Vulnerabilities > CVE-2016-3159 - Improper Access Control vulnerability in multiple products

CVSS 1.7 - LOW

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

PARTIAL

Integrity impact

NONE

Availability impact

NONE

local

low complexity

nessus

NVD

Published: 2016-04-13

Updated: 2019-02-21

Summary

The fpu_fxrstor function in arch/x86/i387.c in Xen 4.x does not properly handle writes to the hardware FSW.ES bit when running on AMD64 processors, which allows local guest OS users to obtain sensitive register content information from another guest by leveraging pending exception and mask bits. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-2076.

Vulnerable Configurations

Part	Description	Count
OS	Oracle Oracle VM Server 3.3 Oracle VM Server 3.4	2
OS	Xen XEN XEN 4.3.0 XEN XEN 4.3.1 XEN XEN 4.3.2 XEN XEN 4.3.3 XEN XEN 4.3.4 XEN XEN 4.4.0 XEN XEN 4.4.1 XEN XEN 4.4.2 XEN XEN 4.4.3 XEN XEN 4.4.4 XEN XEN 4.5.0 XEN XEN 4.5.1 XEN XEN 4.5.2 XEN XEN 4.5.3 XEN XEN 4.6.0 XEN XEN 4.6.1	55
OS	Fedoraproject Fedoraproject Fedora 22 Fedoraproject Fedora 23	2
OS	Debian Debian Debian Linux 8.0	1

Common Weakness Enumeration (CWE)

CWE-284 - Improper Access Control

Common Attack Pattern Enumeration and Classification (CAPEC)

Embedding Scripts within Scripts
An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute scripts to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side, client side scripts like Ajax and client side JavaScript can contain malicious scripts as well. In general all that is required is for there to be sufficient privileges to execute a script, but not protected against writing.
Signature Spoofing by Key Theft
An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Nessus

NASL family	OracleVM Local Security Checks
NASL id	ORACLEVM_OVMSA-2016-0081.NASL
description	The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2016-0081 for details.
last seen	2020-06-01
modified	2020-06-02
plugin id	91756
published	2016-06-22
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/91756
title	OracleVM 3.2 : xen (OVMSA-2016-0081)
code	# # (C) Tenable Network Security, Inc. # # The package checks in this plugin were extracted from OracleVM # Security Advisory OVMSA-2016-0081. # include("compat.inc"); if (description) { script_id(91756); script_version("2.6"); script_cvs_date("Date: 2019/09/27 13:00:35"); script_cve_id("CVE-2013-6375", "CVE-2014-3615", "CVE-2015-5307", "CVE-2015-7504", "CVE-2015-7835", "CVE-2015-7969", "CVE-2015-7971", "CVE-2015-8339", "CVE-2015-8340", "CVE-2015-8550", "CVE-2015-8554", "CVE-2015-8555", "CVE-2016-1570", "CVE-2016-1571", "CVE-2016-2270", "CVE-2016-3158", "CVE-2016-3159", "CVE-2016-3710", "CVE-2016-3712", "CVE-2016-3960"); script_bugtraq_id(63830, 69654); script_name(english:"OracleVM 3.2 : xen (OVMSA-2016-0081)"); script_summary(english:"Checks the RPM output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote OracleVM host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2016-0081 for details." ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/oraclevm-errata/2016-June/000495.html" ); script_set_attribute( attribute:"solution", value:"Update the affected xen / xen-devel / xen-tools packages." ); script_set_cvss_base_vector("CVSS2#AV:A/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen-tools"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:3.2"); script_set_attribute(attribute:"vuln_publication_date", value:"2013/11/23"); script_set_attribute(attribute:"patch_publication_date", value:"2016/06/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/06/22"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"OracleVM Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/OracleVM/release"); if (isnull(release) \|\| "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM"); if (! preg(pattern:"^OVS" + "3\.2" + "(\.[0-9]\|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 3.2", "OracleVM " + release); if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu); if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu); flag = 0; if (rpm_check(release:"OVS3.2", reference:"xen-4.1.3-25.el5.223.26")) flag++; if (rpm_check(release:"OVS3.2", reference:"xen-devel-4.1.3-25.el5.223.26")) flag++; if (rpm_check(release:"OVS3.2", reference:"xen-tools-4.1.3-25.el5.223.26")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen / xen-devel / xen-tools"); }

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2016-2533-1.NASL
description	This update for xen fixes several issues. These security issues were fixed : - CVE-2014-3672: The qemu implementation in libvirt Xen allowed local guest OS users to cause a denial of service (host disk consumption) by writing to stdout or stderr (bsc#981264). - CVE-2016-3158: The xrstor function did not properly handle writes to the hardware FSW.ES bit when running on AMD64 processors, which allowed local guest OS users to obtain sensitive register content information from another guest by leveraging pending exception and mask bits (bsc#973188). - CVE-2016-3159: The fpu_fxrstor function in arch/x86/i387.c did not properly handle writes to the hardware FSW.ES bit when running on AMD64 processors, which allowed local guest OS users to obtain sensitive register content information from another guest by leveraging pending exception and mask bits (bsc#973188). - CVE-2016-3710: The VGA module improperly performed bounds checking on banked access to video memory, which allowed local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register, aka the
last seen	2020-06-01
modified	2020-06-02
plugin id	94269
published	2016-10-26
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/94269
title	SUSE SLES12 Security Update : xen (SUSE-SU-2016:2533-1) (Bunker Buster)

NASL family	OracleVM Local Security Checks
NASL id	ORACLEVM_OVMSA-2016-0089.NASL
description	The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2016-0089 for details.
last seen	2020-06-01
modified	2020-06-02
plugin id	92601
published	2016-07-28
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/92601
title	OracleVM 3.3 : xen (OVMSA-2016-0089)

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DLA-571.NASL
description	Multiple vulnerabilities have been discovered in the Xen hypervisor. The Common Vulnerabilities and Exposures project identifies the following problems : CVE-2014-3672 (XSA-180) Andrew Sorensen discovered that a HVM domain can exhaust the hosts disk space by filling up the log file. CVE-2016-3158, CVE-2016-3159 (XSA-172) Jan Beulich from SUSE discovered that Xen does not properly handle writes to the hardware FSW.ES bit when running on AMD64 processors. A malicious domain can take advantage of this flaw to obtain address space usage and timing information, about another domain, at a fairly low rate. CVE-2016-3710 (XSA-179) Wei Xiao and Qinghao Tang of 360.cn Inc discovered an out-of-bounds read and write flaw in the QEMU VGA module. A privileged guest user could use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process. CVE-2016-3712 (XSA-179) Zuozhi Fzz of Alibaba Inc discovered potential integer overflow or out-of-bounds read access issues in the QEMU VGA module. A privileged guest user could use this flaw to mount a denial of service (QEMU process crash). CVE-2016-3960 (XSA-173) Ling Liu and Yihan Lian of the Cloud Security Team, Qihoo 360 discovered an integer overflow in the x86 shadow pagetable code. A HVM guest using shadow pagetables can cause the host to crash. A PV guest using shadow pagetables (i.e. being migrated) with PV superpages enabled (which is not the default) can crash the host, or corrupt hypervisor memory, potentially leading to privilege escalation. CVE-2016-4480 (XSA-176) Jan Beulich discovered that incorrect page table handling could result in privilege escalation inside a Xen guest instance. CVE-2016-6258 (XSA-182) Jérémie Boutoille discovered that incorrect pagetable handling in PV instances could result in guest to host privilege escalation. Additionally this Xen Security Advisory without a CVE was fixed : XSA-166 Konrad Rzeszutek Wilk and Jan Beulich discovered that ioreq handling is possibly susceptible to a multiple read issue. For Debian 7
last seen	2020-03-17
modified	2016-08-01
plugin id	92635
published	2016-08-01
reporter	This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/92635
title	Debian DLA-571-1 : xen security update (Bunker Buster)

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-3554.NASL
description	Multiple vulnerabilities have been discovered in the Xen hypervisor. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2016-3158, CVE-2016-3159 (XSA-172) Jan Beulich from SUSE discovered that Xen does not properly handle writes to the hardware FSW.ES bit when running on AMD64 processors. A malicious domain can take advantage of this flaw to obtain address space usage and timing information, about another domain, at a fairly low rate. - CVE-2016-3960 (XSA-173) Ling Liu and Yihan Lian of the Cloud Security Team, Qihoo 360 discovered an integer overflow in the x86 shadow pagetable code. A HVM guest using shadow pagetables can cause the host to crash. A PV guest using shadow pagetables (i.e. being migrated) with PV superpages enabled (which is not the default) can crash the host, or corrupt hypervisor memory, potentially leading to privilege escalation.
last seen	2020-06-01
modified	2020-06-02
plugin id	90638
published	2016-04-22
reporter	This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/90638
title	Debian DSA-3554-1 : xen - security update

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2016-2528-1.NASL
description	This update for xen fixes several issues. These security issues were fixed : - CVE-2016-7094: Buffer overflow in Xen allowed local x86 HVM guest OS administrators on guests running with shadow paging to cause a denial of service via a pagetable update (bsc#995792) - CVE-2016-7092: The get_page_from_l3e function in arch/x86/mm.c in Xen allowed local 32-bit PV guest OS administrators to gain host OS privileges via vectors related to L3 recursive pagetables (bsc#995785) - CVE-2016-6258: The PV pagetable code in arch/x86/mm.c in Xen allowed local 32-bit PV guest OS administrators to gain host OS privileges by leveraging fast-paths for updating pagetable entries (bsc#988675) - CVE-2016-5338: The (1) esp_reg_read and (2) esp_reg_write functions allowed local guest OS administrators to cause a denial of service (QEMU process crash) or execute arbitrary code on the host via vectors related to the information transfer buffer (bsc#983984) - CVE-2016-5238: The get_cmd function in hw/scsi/esp.c might have allowed local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to reading from the information transfer buffer in non-DMA mode (bsc#982960) - CVE-2014-3672: The qemu implementation in libvirt Xen allowed local guest OS users to cause a denial of service (host disk consumption) by writing to stdout or stderr (bsc#981264) - CVE-2016-4441: The get_cmd function in the 53C9X Fast SCSI Controller (FSC) support did not properly check DMA length, which allowed local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via unspecified vectors, involving an SCSI command (bsc#980724) - CVE-2016-4439: The esp_reg_write function in the 53C9X Fast SCSI Controller (FSC) support did not properly check command buffer length, which allowed local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or potentially execute arbitrary code on the host via unspecified vectors (bsc#980716) - CVE-2016-3710: The VGA module improperly performed bounds checking on banked access to video memory, which allowed local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register, aka the
last seen	2020-06-01
modified	2020-06-02
plugin id	94267
published	2016-10-26
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/94267
title	SUSE SLES11 Security Update : xen (SUSE-SU-2016:2528-1) (Bunker Buster)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2016-2093-1.NASL
description	This update for xen to version 4.5.3 fixes the several issues. These security issues were fixed : - CVE-2016-6258: Potential privilege escalation in PV guests (XSA-182) (bsc#988675). - CVE-2016-6259: Missing SMAP whitelisting in 32-bit exception / event delivery (XSA-183) (bsc#988676). - CVE-2016-5337: The megasas_ctrl_get_info function allowed local guest OS administrators to obtain sensitive host memory information via vectors related to reading device control information (bsc#983973). - CVE-2016-5338: The (1) esp_reg_read and (2) esp_reg_write functions allowed local guest OS administrators to cause a denial of service (QEMU process crash) or execute arbitrary code on the host via vectors related to the information transfer buffer (bsc#983984). - CVE-2016-5238: The get_cmd function in hw/scsi/esp.c might have allowed local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to reading from the information transfer buffer in non-DMA mode (bsc#982960). - CVE-2016-4453: The vmsvga_fifo_run function allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a VGA command (bsc#982225). - CVE-2016-4454: The vmsvga_fifo_read_raw function allowed local guest OS administrators to obtain sensitive host memory information or cause a denial of service (QEMU process crash) by changing FIFO registers and issuing a VGA command, which triggered an out-of-bounds read (bsc#982224). - CVE-2016-5126: Heap-based buffer overflow in the iscsi_aio_ioctl function allowed local guest OS users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code via a crafted iSCSI asynchronous I/O ioctl call (bsc#982286). - CVE-2016-5105: Stack information leakage while reading configuration (bsc#982024). - CVE-2016-5106: Out-of-bounds write while setting controller properties (bsc#982025). - CVE-2016-5107: Out-of-bounds read in megasas_lookup_frame() function (bsc#982026). - CVE-2016-4963: The libxl device-handling allowed local guest OS users with access to the driver domain to cause a denial of service (management tool confusion) by manipulating information in the backend directories in xenstore (bsc#979670). - CVE-2016-4962: The libxl device-handling allowed local OS guest administrators to cause a denial of service (resource consumption or management facility confusion) or gain host OS privileges by manipulating information in guest controlled areas of xenstore (bsc#979620). - CVE-2016-4952: Out-of-bounds access issue in pvsci_ring_init_msg/data routines (bsc#981276). - CVE-2014-3672: The qemu implementation in libvirt Xen allowed local guest OS users to cause a denial of service (host disk consumption) by writing to stdout or stderr (bsc#981264). - CVE-2016-4441: The get_cmd function in the 53C9X Fast SCSI Controller (FSC) support did not properly check DMA length, which allowed local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via unspecified vectors, involving an SCSI command (bsc#980724). - CVE-2016-4439: The esp_reg_write function in the 53C9X Fast SCSI Controller (FSC) support did not properly check command buffer length, which allowed local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or potentially execute arbitrary code on the host via unspecified vectors (bsc#980716). - CVE-2016-3710: The VGA module improperly performed bounds checking on banked access to video memory, which allowed local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register, aka the
last seen	2020-06-01
modified	2020-06-02
plugin id	93296
published	2016-09-02
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/93296
title	SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2016:2093-1) (Bunker Buster)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2016-2100-1.NASL
description	This update for xen fixes the several issues. These security issues were fixed : - CVE-2014-3672: The qemu implementation in libvirt Xen allowed local guest OS users to cause a denial of service (host disk consumption) by writing to stdout or stderr (bsc#981264). - CVE-2016-3158: The xrstor function did not properly handle writes to the hardware FSW.ES bit when running on AMD64 processors, which allowed local guest OS users to obtain sensitive register content information from another guest by leveraging pending exception and mask bits (bsc#973188). - CVE-2016-3159: The fpu_fxrstor function in arch/x86/i387.c did not properly handle writes to the hardware FSW.ES bit when running on AMD64 processors, which allowed local guest OS users to obtain sensitive register content information from another guest by leveraging pending exception and mask bits (bsc#973188). - CVE-2016-3710: The VGA module improperly performed bounds checking on banked access to video memory, which allowed local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register, aka the
last seen	2020-06-01
modified	2020-06-02
plugin id	93298
published	2016-09-02
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/93298
title	SUSE SLES11 Security Update : xen (SUSE-SU-2016:2100-1) (Bunker Buster)

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2016-5F196E4E4A.NASL
description	update to 4.5.3 ---- broken AMD FPU FIP/FDP/FOP leak workaround [XSA-172, CVE-2016-3158, CVE-2016-3159] Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-05
modified	2016-04-13
plugin id	90460
published	2016-04-13
reporter	This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/90460
title	Fedora 22 : xen-4.5.3-1.fc22 (2016-5f196e4e4a)

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2016-E5432CA977.NASL
description	update to 4.5.3 ---- broken AMD FPU FIP/FDP/FOP leak workaround [XSA-172, CVE-2016-3158, CVE-2016-3159] Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-05
modified	2016-04-13
plugin id	90470
published	2016-04-13
reporter	This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/90470
title	Fedora 23 : xen-4.5.3-1.fc23 (2016-e5432ca977)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2016-2725-1.NASL
description	This update for xen fixes several issues. These security issues were fixed : - CVE-2016-7094: Buffer overflow in Xen allowed local x86 HVM guest OS administrators on guests running with shadow paging to cause a denial of service via a pagetable update (bsc#995792) - CVE-2016-7092: The get_page_from_l3e function in arch/x86/mm.c in Xen allowed local 32-bit PV guest OS administrators to gain host OS privileges via vectors related to L3 recursive pagetables (bsc#995785) - CVE-2016-5403: Unbounded memory allocation allowed a guest administrator to cause a denial of service of the host (bsc#990923) - CVE-2016-6351: The esp_do_dma function in hw/scsi/esp.c, when built with ESP/NCR53C9x controller emulation support, allowed local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or execute arbitrary code on the host via vectors involving DMA read into ESP command buffer (bsc#990843) - CVE-2016-6258: The PV pagetable code in arch/x86/mm.c in Xen allowed local 32-bit PV guest OS administrators to gain host OS privileges by leveraging fast-paths for updating pagetable entries (bsc#988675) - CVE-2016-5338: The (1) esp_reg_read and (2) esp_reg_write functions allowed local guest OS administrators to cause a denial of service (QEMU process crash) or execute arbitrary code on the host via vectors related to the information transfer buffer (bsc#983984) - CVE-2016-5238: The get_cmd function in hw/scsi/esp.c might have allowed local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to reading from the information transfer buffer in non-DMA mode (bsc#982960) - CVE-2016-4453: The vmsvga_fifo_run function allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a VGA command (bsc#982225) - CVE-2016-4454: The vmsvga_fifo_read_raw function allowed local guest OS administrators to obtain sensitive host memory information or cause a denial of service (QEMU process crash) by changing FIFO registers and issuing a VGA command, which triggered an out-of-bounds read (bsc#982224) - CVE-2014-3672: The qemu implementation in libvirt Xen allowed local guest OS users to cause a denial of service (host disk consumption) by writing to stdout or stderr (bsc#981264) - CVE-2016-4441: The get_cmd function in the 53C9X Fast SCSI Controller (FSC) support did not properly check DMA length, which allowed local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via unspecified vectors, involving an SCSI command (bsc#980724) - CVE-2016-4439: The esp_reg_write function in the 53C9X Fast SCSI Controller (FSC) support did not properly check command buffer length, which allowed local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or potentially execute arbitrary code on the host via unspecified vectors (bsc#980716) - CVE-2016-3710: The VGA module improperly performed bounds checking on banked access to video memory, which allowed local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register, aka the
last seen	2020-06-01
modified	2020-06-02
plugin id	94608
published	2016-11-07
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/94608
title	SUSE SLES11 Security Update : xen (SUSE-SU-2016:2725-1) (Bunker Buster)

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2016-1169.NASL
description	This update for xen fixes the following issues : These security issues were fixed : - CVE-2016-7092: The get_page_from_l3e function in arch/x86/mm.c in Xen allowed local 32-bit PV guest OS administrators to gain host OS privileges via vectors related to L3 recursive pagetables (bsc#995785) - CVE-2016-7093: Xen allowed local HVM guest OS administrators to overwrite hypervisor memory and consequently gain host OS privileges by leveraging mishandling of instruction pointer truncation during emulation (bsc#995789) - CVE-2016-7094: Buffer overflow in Xen allowed local x86 HVM guest OS administrators on guests running with shadow paging to cause a denial of service via a pagetable update (bsc#995792) - CVE-2016-7154: Use-after-free vulnerability in the FIFO event channel code in Xen allowed local guest OS administrators to cause a denial of service (host crash) and possibly execute arbitrary code or obtain sensitive information via an invalid guest frame number (bsc#997731) - CVE-2016-6836: VMWARE VMXNET3 NIC device support was leaging information leakage. A privileged user inside guest could have used this to leak host memory bytes to a guest (boo#994761) - CVE-2016-6888: Integer overflow in packet initialisation in VMXNET3 device driver. A privileged user inside guest could have used this flaw to crash the Qemu instance resulting in DoS (bsc#994772) - CVE-2016-6833: Use-after-free issue in the VMWARE VMXNET3 NIC device support. A privileged user inside guest could have used this issue to crash the Qemu instance resulting in DoS (boo#994775) - CVE-2016-6835: Buffer overflow in the VMWARE VMXNET3 NIC device support, causing an OOB read access (bsc#994625) - CVE-2016-6834: A infinite loop during packet fragmentation in the VMWARE VMXNET3 NIC device support allowed privileged user inside guest to crash the Qemu instance resulting in DoS (bsc#994421) - CVE-2016-6258: The PV pagetable code in arch/x86/mm.c in Xen allowed local 32-bit PV guest OS administrators to gain host OS privileges by leveraging fast-paths for updating pagetable entries (bsc#988675) - CVE-2016-5403: The virtqueue_pop function in hw/virtio/virtio.c in QEMU allowed local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by submitting requests without waiting for completion (boo#990923) - CVE-2016-6351: The esp_do_dma function in hw/scsi/esp.c, when built with ESP/NCR53C9x controller emulation support, allowed local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or execute arbitrary code on the host via vectors involving DMA read into ESP command buffer (bsc#990843) - CVE-2016-6258: The PV pagetable code in arch/x86/mm.c in Xen allowed local 32-bit PV guest OS administrators to gain host OS privileges by leveraging fast-paths for updating pagetable entries (bsc#988675) - CVE-2016-5337: The megasas_ctrl_get_info function in hw/scsi/megasas.c in QEMU allowed local guest OS administrators to obtain sensitive host memory information via vectors related to reading device control information (bsc#983973) - CVE-2016-5338: The (1) esp_reg_read and (2) esp_reg_write functions in hw/scsi/esp.c in QEMU allowed local guest OS administrators to cause a denial of service (QEMU process crash) or execute arbitrary code on the QEMU host via vectors related to the information transfer buffer (bsc#983984) - CVE-2016-5238: The get_cmd function in hw/scsi/esp.c in QEMU allowed local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to reading from the information transfer buffer in non-DMA mode (bsc#982960) - CVE-2016-4453: The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a VGA command (bsc#982225) - CVE-2016-4454: The vmsvga_fifo_read_raw function in hw/display/vmware_vga.c in QEMU allowed local guest OS administrators to obtain sensitive host memory information or cause a denial of service (QEMU process crash) by changing FIFO registers and issuing a VGA command, which triggers an out-of-bounds read (bsc#982224) - CVE-2016-5126: Heap-based buffer overflow in the iscsi_aio_ioctl function in block/iscsi.c in QEMU allowed local guest OS users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code via a crafted iSCSI asynchronous I/O ioctl call (bsc#982286) - CVE-2016-5105: The megasas_dcmd_cfg_read function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, used an uninitialized variable, which allowed local guest administrators to read host memory via vectors involving a MegaRAID Firmware Interface (MFI) command (bsc#982024) - CVE-2016-5106: The megasas_dcmd_set_properties function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allowed local guest administrators to cause a denial of service (out-of-bounds write access) via vectors involving a MegaRAID Firmware Interface (MFI) command (bsc#982025) - CVE-2016-5107: The megasas_lookup_frame function in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allowed local guest OS administrators to cause a denial of service (out-of-bounds read and crash) via unspecified vectors (bsc#982026) - CVE-2016-4963: The libxl device-handling allowed local guest OS users with access to the driver domain to cause a denial of service (management tool confusion) by manipulating information in the backend directories in xenstore (bsc#979670) - CVE-2016-4962: The libxl device-handling allowed local OS guest administrators to cause a denial of service (resource consumption or management facility confusion) or gain host OS privileges by manipulating information in guest controlled areas of xenstore (bsc#979620) - CVE-2016-4952: Out-of-bounds access issue in pvsci_ring_init_msg/data routines (bsc#981276) - CVE-2014-3672: The qemu implementation in libvirt Xen allowed local guest OS users to cause a denial of service (host disk consumption) by writing to stdout or stderr (bsc#981264) - CVE-2016-4441: The get_cmd function in the 53C9X Fast SCSI Controller (FSC) support did not properly check DMA length, which allowed local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via unspecified vectors, involving an SCSI command (bsc#980724) - CVE-2016-4439: The esp_reg_write function in the 53C9X Fast SCSI Controller (FSC) support did not properly check command buffer length, which allowed local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or potentially execute arbitrary code on the host via unspecified vectors (bsc#980716) - CVE-2016-3710: The VGA module improperly performed bounds checking on banked access to video memory, which allowed local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register, aka the
last seen	2020-06-05
modified	2016-10-12
plugin id	93999
published	2016-10-12
reporter	This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/93999
title	openSUSE Security Update : xen (openSUSE-2016-1169) (Bunker Buster)

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2016-1170.NASL
description	This update for xen fixes the following issues : These security issues were fixed : - CVE-2016-7092: The get_page_from_l3e function in arch/x86/mm.c in Xen allowed local 32-bit PV guest OS administrators to gain host OS privileges via vectors related to L3 recursive pagetables (bsc#995785) - CVE-2016-7093: Xen allowed local HVM guest OS administrators to overwrite hypervisor memory and consequently gain host OS privileges by leveraging mishandling of instruction pointer truncation during emulation (bsc#995789) - CVE-2016-7094: Buffer overflow in Xen allowed local x86 HVM guest OS administrators on guests running with shadow paging to cause a denial of service via a pagetable update (bsc#995792) - CVE-2016-6836: VMWARE VMXNET3 NIC device support was leaging information leakage. A privileged user inside guest could have used this to leak host memory bytes to a guest (boo#994761) - CVE-2016-6888: Integer overflow in packet initialisation in VMXNET3 device driver. A privileged user inside guest could have used this flaw to crash the Qemu instance resulting in DoS (bsc#994772) - CVE-2016-6833: Use-after-free issue in the VMWARE VMXNET3 NIC device support. A privileged user inside guest could have used this issue to crash the Qemu instance resulting in DoS (boo#994775) - CVE-2016-6835: Buffer overflow in the VMWARE VMXNET3 NIC device support, causing an OOB read access (bsc#994625) - CVE-2016-6834: A infinite loop during packet fragmentation in the VMWARE VMXNET3 NIC device support allowed privileged user inside guest to crash the Qemu instance resulting in DoS (bsc#994421) - CVE-2016-6258: The PV pagetable code in arch/x86/mm.c in Xen allowed local 32-bit PV guest OS administrators to gain host OS privileges by leveraging fast-paths for updating pagetable entries (bsc#988675) - CVE-2016-6259: Xen did not implement Supervisor Mode Access Prevention (SMAP) whitelisting in 32-bit exception and event delivery, which allowed local 32-bit PV guest OS kernels to cause a denial of service (hypervisor and VM crash) by triggering a safety check (bsc#988676) - CVE-2016-5403: The virtqueue_pop function in hw/virtio/virtio.c in QEMU allowed local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by submitting requests without waiting for completion (boo#990923) - CVE-2016-6351: The esp_do_dma function in hw/scsi/esp.c, when built with ESP/NCR53C9x controller emulation support, allowed local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or execute arbitrary code on the host via vectors involving DMA read into ESP command buffer (bsc#990843) - CVE-2016-6258: The PV pagetable code in arch/x86/mm.c in Xen allowed local 32-bit PV guest OS administrators to gain host OS privileges by leveraging fast-paths for updating pagetable entries (bsc#988675) - CVE-2016-6259: Xen did not implement Supervisor Mode Access Prevention (SMAP) whitelisting in 32-bit exception and event delivery, which allowed local 32-bit PV guest OS kernels to cause a denial of service (hypervisor and VM crash) by triggering a safety check (bsc#988676) - CVE-2016-5337: The megasas_ctrl_get_info function in hw/scsi/megasas.c in QEMU allowed local guest OS administrators to obtain sensitive host memory information via vectors related to reading device control information (bsc#983973) - CVE-2016-5338: The (1) esp_reg_read and (2) esp_reg_write functions in hw/scsi/esp.c in QEMU allowed local guest OS administrators to cause a denial of service (QEMU process crash) or execute arbitrary code on the QEMU host via vectors related to the information transfer buffer (bsc#983984) - CVE-2016-5238: The get_cmd function in hw/scsi/esp.c in QEMU allowed local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to reading from the information transfer buffer in non-DMA mode (bsc#982960) - CVE-2016-4453: The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a VGA command (bsc#982225) - CVE-2016-4454: The vmsvga_fifo_read_raw function in hw/display/vmware_vga.c in QEMU allowed local guest OS administrators to obtain sensitive host memory information or cause a denial of service (QEMU process crash) by changing FIFO registers and issuing a VGA command, which triggers an out-of-bounds read (bsc#982224) - CVE-2016-5126: Heap-based buffer overflow in the iscsi_aio_ioctl function in block/iscsi.c in QEMU allowed local guest OS users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code via a crafted iSCSI asynchronous I/O ioctl call (bsc#982286) - CVE-2016-5105: The megasas_dcmd_cfg_read function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, used an uninitialized variable, which allowed local guest administrators to read host memory via vectors involving a MegaRAID Firmware Interface (MFI) command (bsc#982024) - CVE-2016-5106: The megasas_dcmd_set_properties function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allowed local guest administrators to cause a denial of service (out-of-bounds write access) via vectors involving a MegaRAID Firmware Interface (MFI) command (bsc#982025) - CVE-2016-5107: The megasas_lookup_frame function in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allowed local guest OS administrators to cause a denial of service (out-of-bounds read and crash) via unspecified vectors (bsc#982026) - CVE-2016-4963: The libxl device-handling allowed local guest OS users with access to the driver domain to cause a denial of service (management tool confusion) by manipulating information in the backend directories in xenstore (bsc#979670) - CVE-2016-4962: The libxl device-handling allowed local OS guest administrators to cause a denial of service (resource consumption or management facility confusion) or gain host OS privileges by manipulating information in guest controlled areas of xenstore (bsc#979620) - CVE-2016-4952: Out-of-bounds access issue in pvsci_ring_init_msg/data routines (bsc#981276) - CVE-2016-3710: The VGA module improperly performed bounds checking on banked access to video memory, which allowed local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register, aka the
last seen	2020-06-05
modified	2016-10-12
plugin id	94000
published	2016-10-12
reporter	This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/94000
title	openSUSE Security Update : xen (openSUSE-2016-1170) (Bunker Buster)

NASL family	OracleVM Local Security Checks
NASL id	ORACLEVM_OVMSA-2016-0088.NASL
description	The remote OracleVM system is missing necessary patches to address critical security updates : - BUILDINFO: commit=aff08b43b1a504aa14a0fce65302ccf515b69fdf - Remove unsafe bits from the mod_l?_entry fastpath (Andrew Cooper) (CVE-2016-6258) - x86/mm: fully honor PS bits in guest page table walks (Jan Beulich) (CVE-2016-4480) (CVE-2016-4480) - libxl: Document ~/serial/ correctly (Ian Jackson) (CVE-2016-4962) - libxl: Cleanup: Have libxl__alloc_vdev use /libxl (Ian Jackson) (CVE-2016-4962) - libxl: Do not trust frontend for nic in getinfo (Ian Jackson) (CVE-2016-4962) - libxl: Do not trust frontend for nic in libxl_devid_to_device_nic (Ian Jackson) (CVE-2016-4962) - libxl: Do not trust frontend for vtpm in getinfo (Ian Jackson) (CVE-2016-4962) - libxl: Do not trust frontend for vtpm list (Ian Jackson) (CVE-2016-4962) - libxl: Do not trust frontend for disk in getinfo (Ian Jackson) (CVE-2016-4962) - libxl: Do not trust frontend for disk eject event (Ian Jackson) (CVE-2016-4962) - libxl: Do not trust frontend in libxl__device_nextid (Ian Jackson) (CVE-2016-4962) - libxl: Do not trust frontend in libxl__devices_destroy (Ian Jackson) (CVE-2016-4962) - libxl: Provide libxl__backendpath_parse_domid (Ian Jackson) (CVE-2016-4962) - libxl: Record backend/frontend paths in /libxl/$DOMID (Ian Jackson) (CVE-2016-4962) - x86: limit GFNs to 32 bits for shadowed superpages. (Tim Deegan) (CVE-2016-3960) - x86: fix information leak on AMD CPUs (Jan Beulich) (CVE-2016-3158) (CVE-2016-3159) (CVE-2016-3158) (CVE-2016-3159) (CVE-2016-3158) (CVE-2016-3159) - x86: enforce consistent cachability of MMIO mappings (Jan Beulich) (CVE-2016-2270) (CVE-2016-2270)
last seen	2020-06-01
modified	2020-06-02
plugin id	92600
published	2016-07-28
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/92600
title	OracleVM 3.4 : xen (OVMSA-2016-0088) (Bunker Buster)

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

References