Vulnerabilities > CVE-2012-6032 - Numeric Errors vulnerability in XEN 4.0.0/4.1.0/4.2.0

047910
CVSS 4.9 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
COMPLETE
local
low complexity
xen
CWE-189
nessus

Summary

Multiple integer overflows in the (1) tmh_copy_from_client and (2) tmh_copy_to_client functions in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 allow local guest OS users to cause a denial of service (memory corruption and host crash) via unspecified vectors. NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others.

Vulnerable Configurations

Part Description Count
OS
Xen
3

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201309-24.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201309-24 (Xen: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Xen. Please review the CVE identifiers referenced below for details. Impact : Guest domains could possibly gain privileges, execute arbitrary code, or cause a Denial of Service on the host domain (Dom0). Additionally, guest domains could gain information about other virtual machines running on the same host or read arbitrary files on the host. Workaround : The CVEs listed below do not currently have fixes, but only apply to Xen setups which have “tmem” specified on the hypervisor command line. TMEM is not currently supported for use in production systems, and administrators using tmem should disable it. Relevant CVEs: * CVE-2012-2497 * CVE-2012-6030 * CVE-2012-6031 * CVE-2012-6032 * CVE-2012-6033 * CVE-2012-6034 * CVE-2012-6035 * CVE-2012-6036
    last seen2020-06-01
    modified2020-06-02
    plugin id70184
    published2013-09-28
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/70184
    titleGLSA-201309-24 : Xen: Multiple vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201309-24.
    #
    # The advisory text is Copyright (C) 2001-2019 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(70184);
      script_version("1.15");
      script_cvs_date("Date: 2019/08/12 17:35:38");
    
      script_cve_id("CVE-2011-2901", "CVE-2011-3262", "CVE-2012-0217", "CVE-2012-0218", "CVE-2012-2934", "CVE-2012-3432", "CVE-2012-3433", "CVE-2012-3494", "CVE-2012-3495", "CVE-2012-3496", "CVE-2012-3497", "CVE-2012-3498", "CVE-2012-3515", "CVE-2012-4411", "CVE-2012-4535", "CVE-2012-4536", "CVE-2012-4537", "CVE-2012-4538", "CVE-2012-4539", "CVE-2012-5510", "CVE-2012-5511", "CVE-2012-5512", "CVE-2012-5513", "CVE-2012-5514", "CVE-2012-5515", "CVE-2012-5525", "CVE-2012-5634", "CVE-2012-6030", "CVE-2012-6031", "CVE-2012-6032", "CVE-2012-6033", "CVE-2012-6034", "CVE-2012-6035", "CVE-2012-6036", "CVE-2012-6075", "CVE-2012-6333", "CVE-2013-0151", "CVE-2013-0152", "CVE-2013-0153", "CVE-2013-0154", "CVE-2013-0215", "CVE-2013-1432", "CVE-2013-1917", "CVE-2013-1918", "CVE-2013-1919", "CVE-2013-1920", "CVE-2013-1922", "CVE-2013-1952", "CVE-2013-1964", "CVE-2013-2076", "CVE-2013-2077", "CVE-2013-2078", "CVE-2013-2194", "CVE-2013-2195", "CVE-2013-2196", "CVE-2013-2211");
      script_bugtraq_id(49370, 53856, 53955, 53961, 54691, 54942, 55400, 55406, 55410, 55412, 55413, 55414, 55442, 56498, 56794, 56796, 56797, 56798, 56799, 56803, 56805, 57159, 57223, 57420, 57494, 57495, 57742, 57745, 58880, 59070, 59291, 59292, 59293, 59615, 59617, 60277, 60278, 60282, 60701, 60702, 60703, 60721, 60799);
      script_xref(name:"GLSA", value:"201309-24");
    
      script_name(english:"GLSA-201309-24 : Xen: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-201309-24
    (Xen: Multiple vulnerabilities)
    
        Multiple vulnerabilities have been discovered in Xen. Please review the
          CVE identifiers referenced below for details.
      
    Impact :
    
        Guest domains could possibly gain privileges, execute arbitrary code, or
          cause a Denial of Service on the host domain (Dom0). Additionally, guest
          domains could gain information about other virtual machines running on
          the same host or read arbitrary files on the host.
      
    Workaround :
    
        The CVEs listed below do not currently have fixes, but only apply to Xen
          setups which have “tmem” specified on the hypervisor command line.
          TMEM is not currently supported for use in production systems, and
          administrators using tmem should disable it.
          Relevant CVEs:
          * CVE-2012-2497
          * CVE-2012-6030
          * CVE-2012-6031
          * CVE-2012-6032
          * CVE-2012-6033
          * CVE-2012-6034
          * CVE-2012-6035
          * CVE-2012-6036"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.xen.org/archives/html/xen-announce/2012-09/msg00006.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/201309-24"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All Xen users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=app-emulation/xen-4.2.2-r1'
        All Xen-tools users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose
          '>=app-emulation/xen-tools-4.2.2-r3'
        All Xen-pvgrub users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose
          '>=app-emulation/xen-pvgrub-4.2.2-r1'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'FreeBSD Intel SYSRET Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:xen");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:xen-pvgrub");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:xen-tools");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2011/08/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/09/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/09/28");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"app-emulation/xen-pvgrub", unaffected:make_list("ge 4.2.2-r1"), vulnerable:make_list("lt 4.2.2-r1"))) flag++;
    if (qpkg_check(package:"app-emulation/xen", unaffected:make_list("ge 4.2.2-r1"), vulnerable:make_list("lt 4.2.2-r1"))) flag++;
    if (qpkg_check(package:"app-emulation/xen-tools", unaffected:make_list("ge 4.2.2-r3"), vulnerable:make_list("lt 4.2.2-r3"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Xen");
    }
    
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201604-03.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201604-03 (Xen: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Xen. Please review the CVE identifiers referenced below for details. Impact : A local attacker could possibly cause a Denial of Service condition or obtain sensitive information. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id90380
    published2016-04-07
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/90380
    titleGLSA-201604-03 : Xen: Multiple vulnerabilities (Venom)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201604-03.
    #
    # The advisory text is Copyright (C) 2001-2019 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(90380);
      script_version("2.6");
      script_cvs_date("Date: 2019/08/12 17:35:38");
    
      script_cve_id("CVE-2012-3494", "CVE-2012-3495", "CVE-2012-3496", "CVE-2012-3497", "CVE-2012-3498", "CVE-2012-3515", "CVE-2012-4411", "CVE-2012-4535", "CVE-2012-4536", "CVE-2012-4537", "CVE-2012-4538", "CVE-2012-4539", "CVE-2012-6030", "CVE-2012-6031", "CVE-2012-6032", "CVE-2012-6033", "CVE-2012-6034", "CVE-2012-6035", "CVE-2012-6036", "CVE-2015-2151", "CVE-2015-3209", "CVE-2015-3259", "CVE-2015-3340", "CVE-2015-3456", "CVE-2015-4103", "CVE-2015-4104", "CVE-2015-4105", "CVE-2015-4106", "CVE-2015-4163", "CVE-2015-4164", "CVE-2015-5154", "CVE-2015-7311", "CVE-2015-7504", "CVE-2015-7812", "CVE-2015-7813", "CVE-2015-7814", "CVE-2015-7835", "CVE-2015-7871", "CVE-2015-7969", "CVE-2015-7970", "CVE-2015-7971", "CVE-2015-7972", "CVE-2015-8339", "CVE-2015-8340", "CVE-2015-8341", "CVE-2015-8550", "CVE-2015-8551", "CVE-2015-8552", "CVE-2015-8554", "CVE-2015-8555", "CVE-2016-2270", "CVE-2016-2271");
      script_xref(name:"GLSA", value:"201604-03");
    
      script_name(english:"GLSA-201604-03 : Xen: Multiple vulnerabilities (Venom)");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-201604-03
    (Xen: Multiple vulnerabilities)
    
        Multiple vulnerabilities have been discovered in Xen. Please review the
          CVE identifiers referenced below for details.
      
    Impact :
    
        A local attacker could possibly cause a Denial of Service condition or
          obtain sensitive information.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/201604-03"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All Xen 4.5 users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=app-emulation/xen-4.5.2-r5'
        All Xen 4.6 users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=app-emulation/xen-4.6.0-r9'
        All Xen tools 4.5 users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=app-emulation/xen-tools-4.5.2-r5'
        All Xen tools 4.6 users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=app-emulation/xen-tools-4.6.0-r9'
        All Xen pvgrub users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=app-emulation/xen-pvgrub-4.6.0'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:pvgrub");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:xen");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:xen-pvgrub");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:xen-tools");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2012/11/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/04/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/04/07");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"app-emulation/xen-pvgrub", unaffected:make_list(), vulnerable:make_list("lt 4.6.0"))) flag++;
    if (qpkg_check(package:"app-emulation/xen", unaffected:make_list("ge 4.6.0-r9", "rge 4.5.2-r5"), vulnerable:make_list("lt 4.6.0-r9"))) flag++;
    if (qpkg_check(package:"app-emulation/xen-tools", unaffected:make_list("ge 4.6.0-r9", "rge 4.5.2-r5"), vulnerable:make_list("lt 4.6.0-r9"))) flag++;
    if (qpkg_check(package:"app-emulation/pvgrub", unaffected:make_list("ge 4.6.0", "rge 4.5.2"), vulnerable:make_list())) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Xen");
    }