Vulnerabilities > CVE-2017-10919 - Unspecified vulnerability in XEN

047910
CVSS 6.5 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
low complexity
xen
nessus

Summary

Xen through 4.8.x mishandles virtual interrupt injection, which allows guest OS users to cause a denial of service (hypervisor crash), aka XSA-223.

Nessus

  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-C3149B5FCB.NASL
    descriptionxen: various flaws (#1463247) blkif responses leak backend stack data [XSA-216] page transfer may allow PV guest to elevate privilege [XSA-217] Races in the grant table unmap code [XSA-218] x86: insufficient reference counts during shadow emulation [XSA-219] x86: PKRU and BND* leakage between vCPU-s [XSA-220] stale P2M mappings due to insufficient error checking [XSA-222] ARM guest disabling interrupt may crash Xen [XSA-223] grant table operations mishandle reference counts [XSA-224] arm: vgic: Out-of-bound access when sending SGIs [XSA-225] NULL pointer deref in event channel poll [XSA-221] (#1463231) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-06-23
    plugin id101028
    published2017-06-23
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101028
    titleFedora 25 : xen (2017-c3149b5fcb)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2017-c3149b5fcb.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(101028);
      script_version("1.7");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2017-10911", "CVE-2017-10912", "CVE-2017-10913", "CVE-2017-10915", "CVE-2017-10916", "CVE-2017-10917", "CVE-2017-10918", "CVE-2017-10919", "CVE-2017-10920", "CVE-2017-10923");
      script_xref(name:"FEDORA", value:"2017-c3149b5fcb");
      script_xref(name:"IAVB", value:"2017-B-0074");
    
      script_name(english:"Fedora 25 : xen (2017-c3149b5fcb)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "xen: various flaws (#1463247) blkif responses leak backend stack data
    [XSA-216] page transfer may allow PV guest to elevate privilege
    [XSA-217] Races in the grant table unmap code [XSA-218] x86:
    insufficient reference counts during shadow emulation [XSA-219] x86:
    PKRU and BND* leakage between vCPU-s [XSA-220] stale P2M mappings due
    to insufficient error checking [XSA-222] ARM guest disabling interrupt
    may crash Xen [XSA-223] grant table operations mishandle reference
    counts [XSA-224] arm: vgic: Out-of-bound access when sending SGIs
    [XSA-225] NULL pointer deref in event channel poll [XSA-221]
    (#1463231)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-c3149b5fcb"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected xen package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:xen");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:25");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/07/05");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/07/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/06/23");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^25([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 25", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC25", reference:"xen-4.7.2-7.fc25")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3969.NASL
    descriptionMultiple vulnerabilities have been discovered in the Xen hypervisor : - CVE-2017-10912 Jann Horn discovered that incorrectly handling of page transfers might result in privilege escalation. - CVE-2017-10913 / CVE-2017-10914 Jann Horn discovered that race conditions in grant handling might result in information leaks or privilege escalation. - CVE-2017-10915 Andrew Cooper discovered that incorrect reference counting with shadow paging might result in privilege escalation. - CVE-2017-10916 Andrew Cooper discovered an information leak in the handling of the Memory Protection Extensions (MPX) and Protection Key (PKU) CPU features. This only affects Debian stretch. - CVE-2017-10917 Ankur Arora discovered a NULL pointer dereference in event polling, resulting in denial of service. - CVE-2017-10918 Julien Grall discovered that incorrect error handling in physical-to-machine memory mappings may result in privilege escalation, denial of service or an information leak. - CVE-2017-10919 Julien Grall discovered that incorrect handling of virtual interrupt injection on ARM systems may result in denial of service. - CVE-2017-10920 / CVE-2017-10921 / CVE-2017-10922 Jan Beulich discovered multiple places where reference counting on grant table operations was incorrect, resulting in potential privilege escalation. - CVE-2017-12135 Jan Beulich found multiple problems in the handling of transitive grants which could result in denial of service and potentially privilege escalation. - CVE-2017-12136 Ian Jackson discovered that race conditions in the allocator for grant mappings may result in denial of service or privilege escalation. This only affects Debian stretch. - CVE-2017-12137 Andrew Cooper discovered that incorrect validation of grants may result in privilege escalation. - CVE-2017-12855 Jan Beulich discovered that incorrect grant status handling, thus incorrectly informing the guest that the grant is no longer in use. - XSA-235 (no CVE yet) Wei Liu discovered that incorrect locking of add-to-physmap operations on ARM may result in denial of service.
    last seen2020-06-01
    modified2020-06-02
    plugin id103146
    published2017-09-13
    reporterThis script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103146
    titleDebian DSA-3969-1 : xen - security update
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-5C6A9B07A3.NASL
    descriptionxen: various flaws (#1463247) blkif responses leak backend stack data [XSA-216] page transfer may allow PV guest to elevate privilege [XSA-217] Races in the grant table unmap code [XSA-218] x86: insufficient reference counts during shadow emulation [XSA-219] x86: PKRU and BND* leakage between vCPU-s [XSA-220] NULL pointer deref in event channel poll [XSA-221] (#1463231) stale P2M mappings due to insufficient error checking [XSA-222] ARM guest disabling interrupt may crash Xen [XSA-223] grant table operations mishandle reference counts [XSA-224] arm: vgic: Out-of-bound access when sending SGIs [XSA-225] Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-07-17
    plugin id101638
    published2017-07-17
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101638
    titleFedora 26 : xen (2017-5c6a9b07a3)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-B3BDAF58BC.NASL
    descriptionxen: various flaws (#1463247) blkif responses leak backend stack data [XSA-216] page transfer may allow PV guest to elevate privilege [XSA-217] Races in the grant table unmap code [XSA-218] x86: insufficient reference counts during shadow emulation [XSA-219] x86: PKRU and BND* leakage between vCPU-s [XSA-220] stale P2M mappings due to insufficient error checking [XSA-222] ARM guest disabling interrupt may crash Xen [XSA-223] grant table operations mishandle reference counts [XSA-224] arm: vgic: Out-of-bound access when sending SGIs [XSA-225] NULL pointer deref in event channel poll [XSA-221] (#1463231) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-07-03
    plugin id101183
    published2017-07-03
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101183
    titleFedora 24 : xen (2017-b3bdaf58bc)