Vulnerabilities > CVE-2017-17045 - Use After Free vulnerability in XEN

047910
CVSS 8.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
xen
CWE-416
nessus

Summary

An issue was discovered in Xen through 4.9.x allowing HVM guest OS users to gain privileges on the host OS, obtain sensitive information, or cause a denial of service (BUG and host OS crash) by leveraging the mishandling of Populate on Demand (PoD) Physical-to-Machine (P2M) errors.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyMisc.
    NASL idXEN_SERVER_XSA-247.NASL
    descriptionAccording to its self-reported version number, the Xen hypervisor installed on the remote host is affected by a guest-to-host privilege escalation vulnerability. This issue only affects HVM guests. Note that Nessus has checked the changeset versions based on the xen.git change log. Nessus did not check guest hardware configurations or if patches were applied manually to the source code before a recompile and reinstall.
    last seen2020-06-01
    modified2020-06-02
    plugin id104899
    published2017-11-30
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104899
    titleXen Hypervisor Guest-to-Host Privilege Escalation (XSA-247)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(104899);
      script_version("1.5");
      script_cvs_date("Date: 2019/11/12");
    
      script_cve_id("CVE-2017-17045");
      script_xref(name:"IAVB", value:"2017-B-0165");
    
      script_name(english:"Xen Hypervisor Guest-to-Host Privilege Escalation (XSA-247)");
      script_summary(english:"Checks 'xl info' output for the Xen hypervisor version.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Xen hypervisor installation is missing a security update.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version number, the Xen hypervisor
    installed on the remote host is affected by a guest-to-host privilege
    escalation vulnerability.
    
    This issue only affects HVM guests.
    
    Note that Nessus has checked the changeset versions based on the
    xen.git change log. Nessus did not check guest hardware configurations
    or if patches were applied manually to the source code before a
    recompile and reinstall.");
      script_set_attribute(attribute:"see_also", value:"http://xenbits.xen.org/xsa/advisory-247.html");
      script_set_attribute(attribute:"see_also", value:"https://xenbits.xen.org/gitweb/?p=xen.git;a=summary");
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate patch according to the vendor advisory.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-17045");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/11/28");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/11/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/11/30");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:xen:xen");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("xen_server_detect.nbin");
      script_require_keys("installed_sw/Xen Hypervisor", "Settings/ParanoidReport");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("install_func.inc");
    include("misc_func.inc");
    
    app_name = "Xen Hypervisor";
    install  = get_single_install(app_name:app_name);
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    version         = install['version'];
    display_version = install['display_version'];
    path            = install['path'];
    managed_status  = install['Managed status'];
    changeset       = install['Changeset'];
    
    if (!empty_or_null(changeset))
      display_version += " (changeset " + changeset + ")";
    
    # Installations that are vendor-managed are handled by OS-specific local package checks
    if (managed_status == "managed")
      audit(AUDIT_INST_PATH_NOT_VULN, app_name, display_version, path);
    
    # XSA-247
    fixes['4.5']['fixed_ver']           = '4.5.5';
    fixes['4.5']['fixed_ver_display']   = '4.5.5 (changeset ea1620f)';
    fixes['4.5']['affected_ver_regex']  = '^4\\.5\\.';
    fixes['4.5']['affected_changesets'] = make_list("ca708d3", "d144bda",
      "41f6dd0", "b0be3c2", "42ea1dc", "08aa260", "03b06d3", "77666b6",
      "bbeb763", "5fdf16f", "0e9967d", "da4f24d", "b7582ac", "196371c",
      "7afc8ad", "72c107b", "5659aa5", "a224de6", "6442fa9", "db487a6",
      "709230f", "83724d9", "04b8c4c", "0b2ceae", "e3f0768", "d5a5231",
      "c5b0fe5", "136ff4e", "42c8ba5", "d38489d", "df59014", "3217129",
      "4964e86", "c079597", "6ec173b", "a373456", "0780e81", "e5ef76d",
      "25eaa86", "ae02360", "5597df9", "c5de05e", "773094e", "e39a248",
      "7b3712a", "be35327", "8825df1", "d7e3725", "6eb61e4", "b1fcfed",
      "5779d6a", "afdd77e", "c18367a", "7b7fd80", "b30e165", "62ef9b2",
      "8071724", "235b5d5", "a28b99d", "ff294fc", "bc01e2d", "da50922",
      "386cc94", "139960f", "ec3ddd6", "988929a", "1c48dff", "20d4248",
      "9610422", "cd76cd3", "455fd66", "b820c31", "ac3d8bc", "cde86fc",
      "1678521", "83cb2db", "43d06ef", "2b17bf4", "1a2bda5", "0bd7faf",
      "e3426e2", "37281bc", "27be856", "bdf3ef1", "cc325c0", "8e7b84d",
      "387b8ae", "34fbae7", "1530da2", "274a1f6", "b679cfa", "877b760",
      "cfe165d", "84e4e56", "e4ae4b0");
    
    fixes['4.7']['fixed_ver']           = '4.7.5';
    fixes['4.7']['fixed_ver_display']   = '4.7.5-pre (changeset b3981ea)';
    fixes['4.7']['affected_ver_regex']  = '^4\\.7\\.';
    fixes['4.7']['affected_changesets'] = make_list("184f259", "67966a9",
      "af3f585");
    
    fixes['4.9']['fixed_ver']           = '4.9.2';
    fixes['4.9']['fixed_ver_display']   = '4.9.2-pre (changeset 0a0dcdc)';
    fixes['4.9']['affected_ver_regex']  = '^4\\.9\\.';
    fixes['4.9']['affected_changesets'] = make_list("fb51cab", "61c13ed",
      "52ad651");
    
    fix = NULL;
    foreach ver_branch (keys(fixes))
    {
      if (version =~ fixes[ver_branch]['affected_ver_regex'])
      {
        ret = ver_compare(ver:version, fix:fixes[ver_branch]['fixed_ver']);
        if (ret < 0)
          fix = fixes[ver_branch]['fixed_ver_display'];
        else if (ret == 0)
        {
          if (empty_or_null(changeset))
            fix = fixes[ver_branch]['fixed_ver_display'];
          else
            foreach affected_changeset (fixes[ver_branch]['affected_changesets'])
              if (changeset == affected_changeset)
                fix = fixes[ver_branch]['fixed_ver_display'];
    
        }
    
      }
    
    }
    
    if (empty_or_null(fix))
      audit(AUDIT_INST_PATH_NOT_VULN, app_name, display_version, path);
    
    items  = make_array("Installed version", display_version,
                        "Fixed version", fix,
                        "Path", path);
    order  = make_list("Path", "Installed version", "Fixed version");
    report = report_items_str(report_items:items, ordered_fields:order) + '\n';
    
    security_report_v4(port:0, extra:report, severity:SECURITY_HOLE);
    
  • NASL familyMisc.
    NASL idCITRIX_XENSERVER_CTX230138.NASL
    descriptionThe version of Citrix XenServer installed on the remote host is missing a security hotfix. It is, therefore, affected by multiple vulnerabilities as noted in the CTX230138 advisory.
    last seen2020-05-03
    modified2017-12-07
    plugin id105083
    published2017-12-07
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105083
    titleCitrix XenServer Multiple Vulnerabilities (CTX230138)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(105083);
      script_version("1.10");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/30");
    
      script_cve_id(
        "CVE-2017-7980",
        "CVE-2017-15592",
        "CVE-2017-17044",
        "CVE-2017-17045"
      );
      script_bugtraq_id(
        97955,
        101513,
        102008,
        102013
      );
    
      script_name(english:"Citrix XenServer Multiple Vulnerabilities (CTX230138)");
      script_summary(english:"Checks for patches.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A server virtualization platform installed on the remote host is
    affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Citrix XenServer installed on the remote host is
    missing a security hotfix. It is, therefore, affected by multiple
    vulnerabilities as noted in the CTX230138 advisory.");
      script_set_attribute(attribute:"see_also", value:"https://support.citrix.com/article/CTX230138");
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate hotfix according to the vendor advisory.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-17045");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/12/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/12/07");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:citrix:xenserver");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("citrix_xenserver_version.nbin");
      script_require_keys("Host/XenServer/version", "Host/local_checks_enabled");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    app_name = "Citrix XenServer";
    version = get_kb_item_or_exit("Host/XenServer/version");
    get_kb_item_or_exit("Host/local_checks_enabled");
    patches = get_kb_item("Host/XenServer/patches");
    vuln = FALSE;
    fix = '';
    
    if (version =~ "^7\.2($|[^0-9])")
    {
      if ("XS72E010" >!< patches) # CTX229541
      {
        fix = "XS72E010";
        vuln = TRUE;
      }
      if ("XS72E012" >!< patches) # CTX230161
      {
        if (empty_or_null(fix))
          fix = "XS72E012";
        else
          fix += " and XS72E012";
        vuln = TRUE;
      }
    }
    else if (version =~ "^7\.1($|[^0-9])")
    {
      # LTSR CU1 CTX229540 & CTX230160, LTSR CTX229545 & CTX230159
      # No patch applied
      if ("XS71ECU" >!< patches && "XS71E018" >!< patches && "XS71E019" >!< patches)
      {
        fix = "XS71ECU1006 and XS71ECU1008, or XS71E018 and XS71E019";
        vuln = TRUE;
      }
      # LTSR CU1 patch applied
      else if ("XS71ECU" >!< patches && ("XS71ECU1006" >< patches || "XS71ECU1008" >< patches))
      {
        if ("XS71ECU1006" >!< patches) # CTX229540
        {
          fix = "XS71ECU1006";
          vuln = TRUE;
        }
        else if ("XS71ECU1008" >!< patches) # CTX230160
        {
          fix = "XS71ECU1008";
          vuln = TRUE;
        }
      }
      # LTSR patch applied
      else if ("XS71E018" >< patches || "XS71E019" >< patches)
      {
        if ("XS71E018" >!< patches) # CTX229545
        {
          fix = "XS71E018";
          vuln = TRUE;
        }
        else if ("XS71E019" >!< patches) # CTX230159
        {
          fix = "XS71E019";
          vuln = TRUE;
        }
      }
    }
    else if (version =~ "^7\.0($|[^0-9])")
    {
      if ("XS70E048" >!< patches) # CTX229539
      {
        fix = "XS70E048";
        vuln = TRUE;
      }
      if ("XS70E049" >!< patches) # CTX229544
      {
        if (empty_or_null(fix))
          fix = "XS70E049";
        else
          fix += " and XS70E049";
        vuln = TRUE;
      }
    }
    else if (version =~ "^6\.5($|[^0-9])")
    {
      fix = "XS65ESP1064"; # CTX229543
      if (fix >!< patches) vuln = TRUE;
    }
    else if (version =~ "^6\.2($|[^0-9])")
    {
      fix = "XS62ESP1066"; # CTX229096
      if (fix >!< patches) vuln = TRUE;
    }
    else if (version =~ "^6\.0\.2($|[^0-9])")
    {
      fix = "XS602ECC050"; # CTX229095
      if (fix >!< patches) vuln = TRUE;
    }
    
    if (vuln)
    {
      port = 0;
      report = report_items_str(
        report_items:make_array(
          "Installed version", version,
          "Missing hotfix", fix
        ),
        ordered_fields:make_list("Installed version", "Missing hotfix")
      );
      security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);
    }
    else audit(AUDIT_INST_VER_NOT_VULN, app_name, version);
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1230.NASL
    descriptionMultiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, information leaks, privilege escalation or the execution of arbitrary code. For Debian 7
    last seen2020-03-17
    modified2018-01-08
    plugin id105621
    published2018-01-08
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105621
    titleDebian DLA-1230-1 : xen security update
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-1230-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(105621);
      script_version("3.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2017-17044", "CVE-2017-17045", "CVE-2017-17563", "CVE-2017-17564", "CVE-2017-17565", "CVE-2017-17566");
    
      script_name(english:"Debian DLA-1230-1 : xen security update");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Multiple vulnerabilities have been discovered in the Xen hypervisor,
    which could result in denial of service, information leaks, privilege
    escalation or the execution of arbitrary code.
    
    For Debian 7 'Wheezy', these problems have been fixed in version
    4.1.6.lts1-11.
    
    We recommend that you upgrade your xen packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2018/01/msg00003.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/wheezy/xen"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libxen-4.1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libxen-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libxen-ocaml");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libxen-ocaml-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libxenstore3.0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen-docs-4.1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen-hypervisor-4.1-amd64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen-hypervisor-4.1-i386");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen-system-amd64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen-system-i386");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen-utils-4.1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen-utils-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xenstore-utils");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/01/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/08");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"7.0", prefix:"libxen-4.1", reference:"4.1.6.lts1-11")) flag++;
    if (deb_check(release:"7.0", prefix:"libxen-dev", reference:"4.1.6.lts1-11")) flag++;
    if (deb_check(release:"7.0", prefix:"libxen-ocaml", reference:"4.1.6.lts1-11")) flag++;
    if (deb_check(release:"7.0", prefix:"libxen-ocaml-dev", reference:"4.1.6.lts1-11")) flag++;
    if (deb_check(release:"7.0", prefix:"libxenstore3.0", reference:"4.1.6.lts1-11")) flag++;
    if (deb_check(release:"7.0", prefix:"xen-docs-4.1", reference:"4.1.6.lts1-11")) flag++;
    if (deb_check(release:"7.0", prefix:"xen-hypervisor-4.1-amd64", reference:"4.1.6.lts1-11")) flag++;
    if (deb_check(release:"7.0", prefix:"xen-hypervisor-4.1-i386", reference:"4.1.6.lts1-11")) flag++;
    if (deb_check(release:"7.0", prefix:"xen-system-amd64", reference:"4.1.6.lts1-11")) flag++;
    if (deb_check(release:"7.0", prefix:"xen-system-i386", reference:"4.1.6.lts1-11")) flag++;
    if (deb_check(release:"7.0", prefix:"xen-utils-4.1", reference:"4.1.6.lts1-11")) flag++;
    if (deb_check(release:"7.0", prefix:"xen-utils-common", reference:"4.1.6.lts1-11")) flag++;
    if (deb_check(release:"7.0", prefix:"xenstore-utils", reference:"4.1.6.lts1-11")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2017-0178.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - From 2a99aa99fc84a45f505f84802af56b006d14c52e Mon Sep 17 00:00:00 2001 From: Andrew Cooper Date: Fri, 19 Aug 2016 15:08:10 +0100 Subject: [PATCH] xen/physmap: Do not permit a guest to populate PoD pages for itself PoD is supposed to be entirely transparent to guest, but this interface has been left exposed for a long time. The use of PoD requires careful co-ordination by the toolstack with the XENMEM_[get,set]_pod_target hypercalls, and xenstore ballooning target. The best a guest can do without toolstack cooperation crash. Furthermore, there are combinations of features (e.g. c/s c63868ff
    last seen2020-06-01
    modified2020-06-02
    plugin id105251
    published2017-12-14
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105251
    titleOracleVM 3.2 : xen (OVMSA-2017-0178)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The package checks in this plugin were extracted from OracleVM
    # Security Advisory OVMSA-2017-0178.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(105251);
      script_version("3.5");
      script_cvs_date("Date: 2019/09/27 13:00:35");
    
      script_cve_id("CVE-2017-15592", "CVE-2017-17044", "CVE-2017-17045");
    
      script_name(english:"OracleVM 3.2 : xen (OVMSA-2017-0178)");
      script_summary(english:"Checks the RPM output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote OracleVM host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote OracleVM system is missing necessary patches to address
    critical security updates :
    
      - From 2a99aa99fc84a45f505f84802af56b006d14c52e Mon Sep 17
        00:00:00 2001 From: Andrew Cooper Date: Fri, 19 Aug 2016
        15:08:10 +0100 Subject: [PATCH] xen/physmap: Do not
        permit a guest to populate PoD pages for itself PoD is
        supposed to be entirely transparent to guest, but this
        interface has been left exposed for a long time. The use
        of PoD requires careful co-ordination by the toolstack
        with the XENMEM_[get,set]_pod_target hypercalls, and
        xenstore ballooning target. The best a guest can do
        without toolstack cooperation crash. Furthermore, there
        are combinations of features (e.g. c/s c63868ff 'libxl:
        disallow PCI device assignment for HVM guest when PoD is
        enabled') which a toolstack might wish to explicitly
        prohibit (in this case, because the two simply don't
        function in combination). In such cases, the guest
        mustn't be able to subvert the configuration chosen by
        the toolstack.
    
        Conflict: xen/common/memory.c
    
      - Due to the history performance reason, we decide to
        disable PoD feature in old OVM product. Please don't set
        maxmem>memory XSA-246,XSA-247 [bug 27120669]
        (CVE-2017-17044, CVE-2017-17045)
    
      - x86/shadow: correct SH_LINEAR mapping detection in
        sh_guess_wrmap The fix for XSA-243 / CVE-2017-15592 (c/s
        bf2b4eadcf379) introduced a change in behaviour for
        sh_guest_wrmap, where it had to cope with no shadow
        linear mapping being present. As the name suggests,
        guest_vtable is a mapping of the guests pagetable, not
        Xen's pagetable, meaning that it isn't the pagetable we
        need to check for the shadow linear slot in. The
        practical upshot is that a shadow HVM vcpu which
        switches into 4-level paging mode, with an L4 pagetable
        that contains a mapping which aliases Xen's
        SH_LINEAR_PT_VIRT_START will fool the safety check for
        whether a SHADOW_LINEAR mapping is present. As the check
        passes (when it should have failed), Xen subsequently
        falls over the missing mapping with a pagefault such as:
        (XEN) Pagetable walk from ffff8140a0503880: (XEN)
        L4[0x102] = 000000046c218063 ffffffffffffffff (XEN)
        L3[0x102] = 000000046c218063 ffffffffffffffff (XEN)
        L2[0x102] = 000000046c218063 ffffffffffffffff (XEN)
        L1[0x103] = 0000000000000000 ffffffffffffffff This is
        part of XSA-243. (CVE-2017-15592)
    
      - dpci: Fix a race during unbinding of MSI interrupt The
        check of hvm_irq_dpci->mapping and read of flags are not
        protected in same critical area, so the unbind of MSI
        interrupt may intercepts between them. Like below scene:
        CPU0 CPU1
    
        ---- ---- hvm_do_IRQ_dpci !test_bit(mirq,
        dpci->mapping)) return 0  spin_lock(&d->event_lock) 
        hvm_irq_dpci->mirq[machine_gsi].flags = 0 
        clear_bit(machine_gsi, hvm_irq_dpci->mapping) 
        spin_unlock(&d->event_lock)  <SoftIRQ> hvm_dirq_assist
        spin_lock(&d->event_lock)  if (
        pt_irq_need_timer(hvm_irq_dpci->mirq[pirq].flags))
        set_timer  spin_unlock(&d->event_lock)  Then set_timer
        is mistakenly called which access uninitialized timer
        struct. Then page fault happen and a backtrace like
        below: (XEN) Xen call trace: (XEN) [<ffff82c480124c92>]
        set_timer+0x92/0x170 (XEN) [<ffff82c48013bb03>]
        hvm_dirq_assist+0x1c3/0x1e0 (XEN) [<ffff82c4801235ff>]
        do_tasklet_work_percpu+0x7f/0x120 (XEN)
        [<ffff82c480121915>] __do_softirq+0x65/0x90 (XEN)
        [<ffff82c4801f7fb6>] process_softirqs+0x6/0x10 (XEN)
        (XEN) Pagetable walk from 0000000000000008: (XEN)
        L4[0x000] = 0000002104cc1067 0000000000289430 (XEN)
        L3[0x000] = 000000212ecd8067 00000000002b3447 (XEN)
        L2[0x000] = 0000000000000000 ffffffffffffffff (XEN)
        (XEN) **************************************** (XEN)
        Panic on CPU 41: (XEN) FATAL PAGE FAULT (XEN)
        [error_code=0002] (XEN) Faulting linear address:
        0000000000000008 (XEN)
        **************************************** This issue is
        OVM3.2 only as OVM3.3 or above already has similar fix
        in pt_pirq_iterate"
      );
      # https://oss.oracle.com/pipermail/oraclevm-errata/2017-December/000810.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?88e7e3ea"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected xen / xen-devel / xen-tools packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen-tools");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:3.2");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/10/18");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/12/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/12/14");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"OracleVM Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/OracleVM/release");
    if (isnull(release) || "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM");
    if (! preg(pattern:"^OVS" + "3\.2" + "(\.[0-9]|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 3.2", "OracleVM " + release);
    if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    flag = 0;
    if (rpm_check(release:"OVS3.2", reference:"xen-4.1.3-25.el5.223.99")) flag++;
    if (rpm_check(release:"OVS3.2", reference:"xen-devel-4.1.3-25.el5.223.99")) flag++;
    if (rpm_check(release:"OVS3.2", reference:"xen-tools-4.1.3-25.el5.223.99")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen / xen-devel / xen-tools");
    }
    
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201801-14.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201801-14 (Xen: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Xen. Please review the referenced CVE identifiers for details. Impact : A local attacker could potentially execute arbitrary code with the privileges of the Xen (QEMU) process on the host, gain privileges on the host system, or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id106038
    published2018-01-15
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106038
    titleGLSA-201801-14 : Xen: Multiple vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201801-14.
    #
    # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(106038);
      script_version("1.3");
      script_cvs_date("Date: 2019/04/05 23:25:06");
    
      script_cve_id("CVE-2017-12134", "CVE-2017-12135", "CVE-2017-12136", "CVE-2017-12137", "CVE-2017-15588", "CVE-2017-15589", "CVE-2017-15590", "CVE-2017-15591", "CVE-2017-15592", "CVE-2017-15593", "CVE-2017-15594", "CVE-2017-15595", "CVE-2017-17044", "CVE-2017-17045", "CVE-2017-17046", "CVE-2017-17563", "CVE-2017-17564", "CVE-2017-17565", "CVE-2017-17566");
      script_xref(name:"GLSA", value:"201801-14");
    
      script_name(english:"GLSA-201801-14 : Xen: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-201801-14
    (Xen: Multiple vulnerabilities)
    
        Multiple vulnerabilities have been discovered in Xen. Please review the
          referenced CVE identifiers for details.
      
    Impact :
    
        A local attacker could potentially execute arbitrary code with the
          privileges of the Xen (QEMU) process on the host, gain privileges on the
          host system, or cause a Denial of Service condition.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/201801-14"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All Xen users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=app-emulation/xen-4.9.1-r1'
        All Xen tools users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose
          '>=app-emulation/xen-tools-4.9.1-r1'"
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:xen");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:xen-tools");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/01/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/15");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"app-emulation/xen", unaffected:make_list("ge 4.9.1-r1"), vulnerable:make_list("lt 4.9.1-r1"))) flag++;
    if (qpkg_check(package:"app-emulation/xen-tools", unaffected:make_list("ge 4.9.1-r1"), vulnerable:make_list("lt 4.9.1-r1"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Xen");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-4BFCD57172.NASL
    descriptionxen: various flaws (#1518214) x86: infinite loop due to missing PoD error checking [XSA-246] Missing p2m error checking in PoD code [XSA-247] Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2018-01-15
    plugin id105869
    published2018-01-15
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105869
    titleFedora 27 : xen (2017-4bfcd57172)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2017-4bfcd57172.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(105869);
      script_version("3.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2017-17044", "CVE-2017-17045");
      script_xref(name:"FEDORA", value:"2017-4bfcd57172");
    
      script_name(english:"Fedora 27 : xen (2017-4bfcd57172)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "xen: various flaws (#1518214) x86: infinite loop due to missing PoD
    error checking [XSA-246] Missing p2m error checking in PoD code
    [XSA-247]
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-4bfcd57172"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected xen package.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:xen");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:27");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/11/28");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/12/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/15");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^27([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 27", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC27", reference:"xen-4.9.1-2.fc27")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen");
    }
    
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2017-0177.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - Due to the history performance reason, we decide to disable PoD feature in old OVM product.XSA-246,XSA-247 [bug 27121016] (CVE-2017-17044, CVE-2017-17045) - From 2a99aa99fc84a45f505f84802af56b006d14c52e Mon Sep 17 00:00:00 2001 From: Andrew Cooper Date: Fri, 19 Aug 2016 15:08:10 +0100 Subject: [PATCH] xen/physmap: Do not permit a guest to populate PoD pages for itself PoD is supposed to be entirely transparent to guest, but this interface has been left exposed for a long time. The use of PoD requires careful co-ordination by the toolstack with the XENMEM_[get,set]_pod_target hypercalls, and xenstore ballooning target. The best a guest can do without toolstack cooperation crash. Furthermore, there are combinations of features (e.g. c/s c63868ff
    last seen2020-06-01
    modified2020-06-02
    plugin id105250
    published2017-12-14
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105250
    titleOracleVM 3.3 : xen (OVMSA-2017-0177)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2017-0176.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - BUILDINFO: OVMF commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8 - BUILDINFO: xen commit=b90f0a4fa66aea67e743c393ba307612a2fec379 - BUILDINFO: QEMU upstream commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff - BUILDINFO: QEMU traditional commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba - BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e - BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee - p2m: Check return value of p2m_set_entry when decreasing reservation (George Dunlap) [Orabug: 27216264] (CVE-2017-17045) - p2m: Always check to see if removing a p2m entry actually worked (George Dunlap) [Orabug: 27216264] (CVE-2017-17045) - x86/pod: prevent infinite loop when shattering large pages (Julien Grall) [Orabug: 27216261] (CVE-2017-17044) - xen/physmap: Do not permit a guest to populate PoD pages for itself (Elena Ufimtseva) [Orabug: 27216261] (CVE-2017-17044) - xend/pxm: Include pxm in XenStore when hotplugging PCI devices (Konrad Rzeszutek Wilk) [Orabug: 27206706] - BUILDINFO: OVMF commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8 - BUILDINFO: xen commit=2f4972e50ebd2a470b19bfdb1fc6ce91e77614e0 - BUILDINFO: QEMU upstream commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff - BUILDINFO: QEMU traditional commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba - BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e - BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee - vNUMA: assign vcpus to nodes by interleaving (Elena Ufimtseva) - BUILDINFO: OVMF commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8 - BUILDINFO: xen commit=c9c2df2dc87e18c9dcf584aedf859ab50b62883a - BUILDINFO: QEMU upstream commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff - BUILDINFO: QEMU traditional commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba - BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e - BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee - vNUMA: disable vNUMA if fail to find vcpus for pinning (Elena Ufimtseva) [Orabug: 27091931] - BUILDINFO: OVMF commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8 - BUILDINFO: xen commit=fe4d54f49f8cf07f9e9d8077b7c85d287fb5c90c - BUILDINFO: QEMU upstream commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff - BUILDINFO: QEMU traditional commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba - BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e - BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee - x86/shadow: correct SH_LINEAR mapping detection in sh_guess_wrmap (Andrew Cooper) [Orabug: 27148184] (CVE-2017-15592) (CVE-2017-15592) - x86: don
    last seen2020-06-01
    modified2020-06-02
    plugin id105249
    published2017-12-14
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105249
    titleOracleVM 3.4 : xen (OVMSA-2017-0176)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2018-0248.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0248 for details.
    last seen2020-06-01
    modified2020-06-02
    plugin id111992
    published2018-08-20
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111992
    titleOracleVM 3.4 : xen (OVMSA-2018-0248) (Bunker Buster) (Foreshadow) (Meltdown) (POODLE) (Spectre)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4050.NASL
    descriptionMultiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, information leaks, privilege escalation or the execution of arbitrary code.
    last seen2020-06-01
    modified2020-06-02
    plugin id104819
    published2017-11-29
    reporterThis script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104819
    titleDebian DSA-4050-1 : xen - security update
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-16A414B3C5.NASL
    descriptionanother patch related to the [XSA-240, CVE-2017-15595] issue xen: various flaws (#1525018) x86 PV guests may gain access to internally used page [XSA-248] broken x86 shadow mode refcount overflow check [XSA-249] improper x86 shadow mode refcount error handling [XSA-250] improper bug check in x86 log-dirty handling [XSA-251] ---- xen: various flaws (#1518214) x86: infinite loop due to missing PoD error checking [XSA-246] Missing p2m error checking in PoD code [XSA-247] Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2018-01-03
    plugin id105511
    published2018-01-03
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105511
    titleFedora 26 : xen (2017-16a414b3c5)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2018-0005.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0005 for details.
    last seen2020-06-01
    modified2020-06-02
    plugin id105717
    published2018-01-10
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105717
    titleOracleVM 3.4 : xen (OVMSA-2018-0005) (Meltdown) (Spectre)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1559.NASL
    descriptionMultiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, informations leaks or privilege escalation. For Debian 8
    last seen2020-06-01
    modified2020-06-02
    plugin id118503
    published2018-10-31
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118503
    titleDebian DLA-1559-1 : xen security update