Vulnerabilities > CVE-2016-10025 - NULL Pointer Dereference vulnerability in multiple products
Attack vector
LOCAL Attack complexity
LOW Privileges required
LOW Confidentiality impact
NONE Integrity impact
NONE Availability impact
HIGH Summary
VMFUNC emulation in Xen 4.6.x through 4.8.x on x86 systems using AMD virtualization extensions (aka SVM) allows local HVM guest OS users to cause a denial of service (hypervisor crash) by leveraging a missing NULL pointer check.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | 7 | |
Application | 4 |
Common Weakness Enumeration (CWE)
Nessus
NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-2.NASL description This update for xen fixes the following issues : - A Mishandling of SYSCALL singlestep during emulation which could have lead to privilege escalation. (XSA-204, bsc#1016340, CVE-2016-10013) - CMPXCHG8B emulation failed to ignore operand size override which could have lead to information disclosure. (XSA-200, bsc#1012651, CVE-2016-9932) - PV guests may have been able to mask interrupts causing a Denial of Service. (XSA-202, bsc#1014298, CVE-2016-10024) - A missing NULL pointer check in VMFUNC emulation could lead to a hypervisor crash leading to a Denial of Servce. (XSA-203, bsc#1014300, CVE-2016-10025) This update was imported from the SUSE:SLE-12-SP2:Update update project. last seen 2020-06-05 modified 2017-01-03 plugin id 96250 published 2017-01-03 reporter This script is Copyright (C) 2017-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/96250 title openSUSE Security Update : xen (openSUSE-2017-2) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2017-2. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(96250); script_version("3.6"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/07/10"); script_cve_id("CVE-2016-10013", "CVE-2016-10024", "CVE-2016-10025", "CVE-2016-9932"); script_xref(name:"IAVB", value:"2017-B-0008-S"); script_name(english:"openSUSE Security Update : xen (openSUSE-2017-2)"); script_summary(english:"Check for the openSUSE-2017-2 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update for xen fixes the following issues : - A Mishandling of SYSCALL singlestep during emulation which could have lead to privilege escalation. (XSA-204, bsc#1016340, CVE-2016-10013) - CMPXCHG8B emulation failed to ignore operand size override which could have lead to information disclosure. (XSA-200, bsc#1012651, CVE-2016-9932) - PV guests may have been able to mask interrupts causing a Denial of Service. (XSA-202, bsc#1014298, CVE-2016-10024) - A missing NULL pointer check in VMFUNC emulation could lead to a hypervisor crash leading to a Denial of Servce. (XSA-203, bsc#1014300, CVE-2016-10025) This update was imported from the SUSE:SLE-12-SP2:Update update project." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1012651" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1014298" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1014300" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1016340" ); script_set_attribute(attribute:"solution", value:"Update the affected xen packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-doc-html"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-libs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-libs-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-libs-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-libs-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-tools"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-tools-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-tools-domU"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-tools-domU-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.2"); script_set_attribute(attribute:"patch_publication_date", value:"2017/01/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/03"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2020 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE42\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.2", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE42.2", reference:"xen-debugsource-4.7.1_04-6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"xen-devel-4.7.1_04-6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"xen-libs-4.7.1_04-6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"xen-libs-debuginfo-4.7.1_04-6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"xen-tools-domU-4.7.1_04-6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"xen-tools-domU-debuginfo-4.7.1_04-6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"xen-4.7.1_04-6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"xen-doc-html-4.7.1_04-6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"xen-libs-32bit-4.7.1_04-6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"xen-libs-debuginfo-32bit-4.7.1_04-6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"xen-tools-4.7.1_04-6.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"xen-tools-debuginfo-4.7.1_04-6.1") ) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen-debugsource / xen-devel / xen-libs-32bit / xen-libs / etc"); }
NASL family Fedora Local Security Checks NASL id FEDORA_2016-BC02BFF7F5.NASL description two security flaws (#1406840) x86 PV guests may be able to mask interrupts [XSA-202, CVE-2016-10024] x86: missing NULL pointer check in VMFUNC emulation [XSA-203, CVE-2016-10025] x86: Mishandling of SYSCALL singlestep during emulation [XSA-204, CVE-2016-10013] (#1406260) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-01-03 plugin id 96216 published 2017-01-03 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96216 title Fedora 24 : xen (2016-bc02bff7f5) NASL family Misc. NASL id CITRIX_XENSERVER_CTX219378.NASL description The version of Citrix XenServer installed on the remote host is missing a security hotfix. It is, therefore, affected by multiple vulnerabilities : - A flaw exists in x86 instruction CMPXCHG8B due to legacy operand size overrides not being properly ignored when handling prefixes. A guest attacker can exploit this to disclose potentially sensitive information on the host system. Note that the ability to read a small amount of hypervisor memory is restricted to privileged-mode code in all guests except on Citrix XenServer 6.2 SP1 and 6.0.2CC, where the attack may also be performed from non-privileged-mode code in HVM guest VMs. (CVE-2016-9932) - A denial of service vulnerability exists when a guest asynchronously modifies its instruction stream to effect the clearing of EFLAGS.IF. A guest attacker can exploit this to cause the host to hang or crash. (CVE-2016-10024) - A denial of service vulnerability exists due to a NULL pointer dereference flaw that is triggered when the hvmemul_vmfunc() function pointer uses inappropriate NULL checks before indirect function calls. A guest attacker can exploit this to cause the hypervisor to crash. Note that the ability of privileged-mode code in HVM guest VMs to crash the host is restricted to AMD systems running Citrix XenServer 7.0. (CVE-2016-10025) last seen 2020-06-01 modified 2020-06-02 plugin id 96778 published 2017-01-25 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96778 title Citrix XenServer Multiple Vulnerabilities (CTX219378) NASL family Misc. NASL id XEN_SERVER_XSA-203.NASL description According to its self-reported version number, the Xen hypervisor installed on the remote host is missing a security update. It is, therefore, affected by a NULL pointer dereference flaw due to a failure to utilize necessary NULL checks before doing indirect function calls through the hvmemul_vmfunc() function pointer. A guest attacker can exploit this issue to cause the hypervisor to crash, resulting in a denial of service condition. Please note the following items : - Only HVM guests can exploit the vulnerability. PV guests cannot exploit the vulnerability. - Only x86 systems are vulnerable that use SVM (AMD virtualization extensions) rather than VMX (Intel virtualization extensions). This applies to HVM guests on AMD x86 CPUs. Therefore, AMD x86 hardware is vulnerable whereas Intel hardware is not. - ARM systems are not affected by the vulnerability. Note that Nessus has not tested for this vulnerability but has instead relied only on the changeset versions based on the xen.git change log. Nessus did not check guest hardware configurations or if patches were applied manually to the source code before a recompile and reinstall. last seen 2020-06-01 modified 2020-06-02 plugin id 96959 published 2017-02-02 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96959 title Xen Intel VMX hvmemul_vmfunc() NULL Pointer Dereference DoS (XSA-203) NASL family Fedora Local Security Checks NASL id FEDORA_2016-92E3EA2D1B.NASL description two security flaws (#1406840) x86 PV guests may be able to mask interrupts [XSA-202, CVE-2016-10024] x86: missing NULL pointer check in VMFUNC emulation [XSA-203, CVE-2016-10025] x86: Mishandling of SYSCALL singlestep during emulation [XSA-204, CVE-2016-10013] (#1406260) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-12-28 plugin id 96158 published 2016-12-28 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96158 title Fedora 25 : xen (2016-92e3ea2d1b) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-3208-1.NASL description This update for xen fixes the following issues : - A Mishandling of SYSCALL singlestep during emulation which could have lead to privilege escalation. (XSA-204, bsc#1016340, CVE-2016-10013) - CMPXCHG8B emulation failed to ignore operand size override which could have lead to information disclosure. (XSA-200, bsc#1012651, CVE-2016-9932) - PV guests may have been able to mask interrupts causing a Denial of Service. (XSA-202, bsc#1014298, CVE-2016-10024) - A missing NULL pointer check in VMFUNC emulation could lead to a hypervisor crash leading to a Denial of Servce. (XSA-203, bsc#1014300, CVE-2016-10025) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 96076 published 2016-12-22 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96076 title SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2016:3208-1)
References
- http://www.securityfocus.com/bid/95026
- http://www.securityfocus.com/bid/95026
- http://www.securitytracker.com/id/1037518
- http://www.securitytracker.com/id/1037518
- http://xenbits.xen.org/xsa/advisory-203.html
- http://xenbits.xen.org/xsa/advisory-203.html
- https://support.citrix.com/article/CTX219378
- https://support.citrix.com/article/CTX219378