Vulnerabilities > CVE-2018-10981 - Infinite Loop vulnerability in multiple products

047910
CVSS 4.9 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
COMPLETE
local
low complexity
debian
xen
CWE-835
nessus

Summary

An issue was discovered in Xen through 4.10.x allowing x86 HVM guest OS users to cause a denial of service (host OS infinite loop) in situations where a QEMU device model attempts to make invalid transitions between states of a request.

Nessus

  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-A7AC26523D.NASL
    descriptionx86: mishandling of debug exceptions [XSA-260, CVE-2018-8897] x86 vHPET interrupt injection errors [XSA-261] (#1576089) qemu may drive Xen into unbounded loop [XSA-262] ---- update to xen-4.10.1 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2019-01-03
    plugin id120686
    published2019-01-03
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120686
    titleFedora 28 : xen (2018-a7ac26523d)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2018-a7ac26523d.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(120686);
      script_version("1.6");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2018-10981", "CVE-2018-10982", "CVE-2018-8897");
      script_xref(name:"FEDORA", value:"2018-a7ac26523d");
    
      script_name(english:"Fedora 28 : xen (2018-a7ac26523d)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "x86: mishandling of debug exceptions [XSA-260, CVE-2018-8897] x86
    vHPET interrupt injection errors [XSA-261] (#1576089) qemu may drive
    Xen into unbounded loop [XSA-262]
    
    ----
    
    update to xen-4.10.1
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2018-a7ac26523d"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected xen package.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-8897");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:xen");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:28");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/05/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/03");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^28([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 28", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC28", reference:"xen-4.10.1-2.fc28")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-547.NASL
    descriptionThis update for xen fixes the following issues : Security issues fixed : - CVE-2018-3639: Spectre V4 &ndash; Speculative Store Bypass aka
    last seen2020-06-05
    modified2018-06-04
    plugin id110309
    published2018-06-04
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110309
    titleopenSUSE Security Update : xen (openSUSE-2018-547) (Spectre)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2018-547.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(110309);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2018-10981", "CVE-2018-10982", "CVE-2018-3639");
    
      script_name(english:"openSUSE Security Update : xen (openSUSE-2018-547) (Spectre)");
      script_summary(english:"Check for the openSUSE-2018-547 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for xen fixes the following issues :
    
    Security issues fixed :
    
      - CVE-2018-3639: Spectre V4 &ndash; Speculative Store
        Bypass aka 'Memory Disambiguation' (bsc#1092631)
    
        This feature can be controlled by the 'ssbd=on/off'
        commandline flag for the XEN hypervisor.
    
      - CVE-2018-10982: x86 vHPET interrupt injection errors
        (XSA-261 bsc#1090822)
    
      - CVE-2018-10981: qemu may drive Xen into unbounded loop
        (XSA-262 bsc#1090823) 
    
    Other bugfixes :
    
      - Upstream patches from Jan (bsc#1027519)
    
      - additional fixes related to Page Table Isolation (XPTI).
        (bsc#1074562 XSA-254)
    
      - qemu-system-i386 cannot handle more than 4 HW NICs
        (bsc#1090296)
    
    This update was imported from the SUSE:SLE-12-SP3:Update update
    project."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1027519"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1074562"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1090296"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1090822"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1090823"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1092631"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected xen packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-doc-html");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-libs-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-tools-domU");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-tools-domU-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/06/01");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/06/04");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.3", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE42.3", reference:"xen-4.9.2_06-22.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"xen-debugsource-4.9.2_06-22.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"xen-devel-4.9.2_06-22.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"xen-doc-html-4.9.2_06-22.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"xen-libs-4.9.2_06-22.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"xen-libs-debuginfo-4.9.2_06-22.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"xen-tools-4.9.2_06-22.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"xen-tools-debuginfo-4.9.2_06-22.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"xen-tools-domU-4.9.2_06-22.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"xen-tools-domU-debuginfo-4.9.2_06-22.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen / xen-debugsource / xen-devel / xen-doc-html / xen-libs / etc");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-2528-1.NASL
    descriptionThis update for xen fixes the following issues: These security issue were fixed : - CVE-2018-3646: Systems with microprocessors utilizing speculative execution and address translations may have allowed unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis (bsc#1091107, bsc#1027519). - CVE-2018-12617: An integer overflow that could cause a segmentation fault in qmp_guest_file_read() with g_malloc() in qemu-guest-agent was fixed (bsc#1098744) - CVE-2018-3665: System software utilizing Lazy FP state restore technique on systems using Intel Core-based microprocessors may potentially allow a local process to infer data from another process through a speculative execution side channel. (bsc#1095242) - CVE-2018-3639: Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4. (bsc#1092631) - CVE-2017-5715: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. (bsc#1074562) - CVE-2017-5753: Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. (bsc#1074562) - CVE-2017-5754: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache. (bsc#1074562) - CVE-2018-12891: Certain PV MMU operations may take a long time to process. For that reason Xen explicitly checks for the need to preempt the current vCPU at certain points. A few rarely taken code paths did bypass such checks. By suitably enforcing the conditions through its own page table contents, a malicious guest may cause such bypasses to be used for an unbounded number of iterations. A malicious or buggy PV guest may cause a Denial of Service (DoS) affecting the entire host. Specifically, it may prevent use of a physical CPU for an indeterminate period of time. (bsc#1097521) - CVE-2018-12893: One of the fixes in XSA-260 added some safety checks to help prevent Xen livelocking with debug exceptions. Unfortunately, due to an oversight, at least one of these safety checks can be triggered by a guest. A malicious PV guest can crash Xen, leading to a Denial of Service. Only x86 PV guests can exploit the vulnerability. x86 HVM and PVH guests cannot exploit the vulnerability. An attacker needs to be able to control hardware debugging facilities to exploit the vulnerability, but such permissions are typically available to unprivileged users. (bsc#1097522) - CVE-2018-11806: m_cat in slirp/mbuf.c in Qemu has a heap-based buffer overflow via incoming fragmented datagrams. (bsc#1096224) - CVE-2018-10982: An issue was discovered in Xen allowed x86 HVM guest OS users to cause a denial of service (unexpectedly high interrupt number, array overrun, and hypervisor crash) or possibly gain hypervisor privileges by setting up an HPET timer to deliver interrupts in IO-APIC mode, aka vHPET interrupt injection. (bsc#1090822) - CVE-2018-10981: An issue was discovered in Xen that allowed x86 HVM guest OS users to cause a denial of service (host OS infinite loop) in situations where a QEMU device model attempts to make invalid transitions between states of a request. (bsc#1090823) Following bugs were fixed : - After updating to kernel 3.0.101-0.47.106.32-xen system crashes in check_bugs() (bsc#1097206) - bsc#1079730 - in xen-kmp, unplug emulated devices after migration This is required since xen-4.10 and/or qemu-2.10 because the state of unplug is not propagated from one dom0 to another. Without this unplug qemu
    last seen2020-06-01
    modified2020-06-02
    plugin id112147
    published2018-08-28
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/112147
    titleSUSE SLES11 Security Update : xen (SUSE-SU-2018:2528-1) (Foreshadow) (Meltdown) (Spectre)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2018:2528-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(112147);
      script_version("1.5");
      script_cvs_date("Date: 2019/09/10 13:51:48");
    
      script_cve_id("CVE-2017-5715", "CVE-2017-5753", "CVE-2017-5754", "CVE-2018-10981", "CVE-2018-10982", "CVE-2018-11806", "CVE-2018-12617", "CVE-2018-12891", "CVE-2018-12893", "CVE-2018-3639", "CVE-2018-3646", "CVE-2018-3665");
    
      script_name(english:"SUSE SLES11 Security Update : xen (SUSE-SU-2018:2528-1) (Foreshadow) (Meltdown) (Spectre)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for xen fixes the following issues: These security issue
    were fixed :
    
      - CVE-2018-3646: Systems with microprocessors utilizing
        speculative execution and address translations may have
        allowed unauthorized disclosure of information residing
        in the L1 data cache to an attacker with local user
        access with guest OS privilege via a terminal page fault
        and a side-channel analysis (bsc#1091107, bsc#1027519).
    
      - CVE-2018-12617: An integer overflow that could cause a
        segmentation fault in qmp_guest_file_read() with
        g_malloc() in qemu-guest-agent was fixed (bsc#1098744)
    
      - CVE-2018-3665: System software utilizing Lazy FP state
        restore technique on systems using Intel Core-based
        microprocessors may potentially allow a local process to
        infer data from another process through a speculative
        execution side channel. (bsc#1095242)
    
      - CVE-2018-3639: Systems with microprocessors utilizing
        speculative execution and speculative execution of
        memory reads before the addresses of all prior memory
        writes are known may allow unauthorized disclosure of
        information to an attacker with local user access via a
        side-channel analysis, aka Speculative Store Bypass
        (SSB), Variant 4. (bsc#1092631)
    
      - CVE-2017-5715: Systems with microprocessors utilizing
        speculative execution and indirect branch prediction may
        allow unauthorized disclosure of information to an
        attacker with local user access via a side-channel
        analysis. (bsc#1074562)
    
      - CVE-2017-5753: Systems with microprocessors utilizing
        speculative execution and branch prediction may allow
        unauthorized disclosure of information to an attacker
        with local user access via a side-channel analysis.
        (bsc#1074562)
    
      - CVE-2017-5754: Systems with microprocessors utilizing
        speculative execution and indirect branch prediction may
        allow unauthorized disclosure of information to an
        attacker with local user access via a side-channel
        analysis of the data cache. (bsc#1074562)
    
      - CVE-2018-12891: Certain PV MMU operations may take a
        long time to process. For that reason Xen explicitly
        checks for the need to preempt the current vCPU at
        certain points. A few rarely taken code paths did bypass
        such checks. By suitably enforcing the conditions
        through its own page table contents, a malicious guest
        may cause such bypasses to be used for an unbounded
        number of iterations. A malicious or buggy PV guest may
        cause a Denial of Service (DoS) affecting the entire
        host. Specifically, it may prevent use of a physical CPU
        for an indeterminate period of time. (bsc#1097521)
    
      - CVE-2018-12893: One of the fixes in XSA-260 added some
        safety checks to help prevent Xen livelocking with debug
        exceptions. Unfortunately, due to an oversight, at least
        one of these safety checks can be triggered by a guest.
        A malicious PV guest can crash Xen, leading to a Denial
        of Service. Only x86 PV guests can exploit the
        vulnerability. x86 HVM and PVH guests cannot exploit the
        vulnerability. An attacker needs to be able to control
        hardware debugging facilities to exploit the
        vulnerability, but such permissions are typically
        available to unprivileged users. (bsc#1097522)
    
      - CVE-2018-11806: m_cat in slirp/mbuf.c in Qemu has a
        heap-based buffer overflow via incoming fragmented
        datagrams. (bsc#1096224)
    
      - CVE-2018-10982: An issue was discovered in Xen allowed
        x86 HVM guest OS users to cause a denial of service
        (unexpectedly high interrupt number, array overrun, and
        hypervisor crash) or possibly gain hypervisor privileges
        by setting up an HPET timer to deliver interrupts in
        IO-APIC mode, aka vHPET interrupt injection.
        (bsc#1090822)
    
      - CVE-2018-10981: An issue was discovered in Xen that
        allowed x86 HVM guest OS users to cause a denial of
        service (host OS infinite loop) in situations where a
        QEMU device model attempts to make invalid transitions
        between states of a request. (bsc#1090823) Following
        bugs were fixed :
    
      - After updating to kernel 3.0.101-0.47.106.32-xen system
        crashes in check_bugs() (bsc#1097206)
    
      - bsc#1079730 - in xen-kmp, unplug emulated devices after
        migration This is required since xen-4.10 and/or
        qemu-2.10 because the state of unplug is not propagated
        from one dom0 to another. Without this unplug qemu's
        block-backend will be unable to open qcow2 disks on the
        receiving dom0
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1027519"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1074562"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1079730"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1090822"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1090823"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1091107"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1092631"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1095242"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1096224"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1097206"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1097521"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1097522"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1098744"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-5715/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-5753/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-5754/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-10981/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-10982/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-11806/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-12617/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-12891/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-12893/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-3639/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-3646/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-3665/"
      );
      # https://www.suse.com/support/update/announcement/2018/suse-su-20182528-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?07f34b23"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Server 11-SP3-LTSS:zypper in -t patch
    slessp3-xen-13752=1
    
    SUSE Linux Enterprise Point of Sale 11-SP3:zypper in -t patch
    sleposp3-xen-13752=1
    
    SUSE Linux Enterprise Debuginfo 11-SP3:zypper in -t patch
    dbgsp3-xen-13752=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-doc-html");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-doc-pdf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-kmp-default");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-kmp-pae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools-domU");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/01/04");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/08/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/28");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    if (cpu >!< "i386|i486|i586|i686|x86_64") audit(AUDIT_ARCH_NOT, "i386 / i486 / i586 / i686 / x86_64", cpu);
    
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES11" && (! preg(pattern:"^(3)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP3", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"xen-kmp-default-4.2.5_21_3.0.101_0.47.106.43-45.25.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"xen-libs-4.2.5_21-45.25.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"xen-tools-domU-4.2.5_21-45.25.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"xen-4.2.5_21-45.25.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"xen-doc-html-4.2.5_21-45.25.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"xen-doc-pdf-4.2.5_21-45.25.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"xen-libs-32bit-4.2.5_21-45.25.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"xen-tools-4.2.5_21-45.25.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"xen-kmp-pae-4.2.5_21_3.0.101_0.47.106.43-45.25.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", cpu:"i586", reference:"xen-kmp-default-4.2.5_21_3.0.101_0.47.106.43-45.25.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", cpu:"i586", reference:"xen-libs-4.2.5_21-45.25.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", cpu:"i586", reference:"xen-tools-domU-4.2.5_21-45.25.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", cpu:"i586", reference:"xen-kmp-pae-4.2.5_21_3.0.101_0.47.106.43-45.25.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-7CD077DDD3.NASL
    descriptionx86: mishandling of debug exceptions [XSA-260, CVE-2018-8897] x86 vHPET interrupt injection errors [XSA-261, CVE-2018-10982] (#1576089) qemu may drive Xen into unbounded loop [XSA-262, CVE-2018-10981] (#1576680) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2018-05-29
    plugin id110169
    published2018-05-29
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110169
    titleFedora 26 : xen (2018-7cd077ddd3)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2018-0221.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - BUILDINFO: OVMF commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8 - BUILDINFO: xen commit=5ee0a217664a1fde547afa506e92e4998ed26699 - BUILDINFO: QEMU upstream commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff - BUILDINFO: QEMU traditional commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba - BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e - BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee - Red-tape: Update the repo with CVE XSA-262 (Boris Ostrovsky) [Orabug: 27948889] (CVE-2018-10981) - Red-tape: Update the repo with CVE XSA-261 (Boris Ostrovsky) [Orabug: 27948864] (CVE-2018-10982) - BUILDINFO: OVMF commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8 - BUILDINFO: xen commit=a20dadee84429112c3b5f245180f72d990063d20 - BUILDINFO: QEMU upstream commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff - BUILDINFO: QEMU traditional commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba - BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e - BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee - x86/HVM: guard against emulator driving ioreq state in weird ways (Jan Beulich) [Orabug: 27948889] - x86/vpt: add support for IO-APIC routed interrupts (Xen Project Security Team) [Orabug: 27948864] - BUILDINFO: OVMF commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8 - BUILDINFO: xen commit=c6b30b4f49430b1314928a4d98a5e9e754895e4d - BUILDINFO: QEMU upstream commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff - BUILDINFO: QEMU traditional commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba - BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e - BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee - vnuma: unset smt even if vnuma is off (Elena Ufimtseva) [Orabug: 27950640] - x86/paging: don
    last seen2020-06-01
    modified2020-06-02
    plugin id109989
    published2018-05-23
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109989
    titleOracleVM 3.4 : xen (OVMSA-2018-0221)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2018-0218.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0218 for details.
    last seen2020-06-01
    modified2020-06-02
    plugin id109987
    published2018-05-23
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109987
    titleOracleVM 3.4 : xen (OVMSA-2018-0218) (Meltdown) (Spectre)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2018-0272.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0272 for details.
    last seen2020-06-01
    modified2020-06-02
    plugin id118963
    published2018-11-15
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118963
    titleOracleVM 3.2 : xen (OVMSA-2018-0272) (Foreshadow) (Spectre)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2018-0248.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0248 for details.
    last seen2020-06-01
    modified2020-06-02
    plugin id111992
    published2018-08-20
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111992
    titleOracleVM 3.4 : xen (OVMSA-2018-0248) (Bunker Buster) (Foreshadow) (Meltdown) (POODLE) (Spectre)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4201.NASL
    descriptionMultiple vulnerabilities have been discovered in the Xen hypervisor : - CVE-2018-8897 Andy Lutomirski and Nick Peterson discovered that incorrect handling of debug exceptions could result in privilege escalation. - CVE-2018-10471 An error was discovered in the mitigations against Meltdown which could result in denial of service. - CVE-2018-10472 Anthony Perard discovered that incorrect parsing of CDROM images can result in information disclosure. - CVE-2018-10981 Jan Beulich discovered that malformed device models could result in denial of service. - CVE-2018-10982 Roger Pau Monne discovered that incorrect handling of high precision event timers could result in denial of service and potentially privilege escalation.
    last seen2020-06-01
    modified2020-06-02
    plugin id109816
    published2018-05-16
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109816
    titleDebian DSA-4201-1 : xen - security update
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1456-1.NASL
    descriptionThis update for xen fixes the following issues: Security issues fixed : - CVE-2018-3639: Spectre V4 &Atilde;&cent;&Acirc;&#128;&Acirc;&#147; Speculative Store Bypass aka
    last seen2020-06-01
    modified2020-06-02
    plugin id110222
    published2018-05-30
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110222
    titleSUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2018:1456-1) (Spectre)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201810-06.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201810-06 (Xen: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Xen. Please review the referenced CVE identifiers for details. Impact : A local attacker could cause a Denial of Service condition or disclose sensitive information. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id118506
    published2018-10-31
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118506
    titleGLSA-201810-06 : Xen: Multiple vulnerabilities (Foreshadow) (Meltdown) (Spectre)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-98684F429B.NASL
    descriptionx86: mishandling of debug exceptions [XSA-260, CVE-2018-8897] x86 vHPET interrupt injection errors [XSA-261] (#1576089) qemu may drive Xen into unbounded loop [XSA-262] Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2018-05-17
    plugin id109875
    published2018-05-17
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109875
    titleFedora 27 : xen (2018-98684f429b)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1383.NASL
    descriptionMultiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, informations leaks or privilege escalation. For Debian 7
    last seen2020-03-17
    modified2018-05-29
    plugin id110159
    published2018-05-29
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110159
    titleDebian DLA-1383-1 : xen security update
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1559.NASL
    descriptionMultiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, informations leaks or privilege escalation. For Debian 8
    last seen2020-06-01
    modified2020-06-02
    plugin id118503
    published2018-10-31
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118503
    titleDebian DLA-1559-1 : xen security update
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2018-0271.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0271 for details.
    last seen2020-06-01
    modified2020-06-02
    plugin id118962
    published2018-11-15
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118962
    titleOracleVM 3.3 : xen (OVMSA-2018-0271) (Foreshadow) (Spectre)