Vulnerabilities > CVE-2018-12891

047910
CVSS 4.9 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
COMPLETE
local
low complexity
debian
xen
nessus

Summary

An issue was discovered in Xen through 4.10.x. Certain PV MMU operations may take a long time to process. For that reason Xen explicitly checks for the need to preempt the current vCPU at certain points. A few rarely taken code paths did bypass such checks. By suitably enforcing the conditions through its own page table contents, a malicious guest may cause such bypasses to be used for an unbounded number of iterations. A malicious or buggy PV guest may cause a Denial of Service (DoS) affecting the entire host. Specifically, it may prevent use of a physical CPU for an indeterminate period of time. All Xen versions from 3.4 onwards are vulnerable. Xen versions 3.3 and earlier are vulnerable to an even wider class of attacks, due to them lacking preemption checks altogether in the affected code paths. Only x86 systems are affected. ARM systems are not affected. Only multi-vCPU x86 PV guests can leverage the vulnerability. x86 HVM or PVH guests as well as x86 single-vCPU PV ones cannot leverage the vulnerability.

Nessus

  • NASL familyMisc.
    NASL idXEN_SERVER_XSA-264.NASL
    descriptionAccording to its self-reported version number, the Xen hypervisor installed on the remote host is affected by a local denial of service vulnerability. Note that Nessus has checked the changeset versions based on the xen.git change log. Nessus did not check guest hardware configurations or if patches were applied manually to the source code before a recompile and reinstall.
    last seen2020-06-01
    modified2020-06-02
    plugin id111379
    published2018-07-27
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111379
    titleXen Project x86 Paravirtualization Local DoS (XSA-264)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(111379);
      script_version("1.5");
      script_cvs_date("Date: 2019/11/04");
    
      script_cve_id("CVE-2018-12891");
      script_bugtraq_id(104570);
      script_xref(name:"IAVB", value:"2018-B-0094");
    
      script_name(english:"Xen Project x86 Paravirtualization Local DoS (XSA-264)");
      script_summary(english:"Checks 'xl info' output for the Xen hypervisor version.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Xen hypervisor installation is missing a security update.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version number, the Xen hypervisor
    installed on the remote host is affected by a local denial of service
    vulnerability.
    
    Note that Nessus has checked the changeset versions based on the
    xen.git change log. Nessus did not check guest hardware configurations
    or if patches were applied manually to the source code before a
    recompile and reinstall.");
      script_set_attribute(attribute:"see_also", value:"http://xenbits.xen.org/xsa/advisory-264.html");
      script_set_attribute(attribute:"see_also", value:"https://xenbits.xen.org/gitweb/?p=xen.git;a=summary");
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate patch according to the vendor advisory.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-12891");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/06/27");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/06/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/27");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:xen:xen");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("xen_server_detect.nbin");
      script_require_keys("installed_sw/Xen Hypervisor", "Settings/ParanoidReport");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("install_func.inc");
    include("misc_func.inc");
    
    app_name = "Xen Hypervisor";
    install  = get_single_install(app_name:app_name);
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    version         = install['version'];
    display_version = install['display_version'];
    path            = install['path'];
    managed_status  = install['Managed status'];
    changeset       = install['Changeset'];
    
    if (!empty_or_null(changeset))
      display_version += " (changeset " + changeset + ")";
    
    # Installations that are vendor-managed are handled by OS-specific local package checks
    if (managed_status == "managed")
      audit(AUDIT_INST_PATH_NOT_VULN, app_name, display_version, path);
    
    fixes['4.6']['fixed_ver']           = '4.6.6';
    fixes['4.6']['fixed_ver_display']   = '4.6.6 (changeset 2642b56)';
    fixes['4.6']['affected_ver_regex']  = '^4\\.6\\.';
    fixes['4.6']['affected_changesets'] = make_list("03938ba", "542f711",
      "90dc163", "61a9fc5", "a671bd6", "365ecff", "237236a", "aa5a889",
      "3e3c11b", "8a2e1db", "cb0230a", "4336ffa", "3df7d47", "5ccba18",
      "991dd4c", "331a1af", "035c96f", "bfe8f3e", "4f0509d", "2f99d68",
      "0d3904f", "342a02f", "2d8e87e", "ac659af", "c1be09e", "e7b723b",
      "cd5232a", "f9f9634", "6981351", "12b9fca", "916ef0d", "055abe4",
      "c4333f5", "3d6970d", "a0db1f2", "6a74f4e", "5278a9a", "c53663a",
      "c5339c5", "3b96676", "2f3cde3", "acd8661", "5ddc3f8", "927aca7",
      "b4b553d", "b766574", "10898d7", "0b38930", "33f70b8", "cf03d32",
      "525c381", "4c1e2d3", "021009e", "4972c38", "bd461fc", "c9c1bb6",
      "0fbf30a", "7e20b9b", "d1618f4", "9d534c1", "dbb3553", "e54a8c6",
      "8005ed3", "9a852e0", "d779cc1", "c93bcf9", "15adcf3", "d7b8190",
      "2b1457f", "a357880", "ee23fcc", "5651015", "225e9c7", "3c70619",
      "1222333", "75bdd69", "8994cf3", "642c603", "c25ea9a", "feba571",
      "0163087", "44c2666", "db743b0", "41a5cce", "4e1b9e9", "4d21549",
      "ff4800c", "2613a1b", "8335c8a", "ab20c5c", "9089da9", "8edfc82",
      "af5b61a", "ec05090", "75263f7", "f7e273a", "03c7d2c", "9ce1a71",
      "a735c7a", "44ad7f6", "91dc902", "a065841", "c6e9e60", "f94c11d",
      "45ddc4e", "1ca93b7", "8c0c36e", "6e43623", "47d3e73", "ea80245",
      "37bb22b", "9b0c2a2", "8d3fe28", "be63d66", "9454e30", "aad5a67",
      "d8b0ebf", "f0208a4", "42b2c82", "57318e1", "9f22d72", "e0353b4",
      "76f1549", "9bac910", "c7a43e3", "913d4f8", "c5881c5", "b0239cd",
      "78fd0c3", "9079e0d", "1658a87", "22b6dfa", "a8cd231", "629eddd",
      "64c03bb", "b4660b4", "1ac8162", "747df3c", "5ae011e", "f974d32",
      "3300ad3", "d708b69");
    
    fixes['4.7']['fixed_ver']           = '4.7.5';
    fixes['4.7']['fixed_ver_display']   = '4.7.5 (changeset 253c3ec)';
    fixes['4.7']['affected_ver_regex']  = '^4\\.7\\.';
    fixes['4.7']['affected_changesets'] = make_list("839826b", "55674ed",
      "0feed48", "a8d37ee", "117ef5e", "536d16c", "196932a", "0d44ee0",
      "f9b8c11", "ed4f56d", "3f5bd56", "03bf349", "375c01e", "acdf07d",
      "53c6a02", "466ab42", "870d737", "fb665b3", "6678f08", "bd63f04",
      "340c686", "55c1e84", "88f810a", "ea94f1e", "9299683", "8c699a0",
      "0b5b62a", "ff11aaf", "f666dab", "366e041", "5d271d5", "5d8c6fd",
      "226c231", "6de86cf", "ce22cc3", "4f713cf", "0b6c7b4", "2bc2e1f",
      "11fd624", "3478fb7", "0bc0693", "be0d7af", "d355f02", "236b8be",
      "e9281ad", "fb70754", "a6a2b5a", "54ff338", "1bd5a36", "5fc0102",
      "a8ef075", "e613050", "2fbc006", "1619cff", "5c81317", "912aa9b",
      "63b140f", "62b1879", "9680710", "dca80ab");
    
    fixes['4.8']['fixed_ver']           = '4.8.4';
    fixes['4.8']['fixed_ver_display']   = '4.8.4-pre (changeset d615412)';
    fixes['4.8']['affected_ver_regex']  = '^4\\.8\\.';
    fixes['4.8']['affected_changesets'] = make_list("9a7fa68", "b736afd",
      "b9b9d9e", "028656f", "c1aaad5", "c5a5692", "1522a81", "37b3dfd",
      "f8a489f", "0954b11", "266d511", "2d97baa", "61fc6a4", "73b68d2",
      "811c168", "eef72b8", "ae0a87e", "b494c13", "c36aaca", "1afb894",
      "845d2b6", "9d73586", "7f4ae16", "05b41f2", "618a96e", "455a429",
      "1fd1973", "ef14d39", "c696ef0", "68d02a7", "b0ea18e", "e60a287",
      "9419337", "cc0bb3b", "197e605", "eaa9d0a", "d66898a", "f2837b5",
      "0f475fe", "210bd51", "b4ad8a6", "4cdd4cc", "193130f", "7f2959f",
      "9cba9ae", "f99bc15", "44c709e", "c10ddc1", "2bef7bf", "326d25f",
      "3f59d0b", "a89390b", "40c4ab8", "90676b7", "1052a21", "a2f02df",
      "501718a", "957ff30", "1e9ac23", "95befc6", "372583c", "202aaf8",
      "e4e9632", "a753be1", "8f9846f", "0864795", "866deda", "c67e19f",
      "bc6414f", "883c8db", "7db1c43", "813fe21", "3cadc8b", "f7bf4d2",
      "14217cb", "ce185fb", "a2700ca", "b19b206", "a442d40", "1901f62",
      "1581910", "15f57b8", "7ef31c0", "bc8aa42", "30a153d", "da92664",
      "6b08396", "f6ae9c0", "ad9ddc3", "22d2146", "f9adc12", "e27fd5c",
      "03f9474", "c31070f", "1093876", "141be84", "bb49733", "48faa50",
      "5938aa1", "d11783c", "8e1e3c7", "99ed786", "76bdfe8", "fee4689",
      "c0bfde6", "64c1742", "8615385", "e09a5c2", "ff570a3", "e6bcb41",
      "29e7171", "c3d195c", "2cd189e", "afdad6a", "532ccf4", "da49e51",
      "ca9583d", "479b879", "2eefd92", "60c50f2", "1838e21", "5732a8e",
      "987b08d", "eadcd83", "ef2464c", "17bfbc8", "499391b", "87cb0e2", "393de92");
    
    fixes['4.9']['fixed_ver']           = '4.9.3';
    fixes['4.9']['fixed_ver_display']   = '4.9.3-pre (changeset c50b1f6)';
    fixes['4.9']['affected_ver_regex']  = '^4\\.9\\.';
    fixes['4.9']['affected_changesets'] = make_list("238007d", "0b1904c",
      "859fc55", "1c6b8f2", "f51d368", "8689cd1", "fc72347", "27b0dcd",
      "8d874a8", "1284b90", "12259ff", "516ac8a", "ed217c9", "11eb72e",
      "3f85ebb", "1ed3466", "37c3cb4", "2aca1d7", "22a6433", "8a29d83",
      "14a2ad6", "c6d09b2", "e5de993", "c2029b4", "5633efa", "13cb0c2",
      "da140c6", "39ab89d", "a29695c", "74fa955", "b3277ca", "cf264eb",
      "809d543", "002ea4d", "1f183b5", "150cdd9", "f7889b3", "903f2f6",
      "4bbed1c", "2303a9d", "d674b6e", "52fa2f7", "62bd851", "c06ec81",
      "dbb06d3", "24fa3fa", "b9b5a03", "35a71c6", "b844573", "48dd543",
      "7866e11", "db7accf", "921bff4", "c147505", "dc527ff", "781e23a",
      "72ca580", "47d41f6", "7a59015", "259bee9", "6d4c4f0", "3e010f5");
    
    fixes['4.10']['fixed_ver']           = '4.10.2';
    fixes['4.10']['fixed_ver_display']   = '4.10.2-pre (changeset 1d5a9ec)';
    fixes['4.10']['affected_ver_regex']  = '^4\\.10\\.';
    fixes['4.10']['affected_changesets'] = make_list("eeb1576", "4b9dc6d",
      "52447b3", "7b35e78", "8d48204", "b3a7f2f", "fb78102", "245eaee",
      "18833a8", "72e5b16", "27a4161", "23114db", "6300cdd", "2a0913e",
      "daaf3dd", "c2b84e7", "908ddbb", "c75bbf1", "e9dc0a6", "470daef",
      "c9fdfbb", "49aebf4", "48ad1ab", "98a285c", "cb2a83f", "51b7b5d",
      "840d683", "ec50d21", "a035518", "8342e3f", "aaf66de", "7e21b75",
      "f155f55", "3a903b3", "2e2f337", "850e5ad", "13fa2a4", "ade8f98",
      "a7f8880", "3bb756b", "1aa6305", "d93ae63", "6b8d820", "f253feb");
    
    fix = NULL;
    foreach ver_branch (keys(fixes))
    {
      if (version =~ fixes[ver_branch]['affected_ver_regex'])
      {
        ret = ver_compare(ver:version, fix:fixes[ver_branch]['fixed_ver']);
        if (ret < 0)
          fix = fixes[ver_branch]['fixed_ver_display'];
        else if (ret == 0)
        {
          if (empty_or_null(changeset))
            fix = fixes[ver_branch]['fixed_ver_display'];
          else
            foreach affected_changeset (fixes[ver_branch]['affected_changesets'])
              if (changeset == affected_changeset)
                fix = fixes[ver_branch]['fixed_ver_display'];
        }
      }
    }
    
    if (empty_or_null(fix))
      audit(AUDIT_INST_PATH_NOT_VULN, app_name, display_version, path);
    
    items  = make_array(
      "Installed version", display_version,
      "Fixed version", fix,
      "Path", path
    );
    
    order  = make_list("Path", "Installed version", "Fixed version");
    report = report_items_str(report_items:items, ordered_fields:order) + '\n';
    
    security_report_v4(port:0, extra:report, severity:SECURITY_WARNING);
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-803.NASL
    descriptionThis update for xen fixes the following issues : Security issues fixed : - CVE-2018-3665: Fix Lazy FP Save/Restore issue (XSA-267) (bsc#1095242). - CVE-2018-12891: Fix possible Denial of Service (DoS) via certain PV MMU operations that affect the entire host (XSA-264) (bsc#1097521). - CVE-2018-12892: Fix libxl to honour the readonly flag on HVM emulated SCSI disks (XSA-266) (bsc#1097523). - CVE-2018-12893: Fix crash/Denial of Service (DoS) via safety check (XSA-265) (bsc#1097522). - CVE-2018-11806: Fix heap buffer overflow while reassembling fragmented datagrams (bsc#1096224). Bug fixes : - bsc#1027519: Add upstream patches from January. - bsc#1087289: Fix xen scheduler crash. This update was imported from the SUSE:SLE-12-SP3:Update update project.
    last seen2020-06-05
    modified2018-08-07
    plugin id111565
    published2018-08-07
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111565
    titleopenSUSE Security Update : xen (openSUSE-2018-803)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-2059-1.NASL
    descriptionThis update for xen fixes the following issues: Security issues fixed : - CVE-2018-3665: Fix Lazy FP Save/Restore issue (XSA-267) (bsc#1095242). - CVE-2018-12891: Fix possible Denial of Service (DoS) via certain PV MMU operations that affect the entire host (XSA-264) (bsc#1097521). - CVE-2018-12892: Fix libxl to honour the readonly flag on HVM emulated SCSI disks (XSA-266) (bsc#1097523). - CVE-2018-12893: Fix crash/Denial of Service (DoS) via safety check (XSA-265) (bsc#1097522). - CVE-2018-11806: Fix heap buffer overflow while reassembling fragmented datagrams (bsc#1096224). Bug fixes : - bsc#1027519: Add upstream patches from January. - bsc#1087289: Fix xen scheduler crash. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id111348
    published2018-07-26
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111348
    titleSUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2018:2059-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-1A467757CE.NASL
    descriptionpreemption checks bypassed in x86 PV MM handling [XSA-264, CVE-2018-12891] x86: #DB exception safety check can be triggered by a guest [XSA-265, CVE-2018-12893] libxl fails to honour readonly flag on HVM emulated SCSI disks [XSA-266, CVE-2018-12892] ---- Speculative register leakage from lazy FPU context switching [XSA-267, CVE-2018-3665] fix for change in iasl output Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2018-07-24
    plugin id111236
    published2018-07-24
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111236
    titleFedora 27 : xen (2018-1a467757ce)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-2081-1.NASL
    descriptionThis update for xen fixes the following issues: Security issues fixed : - CVE-2018-12891: Fix preemption checks bypass in x86 PV MM handling (XSA-264) (bsc#1097521). - CVE-2018-12892: Fix libxl failure to honour readonly flag on HVM emulated SCSI disks (XSA-266) (bsc#1097523). - CVE-2018-12893: Fix #DB exception safety check that could be triggered by a guest (XSA-265) (bsc#1097522). - CVE-2018-11806: Fix heap buffer overflow while reassembling fragmented datagrams (bsc#1096224). - CVE-2018-3665: Fix lazy FP Save/Restore (XSA-267) (bsc#1095242). Bug fixes : - bsc#1027519: Update to Xen 4.7.6 bug fix only release. - bsc#1087289: Xen BUG at sched_credit.c:1663. - bsc#1094725: `virsh blockresize` does not work with Xen qdisks. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id111433
    published2018-07-30
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111433
    titleSUSE SLES12 Security Update : xen (SUSE-SU-2018:2081-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-2069-1.NASL
    descriptionThis update for xen fixes the following issues: Security issues fixed : - CVE-2018-12617: Fix integer overflow that causes segmentation fault in qmp_guest_file_read() with g_malloc() (bsc#1098744). - CVE-2018-3665: Fix Lazy FP Save/Restore issue (XSA-267) (bsc#1095242). - CVE-2018-11806: Fix heap buffer overflow while reassembling fragmented datagrams (bsc#1096224). - CVE-2018-12891: Fix possible Denial of Service (DoS) via certain PV MMU operations that affect the entire host (XSA-264) (bsc#1097521). - CVE-2018-12893: Fix crash/Denial of Service (DoS) via safety check (XSA-265) (bsc#1097522). Bug fixes : - bsc#1079730: Fix failed
    last seen2020-06-01
    modified2020-06-02
    plugin id111371
    published2018-07-27
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111371
    titleSUSE SLES12 Security Update : xen (SUSE-SU-2018:2069-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-2528-1.NASL
    descriptionThis update for xen fixes the following issues: These security issue were fixed : - CVE-2018-3646: Systems with microprocessors utilizing speculative execution and address translations may have allowed unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis (bsc#1091107, bsc#1027519). - CVE-2018-12617: An integer overflow that could cause a segmentation fault in qmp_guest_file_read() with g_malloc() in qemu-guest-agent was fixed (bsc#1098744) - CVE-2018-3665: System software utilizing Lazy FP state restore technique on systems using Intel Core-based microprocessors may potentially allow a local process to infer data from another process through a speculative execution side channel. (bsc#1095242) - CVE-2018-3639: Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4. (bsc#1092631) - CVE-2017-5715: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. (bsc#1074562) - CVE-2017-5753: Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. (bsc#1074562) - CVE-2017-5754: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache. (bsc#1074562) - CVE-2018-12891: Certain PV MMU operations may take a long time to process. For that reason Xen explicitly checks for the need to preempt the current vCPU at certain points. A few rarely taken code paths did bypass such checks. By suitably enforcing the conditions through its own page table contents, a malicious guest may cause such bypasses to be used for an unbounded number of iterations. A malicious or buggy PV guest may cause a Denial of Service (DoS) affecting the entire host. Specifically, it may prevent use of a physical CPU for an indeterminate period of time. (bsc#1097521) - CVE-2018-12893: One of the fixes in XSA-260 added some safety checks to help prevent Xen livelocking with debug exceptions. Unfortunately, due to an oversight, at least one of these safety checks can be triggered by a guest. A malicious PV guest can crash Xen, leading to a Denial of Service. Only x86 PV guests can exploit the vulnerability. x86 HVM and PVH guests cannot exploit the vulnerability. An attacker needs to be able to control hardware debugging facilities to exploit the vulnerability, but such permissions are typically available to unprivileged users. (bsc#1097522) - CVE-2018-11806: m_cat in slirp/mbuf.c in Qemu has a heap-based buffer overflow via incoming fragmented datagrams. (bsc#1096224) - CVE-2018-10982: An issue was discovered in Xen allowed x86 HVM guest OS users to cause a denial of service (unexpectedly high interrupt number, array overrun, and hypervisor crash) or possibly gain hypervisor privileges by setting up an HPET timer to deliver interrupts in IO-APIC mode, aka vHPET interrupt injection. (bsc#1090822) - CVE-2018-10981: An issue was discovered in Xen that allowed x86 HVM guest OS users to cause a denial of service (host OS infinite loop) in situations where a QEMU device model attempts to make invalid transitions between states of a request. (bsc#1090823) Following bugs were fixed : - After updating to kernel 3.0.101-0.47.106.32-xen system crashes in check_bugs() (bsc#1097206) - bsc#1079730 - in xen-kmp, unplug emulated devices after migration This is required since xen-4.10 and/or qemu-2.10 because the state of unplug is not propagated from one dom0 to another. Without this unplug qemu
    last seen2020-06-01
    modified2020-06-02
    plugin id112147
    published2018-08-28
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/112147
    titleSUSE SLES11 Security Update : xen (SUSE-SU-2018:2528-1) (Foreshadow) (Meltdown) (Spectre)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-2081-2.NASL
    descriptionThis update for xen fixes the following issues : Security issues fixed : CVE-2018-12891: Fix preemption checks bypass in x86 PV MM handling (XSA-264) (bsc#1097521). CVE-2018-12892: Fix libxl failure to honour readonly flag on HVM emulated SCSI disks (XSA-266) (bsc#1097523). CVE-2018-12893: Fix #DB exception safety check that could be triggered by a guest (XSA-265) (bsc#1097522). CVE-2018-11806: Fix heap buffer overflow while reassembling fragmented datagrams (bsc#1096224). CVE-2018-3665: Fix lazy FP Save/Restore (XSA-267) (bsc#1095242). Bug fixes: bsc#1027519: Update to Xen 4.7.6 bug fix only release. bsc#1087289: Xen BUG at sched_credit.c:1663. bsc#1094725: `virsh blockresize` does not work with Xen qdisks. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id118277
    published2018-10-22
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118277
    titleSUSE SLES12 Security Update : xen (SUSE-SU-2018:2081-2)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-533.NASL
    descriptionThis update for xen fixes the following issues : Security issues fixed : - CVE-2018-3665: Fix Lazy FP Save/Restore issue (XSA-267) (bsc#1095242). - CVE-2018-12891: Fix possible Denial of Service (DoS) via certain PV MMU operations that affect the entire host (XSA-264) (bsc#1097521). - CVE-2018-12892: Fix libxl to honour the readonly flag on HVM emulated SCSI disks (XSA-266) (bsc#1097523). - CVE-2018-12893: Fix crash/Denial of Service (DoS) via safety check (XSA-265) (bsc#1097522). Bug fixes : - bsc#1027519: Add upstream patches from January. - bsc#1098403: Fix regression introduced by changes for bsc#1079730. A PV domU without qcow2 and/or vfb has no qemu attached. Ignore QMP errors for PV domUs to handle PV domUs with and without an attached qemu-xen. - bsc#1087289: Fix xen scheduler crash. This update was imported from the SUSE:SLE-15:Update update project.
    last seen2020-06-01
    modified2020-06-02
    plugin id123224
    published2019-03-27
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123224
    titleopenSUSE Security Update : xen (openSUSE-2019-533)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-2056-1.NASL
    descriptionThis update for xen fixes the following issues: Security issues fixed : - CVE-2018-12617: Fix integer overflow that causes segmentation fault in qmp_guest_file_read() with g_malloc() (bsc#1098744). - CVE-2018-3665: Fix Lazy FP Save/Restore issue (XSA-267) (bsc#1095242). - CVE-2018-11806: Fix heap buffer overflow while reassembling fragmented datagrams (bsc#1096224). - CVE-2018-12891: Fix possible Denial of Service (DoS) via certain PV MMU operations that affect the entire host (XSA-264) (bsc#1097521). - CVE-2018-12893: Fix crash/Denial of Service (DoS) via safety check (XSA-265) (bsc#1097522). Bug fixes : - bsc#1079730: Fix failed
    last seen2020-06-01
    modified2020-06-02
    plugin id111346
    published2018-07-26
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111346
    titleSUSE SLES12 Security Update : xen (SUSE-SU-2018:2056-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1981-1.NASL
    descriptionThis update for xen fixes the following issues: Security issues fixed : - CVE-2018-3665: Fix Lazy FP Save/Restore issue (XSA-267) (bsc#1095242). - CVE-2018-12891: Fix possible Denial of Service (DoS) via certain PV MMU operations that affect the entire host (XSA-264) (bsc#1097521). - CVE-2018-12892: Fix libxl to honour the readonly flag on HVM emulated SCSI disks (XSA-266) (bsc#1097523). - CVE-2018-12893: Fix crash/Denial of Service (DoS) via safety check (XSA-265) (bsc#1097522). Bug fixes : - bsc#1027519: Add upstream patches from January. - bsc#1098403: Fix regression introduced by changes for bsc#1079730. A PV domU without qcow2 and/or vfb has no qemu attached. Ignore QMP errors for PV domUs to handle PV domUs with and without an attached qemu-xen. - bsc#1087289: Fix xen scheduler crash. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-21
    modified2019-01-02
    plugin id120050
    published2019-01-02
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120050
    titleSUSE SLED15 / SLES15 Security Update : xen (SUSE-SU-2018:1981-1)
  • NASL familyMisc.
    NASL idCITRIX_XENSERVER_CTX235748.NASL
    descriptionThe version of Citrix XenServer running on the remote host is missing a security hotfix. It is, therefore, affected by multiple vulnerabilities.
    last seen2020-06-01
    modified2020-06-02
    plugin id111378
    published2018-07-27
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111378
    titleCitrix XenServer Multiple Vulnerabilities (CTX235748)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-A7862A75F5.NASL
    descriptionpreemption checks bypassed in x86 PV MM handling [XSA-264, CVE-2018-12891] (#1595959) x86: #DB exception safety check can be triggered by a guest [XSA-265, CVE-2018-12893] (#1595958) libxl fails to honour readonly flag on HVM emulated SCSI disks [XSA-266, CVE-2018-12892] (#1595957) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2019-01-03
    plugin id120682
    published2019-01-03
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120682
    titleFedora 28 : xen (2018-a7862a75f5)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1577.NASL
    descriptionMultiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, informations leaks or privilege escalation. For Debian 8
    last seen2020-06-01
    modified2020-06-02
    plugin id118892
    published2018-11-13
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118892
    titleDebian DLA-1577-1 : xen security update
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-2037-1.NASL
    descriptionThis update for xen fixes the following issues: Security issues fixed : - CVE-2018-12617: Fix integer overflow that causes segmentation fault in qmp_guest_file_read() with g_malloc() (bsc#1098744). - CVE-2018-3665: Fix Lazy FP Save/Restore issue (XSA-267) (bsc#1095242). - CVE-2018-11806: Fix heap buffer overflow while reassembling fragmented datagrams (bsc#1096224). - CVE-2018-12891: Fix possible Denial of Service (DoS) via certain PV MMU operations that affect the entire host (XSA-264) (bsc#1097521). - CVE-2018-12893: Fix crash/Denial of Service (DoS) via safety check (XSA-265) (bsc#1097522). Bug fixes : - bsc#1079730: Fix failed
    last seen2020-06-01
    modified2020-06-02
    plugin id111261
    published2018-07-24
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111261
    titleSUSE SLES11 Security Update : xen (SUSE-SU-2018:2037-1)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4236.NASL
    descriptionMultiple vulnerabilities have been discovered in the Xen hypervisor : - CVE-2018-12891 It was discovered that insufficient validation of PV MMU operations may result in denial of service. - CVE-2018-12892 It was discovered that libxl fails to honour the
    last seen2020-06-01
    modified2020-06-02
    plugin id110787
    published2018-06-29
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110787
    titleDebian DSA-4236-1 : xen - security update
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201810-06.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201810-06 (Xen: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Xen. Please review the referenced CVE identifiers for details. Impact : A local attacker could cause a Denial of Service condition or disclose sensitive information. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id118506
    published2018-10-31
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118506
    titleGLSA-201810-06 : Xen: Multiple vulnerabilities (Foreshadow) (Meltdown) (Spectre)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-766.NASL
    descriptionThis update for xen fixes the following issues : Security issues fixed : - CVE-2018-3665: Fix Lazy FP Save/Restore issue (XSA-267) (bsc#1095242). - CVE-2018-12891: Fix possible Denial of Service (DoS) via certain PV MMU operations that affect the entire host (XSA-264) (bsc#1097521). - CVE-2018-12892: Fix libxl to honour the readonly flag on HVM emulated SCSI disks (XSA-266) (bsc#1097523). - CVE-2018-12893: Fix crash/Denial of Service (DoS) via safety check (XSA-265) (bsc#1097522). Bug fixes : - bsc#1027519: Add upstream patches from January. - bsc#1098403: Fix regression introduced by changes for bsc#1079730. A PV domU without qcow2 and/or vfb has no qemu attached. Ignore QMP errors for PV domUs to handle PV domUs with and without an attached qemu-xen. - bsc#1087289: Fix xen scheduler crash. This update was imported from the SUSE:SLE-15:Update update project.
    last seen2020-06-05
    modified2018-07-30
    plugin id111418
    published2018-07-30
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111418
    titleopenSUSE Security Update : xen (openSUSE-2018-766)