - 26149-x86-p2m-physmap-error-path.patch (Replaces CVE-2012-4537-xsa22.patch)
    - 26150-x86-shadow-unhook-toplevel-check.patch (Replaces CVE-2012-4538-xsa23.patch)
    - 26151-gnttab-compat-get-status-frames.patch (Replaces CVE-2012-4539-xsa24.patch)
    - efi files missing in latest XEN update. (bnc#792476)
    last seen: 2020-06-05
    modified: 2013-01-25
    plugin id: 64232
    published: 2013-01-25
    reporter: This script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/64232
    title: SuSE 11.2 Security Update : Xen (SAT Patch Number 7133)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-2582.NASL
    description: Multiple denial of service vulnerabilities have been discovered in the Xen Hypervisor. One of the issues (CVE-2012-5513) could even lead to privilege escalation from guest to host. Some of the recently published Xen Security Advisories (XSA 25 and 28) are not fixed by this update and should be fixed in a future release.
    - CVE-2011-3131 (XSA 5): DoS using I/OMMU faults from PCI-passthrough guest. A VM that controls a PCI[E] device directly can cause it to issue DMA requests to invalid addresses. Although these requests are denied by the I/OMMU, the hypervisor needs to handle the interrupt and clear the error from the I/OMMU, and this can be used to live-lock a CPU and potentially hang the host.
    - CVE-2012-4535 (XSA 20): Timer overflow DoS vulnerability. A guest which sets a VCPU with an inappropriate deadline can cause an infinite loop in Xen, blocking the affected physical CPU indefinitely.
    - CVE-2012-4537 (XSA 22): Memory mapping failure DoS vulnerability. When set_p2m_entry fails, Xen
    last seen: 2020-03-17
    modified: 2012-12-09
    plugin id: 63188
    published: 2012-12-09
    reporter: This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/63188
    title: Debian DSA-2582-1 : xen - several vulnerabilities
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2012-1540-1.NASL
    description: From Red Hat Security Advisory 2012:1540 : Updated kernel packages that fix multiple security issues, two bugs, and add two enhancements are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. These packages contain the Linux kernel. Security fixes : * A race condition in the way asynchronous I/O and fallocate() interacted when using ext4 could allow a local, unprivileged user to obtain random data from a deleted file. (CVE-2012-4508, Important) * A flaw in the way the Xen hypervisor implementation range checked guest provided addresses in the XENMEM_exchange hypercall could allow a malicious, para-virtualized guest administrator to crash the hypervisor or, potentially, escalate their privileges, allowing them to execute arbitrary code at the hypervisor level. (CVE-2012-5513, Important) * A flaw in the Reliable Datagram Sockets (RDS) protocol implementation could allow a local, unprivileged user to cause a denial of service. (CVE-2012-2372, Moderate) * A race condition in the way access to inet->opt ip_options was synchronized in the Linux kernel
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 68662
    published: 2013-07-12
    reporter: This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/68662
    title: Oracle Linux 5 : kernel (ELSA-2012-1540-1)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2012-870.NASL
    description: This update of XEN fixes various denial of service bugs.
    - bnc#789945 - CVE-2012-5510: xen: Grant table version switch list corruption vulnerability (XSA-26)
    - bnc#789944 - CVE-2012-5511: xen: Several HVM operations do not validate the range of their inputs (XSA-27)
    - bnc#789940 - CVE-2012-5512: xen: HVMOP_get_mem_access crash / HVMOP_set_mem_access information leak (XSA-28)
    - bnc#789951 - CVE-2012-5513: xen: XENMEM_exchange may overwrite hypervisor memory (XSA-29)
    - bnc#789948 - CVE-2012-5514: xen: Missing unlock in guest_physmap_mark_populate_on_demand() (XSA-30)
    - bnc#789950 - CVE-2012-5515: xen: Several memory hypercall operations allow invalid extent order values (XSA-31)
    - bnc#789988 - FATAL PAGE FAULT in hypervisor (arch_do_domctl)
      25931-x86-domctl-iomem-mapping-checks.patch
    - Upstream patches from Jan
      26132-tmem-save-NULL-check.patch
      26134-x86-shadow-invlpg-check.patch
      26148-vcpu-timer-overflow.patch (Replaces CVE-2012-4535-xsa20.patch)
      26149-x86-p2m-physmap-error-path.patch (Replaces CVE-2012-4537-xsa22.patch)
      26150-x86-shadow-unhook-toplevel-check.patch (Replaces CVE-2012-4538-xsa23.patch)
      26151-gnttab-compat-get-status-frames.patch (Replaces CVE-2012-4539-xsa24.patch)
    - bnc#777628 - guest
    last seen: 2020-06-05
    modified: 2014-06-13
    plugin id: 74852
    published: 2014-06-13
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/74852
    title: openSUSE Security Update : xen (openSUSE-SU-2012:1685-1)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_XEN-130313.NASL
    description: XEN has been updated to fix various bugs and security issues :
    - (XSA 36) To avoid an erratum in early hardware, the Xen AMD IOMMU code by default chose to use a single interrupt remapping table for the whole system. This sharing implied that any guest with a passed through PCI device that is bus mastering capable can inject interrupts into other guests, including domain 0. This has been disabled for AMD chipsets not capable of it. (CVE-2013-0153)
    - qemu: The e1000 had overflows under some conditions, potentially corrupting memory. (CVE-2012-6075)
    - (XSA 37) Hypervisor crash due to incorrect ASSERT (debug build only). (CVE-2013-0154)
    - (XSA-33) A VT-d interrupt remapping source validation flaw was fixed. (CVE-2012-5634)
    Also the following bugs have been fixed :
    - xen hot plug attach/detach fails. (bnc#805094)
    - domain locking can prevent a live migration from completing. (bnc#802690)
    - no way to control live migrations. (bnc#797014)
    - fix logic error in stdiostream_progress
    - restore logging in xc_save
    - add options to control migration tunables
    - enabling xentrace crashes hypervisor. (bnc#806736)
    - Upstream patches from Jan
      26287-sched-credit-pick-idle.patch
      26501-VMX-simplify-CR0-update.patch
      26502-VMX-disable-SMEP-when-not-paging.patch
      26516-ACPI-parse-table-retval.patch (Replaces CVE-2013-0153-xsa36.patch)
      26517-AMD-IOMMU-clear-irtes.patch (Replaces CVE-2013-0153-xsa36.patch)
      26518-AMD-IOMMU-disable-if-SATA-combined-mode.patch (Replaces CVE-2013-0153-xsa36.patch)
      26519-AMD-IOMMU-perdev-intremap-default.patch (Replaces CVE-2013-0153-xsa36.patch)
      26526-pvdrv-no-devinit.patch
      26531-AMD-IOMMU-IVHD-special-missing.patch (Replaces CVE-2013-0153-xsa36.patch)
    - Add $network to xend initscript dependencies. (bnc#798188)
    - Unable to dvd or cdrom-boot DomU after xen-tools update. Fixed with update to Xen version 4.1.4. (bnc#799694)
    - L3: HP iLo Generate NMI function not working in XEN kernel. (bnc#800156)
    - Upstream patches from Jan
      26404-x86-forward-both-NMI-kinds.patch
      26427-x86-AMD-enable-WC+.patch
    - Xen VMs with more than 2 disks randomly fail to start. (bnc#793927)
    - Upstream patches from Jan
      26332-x86-compat-show-guest-stack-mfn.patch
      26333-x86-get_page_type-assert.patch (Replaces CVE-2013-0154-xsa37.patch)
      26340-VT-d-intremap-verify-legacy-bridge.patch (Replaces CVE-2012-5634-xsa33.patch)
      26370-libxc-x86-initial-mapping-fit.patch
    - Update to Xen 4.1.4 c/s 23432
    - Update xenpaging.guest-memusage.patch; add rule for xenmem to avoid spurious build failures
    - Upstream patches from Jan
      26179-PCI-find-next-cap.patch
      26183-x86-HPET-masking.patch
      26188-x86-time-scale-asm.patch
      26200-IOMMU-debug-verbose.patch
      26203-x86-HAP-dirty-vram-leak.patch
      26229-gnttab-version-switch.patch (Replaces CVE-2012-5510-xsa26.patch)
      26230-x86-HVM-limit-batches.patch (Replaces CVE-2012-5511-xsa27.patch)
      26231-memory-exchange-checks.patch (Replaces CVE-2012-5513-xsa29.patch)
      26232-x86-mark-PoD-error-path.patch (Replaces CVE-2012-5514-xsa30.patch)
      26233-memop-order-checks.patch (Replaces CVE-2012-5515-xsa31.patch)
      26235-IOMMU-ATS-max-queue-depth.patch
      26272-x86-EFI-makefile-cflags-filter.patch
      26294-x86-AMD-Fam15-way-access-filter.patch
      CVE-2013-0154-xsa37.patch
    - Restore c/s 25751 in 23614-x86_64-EFI-boot.patch. Modify the EFI Makefile to do additional filtering.
    last seen: 2020-06-05
    modified: 2013-04-04
    plugin id: 65797
    published: 2013-04-04
    reporter: This script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/65797
    title: SuSE 11.2 Security Update : Xen (SAT Patch Number 7492)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2013-311.NASL
    description: XEN was updated to fix various bugs and security issues :
    Security issues fixed :
    - bnc#800275 - CVE-2013-0153: xen: interrupt remap entries shared and old ones not cleared on AMD IOMMUs
    - bnc#797523 - CVE-2012-6075: qemu / kvm-qemu: e1000 overflows under some conditions
    - bnc#797031 - Xen Security Advisory 37 (CVE-2013-0154) - Hypervisor crash due to incorrect ASSERT (debug build only)
    - bnc#794316 - CVE-2012-5634: xen: VT-d interrupt remapping source validation flaw (XSA-33)
    Bugs fixed :
    - Upstream patches from Jan
      26536-xenoprof-div-by-0.patch
      26578-AMD-IOMMU-replace-BUG_ON.patch
      26656-x86-fix-null-pointer-dereference-in-intel_get_extended_msrs.patch
      26659-AMD-IOMMU-erratum-746-workaround.patch
      26660-x86-fix-CMCI-injection.patch
      26672-vmx-fix-handling-of-NMI-VMEXIT.patch
      26673-Avoid-stale-pointer-when-moving-domain-to-another-cpupool.patch
      26676-fix-compat-memory-exchange-op-splitting.patch
      26677-x86-make-certain-memory-sub-ops-return-valid-values.patch
      26678-SEDF-avoid-gathering-vCPU-s-on-pCPU0.patch
      26679-x86-defer-processing-events-on-the-NMI-exit-path.patch
      26683-credit1-Use-atomic-bit-operations-for-the-flags-structure.patch
      26692-x86-MSI-fully-protect-MSI-X-table.patch
    - bnc#805094 - xen hot plug attach/detach fails
      modified blktap-pv-cdrom.patch
    - bnc#802690 - domain locking can prevent a live migration from completing
      modified xend-domain-lock.patch
    - bnc#797014 - no way to control live migrations
      26547-tools-xc_fix_logic_error_in_stdiostream_progress.patch
      26548-tools-xc_handle_tty_output_differently_in_stdiostream_progress.patch
      26549-tools-xc_turn_XCFLAGS__into_shifts.patch
      26550-tools-xc_restore_logging_in_xc_save.patch
      26551-tools-xc_log_pid_in_xc_save-xc_restore_output.patch
      26675-tools-xentoollog_update_tty_detection_in_stdiostream_progress.patch
      xen.migrate.tools-xc_print_messages_from_xc_save_with_xc_report.patch
      xen.migrate.tools-xc_document_printf_calls_in_xc_restore.patch
      xen.migrate.tools-xc_rework_xc_save.cswitch_qemu_logdirty.patch
      xen.migrate.tools_set_migration_constraints_from_cmdline.patch
      xen.migrate.tools_add_xm_migrate_--log_progress_option.patch
    - remove old patches:
      xen.xc.progress.patch
      xen.xc_save.details.patch
      xen.migration.abort_if_busy.patch
    - bnc#806736: enabling xentrace crashes hypervisor
      26686-xentrace_fix_off-by-one_in_calculate_tbuf_size.patch
    - Upstream patches from Jan
      26287-sched-credit-pick-idle.patch
      26501-VMX-simplify-CR0-update.patch
      26502-VMX-disable-SMEP-when-not-paging.patch
      26516-ACPI-parse-table-retval.patch (Replaces CVE-2013-0153-xsa36.patch)
      26517-AMD-IOMMU-clear-irtes.patch (Replaces CVE-2013-0153-xsa36.patch)
      26518-AMD-IOMMU-disable-if-SATA-combined-mode.patch (Replaces CVE-2013-0153-xsa36.patch)
      26519-AMD-IOMMU-perdev-intremap-default.patch (Replaces CVE-2013-0153-xsa36.patch)
      26526-pvdrv-no-devinit.patch
      26531-AMD-IOMMU-IVHD-special-missing.patch (Replaces CVE-2013-0153-xsa36.patch)
    - bnc#798188 - Add $network to xend initscript dependencies
    - bnc#797014 - no way to control live migrations
      - fix logic error in stdiostream_progress: xen.xc.progress.patch
      - restore logging in xc_save: xen.xc_save.details.patch
      - add options to control migration tunables --max_iters, --max_factor, --abort_if_busy: xen.migration.abort_if_busy.patch
    - bnc#799694 - Unable to dvd or cdrom-boot DomU after xen-tools update. Fixed with update to Xen version 4.1.4
    - bnc#800156 - L3: HP iLo Generate NMI function not working in XEN kernel
      26440-x86-forward-SERR.patch
    - Upstream patches from Jan
      26404-x86-forward-both-NMI-kinds.patch
      26427-x86-AMD-enable-WC+.patch
    - bnc#793927 - Xen VMs with more than 2 disks randomly fail to start
      25590-hotplug-locking.patch
      25595-hotplug-locking.patch
      26079-hotplug-locking.patch
    - Upstream patches from Jan
      26332-x86-compat-show-guest-stack-mfn.patch
      26333-x86-get_page_type-assert.patch (Replaces CVE-2013-0154-xsa37.patch)
      26340-VT-d-intremap-verify-legacy-bridge.patch (Replaces CVE-2012-5634-xsa33.patch)
      26370-libxc-x86-initial-mapping-fit.patch
    - Update to Xen 4.1.4 c/s 23432
    - Update xenpaging.guest-memusage.patch; add rule for xenmem to avoid spurious build failures
    - Upstream patches from Jan
      26179-PCI-find-next-cap.patch
      26183-x86-HPET-masking.patch
      26188-x86-time-scale-asm.patch
      26200-IOMMU-debug-verbose.patch
      26203-x86-HAP-dirty-vram-leak.patch
      26229-gnttab-version-switch.patch (Replaces CVE-2012-5510-xsa26.patch)
      26230-x86-HVM-limit-batches.patch (Replaces CVE-2012-5511-xsa27.patch)
      26231-memory-exchange-checks.patch (Replaces CVE-2012-5513-xsa29.patch)
      26232-x86-mark-PoD-error-path.patch (Replaces CVE-2012-5514-xsa30.patch)
      26233-memop-order-checks.patch (Replaces CVE-2012-5515-xsa31.patch)
      26235-IOMMU-ATS-max-queue-depth.patch
      26272-x86-EFI-makefile-cflags-filter.patch
      26294-x86-AMD-Fam15-way-access-filter.patch
      CVE-2013-0154-xsa37.patch
    - Restore c/s 25751 in 23614-x86_64-EFI-boot.patch. Modify the EFI Makefile to do additional filtering.
      EFI-makefile-cflags-filter.patch
    last seen: 2020-06-05
    modified: 2014-06-13
    plugin id: 74967
    published: 2014-06-13
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/74967
    title: openSUSE Security Update : xen (openSUSE-SU-2013:0637-1)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20121204_KERNEL_ON_SL5_X.NASL
    description: Security fixes :
    - A race condition in the way asynchronous I/O and fallocate() interacted when using ext4 could allow a local, unprivileged user to obtain random data from a deleted file. (CVE-2012-4508, Important)
    - A flaw in the way the Xen hypervisor implementation range checked guest provided addresses in the XENMEM_exchange hypercall could allow a malicious, para-virtualized guest administrator to crash the hypervisor or, potentially, escalate their privileges, allowing them to execute arbitrary code at the hypervisor level. (CVE-2012-5513, Important)
    - A flaw in the Reliable Datagram Sockets (RDS) protocol implementation could allow a local, unprivileged user to cause a denial of service. (CVE-2012-2372, Moderate)
    - A race condition in the way access to inet->opt ip_options was synchronized in the Linux kernel
    last seen: 2020-03-18
    modified: 2012-12-07
    plugin id: 63183
    published: 2012-12-07
    reporter: This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/63183
    title: Scientific Linux Security Update : kernel on SL5.x i386/x86_64 (20121204)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2012-1540.NASL
    description: Updated kernel packages that fix multiple security issues, two bugs, and add two enhancements are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. These packages contain the Linux kernel. Security fixes : * A race condition in the way asynchronous I/O and fallocate() interacted when using ext4 could allow a local, unprivileged user to obtain random data from a deleted file. (CVE-2012-4508, Important) * A flaw in the way the Xen hypervisor implementation range checked guest provided addresses in the XENMEM_exchange hypercall could allow a malicious, para-virtualized guest administrator to crash the hypervisor or, potentially, escalate their privileges, allowing them to execute arbitrary code at the hypervisor level. (CVE-2012-5513, Important) * A flaw in the Reliable Datagram Sockets (RDS) protocol implementation could allow a local, unprivileged user to cause a denial of service. (CVE-2012-2372, Moderate) * A race condition in the way access to inet->opt ip_options was synchronized in the Linux kernel
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 63152
    published: 2012-12-05
    reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/63152
    title: RHEL 5 : kernel (RHSA-2012:1540)

Redhat

advisories
bugzilla
id: 877391
title: CVE-2012-5513 kernel: xen: XENMEM_exchange may overwrite hypervisor memory
oval
OR
  • comment: Red Hat Enterprise Linux must be installed
    oval: oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment: Red Hat Enterprise Linux 5 is installed
      oval: oval:com.redhat.rhba:tst:20070331005
    • OR
      • comment: kernel earlier than 0:2.6.18-308.24.1.el5 is currently running
        oval: oval:com.redhat.rhsa:tst:20121540025
      • comment: kernel earlier than 0:2.6.18-308.24.1.el5 is set to boot up on next boot
        oval: oval:com.redhat.rhsa:tst:20121540026
    • OR
      • AND
        • comment: kernel-xen is earlier than 0:2.6.18-308.24.1.el5
          oval: oval:com.redhat.rhsa:tst:20121540001
        • comment: kernel-xen is signed with Red Hat redhatrelease key
          oval: oval:com.redhat.rhba:tst:20080314018
      • AND
        • comment: kernel-xen-devel is earlier than 0:2.6.18-308.24.1.el5
          oval: oval:com.redhat.rhsa:tst:20121540003
        • comment: kernel-xen-devel is signed with Red Hat redhatrelease key
          oval: oval:com.redhat.rhba:tst:20080314020
      • AND
        • comment: kernel-devel is earlier than 0:2.6.18-308.24.1.el5
          oval: oval:com.redhat.rhsa:tst:20121540005
        • comment: kernel-devel is signed with Red Hat redhatrelease key
          oval: oval:com.redhat.rhba:tst:20080314016
      • AND
        • comment: kernel-debug is earlier than 0:2.6.18-308.24.1.el5
          oval: oval:com.redhat.rhsa:tst:20121540007
        • comment: kernel-debug is signed with Red Hat redhatrelease key
          oval: oval:com.redhat.rhba:tst:20080314014
      • AND
        • comment: kernel-headers is earlier than 0:2.6.18-308.24.1.el5
          oval: oval:com.redhat.rhsa:tst:20121540009
        • comment: kernel-headers is signed with Red Hat redhatrelease key
          oval: oval:com.redhat.rhba:tst:20080314006
      • AND
        • comment: kernel-debug-devel is earlier than 0:2.6.18-308.24.1.el5
          oval: oval:com.redhat.rhsa:tst:20121540011
        • comment: kernel-debug-devel is signed with Red Hat redhatrelease key
          oval: oval:com.redhat.rhba:tst:20080314004
      • AND
        • comment: kernel is earlier than 0:2.6.18-308.24.1.el5
          oval: oval:com.redhat.rhsa:tst:20121540013
        • comment: kernel is signed with Red Hat redhatrelease key
          oval: oval:com.redhat.rhba:tst:20080314008
      • AND
        • comment: kernel-PAE is earlier than 0:2.6.18-308.24.1.el5
          oval: oval:com.redhat.rhsa:tst:20121540015
        • comment: kernel-PAE is signed with Red Hat redhatrelease key
          oval: oval:com.redhat.rhba:tst:20080314024
      • AND
        • comment: kernel-PAE-devel is earlier than 0:2.6.18-308.24.1.el5
          oval: oval:com.redhat.rhsa:tst:20121540017
        • comment: kernel-PAE-devel is signed with Red Hat redhatrelease key
          oval: oval:com.redhat.rhba:tst:20080314022
      • AND
        • comment: kernel-kdump-devel is earlier than 0:2.6.18-308.24.1.el5
          oval: oval:com.redhat.rhsa:tst:20121540019
        • comment: kernel-kdump-devel is signed with Red Hat redhatrelease key
          oval: oval:com.redhat.rhba:tst:20080314012
      • AND
        • comment: kernel-kdump is earlier than 0:2.6.18-308.24.1.el5
          oval: oval:com.redhat.rhsa:tst:20121540021
        • comment: kernel-kdump is signed with Red Hat redhatrelease key
          oval: oval:com.redhat.rhba:tst:20080314010
      • AND
        • comment: kernel-doc is earlier than 0:2.6.18-308.24.1.el5
          oval: oval:com.redhat.rhsa:tst:20121540023
        • comment: kernel-doc is signed with Red Hat redhatrelease key
          oval: oval:com.redhat.rhba:tst:20080314002
rhsa
id: RHSA-2012:1540
released: 2012-12-04
severity: Important
title: RHSA-2012:1540: kernel security, bug fix, and enhancement update (Important)
rpms
  • kernel-0:2.6.18-308.24.1.el5
  • kernel-PAE-0:2.6.18-308.24.1.el5
  • kernel-PAE-debuginfo-0:2.6.18-308.24.1.el5
  • kernel-PAE-devel-0:2.6.18-308.24.1.el5
  • kernel-debug-0:2.6.18-308.24.1.el5
  • kernel-debug-debuginfo-0:2.6.18-308.24.1.el5
  • kernel-debug-devel-0:2.6.18-308.24.1.el5
  • kernel-debuginfo-0:2.6.18-308.24.1.el5
  • kernel-debuginfo-common-0:2.6.18-308.24.1.el5
  • kernel-devel-0:2.6.18-308.24.1.el5
  • kernel-doc-0:2.6.18-308.24.1.el5
  • kernel-headers-0:2.6.18-308.24.1.el5
  • kernel-kdump-0:2.6.18-308.24.1.el5
  • kernel-kdump-debuginfo-0:2.6.18-308.24.1.el5
  • kernel-kdump-devel-0:2.6.18-308.24.1.el5
  • kernel-xen-0:2.6.18-308.24.1.el5
  • kernel-xen-debuginfo-0:2.6.18-308.24.1.el5
  • kernel-xen-devel-0:2.6.18-308.24.1.el5

Seebug

bulletinFamily: exploit
description: Detailed analysis: [Pandavirtualization: Exploiting the Xen hypervisor](<https://googleprojectzero.blogspot.tw/2017/04/pandavirtualization-exploiting-xen.html>)

This bug report describes a vulnerability in memory_exchange() that permits PV guest kernels to write to an arbitrary virtual address with the hypervisor privileges. The vulnerability was introduced through a broken fix for CVE-2012-5513 / XSA-29.

The fix for CVE-2012-5513 / XSA-29 introduced the following check in the memory_exchange() hypercall handler:

```c
if ( !guest_handle_okay(exch.in.extent_start, exch.in.nr_extents) ||
     !guest_handle_okay(exch.out.extent_start, exch.out.nr_extents) )
{
    rc = -EFAULT;
    goto fail_early;
}
```

guest_handle_okay() calls array_access_ok(), which calls access_ok(), which is implemented as follows:

```c
/*
 * Valid if in +ve half of the 48-bit address space, or above
 * The Xen-reserved area.
 * This is also valid for range checks (addr, addr+size). As long
 * as the start address is outside the Xen-reserved area then we
 * will access a non-canonical address (and thus fault) before
 * ever reaching VIRT_START.
 */
#define __addr_ok(addr) \
    (((unsigned long)(addr) < (1UL<<47)) || \
     ((unsigned long)(addr) >= HYPERVISOR_VIRT_END))

#define access_ok(addr, size) \
    (__addr_ok(addr) || is_compat_arg_xlat_range(addr, size))
```

As the comment states, access_ok() only checks the address, not the size, if the address points to the guest memory, based on the assumption that any caller of access_ok() will access guest memory linearly, starting at the supplied address. Callers that want to access a subrange of the memory referenced by a guest handle are supposed to use guest_handle_subrange_okay(), which takes an additional start offset parameter, instead of guest_handle_okay(). memory_exchange() uses guest_handle_okay(), but only accesses the guest memory arrays referenced by exch.in.extent_start and exch.out.extent_start starting at exch.nr_exchanged, a 64-bit offset.

The intent behind exch.nr_exchanged is that guests always set it to 0 and the nonzero values are only set when a hypercall has to be restarted because of preemption, but this isn't enforced. Therefore, by invoking this hypercall with crafted arguments, it is possible to write to an arbitrary memory location that is encoded as exch.out.extent_start + 8 * exch.nr_exchanged where exch.out.extent_start points to guest memory and exch.nr_exchanged is an attacker-chosen 64-bit value.

I have attached a proof of concept. This PoC demonstrates the issue by overwriting the first 8 bytes of the IDT entry for #PF, causing the next pagefault to doublefault. To run the PoC, unpack it in a normal 64-bit PV domain and run the following commands in the domain as root:

```
root@pv-guest:~# cd crashpoc
root@pv-guest:~/crashpoc# make -C /lib/modules/$(uname -r)/build M=$(pwd)
make: Entering directory '/usr/src/linux-headers-4.4.0-66-generic'
  LD      /root/crashpoc/built-in.o
  CC [M]  /root/crashpoc/module.o
nasm -f elf64 -o /root/crashpoc/native.o /root/crashpoc/native.asm
  LD [M]  /root/crashpoc/test.o
  Building modules, stage 2.
  MODPOST 1 modules
WARNING: could not find /root/crashpoc/.native.o.cmd for /root/crashpoc/native.o
  CC      /root/crashpoc/test.mod.o
  LD [M]  /root/crashpoc/test.ko
make: Leaving directory '/usr/src/linux-headers-4.4.0-66-generic'
root@pv-guest:~/crashpoc# insmod test.ko
root@pv-guest:~/crashpoc# rmmod test
```

The machine on which I tested the PoC was running the Xen 4.6.0-1ubuntu4 (from Ubuntu 16.04.2). Executing the PoC caused the following console output:

```
(XEN) *** DOUBLE FAULT ***
(XEN) ----[ Xen-4.6.0  x86_64  debug=n  Tainted:    C ]----
(XEN) CPU:    0
(XEN) RIP:    e033:[<0000557b46f56860>] 0000557b46f56860
(XEN) RFLAGS: 0000000000010202   CONTEXT: hypervisor
(XEN) rax: 00007fffe9cfafd0   rbx: 00007fffe9cfd160   rcx: 0000557b47ebd040
(XEN) rdx: 0000000000000001   rsi: 0000000000000004   rdi: 0000557b47ec52e0
(XEN) rbp: 00007fffe9cfd158   rsp: 00007fffe9cfaf30   r8:  0000557b46f7df00
(XEN) r9:  0000557b46f7dec0   r10: 0000557b46f7df00   r11: 0000557b47ec5878
(XEN) r12: 0000557b47ebd040   r13: 00007fffe9cfb0c0   r14: 0000557b47ec52e0
(XEN) r15: 0000557b47ed5e70   cr0: 0000000080050033   cr4: 00000000001506a0
(XEN) cr3: 0000000098e2e000   cr2: 00007fffe9cfaf93
(XEN) ds: 0000   es: 0000   fs: 0000   gs: 0000   ss: e02b   cs: e033
(XEN)
(XEN) ****************************************
(XEN) Panic on CPU 0:
(XEN) DOUBLE FAULT -- system shutdown
(XEN) ****************************************
(XEN)
(XEN) Reboot in five seconds...
```

I strongly recommend changing the semantics of access_ok() so that it guarantees that any access to an address inside the specified range is valid. Alternatively, add some prefix, e.g. "UNSAFE_", to the names of access_ok() and appropriate wrappers to prevent people from using these functions improperly. Currently, in my opinion, the function name access_ok() is misleading.

I have not allocated a CVE number for this issue. When disclosing this issue, please credit me as "Jann Horn of Google Project Zero".

Attachment: [xen_memory_exchange_crashpoc.tar](<https://bugs.chromium.org/p/project-zero/issues/attachment?aid=275151>)
id: SSV:92927
last seen: 2017-11-19
modified: 2017-04-09
published: 2017-04-09
reporter: Root
title: Xen: broken check in memory_exchange() permits PV guest breakout (CVE-2017-7228)
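The following C is an added illustration (not part of the Seebug entry, the Project Zero report, or Xen's source) of the point the report makes: a start-address-only check such as the quoted __addr_ok() accepts a guest-side array base even when the handler then touches base + 8 * nr_exchanged, so the bytes actually accessed have to be range-checked. The HYPERVISOR_VIRT_START/HYPERVISOR_VIRT_END values are assumed from the x86-64 Xen layout and labelled as such in the code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not Xen's code. The two constants are assumed values for the
 * x86-64 Xen-reserved virtual range; the real ones live in Xen's headers.
 */
#define HYPERVISOR_VIRT_START UINT64_C(0xffff800000000000)
#define HYPERVISOR_VIRT_END   UINT64_C(0xffff880000000000)
#define ELEMENT_SIZE          UINT64_C(8)   /* one 64-bit extent entry */

/* Mirrors the __addr_ok() logic quoted in the report: start address only. */
static bool addr_ok(uint64_t addr)
{
    return addr < (UINT64_C(1) << 47) || addr >= HYPERVISOR_VIRT_END;
}

/*
 * Range-aware check: no byte of [addr, addr + size) may fall inside the
 * reserved area, and the end-of-range arithmetic must not wrap.
 */
static bool range_ok(uint64_t addr, uint64_t size)
{
    uint64_t last;

    if (size == 0)
        return addr_ok(addr);
    if (__builtin_add_overflow(addr, size - 1, &last))
        return false;                     /* range wraps the address space */
    return addr_ok(addr) &&
           (last < HYPERVISOR_VIRT_START || addr >= HYPERVISOR_VIRT_END);
}

/*
 * The address the handler actually accesses, as the report describes it:
 * extent_start + 8 * nr_exchanged. Returns false on arithmetic overflow.
 */
static bool effective_address(uint64_t base, uint64_t nr_exchanged, uint64_t *out)
{
    uint64_t off;

    if (__builtin_mul_overflow(nr_exchanged, ELEMENT_SIZE, &off))
        return false;
    return !__builtin_add_overflow(base, off, out);
}

/* What guest_handle_okay() amounts to here: the base is checked, the offset is not. */
static bool start_only_check(uint64_t base, uint64_t nr_extents, uint64_t nr_exchanged)
{
    (void)nr_extents;
    (void)nr_exchanged;                   /* the resume offset is ignored */
    return addr_ok(base);
}

/*
 * The subrange discipline the report asks for: the resume offset must lie
 * inside the declared array, and the bytes actually touched are range-checked.
 */
static bool subrange_check(uint64_t base, uint64_t nr_extents, uint64_t nr_exchanged)
{
    uint64_t addr, size;

    if (nr_exchanged >= nr_extents)
        return false;                     /* offset beyond the declared array */
    if (!effective_address(base, nr_exchanged, &addr))
        return false;
    if (__builtin_mul_overflow(nr_extents - nr_exchanged, ELEMENT_SIZE, &size))
        return false;
    return range_ok(addr, size);
}

int main(void)
{
    /* Constructed sample: a 4-entry guest-side array, a sane offset and an out-of-array one. */
    const uint64_t base = UINT64_C(0x00007f0000001000);
    const uint64_t nr_extents = 4;
    const uint64_t offsets[] = { 0, (HYPERVISOR_VIRT_START - base) / ELEMENT_SIZE };

    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++) {
        uint64_t addr = 0;

        effective_address(base, offsets[i], &addr);
        printf("nr_exchanged=%#llx touches %#llx: start-only %s, subrange %s\n",
               (unsigned long long)offsets[i], (unsigned long long)addr,
               start_only_check(base, nr_extents, offsets[i]) ? "accepts" : "rejects",
               subrange_check(base, nr_extents, offsets[i]) ? "accepts" : "rejects");
    }
    return 0;
}
```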