Vulnerabilities > CVE-2013-4494 - Improper Input Validation vulnerability in multiple products

047910
CVSS 5.2 - MEDIUM
Attack vector
ADJACENT_NETWORK
Attack complexity
MEDIUM
Privileges required
SINGLE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
COMPLETE

Summary

Xen before 4.1.x, 4.2.x, and 4.3.x does not take the page_alloc_lock and grant_table.lock in the same order, which allows local guest administrators with access to multiple vcpus to cause a denial of service (host deadlock) via unspecified vectors.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Server Side Include (SSI) Injection
    An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
  • Cross Zone Scripting
    An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
  • Cross Site Scripting through Log Files
    An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.

Nessus

  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2013-0085.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - x86/HVM: only allow ring 0 guest code to make hypercalls Anything else would allow for privilege escalation. This is CVE-2013-4554 / XSA-76. (CVE-2013-4554) - x86: restrict XEN_DOMCTL_getmemlist Coverity ID 1055652 (See the code comment.) This is CVE-2013-4553 / XSA-74. (CVE-2013-4553) - gnttab: update version 1 of xsa73-4.1.patch to version 3 Version 1 of xsa73-4.1.patch had an error: bool_t drop_dom_ref = (e->tot_pages-- == 0) should have been: bool_t drop_dom_ref = (e->tot_pages-- == 1) Consolidate error handling. Backported to Xen-4.1 (CVE-2013-4494) - Xen: Spread boot time page scrubbing across all available CPU
    last seen2020-06-01
    modified2020-06-02
    plugin id79523
    published2014-11-26
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/79523
    titleOracleVM 3.2 : xen (OVMSA-2013-0085)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The package checks in this plugin were extracted from OracleVM
    # Security Advisory OVMSA-2013-0085.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(79523);
      script_version("1.4");
      script_cvs_date("Date: 2019/09/27 13:00:34");
    
      script_cve_id("CVE-2013-4494", "CVE-2013-4553", "CVE-2013-4554");
      script_bugtraq_id(63494, 63931, 63933);
    
      script_name(english:"OracleVM 3.2 : xen (OVMSA-2013-0085)");
      script_summary(english:"Checks the RPM output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote OracleVM host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote OracleVM system is missing necessary patches to address
    critical security updates :
    
      - x86/HVM: only allow ring 0 guest code to make hypercalls
        Anything else would allow for privilege escalation. This
        is CVE-2013-4554 / XSA-76. (CVE-2013-4554)
    
      - x86: restrict XEN_DOMCTL_getmemlist Coverity ID 1055652
        (See the code comment.) This is CVE-2013-4553 / XSA-74.
        (CVE-2013-4553)
    
      - gnttab: update version 1 of xsa73-4.1.patch to version 3
        Version 1 of xsa73-4.1.patch had an error: bool_t
        drop_dom_ref = (e->tot_pages-- == 0)  should have been:
        bool_t drop_dom_ref = (e->tot_pages-- == 1) 
    
        Consolidate error handling.
    
        Backported to Xen-4.1 (CVE-2013-4494)
    
      - Xen: Spread boot time page scrubbing across all
        available CPU's Written by Malcolm Crossley The page
        scrubbing is done in 256MB chunks in lockstep across all
        the CPU's. This allows for the boot CPU to hold the
        heap_lock whilst each chunk is being scrubbed and then
        release the heap_lock when all CPU's are finished
        scrubing their individual chunk. This allows for the
        heap_lock to not be held continously and for pending
        softirqs are to be serviced periodically across all
        CPU's. The page scrub memory chunks are allocated to the
        CPU's in a NUMA aware fashion to reduce Socket
        interconnect overhead and improve performance. This
        patch reduces the boot page scrub time on a 256GB 16
        core AMD Opteron machine from 1 minute 46 seconds to 38
        seconds.
    
      - gnttab: correct locking order reversal Coverity ID
        1087189 Correct a lock order reversal between a domains
        page allocation and grant table locks. This is XSA-73.
    
        Consolidate error handling.
    
        Backported to Xen-4.1 (CVE-2013-4494)
    
      - piix4acpi, xen, hotplug: Fix race with ACPI AML code and
        hotplug. This is a race so the amount varies but on a
        4PCPU box I seem to get only ~14 out of 16 vCPUs I want
        to online. The issue at hand is that QEMU xenstore.c
        hotplug code changes the vCPU array and triggers an ACPI
        SCI for each vCPU online/offline change. That means we
        modify the array of vCPUs as the guests ACPI AML code is
        reading it - resulting in the guest reading the data
        only once and not changing the CPU states appropiately.
        The fix is to seperate the vCPU array changes from the
        ACPI SCI notification. The code now will enumerate all
        of the vCPUs and change the vCPU array if there is a
        need for a change. If a change did occur then only _one_
        ACPI SCI pulse is sent to the guest. The vCPU array at
        that point has the online/offline modified to what the
        user wanted to have.
    
        [v1: Use stack for the 'attr' instead of malloc/free]
    
      - piix4acpi, xen: Clarify that the qemu_set_irq calls just
        do an IRQ pulse. The 'qemu_cpu_notify' raises and lowers
        the ACPI SCI line when the vCPU state has changed.
        Instead of doing the two functions, just use one
        function that describes exactly what it does.
    
      - piix4acpi, xen, vcpu hotplug: Split the notification
        from the changes. This is a prepatory patch that splits
        the notification of an vCPU change from the actual
        changes to the vCPU array.
    
      - Backported Carson's changes - Requests to connect on
        port 8003 with a LOW/weak cipher are now rejected."
      );
      # https://oss.oracle.com/pipermail/oraclevm-errata/2013-December/000196.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?d8768268"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected xen / xen-devel / xen-tools packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:A/AC:M/Au:S/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen-tools");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:3.2");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/11/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/12/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/26");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"OracleVM Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/OracleVM/release");
    if (isnull(release) || "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM");
    if (! preg(pattern:"^OVS" + "3\.2" + "(\.[0-9]|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 3.2", "OracleVM " + release);
    if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    flag = 0;
    if (rpm_check(release:"OVS3.2", reference:"xen-4.1.3-25.el5.88")) flag++;
    if (rpm_check(release:"OVS3.2", reference:"xen-devel-4.1.3-25.el5.88")) flag++;
    if (rpm_check(release:"OVS3.2", reference:"xen-tools-4.1.3-25.el5.88")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen / xen-devel / xen-tools");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_XEN-201311-131125.NASL
    descriptionXen has been updated to fix a security issue and a bug : - XSA-73: A lock order reversal between page allocation and grant table locks could lead to host crashes or even host code execution. (CVE-2013-4494) A non-security bug has also been fixed : - It is possible to start a VM twice on the same node (bnc#840997)
    last seen2020-06-05
    modified2013-12-13
    plugin id71393
    published2013-12-13
    reporterThis script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/71393
    titleSuSE 11.2 Security Update : Xen (SAT Patch Number 8577)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_XEN-201311-131127.NASL
    descriptionThe Xen hypervisor and tool-suite have been updated to fix security issues and bugs : - XSA-73: A lock order reversal between page allocation and grant table locks could lead to host crashes or even host code execution. (CVE-2013-4494) - XSA-74: A lock order reversal between page_alloc_lock and mm_rwlock could lead to deadlocks. (CVE-2013-4553) - XSA-76: Hypercalls exposed to privilege rings 1 and 2 of HVM guests which might lead to Hypervisor escalation under specific circumstances. (CVE-2013-4554) - XSA-78: Insufficient TLB flushing in VT-d (iommu) code could lead to access of memory that was revoked. (CVE-2013-6375) - XSA-75: A host crash due to guest VMX instruction execution was fixed. Non-security bugs have also been fixed:. (CVE-2013-4551) - It is possible to start a VM twice on the same node. (bnc#840997) - In HP
    last seen2020-06-05
    modified2013-12-20
    plugin id71562
    published2013-12-20
    reporterThis script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/71562
    titleSuSE 11.3 Security Update : Xen (SAT Patch Number 8588)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2014-271.NASL
    descriptionXen was updated to fix various bugs and security issues : Update to Xen version 4.2.4 c/s 26280. - bnc#861256 - CVE-2014-1950: xen: XSA-88: use-after-free in xc_cpupool_getinfo() under memory pressure. (fix included with update) - bnc#863297: xend/pvscsi: recognize also SCSI CDROM devices - bnc#858496 - CVE-2014-1642: Xen: XSA-83: Out-of-memory condition yielding memory corruption during IRQ setup - bnc#860163 - xen: XSA-84: integer overflow in several XSM/Flask hypercalls (CVE-2014-1891 CVE-2014-1892 CVE-2014-1893 CVE-2014-1894) - bnc#860165 - CVE-2014-1895: xen: XSA-85: Off-by-one error in FLASK_AVC_CACHESTAT hypercall - bnc#860300 - CVE-2014-1896: xen: XSA-86: libvchan failure handling malicious ring indexes - bnc#860302 - CVE-2014-1666: xen: XSA-87: PHYSDEVOP_(prepare,release)_msix exposed to unprivileged guests - bnc#858311 - Server is not booting in kernel XEN after latest updates - (XEN) setup 0000:00:18.0 for d0 failed (-19) - bnc#858496 - CVE-2014-1642: Xen: XSA-83: Out-of-memory condition yielding memory corruption during IRQ setup - bnc#853049 - CVE-2013-6885: xen: XSA-82: Guest triggerable AMD CPU erratum may cause host hang - bnc#853048 - CVE-2013-6400: xen: XSA-80: IOMMU TLB flushing may be inadvertently suppressed - bnc#831120 - CVE-2013-2212: xen: XSA-60: Excessive time to disable caching with HVM guests with PCI passthrough - bnc#848014 - [HP HPS] Xen hypervisor panics on 8-blades nPar with 46-bit memory addressing - bnc#833251 - [HP BCS SLES11 Bug]: In HPs UEFI x86_64 platform and with xen environment, in booting stage ,xen hypervisor will panic. - pygrub: Support (/dev/xvda) style disk specifications - bnc#849667 - CVE-2014-1895: xen: XSA-74: Lock order reversal between page_alloc_lock and mm_rwlock - bnc#849668 - CVE-2013-4554: xen: XSA-76: Hypercalls exposed to privilege rings 1 and 2 of HVM guests - bnc#842417 - In HPs UEFI x86_64 platform and sles11sp3 with xen environment, dom0 will soft lockup on multiple blades nPar. - bnc#848014 - [HP HPS] Xen hypervisor panics on 8-blades nPar with 46-bit memory addressing - bnc#846849 - Soft lockup with PCI passthrough and many VCPUs - bnc#833483 - Boot Failure with xen kernel in UEFI mode with error
    last seen2020-06-05
    modified2014-06-13
    plugin id75312
    published2014-06-13
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/75312
    titleopenSUSE Security Update : xen (openSUSE-SU-2014:0483-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2014-0446-1.NASL
    descriptionThe SUSE Linux Enterprise Server 11 Service Pack 1 LTSS Xen hypervisor and toolset have been updated to fix various security issues and some bugs. The following security issues have been addressed : XSA-84: CVE-2014-1894: Xen 3.2 (and presumably earlier) exhibit both problems with the overflow issue being present for more than just the suboperations listed above. (bnc#860163) XSA-84: CVE-2014-1892 CVE-2014-1893: Xen 3.3 through 4.1, while not affected by the above overflow, have a different overflow issue on FLASK_{GET,SET}BOOL and expose unreasonably large memory allocation to arbitrary guests. (bnc#860163) XSA-84: CVE-2014-1891: The FLASK_{GET,SET}BOOL, FLASK_USER and FLASK_CONTEXT_TO_SID suboperations of the flask hypercall are vulnerable to an integer overflow on the input size. The hypercalls attempt to allocate a buffer which is 1 larger than this size and is therefore vulnerable to integer overflow and an attempt to allocate then access a zero byte buffer. (bnc#860163) XSA-82: CVE-2013-6885: The microcode on AMD 16h 00h through 0Fh processors does not properly handle the interaction between locked instructions and write-combined memory types, which allows local users to cause a denial of service (system hang) via a crafted application, aka the errata 793 issue. (bnc#853049) XSA-76: CVE-2013-4554: Xen 3.0.3 through 4.1.x (possibly 4.1.6.1), 4.2.x (possibly 4.2.3), and 4.3.x (possibly 4.3.1) does not properly prevent access to hypercalls, which allows local guest users to gain privileges via a crafted application running in ring 1 or 2. (bnc#849668) XSA-74: CVE-2013-4553: The XEN_DOMCTL_getmemlist hypercall in Xen 3.4.x through 4.3.x (possibly 4.3.1) does not always obtain the page_alloc_lock and mm_rwlock in the same order, which allows local guest administrators to cause a denial of service (host deadlock). (bnc#849667) XSA-73: CVE-2013-4494: Xen before 4.1.x, 4.2.x, and 4.3.x does not take the page_alloc_lock and grant_table.lock in the same order, which allows local guest administrators with access to multiple vcpus to cause a denial of service (host deadlock) via unspecified vectors. (bnc#848657) XSA-67: CVE-2013-4368: The outs instruction emulation in Xen 3.1.x, 4.2.x, 4.3.x, and earlier, when using FS: or GS: segment override, uses an uninitialized variable as a segment base, which allows local 64-bit PV guests to obtain sensitive information (hypervisor stack content) via unspecified vectors related to stale data in a segment register. (bnc#842511) XSA-66: CVE-2013-4361: The fbld instruction emulation in Xen 3.3.x through 4.3.x does not use the correct variable for the source effective address, which allows local HVM guests to obtain hypervisor stack information by reading the values used by the instruction. (bnc#841766) XSA-63: CVE-2013-4355: Xen 4.3.x and earlier does not properly handle certain errors, which allows local HVM guests to obtain hypervisor stack memory via a (1) port or (2) memory mapped I/O write or (3) other unspecified operations related to addresses without associated memory. (bnc#840592) XSA-62: CVE-2013-1442: Xen 4.0 through 4.3.x, when using AVX or LWP capable CPUs, does not properly clear previous data from registers when using an XSAVE or XRSTOR to extend the state components of a saved or restored vCPU after touching other restored extended registers, which allows local guest OSes to obtain sensitive information by reading the registers. (bnc#839596) XSA-61: CVE-2013-4329: The xenlight library (libxl) in Xen 4.0.x through 4.2.x, when IOMMU is disabled, provides access to a busmastering-capable PCI passthrough device before the IOMMU setup is complete, which allows local HVM guest domains to gain privileges or cause a denial of service via a DMA instruction. (bnc#839618) XSA-60: CVE-2013-2212: The vmx_set_uc_mode function in Xen 3.3 through 4.3, when disabling chaches, allows local HVM guests with access to memory mapped I/O regions to cause a denial of service (CPU consumption and possibly hypervisor or guest kernel panic) via a crafted GFN range. (bnc#831120) XSA-58: CVE-2013-1918: Certain page table manipulation operations in Xen 4.1.x, 4.2.x, and earlier are not preemptible, which allows local PV kernels to cause a denial of service via vectors related to
    last seen2020-06-05
    modified2015-05-20
    plugin id83616
    published2015-05-20
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/83616
    titleSUSE SLES11 Security Update : Xen (SUSE-SU-2014:0446-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2014-0470-1.NASL
    descriptionThe SUSE Linux Enterprise 10 Service Pack 3 LTSS Xen hypervisor and toolset have been updated to fix various security issues : The following security issues have been addressed : XSA-20: CVE-2012-4535: Xen 3.4 through 4.2, and possibly earlier versions, allows local guest OS administrators to cause a denial of service (Xen infinite loop and physical CPU consumption) by setting a VCPU with an
    last seen2020-06-05
    modified2015-05-20
    plugin id83617
    published2015-05-20
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/83617
    titleSUSE SLES10 Security Update : Xen (SUSE-SU-2014:0470-1)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2015-0068.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2015-0068 for details.
    last seen2020-06-01
    modified2020-06-02
    plugin id84140
    published2015-06-12
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84140
    titleOracleVM 3.2 : xen (OVMSA-2015-0068) (POODLE) (Venom)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2013-20544.NASL
    descriptionLock order reversal between page allocation and grant table locks ocaml xenstored mishandles oversized message replies systemd changes to allow oxenstored to be used instead of xenstored Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2013-11-11
    plugin id70830
    published2013-11-11
    reporterThis script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/70830
    titleFedora 18 : xen-4.2.3-7.fc18 (2013-20544)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2013-20517.NASL
    descriptionupdate to xen-4.3.1, Lock order reversal between page allocation and grant table lock ocaml xenstored mishandles oversized message replies systemd changes to allow oxenstored to be used instead of xenstored Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2013-11-11
    plugin id70813
    published2013-11-11
    reporterThis script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/70813
    titleFedora 20 : xen-4.3.1-1.fc20 (2013-20517)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3006.NASL
    descriptionMultiple security issues have been discovered in the Xen virtualisation solution which may result in information leaks or denial of service.
    last seen2020-03-17
    modified2014-08-19
    plugin id77240
    published2014-08-19
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/77240
    titleDebian DSA-3006-1 : xen - security update
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201407-03.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201407-03 (Xen: Multiple Vunlerabilities) Multiple vulnerabilities have been discovered in Xen. Please review the CVE identifiers referenced below for details. Impact : A remote attacker can utilize multiple vectors to execute arbitrary code, cause Denial of Service, or gain access to data on the host. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id76544
    published2014-07-17
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/76544
    titleGLSA-201407-03 : Xen: Multiple Vunlerabilities
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2014-0411-1.NASL
    descriptionThe SUSE Linux Enterprise Server 10 Service Pack 4 LTSS Xen hypervisor and toolset have been updated to fix various security issues. The following security issues have been addressed : - XSA-82: CVE-2013-6885: The microcode on AMD 16h 00h through 0Fh processors does not properly handle the interaction between locked instructions and write-combined memory types, which allows local users to cause a denial of service (system hang) via a crafted application, aka the errata 793 issue. (bnc#853049) - XSA-76: CVE-2013-4554: Xen 3.0.3 through 4.1.x (possibly 4.1.6.1), 4.2.x (possibly 4.2.3), and 4.3.x (possibly 4.3.1) does not properly prevent access to hypercalls, which allows local guest users to gain privileges via a crafted application running in ring 1 or 2. (bnc#849668) - XSA-73: CVE-2013-4494: Xen before 4.1.x, 4.2.x, and 4.3.x does not take the page_alloc_lock and grant_table.lock in the same order, which allows local guest administrators with access to multiple vcpus to cause a denial of service (host deadlock) via unspecified vectors. (bnc#848657) - XSA-67: CVE-2013-4368: The outs instruction emulation in Xen 3.1.x, 4.2.x, 4.3.x, and earlier, when using FS: or GS: segment override, uses an uninitialized variable as a segment base, which allows local 64-bit PV guests to obtain sensitive information (hypervisor stack content) via unspecified vectors related to stale data in a segment register. (bnc#842511) - XSA-63: CVE-2013-4355: Xen 4.3.x and earlier does not properly handle certain errors, which allows local HVM guests to obtain hypervisor stack memory via a (1) port or (2) memory mapped I/O write or (3) other unspecified operations related to addresses without associated memory. (bnc#840592) - XSA-55: CVE-2013-2196: Multiple unspecified vulnerabilities in the Elf parser (libelf) in Xen 4.2.x and earlier allow local guest administrators with certain permissions to have an unspecified impact via a crafted kernel, related to
    last seen2020-06-05
    modified2015-05-20
    plugin id83614
    published2015-05-20
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/83614
    titleSUSE SLES10 Security Update : Xen (SUSE-SU-2014:0411-1)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2014-0108.NASL
    descriptionUpdated kernel packages that fix one security issue and three bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * It was found that the Xen hypervisor did not always lock
    last seen2020-06-01
    modified2020-06-02
    plugin id72246
    published2014-02-03
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/72246
    titleCentOS 5 : kernel (CESA-2014:0108)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2014-0108.NASL
    descriptionFrom Red Hat Security Advisory 2014:0108 : Updated kernel packages that fix one security issue and three bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * It was found that the Xen hypervisor did not always lock
    last seen2020-06-01
    modified2020-06-02
    plugin id72228
    published2014-01-31
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/72228
    titleOracle Linux 5 : kernel (ELSA-2014-0108)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2013-20555.NASL
    descriptionLock order reversal between page allocation and grant table locks ocaml xenstored mishandles oversized message replies systemd changes to allow oxenstored to be used instead of xenstored Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2013-11-11
    plugin id70831
    published2013-11-11
    reporterThis script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/70831
    titleFedora 19 : xen-4.2.3-7.fc19 (2013-20555)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2013-968.NASL
    descriptionXen was updated to 4.3.1 and also to fix various security issues and bugs : - bnc#851749 - Xen service file does not call xend properly xend.service - Add missing requires to pciutils package for xend-tools - bnc#851386 - xen: XSA-78: Insufficient TLB flushing in VT-d (iommu) code - Make -devel package depend on libuuid-devel, since libxl.h includes uuid.h - bnc#849667 - CVE-2013-4553: xen: XSA-74: Lock order reversal between page_alloc_lock and mm_rwlock - bnc#849665 - CVE-2013-4551: xen: XSA-75: Host crash due to guest VMX instruction execution - bnc#849668 - CVE-2013-4554: xen: XSA-76: Hypercalls exposed to privilege rings 1 and 2 of HVM guests - bnc#848657 - xen: CVE-2013-4494: XSA-73: Lock order reversal between page allocation and grant table locks - Update to Xen 4.3.1 - bnc#845520 - CVE-2013-4416: xen: ocaml xenstored mishandles oversized message replies
    last seen2020-06-05
    modified2014-06-13
    plugin id75232
    published2014-06-13
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/75232
    titleopenSUSE Security Update : xen (openSUSE-SU-2013:1876-1)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2013-0088.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - x86/HVM: only allow ring 0 guest code to make hypercalls XSA-76 (Jan Beulich) [17822325] (CVE-2013-4554) - x86: restrict XEN_DOMCTL_getmemlist XSA-74 (Jan Beulich) [17821907] (CVE-2013-4553) - gnttab: correct locking order reversal XSA-73 (Andrew Cooper) [orabug 17768955] (CVE-2013-4494)
    last seen2020-06-01
    modified2020-06-02
    plugin id79525
    published2014-11-26
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/79525
    titleOracleVM 2.2 : xen (OVMSA-2013-0088)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20140129_KERNEL_ON_SL5_X.NASL
    description - It was found that the Xen hypervisor did not always lock
    last seen2020-03-18
    modified2014-01-30
    plugin id72210
    published2014-01-30
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/72210
    titleScientific Linux Security Update : kernel on SL5.x i386/x86_64 (20140129)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2013-0087.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - x86/HVM: only allow ring 0 guest code to make hypercalls Anything else would allow for privilege escalation. This is CVE-2013-4554 / XSA-76. (CVE-2013-4554) - x86: restrict XEN_DOMCTL_getmemlist Coverity ID 1055652 (See the code comment.) This is CVE-2013-4553 / XSA-74. (CVE-2013-4553) - gnttab: correct locking order reversal Coverity ID 1087189 Correct a lock order reversal between a domains page allocation and grant table locks. This is CVE-2013-4494 / XSA-73. Consolidate error handling. Backported to Xen-4.1 (CVE-2013-4494)
    last seen2020-06-01
    modified2020-06-02
    plugin id79524
    published2014-11-26
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/79524
    titleOracleVM 3.1 : xen (OVMSA-2013-0087)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2014-0108-1.NASL
    descriptionFrom Red Hat Security Advisory 2014:0108 : Updated kernel packages that fix one security issue and three bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * It was found that the Xen hypervisor did not always lock
    last seen2020-06-01
    modified2020-06-02
    plugin id72227
    published2014-01-31
    reporterThis script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/72227
    titleOracle Linux 5 : kernel (ELSA-2014-0108-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2014-0108.NASL
    descriptionUpdated kernel packages that fix one security issue and three bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * It was found that the Xen hypervisor did not always lock
    last seen2020-06-01
    modified2020-06-02
    plugin id72209
    published2014-01-30
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/72209
    titleRHEL 5 : kernel (RHSA-2014:0108)

Redhat

advisories
bugzilla
id1026243
titleCVE-2013-4494 kernel: xen: Lock order reversal between page allocation and grant table locks
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 5 is installed
      ovaloval:com.redhat.rhba:tst:20070331005
    • OR
      • commentkernel earlier than 0:2.6.18-371.4.1.el5 is currently running
        ovaloval:com.redhat.rhsa:tst:20140108025
      • commentkernel earlier than 0:2.6.18-371.4.1.el5 is set to boot up on next boot
        ovaloval:com.redhat.rhsa:tst:20140108026
    • OR
      • AND
        • commentkernel-doc is earlier than 0:2.6.18-371.4.1.el5
          ovaloval:com.redhat.rhsa:tst:20140108001
        • commentkernel-doc is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhba:tst:20080314002
      • AND
        • commentkernel-devel is earlier than 0:2.6.18-371.4.1.el5
          ovaloval:com.redhat.rhsa:tst:20140108003
        • commentkernel-devel is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhba:tst:20080314016
      • AND
        • commentkernel is earlier than 0:2.6.18-371.4.1.el5
          ovaloval:com.redhat.rhsa:tst:20140108005
        • commentkernel is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhba:tst:20080314008
      • AND
        • commentkernel-xen is earlier than 0:2.6.18-371.4.1.el5
          ovaloval:com.redhat.rhsa:tst:20140108007
        • commentkernel-xen is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhba:tst:20080314018
      • AND
        • commentkernel-headers is earlier than 0:2.6.18-371.4.1.el5
          ovaloval:com.redhat.rhsa:tst:20140108009
        • commentkernel-headers is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhba:tst:20080314006
      • AND
        • commentkernel-debug-devel is earlier than 0:2.6.18-371.4.1.el5
          ovaloval:com.redhat.rhsa:tst:20140108011
        • commentkernel-debug-devel is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhba:tst:20080314004
      • AND
        • commentkernel-xen-devel is earlier than 0:2.6.18-371.4.1.el5
          ovaloval:com.redhat.rhsa:tst:20140108013
        • commentkernel-xen-devel is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhba:tst:20080314020
      • AND
        • commentkernel-debug is earlier than 0:2.6.18-371.4.1.el5
          ovaloval:com.redhat.rhsa:tst:20140108015
        • commentkernel-debug is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhba:tst:20080314014
      • AND
        • commentkernel-kdump-devel is earlier than 0:2.6.18-371.4.1.el5
          ovaloval:com.redhat.rhsa:tst:20140108017
        • commentkernel-kdump-devel is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhba:tst:20080314012
      • AND
        • commentkernel-kdump is earlier than 0:2.6.18-371.4.1.el5
          ovaloval:com.redhat.rhsa:tst:20140108019
        • commentkernel-kdump is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhba:tst:20080314010
      • AND
        • commentkernel-PAE is earlier than 0:2.6.18-371.4.1.el5
          ovaloval:com.redhat.rhsa:tst:20140108021
        • commentkernel-PAE is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhba:tst:20080314024
      • AND
        • commentkernel-PAE-devel is earlier than 0:2.6.18-371.4.1.el5
          ovaloval:com.redhat.rhsa:tst:20140108023
        • commentkernel-PAE-devel is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhba:tst:20080314022
rhsa
idRHSA-2014:0108
released2014-01-29
severityModerate
titleRHSA-2014:0108: kernel security and bug fix update (Moderate)
rpms
  • kernel-0:2.6.18-371.4.1.el5
  • kernel-PAE-0:2.6.18-371.4.1.el5
  • kernel-PAE-debuginfo-0:2.6.18-371.4.1.el5
  • kernel-PAE-devel-0:2.6.18-371.4.1.el5
  • kernel-debug-0:2.6.18-371.4.1.el5
  • kernel-debug-debuginfo-0:2.6.18-371.4.1.el5
  • kernel-debug-devel-0:2.6.18-371.4.1.el5
  • kernel-debuginfo-0:2.6.18-371.4.1.el5
  • kernel-debuginfo-common-0:2.6.18-371.4.1.el5
  • kernel-devel-0:2.6.18-371.4.1.el5
  • kernel-doc-0:2.6.18-371.4.1.el5
  • kernel-headers-0:2.6.18-371.4.1.el5
  • kernel-kdump-0:2.6.18-371.4.1.el5
  • kernel-kdump-debuginfo-0:2.6.18-371.4.1.el5
  • kernel-kdump-devel-0:2.6.18-371.4.1.el5
  • kernel-xen-0:2.6.18-371.4.1.el5
  • kernel-xen-debuginfo-0:2.6.18-371.4.1.el5
  • kernel-xen-devel-0:2.6.18-371.4.1.el5