Vulnerabilities > CVE-2016-10024 - Improper Input Validation vulnerability in multiple products
Attack vector
LOCAL Attack complexity
LOW Privileges required
HIGH Confidentiality impact
NONE Integrity impact
NONE Availability impact
HIGH Summary
Xen through 4.8.x allows local x86 PV guest OS kernel administrators to cause a denial of service (host hang or crash) by modifying the instruction stream asynchronously while performing certain kernel operations.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Server Side Include (SSI) Injection An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
- Cross Zone Scripting An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
- Cross Site Scripting through Log Files An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
- Command Line Execution through SQL Injection An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
Nessus
NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-2.NASL description This update for xen fixes the following issues : - A Mishandling of SYSCALL singlestep during emulation which could have lead to privilege escalation. (XSA-204, bsc#1016340, CVE-2016-10013) - CMPXCHG8B emulation failed to ignore operand size override which could have lead to information disclosure. (XSA-200, bsc#1012651, CVE-2016-9932) - PV guests may have been able to mask interrupts causing a Denial of Service. (XSA-202, bsc#1014298, CVE-2016-10024) - A missing NULL pointer check in VMFUNC emulation could lead to a hypervisor crash leading to a Denial of Servce. (XSA-203, bsc#1014300, CVE-2016-10025) This update was imported from the SUSE:SLE-12-SP2:Update update project. last seen 2020-06-05 modified 2017-01-03 plugin id 96250 published 2017-01-03 reporter This script is Copyright (C) 2017-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/96250 title openSUSE Security Update : xen (openSUSE-2017-2) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2017-2. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(96250); script_version("3.6"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/07/10"); script_cve_id("CVE-2016-10013", "CVE-2016-10024", "CVE-2016-10025", "CVE-2016-9932"); script_xref(name:"IAVB", value:"2017-B-0008-S"); script_name(english:"openSUSE Security Update : xen (openSUSE-2017-2)"); script_summary(english:"Check for the openSUSE-2017-2 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update for xen fixes the following issues : - A Mishandling of SYSCALL singlestep during emulation which could have lead to privilege escalation. (XSA-204, bsc#1016340, CVE-2016-10013) - CMPXCHG8B emulation failed to ignore operand size override which could have lead to information disclosure. (XSA-200, bsc#1012651, CVE-2016-9932) - PV guests may have been able to mask interrupts causing a Denial of Service. (XSA-202, bsc#1014298, CVE-2016-10024) - A missing NULL pointer check in VMFUNC emulation could lead to a hypervisor crash leading to a Denial of Servce. (XSA-203, bsc#1014300, CVE-2016-10025) This update was imported from the SUSE:SLE-12-SP2:Update update project." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1012651" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1014298" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1014300" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1016340" ); script_set_attribute(attribute:"solution", value:"Update the affected xen packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-doc-html"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-libs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-libs-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-libs-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-libs-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-tools"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-tools-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-tools-domU"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-tools-domU-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.2"); script_set_attribute(attribute:"patch_publication_date", value:"2017/01/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/03"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2020 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE42\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.2", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE42.2", reference:"xen-debugsource-4.7.1_04-6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"xen-devel-4.7.1_04-6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"xen-libs-4.7.1_04-6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"xen-libs-debuginfo-4.7.1_04-6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"xen-tools-domU-4.7.1_04-6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"xen-tools-domU-debuginfo-4.7.1_04-6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"xen-4.7.1_04-6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"xen-doc-html-4.7.1_04-6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"xen-libs-32bit-4.7.1_04-6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"xen-libs-debuginfo-32bit-4.7.1_04-6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"xen-tools-4.7.1_04-6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"xen-tools-debuginfo-4.7.1_04-6.1") ) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen-debugsource / xen-devel / xen-libs-32bit / xen-libs / etc"); }
NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-3241-1.NASL description This update for xen fixes the following issues : - A Mishandling of SYSCALL singlestep during emulation which could have lead to privilege escalation. (XSA-204, bsc#1016340, CVE-2016-10013) - CMPXCHG8B emulation failed to ignore operand size override which could have lead to information disclosure. (XSA-200, bsc#1012651, CVE-2016-9932) - PV guests may have been able to mask interrupts causing a Denial of Service. (XSA-202, bsc#1014298, CVE-2016-10024) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 96087 published 2016-12-22 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96087 title SUSE SLES12 Security Update : xen (SUSE-SU-2016:3241-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2016:3241-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(96087); script_version("1.12"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/07/10"); script_cve_id("CVE-2016-10013", "CVE-2016-10024", "CVE-2016-9932"); script_xref(name:"IAVB", value:"2017-B-0008-S"); script_name(english:"SUSE SLES12 Security Update : xen (SUSE-SU-2016:3241-1)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for xen fixes the following issues : - A Mishandling of SYSCALL singlestep during emulation which could have lead to privilege escalation. (XSA-204, bsc#1016340, CVE-2016-10013) - CMPXCHG8B emulation failed to ignore operand size override which could have lead to information disclosure. (XSA-200, bsc#1012651, CVE-2016-9932) - PV guests may have been able to mask interrupts causing a Denial of Service. (XSA-202, bsc#1014298, CVE-2016-10024) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1012651" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1014298" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1016340" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-10013/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-10024/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-9932/" ); # https://www.suse.com/support/update/announcement/2016/suse-su-20163241-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?de0b98aa" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Server for SAP 12:zypper in -t patch SUSE-SLE-SAP-12-2016-1885=1 SUSE Linux Enterprise Server 12-LTSS:zypper in -t patch SUSE-SLE-SERVER-12-2016-1885=1 To bring your system up-to-date, use 'zypper patch'." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-doc-html"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-kmp-default"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-kmp-default-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-libs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-libs-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools-domU"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools-domU-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/26"); script_set_attribute(attribute:"patch_publication_date", value:"2016/12/22"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/22"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); if (cpu >!< "x86_64") audit(AUDIT_ARCH_NOT, "x86_64", cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES12" && (! preg(pattern:"^(0)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP0", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"xen-4.4.4_05-22.28.2")) flag++; if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"xen-debugsource-4.4.4_05-22.28.2")) flag++; if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"xen-doc-html-4.4.4_05-22.28.2")) flag++; if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"xen-kmp-default-4.4.4_05_k3.12.60_52.63-22.28.2")) flag++; if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"xen-kmp-default-debuginfo-4.4.4_05_k3.12.60_52.63-22.28.2")) flag++; if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"xen-libs-32bit-4.4.4_05-22.28.2")) flag++; if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"xen-libs-4.4.4_05-22.28.2")) flag++; if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"xen-libs-debuginfo-32bit-4.4.4_05-22.28.2")) flag++; if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"xen-libs-debuginfo-4.4.4_05-22.28.2")) flag++; if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"xen-tools-4.4.4_05-22.28.2")) flag++; if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"xen-tools-debuginfo-4.4.4_05-22.28.2")) flag++; if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"xen-tools-domU-4.4.4_05-22.28.2")) flag++; if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"xen-tools-domU-debuginfo-4.4.4_05-22.28.2")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen"); }
NASL family Fedora Local Security Checks NASL id FEDORA_2016-BC02BFF7F5.NASL description two security flaws (#1406840) x86 PV guests may be able to mask interrupts [XSA-202, CVE-2016-10024] x86: missing NULL pointer check in VMFUNC emulation [XSA-203, CVE-2016-10025] x86: Mishandling of SYSCALL singlestep during emulation [XSA-204, CVE-2016-10013] (#1406260) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-01-03 plugin id 96216 published 2017-01-03 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96216 title Fedora 24 : xen (2016-bc02bff7f5) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-783.NASL description Multiple vulnerabilities have been discovered in the Xen hypervisor. The Common Vulnerabilities and Exposures project identifies the following problems : CVE-2016-10013 (xsa-204) Xen mishandles SYSCALL singlestep during emulation which can lead to privilege escalation. The vulnerability is only exposed to 64-bit x86 HVM guests. CVE-2016-10024 (xsa-202) PV guests may be able to mask interrupts causing a Denial of Service. For Debian 7 last seen 2020-03-17 modified 2017-01-16 plugin id 96491 published 2017-01-16 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96491 title Debian DLA-783-1 : xen security update NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-5.NASL description This updates xen to version 4.4.4_06 to fix the following issues : - An unprivileged user in a guest could gain guest could escalate privilege to that of the guest kernel, if it had could invoke the instruction emulator. Only 64-bit x86 HVM guest were affected. Linux guest have not been vulnerable. (boo#1016340, CVE-2016-10013) - An unprivileged user in a 64 bit x86 guest could gain information from the host, crash the host or gain privilege of the host (boo#1009107, CVE-2016-9383) - An unprivileged guest process could (unintentionally or maliciously) obtain or ocorrupt sensitive information of other programs in the same guest. Only x86 HVM guests have been affected. The attacker needs to be able to trigger the Xen instruction emulator. (boo#1000106, CVE-2016-7777) - A guest on x86 systems could read small parts of hypervisor stack data (boo#1012651, CVE-2016-9932) - A malicious guest kernel could hang or crash the host system (boo#1014298, CVE-2016-10024) - A malicious guest administrator could escalate their privilege to that of the host. Only affects x86 HVM guests using qemu older version 1.6.0 or using the qemu-xen-traditional. (boo#1011652, CVE-2016-9637) - An unprivileged guest user could escalate privilege to that of the guest administrator on x86 HVM guests, especially on Intel CPUs (boo#1009100, CVE-2016-9386) - An unprivileged guest user could escalate privilege to that of the guest administrator (on AMD CPUs) or crash the system (on Intel CPUs) on 32-bit x86 HVM guests. Only guest operating systems that allowed a new task to start in VM86 mode were affected. (boo#1009103, CVE-2016-9382) - A malicious guest administrator could crash the host on x86 PV guests only (boo#1009104, CVE-2016-9385) - A malicious guest administrator could get privilege of the host emulator process on x86 HVM guests. (boo#1009109, CVE-2016-9381) - A vulnerability in pygrub allowed a malicious guest administrator to obtain the contents of sensitive host files, or even delete those files (boo#1009111, CVE-2016-9379, CVE-2016-9380) - A privileged guest user could cause an infinite loop in the RTL8139 ethernet emulation to consume CPU cycles on the host, causing a DoS situation (boo#1007157, CVE-2016-8910) - A privileged guest user could cause an infinite loop in the intel-hda sound emulation to consume CPU cycles on the host, causing a DoS situation (boo#1007160, CVE-2016-8909) - A privileged guest user could cause a crash of the emulator process on the host by exploiting a divide by zero vulnerability of the JAZZ RC4030 chipset emulation (boo#1005004 CVE-2016-8667) - A privileged guest user could cause a crash of the emulator process on the host by exploiting a divide by zero issue of the 16550A UART emulation (boo#1005005, CVE-2016-8669) - A privileged guest user could cause an infinite loop in the USB xHCI emulation, causing a DoS situation on the host (boo#1004016, CVE-2016-8576) - A privileged guest user could cause an infinite loop in the ColdFire Fash Ethernet Controller emulation, causing a DoS situation on the host (boo#1003030, CVE-2016-7908) - A privileged guest user could cause an infinite loop in the AMD PC-Net II emulation, causing a DoS situation on the host (boo#1003032, CVE-2016-7909) - Cause a reload of clvm in the block-dmmd script to avoid a blocking lvchange call (boo#1002496) - Also unplug SCSI disks in qemu-xen-traditional for upstream unplug protocol. Before a single SCSI storage devices added to HVM guests could appear multiple times in the guest. (boo#953518) - Fix a kernel panic / black screen when trying to boot a XEN kernel on some UEFI firmwares (boo#1000195) last seen 2020-06-05 modified 2017-01-03 plugin id 96253 published 2017-01-03 reporter This script is Copyright (C) 2017-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/96253 title openSUSE Security Update : xen (openSUSE-2017-5) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2017-0153.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0153 for details. last seen 2020-06-01 modified 2020-06-02 plugin id 103830 published 2017-10-13 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/103830 title OracleVM 3.4 : xen (OVMSA-2017-0153) NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-4.NASL description This updates xen to version 4.5.5 to fix the following issues : - An unprivileged user in a guest could gain guest could escalate privilege to that of the guest kernel, if it had could invoke the instruction emulator. Only 64-bit x86 HVM guest were affected. Linux guest have not been vulnerable. (boo#1016340, CVE-2016-10013) - An unprivileged user in a 64 bit x86 guest could gain information from the host, crash the host or gain privilege of the host (boo#1009107, CVE-2016-9383) - An unprivileged guest process could (unintentionally or maliciously) obtain or ocorrupt sensitive information of other programs in the same guest. Only x86 HVM guests have been affected. The attacker needs to be able to trigger the Xen instruction emulator. (boo#1000106, CVE-2016-7777) - A guest on x86 systems could read small parts of hypervisor stack data (boo#1012651, CVE-2016-9932) - A malicious guest kernel could hang or crash the host system (boo#1014298, CVE-2016-10024) - The epro100 emulated network device caused a memory leak in the host when unplugged in the guest. A privileged user in the guest could use this to cause a DoS on the host or potentially crash the guest process on the host (boo#1013668, CVE-2016-9101) - The ColdFire Fast Ethernet Controller was vulnerable to an infinite loop that could be trigged by a privileged user in the guest, leading to DoS (boo#1013657, CVE-2016-9776) - A malicious guest administrator could escalate their privilege to that of the host. Only affects x86 HVM guests using qemu older version 1.6.0 or using the qemu-xen-traditional. (boo#1011652, CVE-2016-9637) - An unprivileged guest user could escalate privilege to that of the guest administrator on x86 HVM guests, especially on Intel CPUs (boo#1009100, CVE-2016-9386) - An unprivileged guest user could escalate privilege to that of the guest administrator (on AMD CPUs) or crash the system (on Intel CPUs) on 32-bit x86 HVM guests. Only guest operating systems that allowed a new task to start in VM86 mode were affected. (boo#1009103, CVE-2016-9382) - A malicious guest administrator could crash the host on x86 PV guests only (boo#1009104, CVE-2016-9385) - An unprivileged guest user was able to crash the guest. (boo#1009108, CVE-2016-9377, CVE-2016-9378) - A malicious guest administrator could get privilege of the host emulator process on x86 HVM guests. (boo#1009109, CVE-2016-9381) - A vulnerability in pygrub allowed a malicious guest administrator to obtain the contents of sensitive host files, or even delete those files (boo#1009111, CVE-2016-9379, CVE-2016-9380) - A privileged guest user could cause an infinite loop in the RTL8139 ethernet emulation to consume CPU cycles on the host, causing a DoS situation (boo#1007157, CVE-2016-8910) - A privileged guest user could cause an infinite loop in the intel-hda sound emulation to consume CPU cycles on the host, causing a DoS situation (boo#1007160, CVE-2016-8909) - A privileged guest user could cause a crash of the emulator process on the host by exploiting a divide by zero vulnerability of the JAZZ RC4030 chipset emulation (boo#1005004 CVE-2016-8667) - A privileged guest user could cause a crash of the emulator process on the host by exploiting a divide by zero issue of the 16550A UART emulation (boo#1005005, CVE-2016-8669) - A privileged guest user could cause a memory leak in the USB EHCI emulation, causing a DoS situation on the host (boo#1003870, CVE-2016-7995) - A privileged guest user could cause an infinite loop in the USB xHCI emulation, causing a DoS situation on the host (boo#1004016, CVE-2016-8576) - A privileged guest user could cause an infinite loop in the ColdFire Fash Ethernet Controller emulation, causing a DoS situation on the host (boo#1003030, CVE-2016-7908) - A privileged guest user could cause an infinite loop in the AMD PC-Net II emulation, causing a DoS situation on the host (boo#1003032, CVE-2016-7909) - Cause a reload of clvm in the block-dmmd script to avoid a blocking lvchange call (boo#1002496) last seen 2020-06-05 modified 2017-01-03 plugin id 96252 published 2017-01-03 reporter This script is Copyright (C) 2017-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/96252 title openSUSE Security Update : xen (openSUSE-2017-4) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201612-56.NASL description The remote host is affected by the vulnerability described in GLSA-201612-56 (Xen: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Xen. Please review the CVE identifiers referenced below for details. Impact : A local attacker could possibly execute arbitrary code with the privileges of the process, could gain privileges on the host system, cause a Denial of Service condition, or obtain sensitive information. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 96231 published 2017-01-03 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96231 title GLSA-201612-56 : Xen: Multiple vulnerabilities NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-0718-1.NASL description This update for xen fixes several issues. These security issues were fixed : - CVE-2016-10155: The virtual hardware watchdog last seen 2020-06-01 modified 2020-06-02 plugin id 97828 published 2017-03-20 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/97828 title SUSE SLES11 Security Update : xen (SUSE-SU-2017:0718-1) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3847.NASL description Jan Beulich and Jann Horn discovered multiple vulnerabilities in the Xen hypervisor, which may lead to privilege escalation, guest-to-host breakout, denial of service or information leaks. In additional to the CVE identifiers listed above, this update also addresses the vulnerabilities announced as XSA-213, XSA-214 and XSA-215. last seen 2020-06-01 modified 2020-06-02 plugin id 100071 published 2017-05-10 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100071 title Debian DSA-3847-1 : xen - security update NASL family Misc. NASL id CITRIX_XENSERVER_CTX219378.NASL description The version of Citrix XenServer installed on the remote host is missing a security hotfix. It is, therefore, affected by multiple vulnerabilities : - A flaw exists in x86 instruction CMPXCHG8B due to legacy operand size overrides not being properly ignored when handling prefixes. A guest attacker can exploit this to disclose potentially sensitive information on the host system. Note that the ability to read a small amount of hypervisor memory is restricted to privileged-mode code in all guests except on Citrix XenServer 6.2 SP1 and 6.0.2CC, where the attack may also be performed from non-privileged-mode code in HVM guest VMs. (CVE-2016-9932) - A denial of service vulnerability exists when a guest asynchronously modifies its instruction stream to effect the clearing of EFLAGS.IF. A guest attacker can exploit this to cause the host to hang or crash. (CVE-2016-10024) - A denial of service vulnerability exists due to a NULL pointer dereference flaw that is triggered when the hvmemul_vmfunc() function pointer uses inappropriate NULL checks before indirect function calls. A guest attacker can exploit this to cause the hypervisor to crash. Note that the ability of privileged-mode code in HVM guest VMs to crash the host is restricted to AMD systems running Citrix XenServer 7.0. (CVE-2016-10025) last seen 2020-06-01 modified 2020-06-02 plugin id 96778 published 2017-01-25 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96778 title Citrix XenServer Multiple Vulnerabilities (CTX219378) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-3207-1.NASL description This update for xen fixes the following issues : - A Mishandling of SYSCALL singlestep during emulation which could have lead to privilege escalation. (XSA-204, bsc#1016340, CVE-2016-10013) - CMPXCHG8B emulation failed to ignore operand size override which could have lead to information disclosure. (XSA-200, bsc#1012651, CVE-2016-9932) - PV guests may have been able to mask interrupts causing a Denial of Service. (XSA-202, bsc#1014298, CVE-2016-10024) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 96075 published 2016-12-22 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96075 title SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2016:3207-1) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2018-0248.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0248 for details. last seen 2020-06-01 modified 2020-06-02 plugin id 111992 published 2018-08-20 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111992 title OracleVM 3.4 : xen (OVMSA-2018-0248) (Bunker Buster) (Foreshadow) (Meltdown) (POODLE) (Spectre) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2017-0007.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - BUILDINFO: xen commit=9f3030e391274b89deb80c86a6343dac473916b3 - BUILDINFO: QEMU upstream commit=f663d3dd4e968756d33e29cb2c2c956cabbdd4ca - BUILDINFO: QEMU traditional commit=bc33fbc6f9a004dc11dcc18f1c5c755a60b65b73 - BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e - BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee - x86: force EFLAGS.IF on when exiting to PV guests (Jan Beulich) [Orabug: 25235009] (CVE-2016-10024) - Rombios: large disk support for LBA48 to L-CHS translation (Bhavesh Davda) [Orabug: 25304859] - x86/emul: Correct the handling of eflags with SYSCALL (Andrew Cooper) [Orabug: 25294731] (CVE-2016-10013) last seen 2020-06-01 modified 2020-06-02 plugin id 96520 published 2017-01-16 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96520 title OracleVM 3.4 : xen (OVMSA-2017-0007) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_3AE078CAC7EB11E6AE1B002590263BF5.NASL description The Xen Project reports : Certain PV guest kernel operations (page table writes in particular) need emulation, and use Xen last seen 2020-06-01 modified 2020-06-02 plugin id 96058 published 2016-12-22 reporter This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96058 title FreeBSD : xen-kernel -- x86 PV guests may be able to mask interrupts (3ae078ca-c7eb-11e6-ae1b-002590263bf5) NASL family Misc. NASL id XEN_SERVER_XSA-202.NASL description According to its self-reported version number, the Xen hypervisor installed on the remote host is missing a security update. It is, therefore, affected by a denial of service vulnerability due to a flaw in the x86 instruction emulator whenever a guest asynchronously modifies its instruction stream to effect the clearing of EFLAGS.IF. An attacker who has guest kernel administrator privileges can exploit this issue to cause the host to hang or crash. Please note the following items : - Only x86 PV guests can exploit the vulnerability. - Neither ARM guests nor x86 HVM guests can exploit the vulnerability. Note that Nessus has not tested for this vulnerability but has instead relied only on the changeset versions based on the xen.git change log. Nessus did not check guest hardware configurations or if patches were applied manually to the source code before a recompile and reinstall. last seen 2020-06-01 modified 2020-06-02 plugin id 96958 published 2017-02-02 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96958 title Xen Asynchronous Modification EFLAGS.IF Clearing DoS (XSA-202) NASL family Fedora Local Security Checks NASL id FEDORA_2016-92E3EA2D1B.NASL description two security flaws (#1406840) x86 PV guests may be able to mask interrupts [XSA-202, CVE-2016-10024] x86: missing NULL pointer check in VMFUNC emulation [XSA-203, CVE-2016-10025] x86: Mishandling of SYSCALL singlestep during emulation [XSA-204, CVE-2016-10013] (#1406260) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-12-28 plugin id 96158 published 2016-12-28 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96158 title Fedora 25 : xen (2016-92e3ea2d1b) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2017-0009.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - From: Jan Beulich Subject: x86: force EFLAGS.IF on when exiting to PV guests Guest kernels modifying instructions in the process of being emulated for another of their vCPU-s may effect EFLAGS.IF to be cleared upon next exiting to guest context, by converting the being emulated instruction to CLI (at the right point in time). Prevent any such bad effects by always forcing EFLAGS.IF on. And to cover hypothetical other similar issues, also force EFLAGS.[IOPL,NT,VM] to zero. This is XSA-202. Conflict: xen/arch/x86/x86_64/compat/entry.S (CVE-2016-10024) - From 4d246723a85a03406e4969a260291e11b8e05960 Mon Sep 17 00:00:00 2001 x86: use MOV instead of PUSH/POP when saving/restoring register state (CVE-2016-10024) - From: Andrew Cooper Date: Sun, 18 Dec 2016 15:42:59 +0000 Subject: [PATCH] x86/emul: Correct the handling of eflags with SYSCALL A singlestep #DB is determined by the resulting eflags value from the execution of SYSCALL, not the original eflags value. By using the original eflags value, we negate the guest kernels attempt to protect itself from a privilege escalation by masking TF. Introduce a tf boolean and have the SYSCALL emulation recalculate it after the instruction is complete. This is XSA-204 Conflict: xen/arch/x86/x86_emulate/x86_emulate.c (CVE-2016-10013) last seen 2020-06-01 modified 2020-06-02 plugin id 96522 published 2017-01-16 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96522 title OracleVM 3.2 : xen (OVMSA-2017-0009) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-3208-1.NASL description This update for xen fixes the following issues : - A Mishandling of SYSCALL singlestep during emulation which could have lead to privilege escalation. (XSA-204, bsc#1016340, CVE-2016-10013) - CMPXCHG8B emulation failed to ignore operand size override which could have lead to information disclosure. (XSA-200, bsc#1012651, CVE-2016-9932) - PV guests may have been able to mask interrupts causing a Denial of Service. (XSA-202, bsc#1014298, CVE-2016-10024) - A missing NULL pointer check in VMFUNC emulation could lead to a hypervisor crash leading to a Denial of Servce. (XSA-203, bsc#1014300, CVE-2016-10025) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 96076 published 2016-12-22 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96076 title SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2016:3208-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-3221-1.NASL description This update for xen fixes the following issues : - A Mishandling of SYSCALL singlestep during emulation which could have lead to privilege escalation. (XSA-204, bsc#1016340, CVE-2016-10013) - CMPXCHG8B emulation failed to ignore operand size override which could have lead to information disclosure. (XSA-200, bsc#1012651, CVE-2016-9932) - PV guests may have been able to mask interrupts causing a Denial of Service. (XSA-202, bsc#1014298, CVE-2016-10024) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 96081 published 2016-12-22 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96081 title SUSE SLES11 Security Update : xen (SUSE-SU-2016:3221-1)
References
- http://www.debian.org/security/2017/dsa-3847
- http://www.debian.org/security/2017/dsa-3847
- http://www.securityfocus.com/bid/95021
- http://www.securityfocus.com/bid/95021
- http://www.securitytracker.com/id/1037517
- http://www.securitytracker.com/id/1037517
- http://xenbits.xen.org/xsa/advisory-202.html
- http://xenbits.xen.org/xsa/advisory-202.html
- https://security.gentoo.org/glsa/201612-56
- https://security.gentoo.org/glsa/201612-56
- https://support.citrix.com/article/CTX219378
- https://support.citrix.com/article/CTX219378