Vulnerabilities > CVE-2015-2151 - Permissions, Privileges, and Access Controls vulnerability in multiple products

047910
CVSS 7.2 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
local
low complexity
fedoraproject
debian
xen
CWE-264
nessus

Summary

The x86 emulator in Xen 3.2.x through 4.5.x does not properly ignore segment overrides for instructions with register operands, which allows local guest users to obtain sensitive information, cause a denial of service (memory corruption), or possibly execute arbitrary code via unspecified vectors.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Accessing, Modifying or Executing Executable Files
    An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Blue Boxing
    This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded Telco infrastructure and so are vulnerable to Blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different than standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions.
  • Restful Privilege Elevation
    Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.
  • Target Programs with Elevated Privileges
    This attack targets programs running with elevated privileges. The attacker would try to leverage a bug in the running program and get arbitrary code to execute with elevated privileges. For instance an attacker would look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs are typically running with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break. The malicious user try to execute its code at the same level as a privileged system call.

Nessus

  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-3935.NASL
    descriptionAdditional patch for XSA-98 on arm64 HVM qemu unexpectedly enabling emulated VGA graphics backends [XSA-119, CVE-2015-2152] Hypervisor memory corruption due to x86 emulator flaw [XSA-123, CVE-2015-2151] Information leak via internal x86 system device emulation, Information leak through version information hypercall, fix a typo in xen.fedora.systemd.patch Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2015-03-23
    plugin id81987
    published2015-03-23
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/81987
    titleFedora 22 : xen-4.5.0-6.fc22 (2015-3935)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2015-3935.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(81987);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2015-2044", "CVE-2015-2045", "CVE-2015-2151", "CVE-2015-2152");
      script_bugtraq_id(73015, 73068);
      script_xref(name:"FEDORA", value:"2015-3935");
    
      script_name(english:"Fedora 22 : xen-4.5.0-6.fc22 (2015-3935)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Additional patch for XSA-98 on arm64 HVM qemu unexpectedly enabling
    emulated VGA graphics backends [XSA-119, CVE-2015-2152] Hypervisor
    memory corruption due to x86 emulator flaw [XSA-123, CVE-2015-2151]
    Information leak via internal x86 system device emulation, Information
    leak through version information hypercall, fix a typo in
    xen.fedora.systemd.patch
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=1196274"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=1200724"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2015-March/152483.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?60d38e84"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected xen package.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:xen");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:22");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2015/03/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^22([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 22.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC22", reference:"xen-4.5.0-6.fc22")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen");
    }
    
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2016-0450.NASL
    descriptionUpdated kernel packages that fix two security issues and two bugs are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * An integer overflow flaw was found in the way the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id89968
    published2016-03-17
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/89968
    titleCentOS 5 : kernel (CESA-2016:0450)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2016:0450 and 
    # CentOS Errata and Security Advisory 2016:0450 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(89968);
      script_version("2.6");
      script_cvs_date("Date: 2020/01/02");
    
      script_cve_id("CVE-2013-2596", "CVE-2015-2151");
      script_xref(name:"RHSA", value:"2016:0450");
    
      script_name(english:"CentOS 5 : kernel (CESA-2016:0450)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated kernel packages that fix two security issues and two bugs are
    now available for Red Hat Enterprise Linux 5.
    
    Red Hat Product Security has rated this update as having Important
    security impact. Common Vulnerability Scoring System (CVSS) base
    scores, which give detailed severity ratings, are available for each
    vulnerability from the CVE links in the References section.
    
    The kernel packages contain the Linux kernel, the core of any Linux
    operating system.
    
    * An integer overflow flaw was found in the way the Linux kernel's
    Frame Buffer device implementation mapped kernel memory to user space
    via the mmap syscall. A local user able to access a frame buffer
    device file (/dev/fb*) could possibly use this flaw to escalate their
    privileges on the system. (CVE-2013-2596, Important)
    
    * It was found that the Xen hypervisor x86 CPU emulator implementation
    did not correctly handle certain instructions with segment overrides,
    potentially resulting in a memory corruption. A malicious guest user
    could use this flaw to read arbitrary data relating to other guests,
    cause a denial of service on the host, or potentially escalate their
    privileges on the host. (CVE-2015-2151, Important)
    
    This update also fixes the following bugs :
    
    * Previously, the CPU power of a CPU group could be zero. As a
    consequence, a kernel panic occurred at 'find_busiest_group+570' with
    do_divide_error. The provided patch ensures that the division is only
    performed if the CPU power is not zero, and the aforementioned panic
    no longer occurs. (BZ#1209728)
    
    * Prior to this update, a bug occurred when performing an online
    resize of an ext4 file system which had been previously converted from
    ext3. As a consequence, the kernel crashed. The provided patch fixes
    online resizing for such file systems by limiting the blockgroup
    search loop for non-extent files, and the mentioned kernel crash no
    longer occurs. (BZ#1301100)
    
    All kernel users are advised to upgrade to these updated packages,
    which contain backported patches to correct these issues. The system
    must be rebooted for this update to take effect."
      );
      # https://lists.centos.org/pipermail/centos-announce/2016-March/021734.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?05d02f12"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected kernel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-2151");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-PAE");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-PAE-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-xen");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-xen-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:5");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/04/13");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/03/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/17");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 5.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-5", reference:"kernel-2.6.18-409.el5")) flag++;
    if (rpm_check(release:"CentOS-5", cpu:"i386", reference:"kernel-PAE-2.6.18-409.el5")) flag++;
    if (rpm_check(release:"CentOS-5", cpu:"i386", reference:"kernel-PAE-devel-2.6.18-409.el5")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"kernel-debug-2.6.18-409.el5")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"kernel-debug-devel-2.6.18-409.el5")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"kernel-devel-2.6.18-409.el5")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"kernel-doc-2.6.18-409.el5")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"kernel-headers-2.6.18-409.el5")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"kernel-xen-2.6.18-409.el5")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"kernel-xen-devel-2.6.18-409.el5")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-PAE / kernel-PAE-devel / kernel-debug / etc");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-0613-1.NASL
    descriptionThe XEN hypervisor received updates to fix various security issues and bugs. The following security issues were fixed : - CVE-2015-2151: XSA-123: A hypervisor memory corruption due to x86 emulator flaw. - CVE-2015-2045: XSA-122: Information leak through version information hypercall. - CVE-2015-2044: XSA-121: Information leak via internal x86 system device emulation. - CVE-2015-2152: XSA-119: HVM qemu was unexpectedly enabling emulated VGA graphics backends. - CVE-2014-3615: Information leakage when guest sets high graphics resolution. - CVE-2015-0361: XSA-116: A xen crash due to use after free on hvm guest teardown. - CVE-2014-9065, CVE-2014-9066: XSA-114: xen: p2m lock starvation. Also the following bugs were fixed : - bnc#919098 - XEN blktap device intermittently fails to connect - bnc#882089 - Windows 2012 R2 fails to boot up with greater than 60 vcpus - bnc#903680 - Problems with detecting free loop devices on Xen guest startup - bnc#861318 - xentop reports
    last seen2020-06-01
    modified2020-06-02
    plugin id83707
    published2015-05-20
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/83707
    titleSUSE SLED12 / SLES12 Security Update : Xen (SUSE-SU-2015:0613-1)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2015-0035.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - x86emul: fully ignore segment override for register-only operations (Jan Beulich) (CVE-2015-2151) This is XSA-123
    last seen2020-06-01
    modified2020-06-02
    plugin id81874
    published2015-03-17
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/81874
    titleOracleVM 2.2 : xen (OVMSA-2015-0035)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2016-0450.NASL
    descriptionUpdated kernel packages that fix two security issues and two bugs are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * An integer overflow flaw was found in the way the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id89956
    published2016-03-16
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/89956
    titleRHEL 5 : kernel (RHSA-2016:0450)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2015-0068.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2015-0068 for details.
    last seen2020-06-01
    modified2020-06-02
    plugin id84140
    published2015-06-12
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84140
    titleOracleVM 3.2 : xen (OVMSA-2015-0068) (POODLE) (Venom)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2016-0450.NASL
    descriptionFrom Red Hat Security Advisory 2016:0450 : Updated kernel packages that fix two security issues and two bugs are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. * An integer overflow flaw was found in the way the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id89953
    published2016-03-16
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/89953
    titleOracle Linux 5 : kernel (ELSA-2016-0450)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-0746-1.NASL
    descriptionThe Virtualization service XEN was updated to fix various bugs and security issues. The following security issues have been fixed : CVE-2015-2756: XSA-126: Unmediated PCI command register access in qemu could have lead to denial of service attacks against the host, if PCI cards are passed through to guests. XSA-125: Long latency MMIO mapping operations were not preemptible. CVE-2015-2151: XSA-123: Instructions with register operands ignored eventual segment overrides encoded for them. Due to an insufficiently conditional assignment such a bogus segment override could have, however, corrupted a pointer used subsequently to store the result of the instruction. CVE-2015-2045: XSA-122: The code handling certain sub-operations of the HYPERVISOR_xen_version hypercall failed to fully initialize all fields of structures subsequently copied back to guest memory. Due to this hypervisor stack contents were copied into the destination of the operation, thus becoming visible to the guest. CVE-2015-2044: XSA-121: Emulation routines in the hypervisor dealing with certain system devices checked whether the access size by the guest is a supported one. When the access size is unsupported these routines failed to set the data to be returned to the guest for read accesses, so that hypervisor stack contents were copied into the destination of the operation, thus becoming visible to the guest. Also fixed : Regular crashes of dom-0 on different servers due to races in MCE access were fixed. bsc#907755 Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id83719
    published2015-05-20
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/83719
    titleSUSE SLES11 Security Update : Xen (SUSE-SU-2015:0746-1)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2015-434.NASL
    descriptionXen was updated to 4.4.2 to fix multiple vulnerabilities and non-security bugs. The following vulnerabilities were fixed : - CVE-2015-4103: Potential unintended writes to host MSI message data field via qemu (XSA-128) (boo#931625) - CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests (XSA-129) (boo#931626) - CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error messages (XSA-130) (boo#931627) - CVE-2015-4106: Unmediated PCI register access in qemu (XSA-131) (boo#931628) - CVE-2015-4164: DoS through iret hypercall handler (XSA-136) (boo#932996) - CVE-2015-4163: GNTTABOP_swap_grant_ref operation misbehavior (XSA-134) (boo#932790) - CVE-2015-3209: heap overflow in qemu pcnet controller allowing guest to host escape (XSA-135) (boo#932770) - CVE-2015-3456: Fixed a buffer overflow in the floppy drive emulation, which could be used to denial of service attacks or potential code execution against the host. () - CVE-2015-3340: Xen did not initialize certain fields, which allowed certain remote service domains to obtain sensitive information from memory via a (1) XEN_DOMCTL_gettscinfo or (2) XEN_SYSCTL_getdomaininfolist request. () - CVE-2015-2752: Long latency MMIO mapping operations are not preemptible (XSA-125 boo#922705) - CVE-2015-2756: Unmediated PCI command register access in qemu (XSA-126 boo#922706) - CVE-2015-2751: Certain domctl operations may be abused to lock up the host (XSA-127 boo#922709) - CVE-2015-2151: Hypervisor memory corruption due to x86 emulator flaw (boo#919464 XSA-123) - CVE-2015-2045: Information leak through version information hypercall (boo#918998 XSA-122) - CVE-2015-2044: Information leak via internal x86 system device emulation (boo#918995 (XSA-121) - CVE-2015-2152: HVM qemu unexpectedly enabling emulated VGA graphics backends (boo#919663 XSA-119) - CVE-2014-3615: information leakage when guest sets high resolution (boo#895528) The following non-security bugs were fixed : - xentop: Fix memory leak on read failure - boo#923758: xen dmesg contains bogus output in early boot - boo#921842: Xentop doesn
    last seen2020-06-05
    modified2015-06-23
    plugin id84333
    published2015-06-23
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/84333
    titleopenSUSE Security Update : xen (openSUSE-2015-434) (Venom)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3181.NASL
    descriptionMultiple security issues have been found in the Xen virtualisation solution : - CVE-2015-2044 Information leak via x86 system device emulation. - CVE-2015-2045 Information leak in the HYPERVISOR_xen_version() hypercall. - CVE-2015-2151 Missing input sanitising in the x86 emulator could result in information disclosure, denial of service or potentially privilege escalation. In addition the Xen developers reported an unfixable limitation in the handling of non-standard PCI devices. Please refer to for further information.
    last seen2020-03-17
    modified2015-03-11
    plugin id81748
    published2015-03-11
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/81748
    titleDebian DSA-3181-1 : xen - security update
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2015-314.NASL
    descriptionXen was updated to 4.3.4 to fix multiple vulnerabities and non-security bugs. The following vulnerabilities were fixed : - Long latency MMIO mapping operations are not preemptible (XSA-125 CVE-2015-2752 bnc#922705) - Unmediated PCI command register access in qemu (XSA-126 CVE-2015-2756 bnc#922706) - Hypervisor memory corruption due to x86 emulator flaw (bnc#919464 CVE-2015-2151 XSA-123) - Information leak through version information hypercall (bnc#918998 CVE-2015-2045 XSA-122) - Information leak via internal x86 system device emulation (bnc#918995 (CVE-2015-2044 XSA-121) - HVM qemu unexpectedly enabling emulated VGA graphics backends (bnc#919663 CVE-2015-2152 XSA-119) - information leakage when guest sets high resolution (bnc#895528 CVE-2014-3615) The following non-security bugs were fixed : - L3: XEN blktap device intermittently fails to connect (bnc#919098) - Problems with detecting free loop devices on Xen guest startup (bnc#903680) - xentop reports
    last seen2020-06-05
    modified2015-04-21
    plugin id82907
    published2015-04-21
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82907
    titleopenSUSE Security Update : xen (openSUSE-2015-314)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2015-0032.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - x86emul: fully ignore segment override for register-only operations For ModRM encoded instructions with register operands we must not overwrite ea.mem.seg (if a - bogus in that case - segment override was present) as it aliases with ea.reg. This is CVE-2015-2151 / XSA-123. (CVE-2015-2151)
    last seen2020-06-01
    modified2020-06-02
    plugin id81768
    published2015-03-12
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/81768
    titleOracleVM 3.2 : xen (OVMSA-2015-0032)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-3721.NASL
    descriptionHVM qemu unexpectedly enabling emulated VGA graphics backends [XSA-119, CVE-2015-2152] Hypervisor memory corruption due to x86 emulator flaw [XSA-123, CVE-2015-2151] Information leak via internal x86 system device emulation, Information leak through version information hypercall Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2015-03-25
    plugin id82051
    published2015-03-25
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82051
    titleFedora 20 : xen-4.3.3-12.fc20 (2015-3721)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-0747-1.NASL
    descriptionThe Virtualization service XEN was updated to fix various bugs and security issues. The following security issues have been fixed : CVE-2015-2756: XSA-126: Unmediated PCI command register access in qemu could have lead to denial of service attacks against the host, if PCI cards are passed through to guests. XSA-125: Long latency MMIO mapping operations were not preemptible. CVE-2015-2151: XSA-123: Instructions with register operands ignored eventual segment overrides encoded for them. Due to an insufficiently conditional assignment such a bogus segment override could have, however, corrupted a pointer used subsequently to store the result of the instruction. CVE-2015-2045: XSA-122: The code handling certain sub-operations of the HYPERVISOR_xen_version hypercall failed to fully initialize all fields of structures subsequently copied back to guest memory. Due to this hypervisor stack contents were copied into the destination of the operation, thus becoming visible to the guest. CVE-2015-2044: XSA-121: Emulation routines in the hypervisor dealing with certain system devices checked whether the access size by the guest is a supported one. When the access size is unsupported these routines failed to set the data to be returned to the guest for read accesses, so that hypervisor stack contents were copied into the destination of the operation, thus becoming visible to the guest. Also fixed : Fully virtualized guest install from network source failed with
    last seen2020-06-01
    modified2020-06-02
    plugin id83720
    published2015-05-20
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/83720
    titleSUSE SLED11 / SLES11 Security Update : Xen (SUSE-SU-2015:0747-1)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201604-03.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201604-03 (Xen: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Xen. Please review the CVE identifiers referenced below for details. Impact : A local attacker could possibly cause a Denial of Service condition or obtain sensitive information. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id90380
    published2016-04-07
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/90380
    titleGLSA-201604-03 : Xen: Multiple vulnerabilities (Venom)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2018-0248.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0248 for details.
    last seen2020-06-01
    modified2020-06-02
    plugin id111992
    published2018-08-20
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111992
    titleOracleVM 3.4 : xen (OVMSA-2018-0248) (Bunker Buster) (Foreshadow) (Meltdown) (POODLE) (Spectre)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_83A2841727E311E5A4A5002590263BF5.NASL
    descriptionThe Xen Project reports : Instructions with register operands ignore eventual segment overrides encoded for them. Due to an insufficiently conditional assignment such a bogus segment override can, however, corrupt a pointer used subsequently to store the result of the instruction. A malicious guest might be able to read sensitive data relating to other guests, or to cause denial of service on the host. Arbitrary code execution, and therefore privilege escalation, cannot be excluded.
    last seen2020-06-01
    modified2020-06-02
    plugin id84708
    published2015-07-14
    reporterThis script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84708
    titleFreeBSD : xen-kernel -- Hypervisor memory corruption due to x86 emulator flaw (83a28417-27e3-11e5-a4a5-002590263bf5)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20160315_KERNEL_ON_SL5_X.NASL
    description - An integer overflow flaw was found in the way the Linux kernel
    last seen2020-03-18
    modified2016-03-16
    plugin id89957
    published2016-03-16
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/89957
    titleScientific Linux Security Update : kernel on SL5.x i386/x86_64 (20160315)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2015-0031.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - x86emul: fully ignore segment override for register-only operations For ModRM encoded instructions with register operands we must not overwrite ea.mem.seg (if a - bogus in that case - segment override was present) as it aliases with ea.reg. This is CVE-2015-2151 / XSA-123. (CVE-2015-2151)
    last seen2020-06-01
    modified2020-06-02
    plugin id81767
    published2015-03-12
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/81767
    titleOracleVM 3.3 : xen (OVMSA-2015-0031)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-0744-1.NASL
    descriptionThe Virtualization service XEN was updated to fix various bugs and security issues. The following security issues have been fixed : XSA-125: Long latency MMIO mapping operations were not preemptible. CVE-2015-2151: XSA-123: Instructions with register operands ignored eventual segment overrides encoded for them. Due to an insufficiently conditional assignment such a bogus segment override could have, however, corrupted a pointer used subsequently to store the result of the instruction. CVE-2015-2045: XSA-122: The code handling certain sub-operations of the HYPERVISOR_xen_version hypercall failed to fully initialize all fields of structures subsequently copied back to guest memory. Due to this hypervisor stack contents were copied into the destination of the operation, thus becoming visible to the guest. CVE-2015-2044: XSA-121: Emulation routines in the hypervisor dealing with certain system devices checked whether the access size by the guest is a supported one. When the access size is unsupported these routines failed to set the data to be returned to the guest for read accesses, so that hypervisor stack contents were copied into the destination of the operation, thus becoming visible to the guest. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id83717
    published2015-05-20
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/83717
    titleSUSE SLES10 Security Update : Xen (SUSE-SU-2015:0744-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-0745-1.NASL
    descriptionThe Virtualization service XEN was updated to fix various bugs and security issues. The following security issues have been fixed : CVE-2015-2756: XSA-126: Unmediated PCI command register access in qemu could have lead to denial of service attacks against the host, if PCI cards are passed through to guests. XSA-125: Long latency MMIO mapping operations were not preemptible. CVE-2015-2151: XSA-123: Instructions with register operands ignored eventual segment overrides encoded for them. Due to an insufficiently conditional assignment such a bogus segment override could have, however, corrupted a pointer used subsequently to store the result of the instruction. CVE-2015-2045: XSA-122: The code handling certain sub-operations of the HYPERVISOR_xen_version hypercall failed to fully initialize all fields of structures subsequently copied back to guest memory. Due to this hypervisor stack contents were copied into the destination of the operation, thus becoming visible to the guest. CVE-2015-2044: XSA-121: Emulation routines in the hypervisor dealing with certain system devices checked whether the access size by the guest is a supported one. When the access size is unsupported these routines failed to set the data to be returned to the guest for read accesses, so that hypervisor stack contents were copied into the destination of the operation, thus becoming visible to the guest. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id83718
    published2015-05-20
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/83718
    titleSUSE SLES11 Security Update : Xen (SUSE-SU-2015:0745-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-3944.NASL
    descriptionAdditional patch for XSA-98 on arm64 HVM qemu unexpectedly enabling emulated VGA graphics backends [XSA-119, CVE-2015-2152] Hypervisor memory corruption due to x86 emulator flaw [XSA-123, CVE-2015-2151] enable building pngs from fig files which is working again, fix oxenstored.service preset preuninstall script, arm: vgic: incorrect rate limiting of guest triggered logging, Information leak via internal x86 system device emulation, Information leak through version information hypercall Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2015-03-25
    plugin id82054
    published2015-03-25
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82054
    titleFedora 21 : xen-4.4.1-16.fc21 (2015-3944)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_XEN-201503-150330.NASL
    descriptionThe Virtualization service XEN was updated to fix various bugs and security issues. The following security issues have been fixed : - XSA-126: Unmediated PCI command register access in qemu could have lead to denial of service attacks against the host, if PCI cards are passed through to guests. (CVE-2015-2756) - XSA-125: Long latency MMIO mapping operations were not preemptible. - XSA-123: Instructions with register operands ignored eventual segment overrides encoded for them. Due to an insufficiently conditional assignment such a bogus segment override could have, however, corrupted a pointer used subsequently to store the result of the instruction. (CVE-2015-2151) - XSA-122: The code handling certain sub-operations of the HYPERVISOR_xen_version hypercall failed to fully initialize all fields of structures subsequently copied back to guest memory. Due to this hypervisor stack contents were copied into the destination of the operation, thus becoming visible to the guest. (CVE-2015-2045) - XSA-121: Emulation routines in the hypervisor dealing with certain system devices checked whether the access size by the guest is a supported one. When the access size is unsupported these routines failed to set the data to be returned to the guest for read accesses, so that hypervisor stack contents were copied into the destination of the operation, thus becoming visible to the guest. (CVE-2015-2044) Also fixed : - Fully virtualized guest install from network source failed with
    last seen2020-06-01
    modified2020-06-02
    plugin id82990
    published2015-04-22
    reporterThis script is Copyright (C) 2015 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82990
    titleSuSE 11.3 Security Update : Xen (SAT Patch Number 10560)

Redhat

advisories
bugzilla
id1196274
titleCVE-2015-2151 xen: hypervisor memory corruption due to x86 emulator flaw (xsa123)
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 5 is installed
      ovaloval:com.redhat.rhba:tst:20070331005
    • OR
      • commentkernel earlier than 0:2.6.18-409.el5 is currently running
        ovaloval:com.redhat.rhsa:tst:20160450025
      • commentkernel earlier than 0:2.6.18-409.el5 is set to boot up on next boot
        ovaloval:com.redhat.rhsa:tst:20160450026
    • OR
      • AND
        • commentkernel-doc is earlier than 0:2.6.18-409.el5
          ovaloval:com.redhat.rhsa:tst:20160450001
        • commentkernel-doc is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhba:tst:20080314002
      • AND
        • commentkernel is earlier than 0:2.6.18-409.el5
          ovaloval:com.redhat.rhsa:tst:20160450003
        • commentkernel is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhba:tst:20080314008
      • AND
        • commentkernel-PAE-devel is earlier than 0:2.6.18-409.el5
          ovaloval:com.redhat.rhsa:tst:20160450005
        • commentkernel-PAE-devel is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhba:tst:20080314022
      • AND
        • commentkernel-devel is earlier than 0:2.6.18-409.el5
          ovaloval:com.redhat.rhsa:tst:20160450007
        • commentkernel-devel is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhba:tst:20080314016
      • AND
        • commentkernel-xen-devel is earlier than 0:2.6.18-409.el5
          ovaloval:com.redhat.rhsa:tst:20160450009
        • commentkernel-xen-devel is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhba:tst:20080314020
      • AND
        • commentkernel-headers is earlier than 0:2.6.18-409.el5
          ovaloval:com.redhat.rhsa:tst:20160450011
        • commentkernel-headers is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhba:tst:20080314006
      • AND
        • commentkernel-debug is earlier than 0:2.6.18-409.el5
          ovaloval:com.redhat.rhsa:tst:20160450013
        • commentkernel-debug is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhba:tst:20080314014
      • AND
        • commentkernel-debug-devel is earlier than 0:2.6.18-409.el5
          ovaloval:com.redhat.rhsa:tst:20160450015
        • commentkernel-debug-devel is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhba:tst:20080314004
      • AND
        • commentkernel-PAE is earlier than 0:2.6.18-409.el5
          ovaloval:com.redhat.rhsa:tst:20160450017
        • commentkernel-PAE is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhba:tst:20080314024
      • AND
        • commentkernel-xen is earlier than 0:2.6.18-409.el5
          ovaloval:com.redhat.rhsa:tst:20160450019
        • commentkernel-xen is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhba:tst:20080314018
      • AND
        • commentkernel-kdump is earlier than 0:2.6.18-409.el5
          ovaloval:com.redhat.rhsa:tst:20160450021
        • commentkernel-kdump is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhba:tst:20080314010
      • AND
        • commentkernel-kdump-devel is earlier than 0:2.6.18-409.el5
          ovaloval:com.redhat.rhsa:tst:20160450023
        • commentkernel-kdump-devel is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhba:tst:20080314012
rhsa
idRHSA-2016:0450
released2016-03-15
severityImportant
titleRHSA-2016:0450: kernel security update (Important)
rpms
  • kernel-0:2.6.18-409.el5
  • kernel-PAE-0:2.6.18-409.el5
  • kernel-PAE-debuginfo-0:2.6.18-409.el5
  • kernel-PAE-devel-0:2.6.18-409.el5
  • kernel-debug-0:2.6.18-409.el5
  • kernel-debug-debuginfo-0:2.6.18-409.el5
  • kernel-debug-devel-0:2.6.18-409.el5
  • kernel-debuginfo-0:2.6.18-409.el5
  • kernel-debuginfo-common-0:2.6.18-409.el5
  • kernel-devel-0:2.6.18-409.el5
  • kernel-doc-0:2.6.18-409.el5
  • kernel-headers-0:2.6.18-409.el5
  • kernel-kdump-0:2.6.18-409.el5
  • kernel-kdump-debuginfo-0:2.6.18-409.el5
  • kernel-kdump-devel-0:2.6.18-409.el5
  • kernel-xen-0:2.6.18-409.el5
  • kernel-xen-debuginfo-0:2.6.18-409.el5
  • kernel-xen-devel-0:2.6.18-409.el5