Vulnerabilities > CVE-2017-7228 - Improper Validation of Array Index vulnerability in XEN
Attack vector
LOCAL Attack complexity
LOW Privileges required
HIGH Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
An issue (known as XSA-212) was discovered in Xen, with fixes available for 4.8.x, 4.7.x, 4.6.x, 4.5.x, and 4.4.x. The earlier XSA-29 fix introduced an insufficient check on XENMEM_exchange input, allowing the caller to drive hypervisor memory accesses outside of the guest provided input/output arrays.
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
Exploit-Db
| description | Xen - Broken Check in 'memory_exchange()' Permits PV Guest Breakout. CVE-2017-7228. Local exploit for Multiple platform. Tags: Local |
| file | exploits/multiple/local/41870.txt |
| id | EDB-ID:41870 |
| last seen | 2017-04-12 |
| modified | 2017-04-11 |
| platform | multiple |
| port | |
| published | 2017-04-11 |
| reporter | Exploit-DB |
| source | https://www.exploit-db.com/download/41870/ |
| title | Xen - Broken Check in 'memory_exchange()' Permits PV Guest Breakout |
| type | local |
Nessus
NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2017-0096.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0096 for details. last seen 2020-06-01 modified 2020-06-02 plugin id 99977 published 2017-05-04 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99977 title OracleVM 3.2 : xen (OVMSA-2017-0096) code # # (C) Tenable Network Security, Inc. # # The package checks in this plugin were extracted from OracleVM # Security Advisory OVMSA-2017-0096. # include("compat.inc"); if (description) { script_id(99977); script_version("3.12"); script_cvs_date("Date: 2019/09/27 13:00:35"); script_cve_id("CVE-2014-8106", "CVE-2016-9603", "CVE-2017-2615", "CVE-2017-2620", "CVE-2017-7228"); script_bugtraq_id(71477); script_xref(name:"IAVB", value:"2017-B-0024"); script_name(english:"OracleVM 3.2 : xen (OVMSA-2017-0096)"); script_summary(english:"Checks the RPM output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote OracleVM host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0096 for details." ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/oraclevm-errata/2017-May/000691.html" ); script_set_attribute( attribute:"solution", value:"Update the affected xen / xen-devel / xen-tools packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen-tools"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:3.2"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/12/08"); script_set_attribute(attribute:"patch_publication_date", value:"2017/05/03"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/04"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"OracleVM Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/OracleVM/release"); if (isnull(release) || "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM"); if (! preg(pattern:"^OVS" + "3\.2" + "(\.[0-9]|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 3.2", "OracleVM " + release); if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu); if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu); flag = 0; if (rpm_check(release:"OVS3.2", reference:"xen-4.1.3-25.el5.223.62")) flag++; if (rpm_check(release:"OVS3.2", reference:"xen-devel-4.1.3-25.el5.223.62")) flag++; if (rpm_check(release:"OVS3.2", reference:"xen-tools-4.1.3-25.el5.223.62")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen / xen-devel / xen-tools"); }NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-0983-1.NASL description This update for xen to version 4.7.2 fixes the following issues: These security issues were fixed : - CVE-2017-7228: Broken check in memory_exchange() permited PV guest breakout (bsc#1030442). - XSA-206: Unprivileged guests issuing writes to xenstore were able to stall progress of the control domain or driver domain, possibly leading to a Denial of Service (DoS) of the entire host (bsc#1030144). - CVE-2017-6505: The ohci_service_ed_list function in hw/usb/hcd-ohci.c allowed local guest OS users to cause a denial of service (infinite loop) via vectors involving the number of link endpoint list descriptors (bsc#1028235). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 99302 published 2017-04-12 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99302 title SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2017:0983-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2017:0983-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(99302); script_version("3.12"); script_cvs_date("Date: 2019/09/11 11:22:15"); script_cve_id("CVE-2017-6505", "CVE-2017-7228"); script_xref(name:"IAVB", value:"2017-B-0042"); script_name(english:"SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2017:0983-1)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for xen to version 4.7.2 fixes the following issues: These security issues were fixed : - CVE-2017-7228: Broken check in memory_exchange() permited PV guest breakout (bsc#1030442). - XSA-206: Unprivileged guests issuing writes to xenstore were able to stall progress of the control domain or driver domain, possibly leading to a Denial of Service (DoS) of the entire host (bsc#1030144). - CVE-2017-6505: The ohci_service_ed_list function in hw/usb/hcd-ohci.c allowed local guest OS users to cause a denial of service (infinite loop) via vectors involving the number of link endpoint list descriptors (bsc#1028235). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1014136" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1015348" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1022555" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1026236" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1027519" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1028235" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1029128" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1029827" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1030144" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1030442" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-6505/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-7228/" ); # https://www.suse.com/support/update/announcement/2017/suse-su-20170983-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?f09697ec" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Software Development Kit 12-SP2:zypper in -t patch SUSE-SLE-SDK-12-SP2-2017-572=1 SUSE Linux Enterprise Server 12-SP2:zypper in -t patch SUSE-SLE-SERVER-12-SP2-2017-572=1 SUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2017-572=1 To bring your system up-to-date, use 'zypper patch'." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-doc-html"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-libs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-libs-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools-domU"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools-domU-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/15"); script_set_attribute(attribute:"patch_publication_date", value:"2017/04/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/12"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLED12|SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED12 / SLES12", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); if (cpu >!< "x86_64") audit(AUDIT_ARCH_NOT, "x86_64", cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES12" && (! preg(pattern:"^(2)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP2", os_ver + " SP" + sp); if (os_ver == "SLED12" && (! preg(pattern:"^(2)$", string:sp))) audit(AUDIT_OS_NOT, "SLED12 SP2", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"xen-4.7.2_02-36.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"xen-debugsource-4.7.2_02-36.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"xen-doc-html-4.7.2_02-36.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"xen-libs-32bit-4.7.2_02-36.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"xen-libs-4.7.2_02-36.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"xen-libs-debuginfo-32bit-4.7.2_02-36.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"xen-libs-debuginfo-4.7.2_02-36.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"xen-tools-4.7.2_02-36.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"xen-tools-debuginfo-4.7.2_02-36.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"xen-tools-domU-4.7.2_02-36.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"xen-tools-domU-debuginfo-4.7.2_02-36.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"xen-4.7.2_02-36.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"xen-debugsource-4.7.2_02-36.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"xen-libs-32bit-4.7.2_02-36.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"xen-libs-4.7.2_02-36.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"xen-libs-debuginfo-32bit-4.7.2_02-36.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"xen-libs-debuginfo-4.7.2_02-36.1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen"); }NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-1080-1.NASL description This update for xen fixes the following issues: These security issues were fixed : - CVE-2017-7228: Broken check in memory_exchange() permited PV guest breakout (bsc#1030442). - XSA-206: Unprivileged guests issuing writes to xenstore were able to stall progress of the control domain or driver domain, possibly leading to a Denial of Service (DoS) of the entire host (bsc#1030144). - CVE-2017-6505: The ohci_service_ed_list function in hw/usb/hcd-ohci.c allowed local guest OS users to cause a denial of service (infinite loop) via vectors involving the number of link endpoint list descriptors (bsc#1028235). - CVE-2017-6414: Memory leak in the vcard_apdu_new function in card_7816.c in libcacard allowed local guest OS users to cause a denial of service (host memory consumption) via vectors related to allocating a new APDU object (bsc#1027570). - CVE-2017-2633: The VNC display driver support was vulnerable to an out-of-bounds memory access issue. A user/process inside guest could use this flaw to cause DoS (bsc#1026636). - CVE-2016-9603: A privileged user within the guest VM can cause a heap overflow in the device model process, potentially escalating their privileges to that of the device model process (bsc#1028655). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 99579 published 2017-04-21 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99579 title SUSE SLES12 Security Update : xen (SUSE-SU-2017:1080-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2017:1080-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(99579); script_version("3.9"); script_cvs_date("Date: 2019/09/11 11:22:15"); script_cve_id("CVE-2016-9603", "CVE-2017-2633", "CVE-2017-6414", "CVE-2017-6505", "CVE-2017-7228"); script_name(english:"SUSE SLES12 Security Update : xen (SUSE-SU-2017:1080-1)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for xen fixes the following issues: These security issues were fixed : - CVE-2017-7228: Broken check in memory_exchange() permited PV guest breakout (bsc#1030442). - XSA-206: Unprivileged guests issuing writes to xenstore were able to stall progress of the control domain or driver domain, possibly leading to a Denial of Service (DoS) of the entire host (bsc#1030144). - CVE-2017-6505: The ohci_service_ed_list function in hw/usb/hcd-ohci.c allowed local guest OS users to cause a denial of service (infinite loop) via vectors involving the number of link endpoint list descriptors (bsc#1028235). - CVE-2017-6414: Memory leak in the vcard_apdu_new function in card_7816.c in libcacard allowed local guest OS users to cause a denial of service (host memory consumption) via vectors related to allocating a new APDU object (bsc#1027570). - CVE-2017-2633: The VNC display driver support was vulnerable to an out-of-bounds memory access issue. A user/process inside guest could use this flaw to cause DoS (bsc#1026636). - CVE-2016-9603: A privileged user within the guest VM can cause a heap overflow in the device model process, potentially escalating their privileges to that of the device model process (bsc#1028655). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1022555" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1026636" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1027519" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1027570" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1028235" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1028655" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1029827" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1030144" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1030442" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-9603/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-2633/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-6414/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-6505/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-7228/" ); # https://www.suse.com/support/update/announcement/2017/suse-su-20171080-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?e66278b1" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Server for SAP 12:zypper in -t patch SUSE-SLE-SAP-12-2017-626=1 SUSE Linux Enterprise Server 12-LTSS:zypper in -t patch SUSE-SLE-SERVER-12-2017-626=1 To bring your system up-to-date, use 'zypper patch'." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-doc-html"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-kmp-default"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-kmp-default-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-libs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-libs-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools-domU"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools-domU-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/15"); script_set_attribute(attribute:"patch_publication_date", value:"2017/04/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/21"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); if (cpu >!< "x86_64") audit(AUDIT_ARCH_NOT, "x86_64", cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES12" && (! preg(pattern:"^(0)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP0", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"xen-4.4.4_16-22.36.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"xen-debugsource-4.4.4_16-22.36.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"xen-doc-html-4.4.4_16-22.36.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"xen-kmp-default-4.4.4_16_k3.12.61_52.69-22.36.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"xen-kmp-default-debuginfo-4.4.4_16_k3.12.61_52.69-22.36.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"xen-libs-32bit-4.4.4_16-22.36.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"xen-libs-4.4.4_16-22.36.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"xen-libs-debuginfo-32bit-4.4.4_16-22.36.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"xen-libs-debuginfo-4.4.4_16-22.36.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"xen-tools-4.4.4_16-22.36.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"xen-tools-debuginfo-4.4.4_16-22.36.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"xen-tools-domU-4.4.4_16-22.36.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"xen-tools-domU-debuginfo-4.4.4_16-22.36.1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen"); }NASL family Debian Local Security Checks NASL id DEBIAN_DLA-907.NASL description CVE-2017-7228 (XSA-212) An insufficient check on XENMEM_exchange may allow PV guests to access all of system memory. For Debian 7 last seen 2020-03-17 modified 2017-04-24 plugin id 99601 published 2017-04-24 reporter This script is Copyright (C) 2017-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/99601 title Debian DLA-907-1 : xen security update code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-907-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(99601); script_version("3.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2017-7228"); script_name(english:"Debian DLA-907-1 : xen security update"); script_summary(english:"Checks dpkg output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "CVE-2017-7228 (XSA-212) An insufficient check on XENMEM_exchange may allow PV guests to access all of system memory. For Debian 7 'Wheezy', these problems have been fixed in version 4.1.6.lts1-6. We recommend that you upgrade your xen packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2017/04/msg00026.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/wheezy/xen" ); script_set_attribute(attribute:"solution", value:"Upgrade the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libxen-4.1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libxen-dev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libxen-ocaml"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libxen-ocaml-dev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libxenstore3.0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen-docs-4.1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen-hypervisor-4.1-amd64"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen-hypervisor-4.1-i386"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen-system-amd64"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen-system-i386"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen-utils-4.1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen-utils-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xenstore-utils"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0"); script_set_attribute(attribute:"patch_publication_date", value:"2017/04/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/24"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2020 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"7.0", prefix:"libxen-4.1", reference:"4.1.6.lts1-6")) flag++; if (deb_check(release:"7.0", prefix:"libxen-dev", reference:"4.1.6.lts1-6")) flag++; if (deb_check(release:"7.0", prefix:"libxen-ocaml", reference:"4.1.6.lts1-6")) flag++; if (deb_check(release:"7.0", prefix:"libxen-ocaml-dev", reference:"4.1.6.lts1-6")) flag++; if (deb_check(release:"7.0", prefix:"libxenstore3.0", reference:"4.1.6.lts1-6")) flag++; if (deb_check(release:"7.0", prefix:"xen-docs-4.1", reference:"4.1.6.lts1-6")) flag++; if (deb_check(release:"7.0", prefix:"xen-hypervisor-4.1-amd64", reference:"4.1.6.lts1-6")) flag++; if (deb_check(release:"7.0", prefix:"xen-hypervisor-4.1-i386", reference:"4.1.6.lts1-6")) flag++; if (deb_check(release:"7.0", prefix:"xen-system-amd64", reference:"4.1.6.lts1-6")) flag++; if (deb_check(release:"7.0", prefix:"xen-system-i386", reference:"4.1.6.lts1-6")) flag++; if (deb_check(release:"7.0", prefix:"xen-utils-4.1", reference:"4.1.6.lts1-6")) flag++; if (deb_check(release:"7.0", prefix:"xen-utils-common", reference:"4.1.6.lts1-6")) flag++; if (deb_check(release:"7.0", prefix:"xenstore-utils", reference:"4.1.6.lts1-6")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-492.NASL description This update for xen to version 4.7.2 fixes the following issues : These security issues were fixed : - CVE-2017-7228: Broken check in memory_exchange() permited PV guest breakout (bsc#1030442). - XSA-206: Unprivileged guests issuing writes to xenstore were able to stall progress of the control domain or driver domain, possibly leading to a Denial of Service (DoS) of the entire host (bsc#1030144). - CVE-2017-6505: The ohci_service_ed_list function in hw/usb/hcd-ohci.c allowed local guest OS users to cause a denial of service (infinite loop) via vectors involving the number of link endpoint list descriptors (bsc#1028235). These non-security issues were fixed : - bsc#1015348: libvirtd didn last seen 2020-06-05 modified 2017-04-21 plugin id 99559 published 2017-04-21 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99559 title openSUSE Security Update : xen (openSUSE-2017-492) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2017-492. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(99559); script_version("3.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2017-6505", "CVE-2017-7228"); script_name(english:"openSUSE Security Update : xen (openSUSE-2017-492)"); script_summary(english:"Check for the openSUSE-2017-492 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update for xen to version 4.7.2 fixes the following issues : These security issues were fixed : - CVE-2017-7228: Broken check in memory_exchange() permited PV guest breakout (bsc#1030442). - XSA-206: Unprivileged guests issuing writes to xenstore were able to stall progress of the control domain or driver domain, possibly leading to a Denial of Service (DoS) of the entire host (bsc#1030144). - CVE-2017-6505: The ohci_service_ed_list function in hw/usb/hcd-ohci.c allowed local guest OS users to cause a denial of service (infinite loop) via vectors involving the number of link endpoint list descriptors (bsc#1028235). These non-security issues were fixed : - bsc#1015348: libvirtd didn't not start during boot - bsc#1014136: kdump couldn't dump a kernel on SLES12-SP2 with Xen hypervisor. - bsc#1026236: Fixed paravirtualized performance - bsc#1022555: Timeout in 'execution of /etc/xen/scripts/block add' - bsc#1029827: Forward port xenstored - bsc#1029128: Make xen to really produce xen.efi with gcc48 This update was imported from the SUSE:SLE-12-SP2:Update update project." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1014136" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1015348" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1022555" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1026236" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1027519" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1028235" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1029128" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1029827" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1030144" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1030442" ); script_set_attribute(attribute:"solution", value:"Update the affected xen packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-doc-html"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-libs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-libs-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-libs-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-libs-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-tools"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-tools-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-tools-domU"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-tools-domU-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.2"); script_set_attribute(attribute:"patch_publication_date", value:"2017/04/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/21"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE42\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.2", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE42.2", reference:"xen-debugsource-4.7.2_02-11.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"xen-devel-4.7.2_02-11.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"xen-libs-4.7.2_02-11.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"xen-libs-debuginfo-4.7.2_02-11.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"xen-tools-domU-4.7.2_02-11.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"xen-tools-domU-debuginfo-4.7.2_02-11.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"xen-4.7.2_02-11.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"xen-doc-html-4.7.2_02-11.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"xen-libs-32bit-4.7.2_02-11.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"xen-libs-debuginfo-32bit-4.7.2_02-11.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"xen-tools-4.7.2_02-11.3.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"xen-tools-debuginfo-4.7.2_02-11.3.1") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen-debugsource / xen-devel / xen-libs-32bit / xen-libs / etc"); }NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2017-0153.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0153 for details. last seen 2020-06-01 modified 2020-06-02 plugin id 103830 published 2017-10-13 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/103830 title OracleVM 3.4 : xen (OVMSA-2017-0153) NASL family Misc. NASL id CITRIX_XENSERVER_CTX222565.NASL description The version of Citrix XenServer installed on the remote host is missing a security hotfix. It is, therefore, affected by multiple vulnerabilities : - A flaw exists when invoking the instruction emulator that is triggered during the handling of SYSCALL by single-stepping applications. A local attacker can exploit this to execute code with elevated privileges on the guest. (CVE-2016-10013) - An out-of-array memory access error exists in the memory_exchange() function within file common/memory.c due to improper checking of XENMEM_exchange input. An attacker on a 64-bit PV guest VM who has administrative privileges can exploit this issue to access arbitrary system memory locations, which can then be potentially used for further compromising the host. (CVE-2017-7228) - A memory leak issue exits due to improper cleanup being performed during guest destruction. An attacker on the guest can exploit this, by repeatedly rebooting, to exhaust memory on the host system, resulting in a denial of service condition. last seen 2020-06-01 modified 2020-06-02 plugin id 99377 published 2017-04-14 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99377 title Citrix XenServer multiple vulnerabilities (CTX222565) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2017-0142.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0142 for details. last seen 2020-06-01 modified 2020-06-02 plugin id 102835 published 2017-08-30 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102835 title OracleVM 3.4 : xen (OVMSA-2017-0142) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3847.NASL description Jan Beulich and Jann Horn discovered multiple vulnerabilities in the Xen hypervisor, which may lead to privilege escalation, guest-to-host breakout, denial of service or information leaks. In additional to the CVE identifiers listed above, this update also addresses the vulnerabilities announced as XSA-213, XSA-214 and XSA-215. last seen 2020-06-01 modified 2020-06-02 plugin id 100071 published 2017-05-10 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100071 title Debian DSA-3847-1 : xen - security update NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-1081-1.NASL description This update for xen fixes the following issues: These security issues were fixed : - CVE-2017-7228: Broken check in memory_exchange() permited PV guest breakout (bsc#1030442). - XSA-206: Unprivileged guests issuing writes to xenstore were able to stall progress of the control domain or driver domain, possibly leading to a Denial of Service (DoS) of the entire host (bsc#1030144). - CVE-2016-9603: A privileged user within the guest VM can cause a heap overflow in the device model process, potentially escalating their privileges to that of the device model process (bsc#1028655). - CVE-2017-6414: Memory leak in the vcard_apdu_new function in card_7816.c in libcacard allowed local guest OS users to cause a denial of service (host memory consumption) via vectors related to allocating a new APDU object (bsc#1027570). - CVE-2017-6505: The ohci_service_ed_list function in hw/usb/hcd-ohci.c allowed local guest OS users to cause a denial of service (infinite loop) via vectors involving the number of link endpoint list descriptors (bsc#1028235). - CVE-2017-2633: The VNC display driver support was vulnerable to an out-of-bounds memory access issue. A user/process inside guest could use this flaw to cause DoS (bsc#1026636). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 99580 published 2017-04-21 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99580 title SUSE SLES11 Security Update : xen (SUSE-SU-2017:1081-1) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2017-0094.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - BUILDINFO: xen commit=8ee9cbea8e71c968e602d5b4974601d283d61d28 - BUILDINFO: QEMU upstream commit=fcd17fdf18b95a9e408acc84f6d2b37cf3fc0335 - BUILDINFO: QEMU traditional commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba - BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e - BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee - x86: correct create_bounce_frame (Boris Ostrovsky) [Orabug: 25927745] - x86: discard type information when stealing pages (Boris Ostrovsky) - multicall: deal with early exit conditions (Boris Ostrovsky) [Orabug: 25927612] - BUILDINFO: xen commit=66e33522666436a4b6c13fbaa77b4942876bb5f7 - BUILDINFO: QEMU upstream commit=fcd17fdf18b95a9e408acc84f6d2b37cf3fc0335 - BUILDINFO: QEMU traditional commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba - BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e - BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee - kexec: Add spinlock for the whole hypercall. (Konrad Rzeszutek Wilk) - kexec: clear kexec_image slot when unloading kexec image (Bhavesh Davda) [Orabug: 25861731] - BUILDINFO: xen commit=337c8edcc582f8bfb1bcfcb5a475c5fc18ff2def - BUILDINFO: QEMU upstream commit=fcd17fdf18b95a9e408acc84f6d2b37cf3fc0335 - BUILDINFO: QEMU traditional commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba - BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e - BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee - memory: properly check guest memory ranges in XENMEM_exchange handling (Jan Beulich) [Orabug: 25760559] (CVE-2017-7228) - xenstored: Log when the write transaction rate limit bites (Ian Jackson) [Orabug: 25745225] - xenstored: apply a write transaction rate limit (Ian Jackson) - BUILDINFO: xen commit=17b0cd2109c42553e9c8c34d3a2b8252abead104 - BUILDINFO: QEMU upstream commit=fcd17fdf18b95a9e408acc84f6d2b37cf3fc0335 - BUILDINFO: QEMU traditional commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba - BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e - BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee - xm: Fix the error message displayed by last seen 2020-06-01 modified 2020-06-02 plugin id 99975 published 2017-05-04 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99975 title OracleVM 3.4 : xen (OVMSA-2017-0094) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2018-0248.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0248 for details. last seen 2020-06-01 modified 2020-06-02 plugin id 111992 published 2018-08-20 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111992 title OracleVM 3.4 : xen (OVMSA-2018-0248) (Bunker Buster) (Foreshadow) (Meltdown) (POODLE) (Spectre) NASL family Fedora Local Security Checks NASL id FEDORA_2017-054729AB08.NASL description Qemu: 9pfs: host memory leakage via v9fs_create [CVE-2017-7377] (#1437873) x86: broken check in memory_exchange() permits PV guest breakout [XSA-212, CVE-2017-7228] (#1438804) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-04-10 plugin id 99256 published 2017-04-10 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99256 title Fedora 25 : xen (2017-054729ab08) NASL family Fedora Local Security Checks NASL id FEDORA_2017-03DC811BE6.NASL description Qemu: 9pfs: host memory leakage via v9fs_create [CVE-2017-7377] (#1437873) ---- add additional patch for [XSA-206] (#1436690) ---- xenstore denial of service via repeated update [XSA-206] (#1436690) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-04-17 plugin id 99405 published 2017-04-17 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99405 title Fedora 24 : xen (2017-03dc811be6) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2017-0095.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0095 for details. last seen 2020-06-01 modified 2020-06-02 plugin id 99976 published 2017-05-04 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99976 title OracleVM 3.3 : xen (OVMSA-2017-0095) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_90BECF7C1ACF11E7970F002590263BF5.NASL description The Xen Project reports : The XSA-29 fix introduced an insufficient check on XENMEM_exchange input, allowing the caller to drive hypervisor memory accesses outside of the guest provided input/output arrays. A malicious or buggy 64-bit PV guest may be able to access all of system memory, allowing for all of privilege escalation, host crashes, and information leaks. last seen 2020-06-01 modified 2020-06-02 plugin id 99240 published 2017-04-07 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99240 title FreeBSD : xen-kernel -- broken check in memory_exchange() permits PV guest breakout (90becf7c-1acf-11e7-970f-002590263bf5) NASL family Misc. NASL id XEN_SERVER_XSA-212.NASL description According to its self-reported version number, the Xen hypervisor installed on the remote host is affected by an out-of-array memory access error in the memory_exchange() function in file common/memory.c due to improper checking of XENMEM_exchange input. An attacker on a 64-bit PV guest VM who has administrative privileges can exploit this issue to access arbitrary system memory locations, which can then be potentially used for further compromising the host. Note that Nessus has checked the changeset versions based on the xen.git change log. Nessus did not check guest hardware configurations or if patches were applied manually to the source code before a recompile and reinstall. last seen 2020-06-01 modified 2020-06-02 plugin id 99399 published 2017-04-14 reporter This script is Copyright (C) 2017-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/99399 title Xen Hypervisor XENMEM_exchange Memory Disclosure (XSA-212) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-1058-1.NASL description This update for xen fixes the following security issues : - CVE-2017-7228: Broken check in memory_exchange() permited PV guest breakout (bsc#1030442). - CVE-2017-6414: Memory leak in the vcard_apdu_new function in card_7816.c in libcacard allowed local guest OS users to cause a denial of service (host memory consumption) via vectors related to allocating a new APDU object (bsc#1027570). - CVE-2017-6505: The ohci_service_ed_list function in hw/usb/hcd-ohci.c allowed local guest OS users to cause a denial of service (infinite loop) via vectors involving the number of link endpoint list descriptors (bsc#1028235). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 99507 published 2017-04-20 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99507 title SUSE SLES11 Security Update : xen (SUSE-SU-2017:1058-1)
Seebug
| bulletinFamily | exploit |
| description | Detailed analysis: [Pandavirtualization: Exploiting the Xen hypervisor ](<https://googleprojectzero.blogspot.tw/2017/04/pandavirtualization-exploiting-xen.html>) This bug report describes a vulnerability in memory_exchange() that permits PV guest kernels to write to an arbitrary virtual address with the hypervisor privileges. The vulnerability was introduced through a broken fix for CVE-2012-5513 / XSA-29. The fix for CVE-2012-5513 / XSA-29 introduced the following check in the memory_exchange() hypercall handler: if ( ! guest_handle_okay(exch. in. extent_start, exch. in. nr_extents) || ! guest_handle_okay(exch. out. extent_start, exch. out. nr_extents) ) { rc = -EFAULT; goto fail_early; } guest_handle_okay() calls array_access_ok(), which calls access_ok(), which is implemented as follows: /* * Valid if in +ve half of the 48-bit address space, or above * The Xen-reserved area. * This is also valid for range checks (addr, addr+size). As long * as the start address is outside the Xen-reserved area then we * will access a non-canonical address (and thus fault) before * ever reaching VIRT_START. */ #define __addr_ok(addr) \ (((unsigned long)(addr) < (1UL<<47)) || \ ((unsigned long)(addr) >= HYPERVISOR_VIRT_END)) #define access_ok(addr, size) \ (__addr_ok(addr) || is_compat_arg_xlat_range(addr, size)) As the comment states, access_ok() only checks the address, not the size, if the address points to the guest memory, based on the assumption that any caller of access_ok() will access guest memory linearly, starting at the supplied address. Callers that want to access a subrange of the memory referenced by a guest of the handle are supposed to use guest_handle_subrange_okay(), which takes an additional start offset parameter, instead of guest_handle_okay(). memory_exchange() uses guest_handle_okay(), but only accesses the guest memory arrays referenced by exch. in. extent_start and exch. out. extent_start starting at exch. nr_exchanged, a 64-bit offset. The intent behind exch. nr_exchanged is that guests always set it to 0 and the nonzero values are only set when a hypercall has to be restarted because of preemption, but this isn't enforced. Therefore, by invoking this hypercall with a crafted arguments, it is possible to write to an arbitrary memory location that is encoded as exch. out. extent_start + 8 * exch. nr_exchanged where exch. out. extent_start points to guest memory and exch. nr_exchanged is an attacker-chosen 64-bit value. I have attached a proof of concept. This PoC demonstrates the issue by overwriting the first 8 bytes of the IDT entry for #PF, causing the next pagefault to doublefault. To run the PoC, unpack it in a normal 64-bit PV domain and run the following commands in the domain as root: `root@pv-guest:~# cd crashpoc root@pv-guest:~/crashpoc# make-C /lib/modules/$(uname-r)/build M=$(pwd) make: Entering directory '/usr/src/linux-headers-4.4.0-66-generic' LD /root/crashpoc/built-in. o CC [M] /root/crashpoc/module. o nasm-f elf64-o /root/crashpoc/native. o /root/crashpoc/native. asm LD [M] /root/crashpoc/test. o Building modules, stage 2. MODPOST 1 modules WARNING: could not find /root/crashpoc/. native. o. cmd for /root/crashpoc/native. o CC /root/crashpoc/test. mod. o LD [M] /root/crashpoc/test. ko make: Leaving directory '/usr/src/linux-headers-4.4.0-66-generic' root@pv-guest:~/crashpoc# insmod test. ko root@pv-guest:~/crashpoc# rmmod test` The machine on which I tested the PoC was running the Xen 4.6.0-1ubuntu4 (from Ubuntu 16.04.2). Executing the PoC caused the following console output: `(XEN) *** DOUBLE FAULT *** (XEN)----[ Xen-4.6.0 x86_64 debug=n Tainted: C]---- (XEN) CPU: 0 (XEN) RIP: e033:[<0000557b46f56860>] 0000557b46f56860 (XEN) RFLAGS: 0000000000010202 CONTEXT: hypervisor (XEN) rax: 00007fffe9cfafd0 rbx: 00007fffe9cfd160 rcx: 0000557b47ebd040 (XEN) rdx: 0000000000000001 rsi: 0000000000000004 rdi: 0000557b47ec52e0 (XEN) rbp: 00007fffe9cfd158 rsp: 00007fffe9cfaf30 r8: 0000557b46f7df00 (XEN) r9: 0000557b46f7dec0 r10: 0000557b46f7df00 r11: 0000557b47ec5878 (XEN) r12: 0000557b47ebd040 r13: 00007fffe9cfb0c0 r14: 0000557b47ec52e0 (XEN) r15: 0000557b47ed5e70 cr0: 0000000080050033 cr4: 00000000001506a0 (XEN) cr3: 0000000098e2e000 cr2: 00007fffe9cfaf93 (XEN) ds: 0000 es: 0000 fs: 0000 gs: 0000 ss: e02b cs: e033 (XEN) (XEN) **************************************** (XEN) Panic on CPU 0: (XEN) DOUBLE FAULT -- system shutdown (XEN) **************************************** (XEN) (XEN) Reboot in five seconds...` I strongly recommend changing the semantics of access_ok() so that it guarantees that any access to an address inside the specified range is valid. Alternatively, add some prefix, e.g. "UNSAFE_", to the names of access_ok() and appropriate wrappers to prevent people from using these functions improperly. Currently, in my opinion, the function name access_ok() is misleading. I have not allocated a CVE number for this issue. When disclosing this issue, please credit me as "Jann Horn of Google Project Zero". Attachment: [xen_memory_exchange_crashpoc. tar](<https://bugs.chromium.org/p/project-zero/issues/attachment?aid=275151>) |
| id | SSV:92927 |
| last seen | 2017-11-19 |
| modified | 2017-04-09 |
| published | 2017-04-09 |
| reporter | Root |
| title | Xen: broken check in memory_exchange() permits PV guest breakout(CVE-2017-7228) |
References
- http://xenbits.xen.org/xsa/advisory-212.html
- http://openwall.com/lists/oss-security/2017/04/04/3
- http://www.securityfocus.com/bid/97375
- https://googleprojectzero.blogspot.com/2017/04/pandavirtualization-exploiting-xen.html
- https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-029-2017.txt
- http://www.securitytracker.com/id/1038223
- https://www.exploit-db.com/exploits/41870/
- http://www.debian.org/security/2017/dsa-3847