CVE-2017-17044 - Infinite Loop vulnerability in XEN
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: HIGH

Summary
An issue was discovered in Xen through 4.9.x allowing HVM guest OS users to cause a denial of service (infinite loop and host OS hang) by leveraging the mishandling of Populate on Demand (PoD) errors.
Nessus
NASL family: Misc.
NASL id: CITRIX_XENSERVER_CTX230138.NASL
description: The version of Citrix XenServer installed on the remote host is missing a security hotfix. It is, therefore, affected by multiple vulnerabilities as noted in the CTX230138 advisory.
last seen: 2020-05-03
modified: 2017-12-07
plugin id: 105083
published: 2017-12-07
reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/105083
title: Citrix XenServer Multiple Vulnerabilities (CTX230138)
code:

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(105083);
  script_version("1.10");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/30");

  script_cve_id(
    "CVE-2017-7980",
    "CVE-2017-15592",
    "CVE-2017-17044",
    "CVE-2017-17045"
  );
  script_bugtraq_id(
    97955,
    101513,
    102008,
    102013
  );

  script_name(english:"Citrix XenServer Multiple Vulnerabilities (CTX230138)");
  script_summary(english:"Checks for patches.");

  script_set_attribute(attribute:"synopsis", value:
"A server virtualization platform installed on the remote host is
affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Citrix XenServer installed on the remote host is missing
a security hotfix. It is, therefore, affected by multiple
vulnerabilities as noted in the CTX230138 advisory.");
  script_set_attribute(attribute:"see_also", value:"https://support.citrix.com/article/CTX230138");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate hotfix according to the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-17045");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/16");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/12/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/12/07");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:citrix:xenserver");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("citrix_xenserver_version.nbin");
  script_require_keys("Host/XenServer/version", "Host/local_checks_enabled");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

app_name = "Citrix XenServer";
version = get_kb_item_or_exit("Host/XenServer/version");
get_kb_item_or_exit("Host/local_checks_enabled");
patches = get_kb_item("Host/XenServer/patches");

vuln = FALSE;
fix = '';

if (version =~ "^7\.2($|[^0-9])")
{
  if ("XS72E010" >!< patches) # CTX229541
  {
    fix = "XS72E010";
    vuln = TRUE;
  }
  if ("XS72E012" >!< patches) # CTX230161
  {
    if (empty_or_null(fix)) fix = "XS72E012";
    else fix += " and XS72E012";
    vuln = TRUE;
  }
}
else if (version =~ "^7\.1($|[^0-9])")
{
  # LTSR CU1 CTX229540 & CTX230160, LTSR CTX229545 & CTX230159
  # No patch applied
  if ("XS71ECU" >!< patches && "XS71E018" >!< patches && "XS71E019" >!< patches)
  {
    fix = "XS71ECU1006 and XS71ECU1008, or XS71E018 and XS71E019";
    vuln = TRUE;
  }
  # LTSR CU1 patch applied
  else if ("XS71ECU" >!< patches && ("XS71ECU1006" >< patches || "XS71ECU1008" >< patches))
  {
    if ("XS71ECU1006" >!< patches) # CTX229540
    {
      fix = "XS71ECU1006";
      vuln = TRUE;
    }
    else if ("XS71ECU1008" >!< patches) # CTX230160
    {
      fix = "XS71ECU1008";
      vuln = TRUE;
    }
  }
  # LTSR patch applied
  else if ("XS71E018" >< patches || "XS71E019" >< patches)
  {
    if ("XS71E018" >!< patches) # CTX229545
    {
      fix = "XS71E018";
      vuln = TRUE;
    }
    else if ("XS71E019" >!< patches) # CTX230159
    {
      fix = "XS71E019";
      vuln = TRUE;
    }
  }
}
else if (version =~ "^7\.0($|[^0-9])")
{
  if ("XS70E048" >!< patches) # CTX229539
  {
    fix = "XS70E048";
    vuln = TRUE;
  }
  if ("XS70E049" >!< patches) # CTX229544
  {
    if (empty_or_null(fix)) fix = "XS70E049";
    else fix += " and XS70E049";
    vuln = TRUE;
  }
}
else if (version =~ "^6\.5($|[^0-9])")
{
  fix = "XS65ESP1064"; # CTX229543
  if (fix >!< patches) vuln = TRUE;
}
else if (version =~ "^6\.2($|[^0-9])")
{
  fix = "XS62ESP1066"; # CTX229096
  if (fix >!< patches) vuln = TRUE;
}
else if (version =~ "^6\.0\.2($|[^0-9])")
{
  fix = "XS602ECC050"; # CTX229095
  if (fix >!< patches) vuln = TRUE;
}

if (vuln)
{
  port = 0;
  report = report_items_str(
    report_items:make_array(
      "Installed version", version,
      "Missing hotfix", fix
    ),
    ordered_fields:make_list("Installed version", "Missing hotfix")
  );
  security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);
}
else audit(AUDIT_INST_VER_NOT_VULN, app_name, version);
NASL family: Debian Local Security Checks
NASL id: DEBIAN_DLA-1230.NASL
description: Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, information leaks, privilege escalation or the execution of arbitrary code. For Debian 7
last seen: 2020-03-17
modified: 2018-01-08
plugin id: 105621
published: 2018-01-08
reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/105621
title: Debian DLA-1230-1 : xen security update
code:

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DLA-1230-1. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(105621);
  script_version("3.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

  script_cve_id("CVE-2017-17044", "CVE-2017-17045", "CVE-2017-17563", "CVE-2017-17564", "CVE-2017-17565", "CVE-2017-17566");

  script_name(english:"Debian DLA-1230-1 : xen security update");
  script_summary(english:"Checks dpkg output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Multiple vulnerabilities have been discovered in the Xen hypervisor,
which could result in denial of service, information leaks, privilege
escalation or the execution of arbitrary code.

For Debian 7 'Wheezy', these problems have been fixed in version
4.1.6.lts1-11.

We recommend that you upgrade your xen packages.

NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted to
automatically clean and format it as much as possible without
introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.debian.org/debian-lts-announce/2018/01/msg00003.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/wheezy/xen"
  );
  script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libxen-4.1");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libxen-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libxen-ocaml");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libxen-ocaml-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libxenstore3.0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen-docs-4.1");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen-hypervisor-4.1-amd64");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen-hypervisor-4.1-i386");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen-system-amd64");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen-system-i386");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen-utils-4.1");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen-utils-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xenstore-utils");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2018/01/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/08");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
if (deb_check(release:"7.0", prefix:"libxen-4.1", reference:"4.1.6.lts1-11")) flag++;
if (deb_check(release:"7.0", prefix:"libxen-dev", reference:"4.1.6.lts1-11")) flag++;
if (deb_check(release:"7.0", prefix:"libxen-ocaml", reference:"4.1.6.lts1-11")) flag++;
if (deb_check(release:"7.0", prefix:"libxen-ocaml-dev", reference:"4.1.6.lts1-11")) flag++;
if (deb_check(release:"7.0", prefix:"libxenstore3.0", reference:"4.1.6.lts1-11")) flag++;
if (deb_check(release:"7.0", prefix:"xen-docs-4.1", reference:"4.1.6.lts1-11")) flag++;
if (deb_check(release:"7.0", prefix:"xen-hypervisor-4.1-amd64", reference:"4.1.6.lts1-11")) flag++;
if (deb_check(release:"7.0", prefix:"xen-hypervisor-4.1-i386", reference:"4.1.6.lts1-11")) flag++;
if (deb_check(release:"7.0", prefix:"xen-system-amd64", reference:"4.1.6.lts1-11")) flag++;
if (deb_check(release:"7.0", prefix:"xen-system-i386", reference:"4.1.6.lts1-11")) flag++;
if (deb_check(release:"7.0", prefix:"xen-utils-4.1", reference:"4.1.6.lts1-11")) flag++;
if (deb_check(release:"7.0", prefix:"xen-utils-common", reference:"4.1.6.lts1-11")) flag++;
if (deb_check(release:"7.0", prefix:"xenstore-utils", reference:"4.1.6.lts1-11")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family: OracleVM Local Security Checks
NASL id: ORACLEVM_OVMSA-2017-0178.NASL
description: The remote OracleVM system is missing necessary patches to address critical security updates :
  - From 2a99aa99fc84a45f505f84802af56b006d14c52e Mon Sep 17 00:00:00 2001 From: Andrew Cooper Date: Fri, 19 Aug 2016 15:08:10 +0100 Subject: [PATCH] xen/physmap: Do not permit a guest to populate PoD pages for itself PoD is supposed to be entirely transparent to guest, but this interface has been left exposed for a long time. The use of PoD requires careful co-ordination by the toolstack with the XENMEM_[get,set]_pod_target hypercalls, and xenstore ballooning target. The best a guest can do without toolstack cooperation crash. Furthermore, there are combinations of features (e.g. c/s c63868ff
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 105251
published: 2017-12-14
reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/105251
title: OracleVM 3.2 : xen (OVMSA-2017-0178)
code:

#
# (C) Tenable Network Security, Inc.
#
# The package checks in this plugin were extracted from OracleVM
# Security Advisory OVMSA-2017-0178.
#

include("compat.inc");

if (description)
{
  script_id(105251);
  script_version("3.5");
  script_cvs_date("Date: 2019/09/27 13:00:35");

  script_cve_id("CVE-2017-15592", "CVE-2017-17044", "CVE-2017-17045");

  script_name(english:"OracleVM 3.2 : xen (OVMSA-2017-0178)");
  script_summary(english:"Checks the RPM output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote OracleVM host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote OracleVM system is missing necessary patches to address
critical security updates :

  - From 2a99aa99fc84a45f505f84802af56b006d14c52e Mon Sep 17
    00:00:00 2001 From: Andrew Cooper Date: Fri, 19 Aug 2016
    15:08:10 +0100 Subject: [PATCH] xen/physmap: Do not permit
    a guest to populate PoD pages for itself

    PoD is supposed to be entirely transparent to guest, but
    this interface has been left exposed for a long time.

    The use of PoD requires careful co-ordination by the
    toolstack with the XENMEM_[get,set]_pod_target hypercalls,
    and xenstore ballooning target. The best a guest can do
    without toolstack cooperation crash.

    Furthermore, there are combinations of features (e.g. c/s
    c63868ff 'libxl: disallow PCI device assignment for HVM
    guest when PoD is enabled') which a toolstack might wish
    to explicitly prohibit (in this case, because the two
    simply don't function in combination). In such cases, the
    guest mustn't be able to subvert the configuration chosen
    by the toolstack.

    Conflict: xen/common/memory.c

  - Due to the history performance reason, we decide to
    disable PoD feature in old OVM product. Please don't set
    maxmem>memory XSA-246,XSA-247 [bug 27120669]
    (CVE-2017-17044, CVE-2017-17045)

  - x86/shadow: correct SH_LINEAR mapping detection in
    sh_guess_wrmap

    The fix for XSA-243 / CVE-2017-15592 (c/s bf2b4eadcf379)
    introduced a change in behaviour for sh_guest_wrmap, where
    it had to cope with no shadow linear mapping being present.

    As the name suggests, guest_vtable is a mapping of the
    guests pagetable, not Xen's pagetable, meaning that it
    isn't the pagetable we need to check for the shadow linear
    slot in.

    The practical upshot is that a shadow HVM vcpu which
    switches into 4-level paging mode, with an L4 pagetable
    that contains a mapping which aliases Xen's
    SH_LINEAR_PT_VIRT_START will fool the safety check for
    whether a SHADOW_LINEAR mapping is present. As the check
    passes (when it should have failed), Xen subsequently
    falls over the missing mapping with a pagefault such as:

    (XEN) Pagetable walk from ffff8140a0503880:
    (XEN)  L4[0x102] = 000000046c218063 ffffffffffffffff
    (XEN)  L3[0x102] = 000000046c218063 ffffffffffffffff
    (XEN)  L2[0x102] = 000000046c218063 ffffffffffffffff
    (XEN)  L1[0x103] = 0000000000000000 ffffffffffffffff

    This is part of XSA-243. (CVE-2017-15592)

  - dpci: Fix a race during unbinding of MSI interrupt

    The check of hvm_irq_dpci->mapping and read of flags are
    not protected in same critical area, so the unbind of MSI
    interrupt may intercepts between them. Like below scene:

    CPU0                                 CPU1
    ----                                 ----
    hvm_do_IRQ_dpci
      !test_bit(mirq, dpci->mapping))
        return 0
                                         spin_lock(&d->event_lock)
                                         hvm_irq_dpci->mirq[machine_gsi].flags = 0
                                         clear_bit(machine_gsi, hvm_irq_dpci->mapping)
                                         spin_unlock(&d->event_lock)
    <SoftIRQ>
    hvm_dirq_assist
      spin_lock(&d->event_lock)
      if ( pt_irq_need_timer(hvm_irq_dpci->mirq[pirq].flags))
        set_timer
      spin_unlock(&d->event_lock)

    Then set_timer is mistakenly called which access
    uninitialized timer struct. Then page fault happen and a
    backtrace like below:

    (XEN) Xen call trace:
    (XEN)    [<ffff82c480124c92>] set_timer+0x92/0x170
    (XEN)    [<ffff82c48013bb03>] hvm_dirq_assist+0x1c3/0x1e0
    (XEN)    [<ffff82c4801235ff>] do_tasklet_work_percpu+0x7f/0x120
    (XEN)    [<ffff82c480121915>] __do_softirq+0x65/0x90
    (XEN)    [<ffff82c4801f7fb6>] process_softirqs+0x6/0x10
    (XEN)
    (XEN) Pagetable walk from 0000000000000008:
    (XEN)  L4[0x000] = 0000002104cc1067 0000000000289430
    (XEN)  L3[0x000] = 000000212ecd8067 00000000002b3447
    (XEN)  L2[0x000] = 0000000000000000 ffffffffffffffff
    (XEN)
    (XEN) ****************************************
    (XEN) Panic on CPU 41:
    (XEN) FATAL PAGE FAULT
    (XEN) [error_code=0002]
    (XEN) Faulting linear address: 0000000000000008
    (XEN) ****************************************

    This issue is OVM3.2 only as OVM3.3 or above already has
    similar fix in pt_pirq_iterate"
  );
  # https://oss.oracle.com/pipermail/oraclevm-errata/2017-December/000810.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?88e7e3ea"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected xen / xen-devel / xen-tools packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen-tools");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:3.2");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/10/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/12/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/12/14");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"OracleVM Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/OracleVM/release");
if (isnull(release) || "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM");
if (! preg(pattern:"^OVS" + "3\.2" + "(\.[0-9]|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 3.2", "OracleVM " + release);
if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu);
if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);

flag = 0;
if (rpm_check(release:"OVS3.2", reference:"xen-4.1.3-25.el5.223.99")) flag++;
if (rpm_check(release:"OVS3.2", reference:"xen-devel-4.1.3-25.el5.223.99")) flag++;
if (rpm_check(release:"OVS3.2", reference:"xen-tools-4.1.3-25.el5.223.99")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen / xen-devel / xen-tools");
}
NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-201801-14.NASL
description: The remote host is affected by the vulnerability described in GLSA-201801-14 (Xen: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Xen. Please review the referenced CVE identifiers for details. Impact : A local attacker could potentially execute arbitrary code with the privileges of the Xen (QEMU) process on the host, gain privileges on the host system, or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 106038
published: 2018-01-15
reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/106038
title: GLSA-201801-14 : Xen: Multiple vulnerabilities
code:

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 201801-14.
#
# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(106038);
  script_version("1.3");
  script_cvs_date("Date: 2019/04/05 23:25:06");

  script_cve_id("CVE-2017-12134", "CVE-2017-12135", "CVE-2017-12136", "CVE-2017-12137", "CVE-2017-15588", "CVE-2017-15589", "CVE-2017-15590", "CVE-2017-15591", "CVE-2017-15592", "CVE-2017-15593", "CVE-2017-15594", "CVE-2017-15595", "CVE-2017-17044", "CVE-2017-17045", "CVE-2017-17046", "CVE-2017-17563", "CVE-2017-17564", "CVE-2017-17565", "CVE-2017-17566");
  script_xref(name:"GLSA", value:"201801-14");

  script_name(english:"GLSA-201801-14 : Xen: Multiple vulnerabilities");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Gentoo host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is affected by the vulnerability described in GLSA-201801-14
(Xen: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Xen. Please review
      the referenced CVE identifiers for details.

Impact :

    A local attacker could potentially execute arbitrary code with the
      privileges of the Xen (QEMU) process on the host, gain privileges on
      the host system, or cause a Denial of Service condition.

Workaround :

    There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/201801-14"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"All Xen users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose '>=app-emulation/xen-4.9.1-r1'

All Xen tools users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose '>=app-emulation/xen-tools-4.9.1-r1'"
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:xen");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:xen-tools");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2018/01/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/15");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

if (qpkg_check(package:"app-emulation/xen", unaffected:make_list("ge 4.9.1-r1"), vulnerable:make_list("lt 4.9.1-r1"))) flag++;
if (qpkg_check(package:"app-emulation/xen-tools", unaffected:make_list("ge 4.9.1-r1"), vulnerable:make_list("lt 4.9.1-r1"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Xen");
}
NASL family: Fedora Local Security Checks
NASL id: FEDORA_2017-4BFCD57172.NASL
description: xen: various flaws (#1518214) x86: infinite loop due to missing PoD error checking [XSA-246] Missing p2m error checking in PoD code [XSA-247] Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-05
modified: 2018-01-15
plugin id: 105869
published: 2018-01-15
reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/105869
title: Fedora 27 : xen (2017-4bfcd57172)
code:

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory FEDORA-2017-4bfcd57172.
#

include("compat.inc");

if (description)
{
  script_id(105869);
  script_version("3.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2017-17044", "CVE-2017-17045");
  script_xref(name:"FEDORA", value:"2017-4bfcd57172");

  script_name(english:"Fedora 27 : xen (2017-4bfcd57172)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"xen: various flaws (#1518214)

x86: infinite loop due to missing PoD error checking [XSA-246]

Missing p2m error checking in PoD code [XSA-247]

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-4bfcd57172"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected xen package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:xen");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:27");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/11/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/12/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/15");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! preg(pattern:"^27([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 27", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC27", reference:"xen-4.9.1-2.fc27")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen");
}
NASL family: OracleVM Local Security Checks
NASL id: ORACLEVM_OVMSA-2017-0177.NASL
description: The remote OracleVM system is missing necessary patches to address critical security updates :
  - Due to the history performance reason, we decide to disable PoD feature in old OVM product.XSA-246,XSA-247 [bug 27121016] (CVE-2017-17044, CVE-2017-17045)
  - From 2a99aa99fc84a45f505f84802af56b006d14c52e Mon Sep 17 00:00:00 2001 From: Andrew Cooper Date: Fri, 19 Aug 2016 15:08:10 +0100 Subject: [PATCH] xen/physmap: Do not permit a guest to populate PoD pages for itself PoD is supposed to be entirely transparent to guest, but this interface has been left exposed for a long time. The use of PoD requires careful co-ordination by the toolstack with the XENMEM_[get,set]_pod_target hypercalls, and xenstore ballooning target. The best a guest can do without toolstack cooperation crash. Furthermore, there are combinations of features (e.g. c/s c63868ff
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 105250
published: 2017-12-14
reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/105250
title: OracleVM 3.3 : xen (OVMSA-2017-0177)

NASL family: OracleVM Local Security Checks
NASL id: ORACLEVM_OVMSA-2017-0176.NASL
description: The remote OracleVM system is missing necessary patches to address critical security updates :
  - BUILDINFO: OVMF commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8
  - BUILDINFO: xen commit=b90f0a4fa66aea67e743c393ba307612a2fec379
  - BUILDINFO: QEMU upstream commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff
  - BUILDINFO: QEMU traditional commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba
  - BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e
  - BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee
  - p2m: Check return value of p2m_set_entry when decreasing reservation (George Dunlap) [Orabug: 27216264] (CVE-2017-17045)
  - p2m: Always check to see if removing a p2m entry actually worked (George Dunlap) [Orabug: 27216264] (CVE-2017-17045)
  - x86/pod: prevent infinite loop when shattering large pages (Julien Grall) [Orabug: 27216261] (CVE-2017-17044)
  - xen/physmap: Do not permit a guest to populate PoD pages for itself (Elena Ufimtseva) [Orabug: 27216261] (CVE-2017-17044)
  - xend/pxm: Include pxm in XenStore when hotplugging PCI devices (Konrad Rzeszutek Wilk) [Orabug: 27206706]
  - BUILDINFO: OVMF commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8
  - BUILDINFO: xen commit=2f4972e50ebd2a470b19bfdb1fc6ce91e77614e0
  - BUILDINFO: QEMU upstream commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff
  - BUILDINFO: QEMU traditional commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba
  - BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e
  - BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee
  - vNUMA: assign vcpus to nodes by interleaving (Elena Ufimtseva)
  - BUILDINFO: OVMF commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8
  - BUILDINFO: xen commit=c9c2df2dc87e18c9dcf584aedf859ab50b62883a
  - BUILDINFO: QEMU upstream commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff
  - BUILDINFO: QEMU traditional commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba
  - BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e
  - BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee
  - vNUMA: disable vNUMA if fail to find vcpus for pinning (Elena Ufimtseva) [Orabug: 27091931]
  - BUILDINFO: OVMF commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8
  - BUILDINFO: xen commit=fe4d54f49f8cf07f9e9d8077b7c85d287fb5c90c
  - BUILDINFO: QEMU upstream commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff
  - BUILDINFO: QEMU traditional commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba
  - BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e
  - BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee
  - x86/shadow: correct SH_LINEAR mapping detection in sh_guess_wrmap (Andrew Cooper) [Orabug: 27148184] (CVE-2017-15592) (CVE-2017-15592)
  - x86: don
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 105249
published: 2017-12-14
reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/105249
title: OracleVM 3.4 : xen (OVMSA-2017-0176)

NASL family: OracleVM Local Security Checks
NASL id: ORACLEVM_OVMSA-2018-0248.NASL
description: The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0248 for details.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 111992
published: 2018-08-20
reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/111992
title: OracleVM 3.4 : xen (OVMSA-2018-0248) (Bunker Buster) (Foreshadow) (Meltdown) (POODLE) (Spectre)

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-4050.NASL
description: Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, information leaks, privilege escalation or the execution of arbitrary code.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 104819
published: 2017-11-29
reporter: This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/104819
title: Debian DSA-4050-1 : xen - security update

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2017-16A414B3C5.NASL
description: another patch related to the [XSA-240, CVE-2017-15595] issue
  xen: various flaws (#1525018)
  x86 PV guests may gain access to internally used page [XSA-248]
  broken x86 shadow mode refcount overflow check [XSA-249]
  improper x86 shadow mode refcount error handling [XSA-250]
  improper bug check in x86 log-dirty handling [XSA-251]
  ----
  xen: various flaws (#1518214)
  x86: infinite loop due to missing PoD error checking [XSA-246]
  Missing p2m error checking in PoD code [XSA-247]
  Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-05
modified: 2018-01-03
plugin id: 105511
published: 2018-01-03
reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/105511
title: Fedora 26 : xen (2017-16a414b3c5)

NASL family: Misc.
NASL id: XEN_SERVER_XSA-246.NASL
description: According to its self-reported version number, the Xen hypervisor installed on the remote host is affected by an infinite loop guest-to-host denial of service vulnerability. This issue only affects x86 systems that have 2MiB or 1GiB HAP pages enabled. ARM systems are not affected. x86 PV VMs can not trigger this vulnerability. Note that Nessus has checked the changeset versions based on the xen.git change log. Nessus did not check guest hardware configurations or if patches were applied manually to the source code before a recompile and reinstall.
last seen 2020-06-01 modified 2020-06-02 plugin id 104898 published 2017-11-30 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104898 title Xen Hypervisor Infinite Loop Guest-to-Host DoS (XSA-246) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2018-0005.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0005 for details. last seen 2020-06-01 modified 2020-06-02 plugin id 105717 published 2018-01-10 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105717 title OracleVM 3.4 : xen (OVMSA-2018-0005) (Meltdown) (Spectre) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1559.NASL description Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, informations leaks or privilege escalation. For Debian 8 last seen 2020-06-01 modified 2020-06-02 plugin id 118503 published 2018-10-31 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118503 title Debian DLA-1559-1 : xen security update
References
- https://xenbits.xen.org/xsa/advisory-246.html
- http://www.securitytracker.com/id/1039878
- https://support.citrix.com/article/CTX230138
- http://www.securityfocus.com/bid/102008
- http://www.securityfocus.com/bid/102129
- https://security.gentoo.org/glsa/201801-14
- https://lists.debian.org/debian-lts-announce/2018/01/msg00003.html
- https://lists.debian.org/debian-lts-announce/2018/10/msg00021.html
- http://www.securityfocus.com/bid/105954