Vulnerabilities > CVE-2018-19966 - Interpretation Conflict vulnerability in multiple products

047910
CVSS 8.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
xen
debian
CWE-436
nessus

Summary

An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service (host OS crash) or possibly gain host OS privileges because of an interpretation conflict for a union data structure associated with shadow paging. NOTE: this issue exists because of an incorrect fix for CVE-2017-15595.

Vulnerable Configurations

Part Description Count
OS
Xen
13
OS
Debian
1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • HTTP Request Splitting
    HTTP Request Splitting (also known as HTTP Request Smuggling) is an attack pattern where an attacker attempts to insert additional HTTP requests in the body of the original (enveloping) HTTP request in such a way that the browser interprets it as one request but the web server interprets it as two. There are several ways to perform HTTP request splitting attacks. One way is to include double Content-Length headers in the request to exploit the fact that the devices parsing the request may each use a different header. Another way is to submit an HTTP request with a "Transfer Encoding: chunked" in the request header set with setRequestHeader to allow a payload in the HTTP Request that can be considered as another HTTP Request by a subsequent parsing entity. A third way is to use the "Double CR in an HTTP header" technique. There are also a few less general techniques targeting specific parsing vulnerabilities in certain web servers.
  • HTTP Response Smuggling
    An attacker injects content into a server response that is interpreted differently by intermediaries than it is by the target browser. To do this, it takes advantage of inconsistent or incorrect interpretations of the HTTP protocol by various applications. For example, it might use different block terminating characters (CR or LF alone), adding duplicate header fields that browsers interpret as belonging to separate responses, or other techniques. Consequences of this attack can include response-splitting, cross-site scripting, apparent defacement of targeted sites, cache poisoning, or similar actions.
  • HTTP Request Smuggling
    HTTP Request Smuggling results from the discrepancies in parsing HTTP requests between HTTP entities such as web caching proxies or application firewalls. Entities such as web servers, web caching proxies, application firewalls or simple proxies often parse HTTP requests in slightly different ways. Under specific situations where there are two or more such entities in the path of the HTTP request, a specially crafted request is seen by two attacked entities as two different sets of requests. This allows certain requests to be smuggled through to a second entity without the first one realizing it.

Nessus

  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-4070-1.NASL
    descriptionThis update for xen fixes the following issues : Security issues fixed : CVE-2018-18849: Fixed an out of bounds memory access issue was found in the LSI53C895A SCSI Host Bus Adapter emulation while writing a message in lsi_do_msgin (bsc#1114423). CVE-2018-18883: Fixed a NULL pointer dereference that could have been triggered by nested VT-x that where not properly restricted (XSA-278)(bsc#1114405). CVE-2018-19965: Fixed denial of service issue from attempting to use INVPCID with a non-canonical addresses (XSA-279)(bsc#1115045). CVE-2018-19966: Fixed issue introduced by XSA-240 that could have caused conflicts with shadow paging (XSA-280)(bsc#1115047). CVE-2018-19961 CVE-2018-19962: Fixed insufficient TLB flushing / improper large page mappings with AMD IOMMUs (XSA-275)(bsc#1115040). Non-security issues fixed: Added upstream bug fixes (bsc#1027519). Fixed XEN SLE12-SP1 domU hang on SLE12-SP3 HV (bsc#1108940). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-04-30
    modified2018-12-13
    plugin id119648
    published2018-12-13
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119648
    titleSUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2018:4070-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2018:4070-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(119648);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/28");
    
      script_cve_id("CVE-2018-18849", "CVE-2018-18883", "CVE-2018-19961", "CVE-2018-19962", "CVE-2018-19965", "CVE-2018-19966");
    
      script_name(english:"SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2018:4070-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for xen fixes the following issues :
    
    Security issues fixed :
    
    CVE-2018-18849: Fixed an out of bounds memory access issue was found
    in the LSI53C895A SCSI Host Bus Adapter emulation while writing a
    message in lsi_do_msgin (bsc#1114423).
    
    CVE-2018-18883: Fixed a NULL pointer dereference that could have been
    triggered by nested VT-x that where not properly restricted
    (XSA-278)(bsc#1114405).
    
    CVE-2018-19965: Fixed denial of service issue from attempting to use
    INVPCID with a non-canonical addresses (XSA-279)(bsc#1115045).
    
    CVE-2018-19966: Fixed issue introduced by XSA-240 that could have
    caused conflicts with shadow paging (XSA-280)(bsc#1115047).
    
    CVE-2018-19961 CVE-2018-19962: Fixed insufficient TLB flushing /
    improper large page mappings with AMD IOMMUs (XSA-275)(bsc#1115040).
    
    Non-security issues fixed: Added upstream bug fixes (bsc#1027519).
    
    Fixed XEN SLE12-SP1 domU hang on SLE12-SP3 HV (bsc#1108940).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1027519"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1108940"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1114405"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1114423"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1115040"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1115045"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1115047"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-18849/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-18883/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-19961/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-19962/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-19965/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-19966/"
      );
      # https://www.suse.com/support/update/announcement/2018/suse-su-20184070-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?14d54f65"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Software Development Kit 12-SP3:zypper in -t
    patch SUSE-SLE-SDK-12-SP3-2018-2896=1
    
    SUSE Linux Enterprise Server 12-SP3:zypper in -t patch
    SUSE-SLE-SERVER-12-SP3-2018-2896=1
    
    SUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch
    SUSE-SLE-DESKTOP-12-SP3-2018-2896=1
    
    SUSE CaaS Platform ALL :
    
    To install this update, use the SUSE CaaS Platform Velum dashboard. It
    will inform you if it detects new updates and let you then trigger
    updating of the complete cluster in a controlled way.
    
    SUSE CaaS Platform 3.0 :
    
    To install this update, use the SUSE CaaS Platform Velum dashboard. It
    will inform you if it detects new updates and let you then trigger
    updating of the complete cluster in a controlled way."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-doc-html");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-libs-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools-domU");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools-domU-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/11/01");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/12/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/12/13");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLED12|SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED12 / SLES12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    if (cpu >!< "x86_64") audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(3)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP3", os_ver + " SP" + sp);
    if (os_ver == "SLED12" && (! preg(pattern:"^(3)$", string:sp))) audit(AUDIT_OS_NOT, "SLED12 SP3", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES12", sp:"3", cpu:"x86_64", reference:"xen-4.9.3_03-3.47.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", cpu:"x86_64", reference:"xen-debugsource-4.9.3_03-3.47.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", cpu:"x86_64", reference:"xen-doc-html-4.9.3_03-3.47.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", cpu:"x86_64", reference:"xen-libs-32bit-4.9.3_03-3.47.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", cpu:"x86_64", reference:"xen-libs-4.9.3_03-3.47.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", cpu:"x86_64", reference:"xen-libs-debuginfo-32bit-4.9.3_03-3.47.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", cpu:"x86_64", reference:"xen-libs-debuginfo-4.9.3_03-3.47.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", cpu:"x86_64", reference:"xen-tools-4.9.3_03-3.47.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", cpu:"x86_64", reference:"xen-tools-debuginfo-4.9.3_03-3.47.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", cpu:"x86_64", reference:"xen-tools-domU-4.9.3_03-3.47.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", cpu:"x86_64", reference:"xen-tools-domU-debuginfo-4.9.3_03-3.47.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"xen-4.9.3_03-3.47.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"xen-debugsource-4.9.3_03-3.47.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"xen-libs-32bit-4.9.3_03-3.47.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"xen-libs-4.9.3_03-3.47.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"xen-libs-debuginfo-32bit-4.9.3_03-3.47.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"xen-libs-debuginfo-4.9.3_03-3.47.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-1624.NASL
    descriptionThis update for xen fixes the following issues : Update to Xen 4.10.2 bug fix release (bsc#1027519). Security vulnerabilities fixed : - CVE-2018-19961, CVE-2018-19962: Fixed an issue related to insufficient TLB flushing with AMD IOMMUs, which potentially allowed a guest to escalate its privileges, may cause a Denial of Service (DoS) affecting the entire host, or may be able to access data it is not supposed to access. (XSA-275) (bsc#1115040) - CVE-2018-19965: Fixed an issue related to the INVPCID instruction in case non-canonical addresses are accessed, which may allow a guest to cause Xen to crash, resulting in a Denial of Service (DoS) affecting the entire host. (XSA-279) (bsc#1115045) - CVE-2018-19966: Fixed an issue related to a previous fix for XSA-240, which conflicted with shadow paging and allowed a guest to cause Xen to crash, resulting in a Denial of Service (DoS). (XSA-280) (bsc#1115047) - CVE-2018-18883: Fixed an issue related to inproper restriction of nested VT-x, which allowed a guest to cause Xen to crash, resulting in a Denial of Service (DoS). (XSA-278) (bsc#1114405) - CVE-2018-15468: Fixed incorrect MSR_DEBUGCTL handling, which allowed guests to enable Branch Trace Store and may cause a Denial of Service (DoS) of the entire host. (XSA-269) (bsc#1103276) - CVE-2018-15469: Fixed use of v2 grant tables on ARM, which were not properly implemented and may cause a Denial of Service (DoS). (XSA-268) (bsc#1103275) - CVE-2018-15470: Fixed an issue in the logic in oxenstored for handling writes, which allowed a guest to write memory unbounded leading to system-wide Denial of Service (DoS). (XSA-272) (bsc#1103279) - CVE-2018-3646: Mitigations for VMM aspects of L1 Terminal Fault (XSA-273) (bsc#1091107) Other bugs fixed : - Fixed an issue related to a domU hang on SLE12-SP3 HV (bsc#1108940) - Fixed an issue with xpti=no-dom0 not working as expected (bsc#1105528) - Fixed a kernel oops related to fs/dcache.c called by d_materialise_unique() (bsc#1094508) This update was imported from the SUSE:SLE-15:Update update project.
    last seen2020-06-05
    modified2018-12-31
    plugin id119951
    published2018-12-31
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119951
    titleopenSUSE Security Update : xen (openSUSE-2018-1624) (Foreshadow)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2018-1624.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(119951);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2018-15468", "CVE-2018-15469", "CVE-2018-15470", "CVE-2018-18883", "CVE-2018-19961", "CVE-2018-19962", "CVE-2018-19965", "CVE-2018-19966", "CVE-2018-3646");
    
      script_name(english:"openSUSE Security Update : xen (openSUSE-2018-1624) (Foreshadow)");
      script_summary(english:"Check for the openSUSE-2018-1624 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for xen fixes the following issues :
    
    Update to Xen 4.10.2 bug fix release (bsc#1027519).
    
    Security vulnerabilities fixed :
    
      - CVE-2018-19961, CVE-2018-19962: Fixed an issue related
        to insufficient TLB flushing with AMD IOMMUs, which
        potentially allowed a guest to escalate its privileges,
        may cause a Denial of Service (DoS) affecting the entire
        host, or may be able to access data it is not supposed
        to access. (XSA-275) (bsc#1115040)
    
      - CVE-2018-19965: Fixed an issue related to the INVPCID
        instruction in case non-canonical addresses are
        accessed, which may allow a guest to cause Xen to crash,
        resulting in a Denial of Service (DoS) affecting the
        entire host. (XSA-279) (bsc#1115045)
    
      - CVE-2018-19966: Fixed an issue related to a previous fix
        for XSA-240, which conflicted with shadow paging and
        allowed a guest to cause Xen to crash, resulting in a
        Denial of Service (DoS). (XSA-280) (bsc#1115047)
    
      - CVE-2018-18883: Fixed an issue related to inproper
        restriction of nested VT-x, which allowed a guest to
        cause Xen to crash, resulting in a Denial of Service
        (DoS). (XSA-278) (bsc#1114405)
    
      - CVE-2018-15468: Fixed incorrect MSR_DEBUGCTL handling,
        which allowed guests to enable Branch Trace Store and
        may cause a Denial of Service (DoS) of the entire host.
        (XSA-269) (bsc#1103276)
    
      - CVE-2018-15469: Fixed use of v2 grant tables on ARM,
        which were not properly implemented and may cause a
        Denial of Service (DoS). (XSA-268) (bsc#1103275)
    
      - CVE-2018-15470: Fixed an issue in the logic in
        oxenstored for handling writes, which allowed a guest to
        write memory unbounded leading to system-wide Denial of
        Service (DoS). (XSA-272) (bsc#1103279)
    
      - CVE-2018-3646: Mitigations for VMM aspects of L1
        Terminal Fault (XSA-273) (bsc#1091107)
    
    Other bugs fixed :
    
      - Fixed an issue related to a domU hang on SLE12-SP3 HV
        (bsc#1108940)
    
      - Fixed an issue with xpti=no-dom0 not working as expected
        (bsc#1105528)
    
      - Fixed a kernel oops related to fs/dcache.c called by
        d_materialise_unique() (bsc#1094508)
    
    This update was imported from the SUSE:SLE-15:Update update project."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1027519"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1078292"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1091107"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1094508"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1103275"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1103276"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1103279"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1105528"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1108940"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1114405"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1115040"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1115045"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1115047"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected xen packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-doc-html");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-libs-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-libs-32bit-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-libs-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-tools-domU");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-tools-domU-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/12/29");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/12/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE15\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.0", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE15.0", reference:"xen-debugsource-4.10.2_04-lp150.2.12.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"xen-devel-4.10.2_04-lp150.2.12.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"xen-libs-4.10.2_04-lp150.2.12.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"xen-libs-debuginfo-4.10.2_04-lp150.2.12.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"xen-tools-domU-4.10.2_04-lp150.2.12.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"xen-tools-domU-debuginfo-4.10.2_04-lp150.2.12.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", cpu:"x86_64", reference:"xen-4.10.2_04-lp150.2.12.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", cpu:"x86_64", reference:"xen-doc-html-4.10.2_04-lp150.2.12.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", cpu:"x86_64", reference:"xen-libs-32bit-4.10.2_04-lp150.2.12.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", cpu:"x86_64", reference:"xen-libs-32bit-debuginfo-4.10.2_04-lp150.2.12.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", cpu:"x86_64", reference:"xen-tools-4.10.2_04-lp150.2.12.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", cpu:"x86_64", reference:"xen-tools-debuginfo-4.10.2_04-lp150.2.12.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen / xen-debugsource / xen-devel / xen-doc-html / xen-libs / etc");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4369.NASL
    descriptionMultiple vulnerabilities have been discovered in the Xen hypervisor : - CVE-2018-19961 / CVE-2018-19962 Paul Durrant discovered that incorrect TLB handling could result in denial of service, privilege escalation or information leaks. - CVE-2018-19965 Matthew Daley discovered that incorrect handling of the INVPCID instruction could result in denial of service by PV guests. - CVE-2018-19966 It was discovered that a regression in the fix to address CVE-2017-15595 could result in denial of service, privilege escalation or information leaks by a PV guest. - CVE-2018-19967 It was discovered that an error in some Intel CPUs could result in denial of service by a guest instance.
    last seen2020-03-17
    modified2019-01-15
    plugin id121168
    published2019-01-15
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121168
    titleDebian DSA-4369-1 : xen - security update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-4369. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(121168);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/24");
    
      script_cve_id("CVE-2018-19961", "CVE-2018-19962", "CVE-2018-19965", "CVE-2018-19966", "CVE-2018-19967");
      script_xref(name:"DSA", value:"4369");
    
      script_name(english:"Debian DSA-4369-1 : xen - security update");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Multiple vulnerabilities have been discovered in the Xen hypervisor :
    
      - CVE-2018-19961 / CVE-2018-19962
        Paul Durrant discovered that incorrect TLB handling
        could result in denial of service, privilege escalation
        or information leaks.
    
      - CVE-2018-19965
        Matthew Daley discovered that incorrect handling of the
        INVPCID instruction could result in denial of service by
        PV guests.
    
      - CVE-2018-19966
        It was discovered that a regression in the fix to
        address CVE-2017-15595 could result in denial of
        service, privilege escalation or information leaks by a
        PV guest.
    
      - CVE-2018-19967
        It was discovered that an error in some Intel CPUs could
        result in denial of service by a guest instance."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2018-19961"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2018-19962"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2018-19965"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2018-19966"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2017-15595"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2018-19967"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/source-package/xen"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/stretch/xen"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2019/dsa-4369"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the xen packages.
    
    For the stable distribution (stretch), these problems have been fixed
    in version 4.8.5+shim4.10.2+xsa282-1+deb9u11."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/01/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/15");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"9.0", prefix:"libxen-4.8", reference:"4.8.5+shim4.10.2+xsa282-1+deb9u11")) flag++;
    if (deb_check(release:"9.0", prefix:"libxen-dev", reference:"4.8.5+shim4.10.2+xsa282-1+deb9u11")) flag++;
    if (deb_check(release:"9.0", prefix:"libxenstore3.0", reference:"4.8.5+shim4.10.2+xsa282-1+deb9u11")) flag++;
    if (deb_check(release:"9.0", prefix:"xen-hypervisor-4.8-amd64", reference:"4.8.5+shim4.10.2+xsa282-1+deb9u11")) flag++;
    if (deb_check(release:"9.0", prefix:"xen-hypervisor-4.8-arm64", reference:"4.8.5+shim4.10.2+xsa282-1+deb9u11")) flag++;
    if (deb_check(release:"9.0", prefix:"xen-hypervisor-4.8-armhf", reference:"4.8.5+shim4.10.2+xsa282-1+deb9u11")) flag++;
    if (deb_check(release:"9.0", prefix:"xen-system-amd64", reference:"4.8.5+shim4.10.2+xsa282-1+deb9u11")) flag++;
    if (deb_check(release:"9.0", prefix:"xen-system-arm64", reference:"4.8.5+shim4.10.2+xsa282-1+deb9u11")) flag++;
    if (deb_check(release:"9.0", prefix:"xen-system-armhf", reference:"4.8.5+shim4.10.2+xsa282-1+deb9u11")) flag++;
    if (deb_check(release:"9.0", prefix:"xen-utils-4.8", reference:"4.8.5+shim4.10.2+xsa282-1+deb9u11")) flag++;
    if (deb_check(release:"9.0", prefix:"xen-utils-common", reference:"4.8.5+shim4.10.2+xsa282-1+deb9u11")) flag++;
    if (deb_check(release:"9.0", prefix:"xenstore-utils", reference:"4.8.5+shim4.10.2+xsa282-1+deb9u11")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-1530.NASL
    descriptionThis update for xen fixes the following issues : Security issues fixed : - CVE-2018-18849: Fixed an out of bounds memory access issue was found in the LSI53C895A SCSI Host Bus Adapter emulation while writing a message in lsi_do_msgin (bsc#1114423). - CVE-2018-18883: Fixed a NULL pointer dereference that could have been triggered by nested VT-x that where not properly restricted (XSA-278)(bsc#1114405). - CVE-2018-19965: Fixed denial of service issue from attempting to use INVPCID with a non-canonical addresses (XSA-279)(bsc#1115045). - CVE-2018-19966: Fixed issue introduced by XSA-240 that could have caused conflicts with shadow paging (XSA-280)(bsc#1115047). - CVE-2018-19961 CVE-2018-19962: Fixed insufficient TLB flushing / improper large page mappings with AMD IOMMUs (XSA-275)(bsc#1115040). Non-security issues fixed : - Added upstream bug fixes (bsc#1027519). This update was imported from the SUSE:SLE-12-SP3:Update update project.
    last seen2020-06-05
    modified2018-12-13
    plugin id119642
    published2018-12-13
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119642
    titleopenSUSE Security Update : xen (openSUSE-2018-1530)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2018-1530.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(119642);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2018-18849", "CVE-2018-18883", "CVE-2018-19961", "CVE-2018-19962", "CVE-2018-19965", "CVE-2018-19966");
    
      script_name(english:"openSUSE Security Update : xen (openSUSE-2018-1530)");
      script_summary(english:"Check for the openSUSE-2018-1530 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for xen fixes the following issues :
    
    Security issues fixed :
    
      - CVE-2018-18849: Fixed an out of bounds memory access
        issue was found in the LSI53C895A SCSI Host Bus Adapter
        emulation while writing a message in lsi_do_msgin
        (bsc#1114423).
    
      - CVE-2018-18883: Fixed a NULL pointer dereference that
        could have been triggered by nested VT-x that where not
        properly restricted (XSA-278)(bsc#1114405).
    
      - CVE-2018-19965: Fixed denial of service issue from
        attempting to use INVPCID with a non-canonical addresses
        (XSA-279)(bsc#1115045).
    
      - CVE-2018-19966: Fixed issue introduced by XSA-240 that
        could have caused conflicts with shadow paging
        (XSA-280)(bsc#1115047).
    
      - CVE-2018-19961 CVE-2018-19962: Fixed insufficient TLB
        flushing / improper large page mappings with AMD IOMMUs
        (XSA-275)(bsc#1115040).
    
    Non-security issues fixed :
    
      - Added upstream bug fixes (bsc#1027519).
    
    This update was imported from the SUSE:SLE-12-SP3:Update update
    project."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1027519"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1108940"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1114405"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1114423"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1115040"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1115045"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1115047"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected xen packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-doc-html");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-libs-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-tools-domU");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-tools-domU-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/11/01");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/12/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/12/13");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.3", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE42.3", reference:"xen-4.9.3_03-34.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"xen-debugsource-4.9.3_03-34.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"xen-devel-4.9.3_03-34.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"xen-doc-html-4.9.3_03-34.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"xen-libs-4.9.3_03-34.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"xen-libs-debuginfo-4.9.3_03-34.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"xen-tools-4.9.3_03-34.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"xen-tools-debuginfo-4.9.3_03-34.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"xen-tools-domU-4.9.3_03-34.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"xen-tools-domU-debuginfo-4.9.3_03-34.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen / xen-debugsource / xen-devel / xen-doc-html / xen-libs / etc");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-0020-1.NASL
    descriptionThis update for xen fixes the following issues : Security vulnerabilities fixed : CVE-2018-19961, CVE-2018-19962: Fixed an issue related to insufficient TLB flushing with AMD IOMMUs, which potentially allowed a guest to escalate its privileges, may cause a Denial of Service (DoS) affecting the entire host, or may be able to access data it is not supposed to access. (XSA-275) (bsc#1115040) CVE-2018-19965: Fixed an issue related to the INVPCID instruction in case non-canonical addresses are accessed, which may allow a guest to cause Xen to crash, resulting in a Denial of Service (DoS) affecting the entire host. (XSA-279) (bsc#1115045) CVE-2018-19966: Fixed an issue related to a previous fix for XSA-240, which conflicted with shadow paging and allowed a guest to cause Xen to crash, resulting in a Denial of Service (DoS). (XSA-280) (bsc#1115047) CVE-2018-19665: Fixed an integer overflow resulting in memory corruption in various Bluetooth functions, allowing this to crash qemu process resulting in Denial of Service (DoS). (bsc#1117756). CVE-2018-18849: Fixed an out of bounds memory access in the LSI53C895A SCSI host bus adapter emulation, which allowed a user and/or process to crash the qemu process resulting in a Denial of Service (DoS). (bsc#1114423) Other bugs fixed: Fixed an issue related to a domU hang on SLE12-SP3 HV (bsc#1108940) Fixed an issue with xpti=no-dom0 not working as expected (bsc#1105528) Fixed an issue with live migrations, which used to fail when spectre is enabled on xen boot cmdline (bsc#1116380) Upstream bug fixes (bsc#1027519) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-18
    modified2019-01-07
    plugin id120987
    published2019-01-07
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120987
    titleSUSE SLES12 Security Update : xen (SUSE-SU-2019:0020-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2019:0020-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(120987);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/26");
    
      script_cve_id("CVE-2018-18849", "CVE-2018-19665", "CVE-2018-19961", "CVE-2018-19962", "CVE-2018-19965", "CVE-2018-19966");
    
      script_name(english:"SUSE SLES12 Security Update : xen (SUSE-SU-2019:0020-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for xen fixes the following issues :
    
    Security vulnerabilities fixed :
    
    CVE-2018-19961, CVE-2018-19962: Fixed an issue related to insufficient
    TLB flushing with AMD IOMMUs, which potentially allowed a guest to
    escalate its privileges, may cause a Denial of Service (DoS) affecting
    the entire host, or may be able to access data it is not supposed to
    access. (XSA-275) (bsc#1115040)
    
    CVE-2018-19965: Fixed an issue related to the INVPCID instruction in
    case non-canonical addresses are accessed, which may allow a guest to
    cause Xen to crash, resulting in a Denial of Service (DoS) affecting
    the entire host. (XSA-279) (bsc#1115045)
    
    CVE-2018-19966: Fixed an issue related to a previous fix for XSA-240,
    which conflicted with shadow paging and allowed a guest to cause Xen
    to crash, resulting in a Denial of Service (DoS). (XSA-280)
    (bsc#1115047)
    
    CVE-2018-19665: Fixed an integer overflow resulting in memory
    corruption in various Bluetooth functions, allowing this to crash qemu
    process resulting in Denial of Service (DoS). (bsc#1117756).
    
    CVE-2018-18849: Fixed an out of bounds memory access in the LSI53C895A
    SCSI host bus adapter emulation, which allowed a user and/or process
    to crash the qemu process resulting in a Denial of Service (DoS).
    (bsc#1114423)
    
    Other bugs fixed: Fixed an issue related to a domU hang on SLE12-SP3
    HV (bsc#1108940)
    
    Fixed an issue with xpti=no-dom0 not working as expected (bsc#1105528)
    
    Fixed an issue with live migrations, which used to fail when spectre
    is enabled on xen boot cmdline (bsc#1116380)
    
    Upstream bug fixes (bsc#1027519)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1027519"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1105528"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1108940"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1114423"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1115040"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1115045"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1115047"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1116380"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1117756"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-18849/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-19665/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-19961/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-19962/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-19965/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-19966/"
      );
      # https://www.suse.com/support/update/announcement/2019/suse-su-20190020-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?54faf792"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE OpenStack Cloud 7:zypper in -t patch
    SUSE-OpenStack-Cloud-7-2019-20=1
    
    SUSE Linux Enterprise Server for SAP 12-SP2:zypper in -t patch
    SUSE-SLE-SAP-12-SP2-2019-20=1
    
    SUSE Linux Enterprise Server 12-SP2-LTSS:zypper in -t patch
    SUSE-SLE-SERVER-12-SP2-2019-20=1
    
    SUSE Linux Enterprise Server 12-SP2-BCL:zypper in -t patch
    SUSE-SLE-SERVER-12-SP2-BCL-2019-20=1
    
    SUSE Enterprise Storage 4:zypper in -t patch SUSE-Storage-4-2019-20=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-doc-html");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-libs-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools-domU");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools-domU-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/06");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/01/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/07");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    if (cpu >!< "x86_64") audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(2)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP2", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"xen-4.7.6_05-43.45.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"xen-debugsource-4.7.6_05-43.45.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"xen-doc-html-4.7.6_05-43.45.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"xen-libs-32bit-4.7.6_05-43.45.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"xen-libs-4.7.6_05-43.45.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"xen-libs-debuginfo-32bit-4.7.6_05-43.45.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"xen-libs-debuginfo-4.7.6_05-43.45.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"xen-tools-4.7.6_05-43.45.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"xen-tools-debuginfo-4.7.6_05-43.45.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"xen-tools-domU-4.7.6_05-43.45.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"xen-tools-domU-debuginfo-4.7.6_05-43.45.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"xen-4.7.6_05-43.45.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"xen-debugsource-4.7.6_05-43.45.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"xen-doc-html-4.7.6_05-43.45.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"xen-libs-32bit-4.7.6_05-43.45.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"xen-libs-4.7.6_05-43.45.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"xen-libs-debuginfo-32bit-4.7.6_05-43.45.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"xen-libs-debuginfo-4.7.6_05-43.45.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"xen-tools-4.7.6_05-43.45.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"xen-tools-debuginfo-4.7.6_05-43.45.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"xen-tools-domU-4.7.6_05-43.45.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"xen-tools-domU-debuginfo-4.7.6_05-43.45.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-BCE6498890.NASL
    descriptionxen: various flaws (#1685577) grant table transfer issues on large hosts [XSA-284] race with pass-through device hotplug [XSA-285] x86: steal_page violates page_struct access discipline [XSA-287] x86: Inconsistent PV IOMMU discipline [XSA-288] missing preemption in x86 PV page table unvalidation [XSA-290] x86/PV: page type reference counting issue with failed IOMMU update [XSA-291] x86: insufficient TLB flushing when using PCID [XSA-292] x86: PV kernel context switch corruption [XSA-293] x86 shadow: Insufficient TLB flushing when using PCID [XSA-294] ---- update to xen-4.10.3 ---- - insufficient TLB flushing / improper large page mappings with AMD IOMMUs [XSA-275] (#1651665) - x86: DoS from attempting to use INVPCID with a non-canonical addresses [XSA-279] - Fix for XSA-240 conflicts with shadow paging [XSA-280] ---- guest use of HLE constructs may lock up host [XSA-282] Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id123046
    published2019-03-25
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123046
    titleFedora 28 : xen (2019-bce6498890)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2019-bce6498890.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(123046);
      script_version("1.3");
      script_cvs_date("Date: 2020/02/03");
    
      script_cve_id("CVE-2018-19961", "CVE-2018-19962", "CVE-2018-19963", "CVE-2018-19965", "CVE-2018-19966");
      script_xref(name:"FEDORA", value:"2019-bce6498890");
    
      script_name(english:"Fedora 28 : xen (2019-bce6498890)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "xen: various flaws (#1685577) grant table transfer issues on large
    hosts [XSA-284] race with pass-through device hotplug [XSA-285] x86:
    steal_page violates page_struct access discipline [XSA-287] x86:
    Inconsistent PV IOMMU discipline [XSA-288] missing preemption in x86
    PV page table unvalidation [XSA-290] x86/PV: page type reference
    counting issue with failed IOMMU update [XSA-291] x86: insufficient
    TLB flushing when using PCID [XSA-292] x86: PV kernel context switch
    corruption [XSA-293] x86 shadow: Insufficient TLB flushing when using
    PCID [XSA-294]
    
    ----
    
    update to xen-4.10.3
    
    ----
    
      - insufficient TLB flushing / improper large page mappings
        with AMD IOMMUs [XSA-275] (#1651665)
    
      - x86: DoS from attempting to use INVPCID with a
        non-canonical addresses [XSA-279]
    
      - Fix for XSA-240 conflicts with shadow paging [XSA-280]
    
    ----
    
    guest use of HLE constructs may lock up host [XSA-282]
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2019-bce6498890"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected xen package.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:xen");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:28");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/03/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/03/25");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^28([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 28", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC28", reference:"xen-4.10.3-2.fc28")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-0003-1.NASL
    descriptionThis update for xen fixes the following issues : Update to Xen 4.11.1 bug fix release (bsc#1027519) CVE-2018-17963: Fixed an integer overflow issue in the QEMU emulator, which could occur when a packet with large packet size is processed. A user inside a guest could have used this flaw to crash the qemu process resulting in a Denial of Service (DoS). (bsc#1111014) CVE-2018-18849: Fixed an out of bounds memory access in the LSI53C895A SCSI host bus adapter emulation, which allowed a user and/or process to crash the qemu process resulting in a Denial of Service (DoS). (bsc#1114423) CVE-2018-18883: Fixed an issue related to inproper restriction of nested VT-x, which allowed a guest to cause Xen to crash, resulting in a Denial of Service (DoS). (XSA-278) (bsc#1114405) CVE-2018-19961, CVE-2018-19962: Fixed an issue related to insufficient TLB flushing with AMD IOMMUs, which potentially allowed a guest to escalate its privileges, may cause a Denial of Service (DoS) affecting the entire host, or may be able to access data it is not supposed to access. (XSA-275) (bsc#1115040) CVE-2018-19963: Fixed the allocation of pages used to communicate with external emulators, which may have cuased Xen to crash, resulting in a Denial of Service (DoS). (XSA-276) (bsc#1115043) CVE-2018-19965: Fixed an issue related to the INVPCID instruction in case non-canonical addresses are accessed, which may allow a guest to cause Xen to crash, resulting in a Denial of Service (DoS) affecting the entire host. (XSA-279) (bsc#1115045) CVE-2018-19966: Fixed an issue related to a previous fix for XSA-240, which conflicted with shadow paging and allowed a guest to cause Xen to crash, resulting in a Denial of Service (DoS) (XSA-280) (bsc#1115047) CVE-2018-19967: Fixed HLE constructs that allowed guests to lock up the host, resulting in a Denial of Service (DoS). (XSA-282) (bsc#1114988) CVE-2018-19964: Fixed the incorrect error handling of p2m page removals, which allowed a guest to cause a deadlock, resulting in a Denial of Service (DoS) affecting the entire host. (XSA-277) (bsc#1115044) CVE-2018-19665: Fixed an integer overflow resulting in memory corruption in various Bluetooth functions, allowing this to crash qemu process resulting in Denial of Service (DoS). (bsc#1117756). Other bugs fixed: Fixed an issue related to a domU hang on SLE12-SP3 HV (bsc#1108940) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-18
    modified2019-01-07
    plugin id120983
    published2019-01-07
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120983
    titleSUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2019:0003-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2019:0003-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(120983);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/26");
    
      script_cve_id("CVE-2018-17963", "CVE-2018-18849", "CVE-2018-18883", "CVE-2018-19665", "CVE-2018-19961", "CVE-2018-19962", "CVE-2018-19963", "CVE-2018-19964", "CVE-2018-19965", "CVE-2018-19966", "CVE-2018-19967");
    
      script_name(english:"SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2019:0003-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for xen fixes the following issues :
    
    Update to Xen 4.11.1 bug fix release (bsc#1027519)
    
    CVE-2018-17963: Fixed an integer overflow issue in the QEMU emulator,
    which could occur when a packet with large packet size is processed. A
    user inside a guest could have used this flaw to crash the qemu
    process resulting in a Denial of Service (DoS). (bsc#1111014)
    
    CVE-2018-18849: Fixed an out of bounds memory access in the LSI53C895A
    SCSI host bus adapter emulation, which allowed a user and/or process
    to crash the qemu process resulting in a Denial of Service (DoS).
    (bsc#1114423)
    
    CVE-2018-18883: Fixed an issue related to inproper restriction of
    nested VT-x, which allowed a guest to cause Xen to crash, resulting in
    a Denial of Service (DoS). (XSA-278) (bsc#1114405)
    
    CVE-2018-19961, CVE-2018-19962: Fixed an issue related to insufficient
    TLB flushing with AMD IOMMUs, which potentially allowed a guest to
    escalate its privileges, may cause a Denial of Service (DoS) affecting
    the entire host, or may be able to access data it is not supposed to
    access. (XSA-275) (bsc#1115040)
    
    CVE-2018-19963: Fixed the allocation of pages used to communicate with
    external emulators, which may have cuased Xen to crash, resulting in a
    Denial of Service (DoS). (XSA-276) (bsc#1115043)
    
    CVE-2018-19965: Fixed an issue related to the INVPCID instruction in
    case non-canonical addresses are accessed, which may allow a guest to
    cause Xen to crash, resulting in a Denial of Service (DoS) affecting
    the entire host. (XSA-279) (bsc#1115045)
    
    CVE-2018-19966: Fixed an issue related to a previous fix for XSA-240,
    which conflicted with shadow paging and allowed a guest to cause Xen
    to crash, resulting in a Denial of Service (DoS) (XSA-280)
    (bsc#1115047)
    
    CVE-2018-19967: Fixed HLE constructs that allowed guests to lock up
    the host, resulting in a Denial of Service (DoS). (XSA-282)
    (bsc#1114988)
    
    CVE-2018-19964: Fixed the incorrect error handling of p2m page
    removals, which allowed a guest to cause a deadlock, resulting in a
    Denial of Service (DoS) affecting the entire host. (XSA-277)
    (bsc#1115044)
    
    CVE-2018-19665: Fixed an integer overflow resulting in memory
    corruption in various Bluetooth functions, allowing this to crash qemu
    process resulting in Denial of Service (DoS). (bsc#1117756).
    
    Other bugs fixed: Fixed an issue related to a domU hang on SLE12-SP3
    HV (bsc#1108940)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1027519"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1108940"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1111014"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1114405"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1114423"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1114988"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1115040"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1115043"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1115044"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1115045"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1115047"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1117756"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-17963/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-18849/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-18883/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-19665/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-19961/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-19962/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-19963/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-19964/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-19965/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-19966/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-19967/"
      );
      # https://www.suse.com/support/update/announcement/2019/suse-su-20190003-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?3d0f22aa"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Software Development Kit 12-SP4:zypper in -t
    patch SUSE-SLE-SDK-12-SP4-2019-3=1
    
    SUSE Linux Enterprise Server 12-SP4:zypper in -t patch
    SUSE-SLE-SERVER-12-SP4-2019-3=1
    
    SUSE Linux Enterprise Desktop 12-SP4:zypper in -t patch
    SUSE-SLE-DESKTOP-12-SP4-2019-3=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-doc-html");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-libs-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools-domU");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools-domU-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/10/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/01/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/07");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLED12|SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED12 / SLES12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    if (cpu >!< "x86_64") audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(4)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP4", os_ver + " SP" + sp);
    if (os_ver == "SLED12" && (! preg(pattern:"^(4)$", string:sp))) audit(AUDIT_OS_NOT, "SLED12 SP4", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES12", sp:"4", cpu:"x86_64", reference:"xen-4.11.1_02-2.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"4", cpu:"x86_64", reference:"xen-debugsource-4.11.1_02-2.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"4", cpu:"x86_64", reference:"xen-doc-html-4.11.1_02-2.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"4", cpu:"x86_64", reference:"xen-libs-32bit-4.11.1_02-2.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"4", cpu:"x86_64", reference:"xen-libs-4.11.1_02-2.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"4", cpu:"x86_64", reference:"xen-libs-debuginfo-32bit-4.11.1_02-2.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"4", cpu:"x86_64", reference:"xen-libs-debuginfo-4.11.1_02-2.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"4", cpu:"x86_64", reference:"xen-tools-4.11.1_02-2.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"4", cpu:"x86_64", reference:"xen-tools-debuginfo-4.11.1_02-2.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"4", cpu:"x86_64", reference:"xen-tools-domU-4.11.1_02-2.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"4", cpu:"x86_64", reference:"xen-tools-domU-debuginfo-4.11.1_02-2.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"4", cpu:"x86_64", reference:"xen-4.11.1_02-2.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"4", cpu:"x86_64", reference:"xen-debugsource-4.11.1_02-2.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"4", cpu:"x86_64", reference:"xen-libs-32bit-4.11.1_02-2.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"4", cpu:"x86_64", reference:"xen-libs-4.11.1_02-2.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"4", cpu:"x86_64", reference:"xen-libs-debuginfo-32bit-4.11.1_02-2.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"4", cpu:"x86_64", reference:"xen-libs-debuginfo-4.11.1_02-2.3.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-1046.NASL
    descriptionThis update for xen fixes the following issues : Update to Xen 4.10.2 bug fix release (bsc#1027519). Security vulnerabilities fixed : - CVE-2018-19961, CVE-2018-19962: Fixed an issue related to insufficient TLB flushing with AMD IOMMUs, which potentially allowed a guest to escalate its privileges, may cause a Denial of Service (DoS) affecting the entire host, or may be able to access data it is not supposed to access. (XSA-275) (bsc#1115040) - CVE-2018-19965: Fixed an issue related to the INVPCID instruction in case non-canonical addresses are accessed, which may allow a guest to cause Xen to crash, resulting in a Denial of Service (DoS) affecting the entire host. (XSA-279) (bsc#1115045) - CVE-2018-19966: Fixed an issue related to a previous fix for XSA-240, which conflicted with shadow paging and allowed a guest to cause Xen to crash, resulting in a Denial of Service (DoS). (XSA-280) (bsc#1115047) - CVE-2018-18883: Fixed an issue related to inproper restriction of nested VT-x, which allowed a guest to cause Xen to crash, resulting in a Denial of Service (DoS). (XSA-278) (bsc#1114405) - CVE-2018-15468: Fixed incorrect MSR_DEBUGCTL handling, which allowed guests to enable Branch Trace Store and may cause a Denial of Service (DoS) of the entire host. (XSA-269) (bsc#1103276) - CVE-2018-15469: Fixed use of v2 grant tables on ARM, which were not properly implemented and may cause a Denial of Service (DoS). (XSA-268) (bsc#1103275) - CVE-2018-15470: Fixed an issue in the logic in oxenstored for handling writes, which allowed a guest to write memory unbounded leading to system-wide Denial of Service (DoS). (XSA-272) (bsc#1103279) - CVE-2018-3646: Mitigations for VMM aspects of L1 Terminal Fault (XSA-273) (bsc#1091107) Other bugs fixed : - Fixed an issue related to a domU hang on SLE12-SP3 HV (bsc#1108940) - Fixed an issue with xpti=no-dom0 not working as expected (bsc#1105528) - Fixed a kernel oops related to fs/dcache.c called by d_materialise_unique() (bsc#1094508) This update was imported from the SUSE:SLE-15:Update update project.
    last seen2020-06-01
    modified2020-06-02
    plugin id123167
    published2019-03-27
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123167
    titleopenSUSE Security Update : xen (openSUSE-2019-1046) (Foreshadow)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2019-1046.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(123167);
      script_version("1.2");
      script_cvs_date("Date: 2020/01/31");
    
      script_cve_id("CVE-2018-15468", "CVE-2018-15469", "CVE-2018-15470", "CVE-2018-18883", "CVE-2018-19961", "CVE-2018-19962", "CVE-2018-19965", "CVE-2018-19966", "CVE-2018-3646");
    
      script_name(english:"openSUSE Security Update : xen (openSUSE-2019-1046) (Foreshadow)");
      script_summary(english:"Check for the openSUSE-2019-1046 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for xen fixes the following issues :
    
    Update to Xen 4.10.2 bug fix release (bsc#1027519).
    
    Security vulnerabilities fixed :
    
      - CVE-2018-19961, CVE-2018-19962: Fixed an issue related
        to insufficient TLB flushing with AMD IOMMUs, which
        potentially allowed a guest to escalate its privileges,
        may cause a Denial of Service (DoS) affecting the entire
        host, or may be able to access data it is not supposed
        to access. (XSA-275) (bsc#1115040)
    
      - CVE-2018-19965: Fixed an issue related to the INVPCID
        instruction in case non-canonical addresses are
        accessed, which may allow a guest to cause Xen to crash,
        resulting in a Denial of Service (DoS) affecting the
        entire host. (XSA-279) (bsc#1115045)
    
      - CVE-2018-19966: Fixed an issue related to a previous fix
        for XSA-240, which conflicted with shadow paging and
        allowed a guest to cause Xen to crash, resulting in a
        Denial of Service (DoS). (XSA-280) (bsc#1115047)
    
      - CVE-2018-18883: Fixed an issue related to inproper
        restriction of nested VT-x, which allowed a guest to
        cause Xen to crash, resulting in a Denial of Service
        (DoS). (XSA-278) (bsc#1114405)
    
      - CVE-2018-15468: Fixed incorrect MSR_DEBUGCTL handling,
        which allowed guests to enable Branch Trace Store and
        may cause a Denial of Service (DoS) of the entire host.
        (XSA-269) (bsc#1103276)
    
      - CVE-2018-15469: Fixed use of v2 grant tables on ARM,
        which were not properly implemented and may cause a
        Denial of Service (DoS). (XSA-268) (bsc#1103275)
    
      - CVE-2018-15470: Fixed an issue in the logic in
        oxenstored for handling writes, which allowed a guest to
        write memory unbounded leading to system-wide Denial of
        Service (DoS). (XSA-272) (bsc#1103279)
    
      - CVE-2018-3646: Mitigations for VMM aspects of L1
        Terminal Fault (XSA-273) (bsc#1091107)
    
    Other bugs fixed :
    
      - Fixed an issue related to a domU hang on SLE12-SP3 HV
        (bsc#1108940)
    
      - Fixed an issue with xpti=no-dom0 not working as expected
        (bsc#1105528)
    
      - Fixed a kernel oops related to fs/dcache.c called by
        d_materialise_unique() (bsc#1094508)
    
    This update was imported from the SUSE:SLE-15:Update update project."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1027519"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1078292"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1091107"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1094508"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1103275"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1103276"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1103279"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1105528"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1108940"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1114405"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1115040"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1115045"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1115047"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected xen packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-doc-html");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-libs-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-libs-32bit-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-libs-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-tools-domU");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-tools-domU-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/08/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/03/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/03/27");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE15\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.0", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE15.0", reference:"xen-debugsource-4.10.2_04-lp150.2.12.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"xen-devel-4.10.2_04-lp150.2.12.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"xen-libs-4.10.2_04-lp150.2.12.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"xen-libs-debuginfo-4.10.2_04-lp150.2.12.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"xen-tools-domU-4.10.2_04-lp150.2.12.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"xen-tools-domU-debuginfo-4.10.2_04-lp150.2.12.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", cpu:"x86_64", reference:"xen-4.10.2_04-lp150.2.12.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", cpu:"x86_64", reference:"xen-doc-html-4.10.2_04-lp150.2.12.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", cpu:"x86_64", reference:"xen-libs-32bit-4.10.2_04-lp150.2.12.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", cpu:"x86_64", reference:"xen-libs-32bit-debuginfo-4.10.2_04-lp150.2.12.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", cpu:"x86_64", reference:"xen-tools-4.10.2_04-lp150.2.12.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", cpu:"x86_64", reference:"xen-tools-debuginfo-4.10.2_04-lp150.2.12.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen / xen-debugsource / xen-devel / xen-doc-html / xen-libs-32bit / etc");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-4300-1.NASL
    descriptionThis update for xen fixes the following issues : Update to Xen 4.10.2 bug fix release (bsc#1027519). Security vulnerabilities fixed : CVE-2018-19961, CVE-2018-19962: Fixed an issue related to insufficient TLB flushing with AMD IOMMUs, which potentially allowed a guest to escalate its privileges, may cause a Denial of Service (DoS) affecting the entire host, or may be able to access data it is not supposed to access. (XSA-275) (bsc#1115040) CVE-2018-19965: Fixed an issue related to the INVPCID instruction in case non-canonical addresses are accessed, which may allow a guest to cause Xen to crash, resulting in a Denial of Service (DoS) affecting the entire host. (XSA-279) (bsc#1115045) CVE-2018-19966: Fixed an issue related to a previous fix for XSA-240, which conflicted with shadow paging and allowed a guest to cause Xen to crash, resulting in a Denial of Service (DoS). (XSA-280) (bsc#1115047) CVE-2018-18883: Fixed an issue related to inproper restriction of nested VT-x, which allowed a guest to cause Xen to crash, resulting in a Denial of Service (DoS). (XSA-278) (bsc#1114405) CVE-2018-15468: Fixed incorrect MSR_DEBUGCTL handling, which allowed guests to enable Branch Trace Store and may cause a Denial of Service (DoS) of the entire host. (XSA-269) (bsc#1103276) CVE-2018-15469: Fixed use of v2 grant tables on ARM, which were not properly implemented and may cause a Denial of Service (DoS). (XSA-268) (bsc#1103275) CVE-2018-15470: Fixed an issue in the logic in oxenstored for handling writes, which allowed a guest to write memory unbounded leading to system-wide Denial of Service (DoS). (XSA-272) (bsc#1103279) CVE-2018-3646: Mitigations for VMM aspects of L1 Terminal Fault (XSA-273) (bsc#1091107) Other bugs fixed: Fixed an issue related to a domU hang on SLE12-SP3 HV (bsc#1108940) Fixed an issue with xpti=no-dom0 not working as expected (bsc#1105528) Fixed a kernel oops related to fs/dcache.c called by d_materialise_unique() (bsc#1094508) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-18
    modified2019-01-02
    plugin id120196
    published2019-01-02
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120196
    titleSUSE SLED15 / SLES15 Security Update : xen (SUSE-SU-2018:4300-1) (Foreshadow)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2018:4300-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(120196);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/16");
    
      script_cve_id("CVE-2018-15468", "CVE-2018-15469", "CVE-2018-15470", "CVE-2018-18883", "CVE-2018-19961", "CVE-2018-19962", "CVE-2018-19965", "CVE-2018-19966", "CVE-2018-3646");
    
      script_name(english:"SUSE SLED15 / SLES15 Security Update : xen (SUSE-SU-2018:4300-1) (Foreshadow)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for xen fixes the following issues :
    
    Update to Xen 4.10.2 bug fix release (bsc#1027519).
    
    Security vulnerabilities fixed :
    
    CVE-2018-19961, CVE-2018-19962: Fixed an issue related to insufficient
    TLB flushing with AMD IOMMUs, which potentially allowed a guest to
    escalate its privileges, may cause a Denial of Service (DoS) affecting
    the entire host, or may be able to access data it is not supposed to
    access. (XSA-275) (bsc#1115040)
    
    CVE-2018-19965: Fixed an issue related to the INVPCID instruction in
    case non-canonical addresses are accessed, which may allow a guest to
    cause Xen to crash, resulting in a Denial of Service (DoS) affecting
    the entire host. (XSA-279) (bsc#1115045)
    
    CVE-2018-19966: Fixed an issue related to a previous fix for XSA-240,
    which conflicted with shadow paging and allowed a guest to cause Xen
    to crash, resulting in a Denial of Service (DoS). (XSA-280)
    (bsc#1115047)
    
    CVE-2018-18883: Fixed an issue related to inproper restriction of
    nested VT-x, which allowed a guest to cause Xen to crash, resulting in
    a Denial of Service (DoS). (XSA-278) (bsc#1114405)
    
    CVE-2018-15468: Fixed incorrect MSR_DEBUGCTL handling, which allowed
    guests to enable Branch Trace Store and may cause a Denial of Service
    (DoS) of the entire host. (XSA-269) (bsc#1103276)
    
    CVE-2018-15469: Fixed use of v2 grant tables on ARM, which were not
    properly implemented and may cause a Denial of Service (DoS).
    (XSA-268) (bsc#1103275)
    
    CVE-2018-15470: Fixed an issue in the logic in oxenstored for handling
    writes, which allowed a guest to write memory unbounded leading to
    system-wide Denial of Service (DoS). (XSA-272) (bsc#1103279)
    
    CVE-2018-3646: Mitigations for VMM aspects of L1 Terminal Fault
    (XSA-273) (bsc#1091107)
    
    Other bugs fixed: Fixed an issue related to a domU hang on SLE12-SP3
    HV (bsc#1108940)
    
    Fixed an issue with xpti=no-dom0 not working as expected (bsc#1105528)
    
    Fixed a kernel oops related to fs/dcache.c called by
    d_materialise_unique() (bsc#1094508)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1027519"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1078292"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1091107"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1094508"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1103275"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1103276"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1103279"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1105528"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1108940"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1114405"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1115040"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1115045"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1115047"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-15468/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-15469/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-15470/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-18883/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-19961/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-19962/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-19965/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-19966/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-3646/"
      );
      # https://www.suse.com/support/update/announcement/2018/suse-su-20184300-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?3af96718"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Module for Server Applications 15:zypper in -t
    patch SUSE-SLE-Module-Server-Applications-15-2018-3063=1
    
    SUSE Linux Enterprise Module for Basesystem 15:zypper in -t patch
    SUSE-SLE-Module-Basesystem-15-2018-3063=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-libs-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools-domU");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools-domU-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:15");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/08/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/12/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/02");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLED15|SLES15)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED15 / SLES15", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    if (cpu >!< "x86_64") audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES15" && (! preg(pattern:"^(0)$", string:sp))) audit(AUDIT_OS_NOT, "SLES15 SP0", os_ver + " SP" + sp);
    if (os_ver == "SLED15" && (! preg(pattern:"^(0)$", string:sp))) audit(AUDIT_OS_NOT, "SLED15 SP0", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES15", sp:"0", cpu:"x86_64", reference:"xen-4.10.2_04-3.9.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", cpu:"x86_64", reference:"xen-debugsource-4.10.2_04-3.9.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", cpu:"x86_64", reference:"xen-devel-4.10.2_04-3.9.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", cpu:"x86_64", reference:"xen-tools-4.10.2_04-3.9.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", cpu:"x86_64", reference:"xen-tools-debuginfo-4.10.2_04-3.9.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", cpu:"x86_64", reference:"xen-debugsource-4.10.2_04-3.9.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", cpu:"x86_64", reference:"xen-libs-4.10.2_04-3.9.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", cpu:"x86_64", reference:"xen-libs-debuginfo-4.10.2_04-3.9.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", cpu:"x86_64", reference:"xen-tools-domU-4.10.2_04-3.9.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", cpu:"x86_64", reference:"xen-tools-domU-debuginfo-4.10.2_04-3.9.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", cpu:"x86_64", reference:"xen-debugsource-4.10.2_04-3.9.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", cpu:"x86_64", reference:"xen-libs-4.10.2_04-3.9.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", cpu:"x86_64", reference:"xen-libs-debuginfo-4.10.2_04-3.9.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", cpu:"x86_64", reference:"xen-tools-domU-4.10.2_04-3.9.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", cpu:"x86_64", reference:"xen-tools-domU-debuginfo-4.10.2_04-3.9.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen");
    }
    
  • NASL familyMisc.
    NASL idXEN_SERVER_XSA-280.NASL
    descriptionAccording to its self-reported version number, the Xen hypervisor installed on the remote host is affected by a vulnerability allowing a guest system to potentially elevate privileges, access protected information, and perform a DoS against the host. A number of caveats exist to determine if a system is vulnerable. Please refer to the vendor advisory for more information. Note that Nessus has checked the changeset versions based on the xen.git change log. Nessus did not check guest hardware configurations or if patches were applied manually to the source code before a recompile and reinstall.
    last seen2020-06-01
    modified2020-06-02
    plugin id119660
    published2018-12-13
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119660
    titleXen Project XSA-240 Mitigation Shadow Paging Conflict Vulnerability (XSA-280)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(119660);
      script_version("1.3");
      script_cvs_date("Date: 2019/11/01");
    
      script_cve_id("CVE-2018-19966");
      script_bugtraq_id(106182);
      script_xref(name:"IAVB", value:"2018-B-0149");
    
      script_name(english:"Xen Project XSA-240 Mitigation Shadow Paging Conflict Vulnerability (XSA-280)");
      script_summary(english:"Checks 'xl info' output for the Xen hypervisor version.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Xen hypervisor installation is missing a security update.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version number, the Xen hypervisor
    installed on the remote host is affected by a vulnerability allowing
    a guest system to potentially elevate privileges, access protected
    information, and perform a DoS against the host. A number of caveats
    exist to determine if a system is vulnerable. Please refer to the
    vendor advisory for more information.
    
    Note that Nessus has checked the changeset versions based on the
    xen.git change log. Nessus did not check guest hardware configurations
    or if patches were applied manually to the source code before a
    recompile and reinstall.");
      script_set_attribute(attribute:"see_also", value:"https://xenbits.xen.org/xsa/advisory-280.html");
      script_set_attribute(attribute:"see_also", value:"https://xenbits.xen.org/gitweb/?p=xen.git;a=summary");
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate patch according to the vendor advisory.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-19966");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/11/20");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/11/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/12/13");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:xen:xen");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("xen_server_detect.nbin");
      script_require_keys("installed_sw/Xen Hypervisor", "Settings/ParanoidReport");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("install_func.inc");
    include("misc_func.inc");
    
    app_name = "Xen Hypervisor";
    install  = get_single_install(app_name:app_name);
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    version         = install['version'];
    display_version = install['display_version'];
    path            = install['path'];
    managed_status  = install['Managed status'];
    changeset       = install['Changeset'];
    
    if (!empty_or_null(changeset))
      display_version += " (changeset " + changeset + ")";
    
    # Installations that are vendor-managed are handled by OS-specific local package checks
    if (managed_status == "managed")
      audit(AUDIT_INST_PATH_NOT_VULN, app_name, display_version, path);
    
    fixes['4.7']['fixed_ver']           = '4.7.6';
    fixes['4.7']['fixed_ver_display']   = '4.7.6 (changeset ab6d56c)';
    fixes['4.7']['affected_ver_regex']  = '^4\\.7\\.';
    fixes['4.7']['affected_changesets'] = make_list("4f3858f", "045d4f7",
      "2b3463f", "efe21ad", "9c82759", "3d3e474", "4e69e43", "3d33cc6",
      "3f7b4ec", "7ba1c7d", "87d5aa4", "9b8375a", "da93914", "0aa4696",
      "f05a33e", "f440b31", "1a90803", "0abc1ae", "1fdb25a", "c9641d4",
      "61c4360", "df66c1c", "59732fd", "3f7fd2b", "bcbd8b9", "dfee811",
      "95ff4e1", "ded2a37", "87dba80", "fe028e6", "a51e6a3", "0e66281",
      "51d9780", "91ca84c", "bce2dd6", "fa807e2", "97aff08", "e90e243",
      "c0e854b", "9858a1f", "a404136", "dc111e9", "0873699", "280a556");
    
    fixes['4.8']['fixed_ver']           = '4.8.5';
    fixes['4.8']['fixed_ver_display']   = '4.8.5-pre (changeset 92f3118)';
    fixes['4.8']['affected_ver_regex']  = '^4\\.8\\.';
    fixes['4.8']['affected_changesets'] = make_list("4be61c4", "538c7c7",
      "14854d0", "f030ad0", "d6798ce", "d792e57", "ba4eb85", "88b5e36",
      "64fd42f", "86cba9b", "49f74ea", "5b6fb33", "8d1afd1", "0dbe6ac",
      "38a7dde", "bd89569", "dee5937", "5670039", "53dfcb0", "d4f07fb",
      "005df91", "8bfab2b", "dc814e1", "5e86977", "d1a5936", "c9fc6b3",
      "21ac6c8", "e52ec4b", "d95b5bb", "565de91", "1c6c2de", "1f56fba",
      "5464d5f", "9e7d5e2", "7849d13", "e819108", "fe78829", "28fc483",
      "712082d", "ed6fcdb", "0406164", "e3d0ce3", "c00fabc", "3478439",
      "b81b74a", "b289403", "47fbc6e", "ee7bcea", "df5bbf7", "d96893f",
      "15508b3", "790ed15", "d838957", "aa45015", "b149b06", "c117d09",
      "e343ee8", "5566272", "f049cd6", "6dc0bc5", "37a1b4a", "f6a31ed",
      "08eda97", "96bf2db", "23975f5", "f3b0cdb", "f5ef10d", "de172b0",
      "3686d09", "4aec0c7");
    
    fixes['4.9']['fixed_ver']           = '4.9.4';
    fixes['4.9']['fixed_ver_display']   = '4.9.4-pre (changeset ca5ede6)';
    fixes['4.9']['affected_ver_regex']  = '^4\\.9\\.';
    fixes['4.9']['affected_changesets'] = make_list("d96e629", "d819a65",
      "15b4ee9", "f97a1d1", "f13983d", "8d6f213", "c4a3f16", "1bd7c17",
      "1ebb803", "042887f", "e61a7cb", "f668bb4", "d635520", "b791d9b",
      "273cc99", "ee2e8a0", "f294d80", "782ca9b", "b7dae43", "62ed524",
      "75c8dbc", "56d90f5", "6000494", "870fcbf", "9b31834", "3eabb91");
    
    fixes['4.10']['fixed_ver']           = '4.10.3';
    fixes['4.10']['fixed_ver_display']   = '4.10.3-pre (changeset 8b1efc9)';
    fixes['4.10']['affected_ver_regex']  = '^4\\.10\\.';
    fixes['4.10']['affected_changesets'] = make_list("2f5a67c", "c1fd070",
      "d5d8074", "421aada", "e907460", "ba6ac89", "4c7cd94", "c841c82",
      "5b15c04", "6e3650d", "4d5a0f2", "b0f1b24", "aa05c39", "c504397",
      "1639352", "b79ac27", "5822be6", "225fbd2", "73788eb", "ed024ef",
      "9f8eff3", "788948b", "61dc015", "d86c9ae", "4519790", "5483835",
      "518726d", "d091a49", "923af25", "5ba0bb0", "173c338");
    
    fixes['4.11']['fixed_ver']           = '4.11.1';
    fixes['4.11']['fixed_ver_display']   = '4.11.1-pre (changeset bbe48b5)';
    fixes['4.11']['affected_ver_regex']  = '^4\\.11\\.';
    fixes['4.11']['affected_changesets'] = make_list("93177f1", "e738850",
      "eb6830a", "b88ccb3", "3b2a779", "946f345", "086a9dd", "dea9fc0",
      "ff9f873", "0f0ad14", "8ad462a", "d67b849", "8f3f58c", "06a50b0",
      "fe10c22", "e243639", "f0b4b69", "d34471f", "26feeb5", "221acbf",
      "8bed728", "18b5947", "94fba9f", "33664f9", "a2e35a7", "451f9c8",
      "d7cbb4b", "bb6d070", "b1a47ef", "5b1592d", "0719a5f", "03fd745",
      "d1caf6e", "a07f444", "74fee1b", "2004a91", "8c8b3cb", "5acdd26",
      "733450b", "d757c29", "6c7d074", "2a47c75", "007752f", "fb78137",
      "665e768", "f4a049e", "02d2c66", "57483c0", "d044f6c", "e6441a8",
      "48fb482", "fa79f9e", "1d32c21", "7b420e8", "8b35b97", "cfdd4e8",
      "218d403", "b52017c", "52b8f9a", "935e9c4", "61cc876", "4254e98",
      "6fe9726", "33ced72", "7de2155", "06d2a76", "543027c", "037fe82",
      "353edf1", "75313e4", "5908b48", "bd51a64", "0a2016c", "b53e0de",
      "a44cf0c", "ac35e05", "10c5482", "4bdeedb", "da33530", "e932371", "1fd87ba");
    
    fix = NULL;
    foreach ver_branch (keys(fixes))
    {
      if (version =~ fixes[ver_branch]['affected_ver_regex'])
      {
        ret = ver_compare(ver:version, fix:fixes[ver_branch]['fixed_ver']);
        if (ret < 0)
          fix = fixes[ver_branch]['fixed_ver_display'];
        else if (ret == 0)
        {
          if (empty_or_null(changeset))
            fix = fixes[ver_branch]['fixed_ver_display'];
          else
            foreach affected_changeset (fixes[ver_branch]['affected_changesets'])
              if (changeset == affected_changeset)
                fix = fixes[ver_branch]['fixed_ver_display'];
        }
      }
    }
    
    if (empty_or_null(fix))
      audit(AUDIT_INST_PATH_NOT_VULN, app_name, display_version, path);
    
    items  = make_array(
      "Installed version", display_version,
      "Fixed version", fix,
      "Path", path
    );
    
    order  = make_list("Path", "Installed version", "Fixed version");
    report = report_items_str(report_items:items, ordered_fields:order) + '\n';
    
    security_report_v4(port:0, extra:report, severity:SECURITY_HOLE);
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-1226.NASL
    descriptionThis update for xen fixes the following issues : Security issues fixed : - CVE-2018-19967: Fixed HLE constructs that allowed guests to lock up the host, resulting in a Denial of Service (DoS). (XSA-282) (bsc#1114988) - CVE-2019-6778: Fixed a heap buffer overflow in tcp_emu() found in slirp (bsc#1123157). - Fixed an issue which could allow malicious or buggy guests with passed through PCI devices to be able to escalate their privileges, crash the host, or access data belonging to other guests. Additionally memory leaks were also possible (bsc#1126140). - Fixed a race condition issue which could allow malicious PV guests to escalate their privilege to that of the hypervisor (bsc#1126141). - Fixed an issue which could allow a malicious unprivileged guest userspace process to escalate its privilege to that of other userspace processes in the same guest and potentially thereby to that of the guest operating system (bsc#1126201). - CVE-2019-9824: Fixed an information leak in SLiRP networking implementation which could allow a user/process to read uninitialised stack memory contents (bsc#1129623). - CVE-2018-19961 CVE-2018-19962: Fixed insufficient TLB flushing / improper large page mappings with AMD IOMMUs (XSA-275)(bsc#1115040). - CVE-2018-19965: Fixed denial of service issue from attempting to use INVPCID with a non-canonical addresses (XSA-279)(bsc#1115045). - CVE-2018-19966: Fixed issue introduced by XSA-240 that could have caused conflicts with shadow paging (XSA-280)(bsc#1115047). - Fixed an issue which could allow malicious PV guests may cause a host crash or gain access to data pertaining to other guests.Additionally, vulnerable configurations are likely to be unstable even in the absence of an attack (bsc#1126198). - Fixed multiple access violations introduced by XENMEM_exchange hypercall which could allow a single PV guest to leak arbitrary amounts of memory, leading to a denial of service (bsc#1126192). - Fixed an issue which could allow malicious 64bit PV guests to cause a host crash (bsc#1127400). - Fixed an issue which could allow malicious or buggy x86 PV guest kernels to mount a Denial of Service attack affecting the whole system (bsc#1126197). - Fixed an issue which could allow an untrusted PV domain with access to a physical device to DMA into its own pagetables leading to privilege escalation (bsc#1126195). - Fixed an issue which could allow a malicious or buggy x86 PV guest kernels can mount a Denial of Service attack affecting the whole system (bsc#1126196). Other issues addressed : - Upstream bug fixes (bsc#1027519) - Fixed an issue where live migrations were failing when spectre was enabled on xen boot cmdline (bsc#1116380). - Fixed an issue where setup of grant_tables and other variables may fail (bsc#1126325). - Fixed a building issue (bsc#1119161). - Fixed an issue where xpti=no-dom0 was not working as expected (bsc#1105528). - Packages should no longer use /var/adm/fillup-templates (bsc#1069468). - Added Xen cmdline option
    last seen2020-06-01
    modified2020-06-02
    plugin id124147
    published2019-04-18
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124147
    titleopenSUSE Security Update : xen (openSUSE-2019-1226)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2019-1226.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(124147);
      script_version("1.2");
      script_cvs_date("Date: 2020/01/23");
    
      script_cve_id("CVE-2018-19665", "CVE-2018-19961", "CVE-2018-19962", "CVE-2018-19965", "CVE-2018-19966", "CVE-2018-19967", "CVE-2019-6778", "CVE-2019-9824");
    
      script_name(english:"openSUSE Security Update : xen (openSUSE-2019-1226)");
      script_summary(english:"Check for the openSUSE-2019-1226 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for xen fixes the following issues :
    
    Security issues fixed :
    
      - CVE-2018-19967: Fixed HLE constructs that allowed guests
        to lock up the host, resulting in a Denial of Service
        (DoS). (XSA-282) (bsc#1114988)
    
      - CVE-2019-6778: Fixed a heap buffer overflow in tcp_emu()
        found in slirp (bsc#1123157).
    
      - Fixed an issue which could allow malicious or buggy
        guests with passed through PCI devices to be able to
        escalate their privileges, crash the host, or access
        data belonging to other guests. Additionally memory
        leaks were also possible (bsc#1126140).
    
      - Fixed a race condition issue which could allow malicious
        PV guests to escalate their privilege to that of the
        hypervisor (bsc#1126141).
    
      - Fixed an issue which could allow a malicious
        unprivileged guest userspace process to escalate its
        privilege to that of other userspace processes in the
        same guest and potentially thereby to that of the guest
        operating system (bsc#1126201).
    
      - CVE-2019-9824: Fixed an information leak in SLiRP
        networking implementation which could allow a
        user/process to read uninitialised stack memory contents
        (bsc#1129623).
    
      - CVE-2018-19961 CVE-2018-19962: Fixed insufficient TLB
        flushing / improper large page mappings with AMD IOMMUs
        (XSA-275)(bsc#1115040).
    
      - CVE-2018-19965: Fixed denial of service issue from
        attempting to use INVPCID with a non-canonical addresses
        (XSA-279)(bsc#1115045).
    
      - CVE-2018-19966: Fixed issue introduced by XSA-240 that
        could have caused conflicts with shadow paging
        (XSA-280)(bsc#1115047).
    
      - Fixed an issue which could allow malicious PV guests may
        cause a host crash or gain access to data pertaining to
        other guests.Additionally, vulnerable configurations are
        likely to be unstable even in the absence of an attack
        (bsc#1126198).
    
      - Fixed multiple access violations introduced by
        XENMEM_exchange hypercall which could allow a single PV
        guest to leak arbitrary amounts of memory, leading to a
        denial of service (bsc#1126192).
    
      - Fixed an issue which could allow malicious 64bit PV
        guests to cause a host crash (bsc#1127400).
    
      - Fixed an issue which could allow malicious or buggy x86
        PV guest kernels to mount a Denial of Service attack
        affecting the whole system (bsc#1126197).
    
      - Fixed an issue which could allow an untrusted PV domain
        with access to a physical device to DMA into its own
        pagetables leading to privilege escalation
        (bsc#1126195).
    
      - Fixed an issue which could allow a malicious or buggy
        x86 PV guest kernels can mount a Denial of Service
        attack affecting the whole system (bsc#1126196).
    
    Other issues addressed :
    
      - Upstream bug fixes (bsc#1027519)
    
      - Fixed an issue where live migrations were failing when
        spectre was enabled on xen boot cmdline (bsc#1116380).
    
      - Fixed an issue where setup of grant_tables and other
        variables may fail (bsc#1126325).
    
      - Fixed a building issue (bsc#1119161).
    
      - Fixed an issue where xpti=no-dom0 was not working as
        expected (bsc#1105528).
    
      - Packages should no longer use /var/adm/fillup-templates
        (bsc#1069468). 
    
      - Added Xen cmdline option 'suse_vtsc_tolerance' to avoid
        TSC emulation for HVM domUs (bsc#1026236).
    
    This update was imported from the SUSE:SLE-12-SP3:Update update
    project."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1026236"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1027519"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1069468"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1105528"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1114988"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1115040"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1115045"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1115047"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1116380"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1117756"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1119161"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1123157"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1126140"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1126141"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1126192"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1126195"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1126196"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1126197"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1126198"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1126201"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1126325"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1127400"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1129623"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected xen packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-doc-html");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-libs-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-libs-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-libs-debuginfo-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-tools-domU");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xen-tools-domU-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/06");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/04/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/04/18");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.3", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE42.3", reference:"xen-debugsource-4.9.4_02-37.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"xen-devel-4.9.4_02-37.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"xen-libs-4.9.4_02-37.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"xen-libs-debuginfo-4.9.4_02-37.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"xen-tools-domU-4.9.4_02-37.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"xen-tools-domU-debuginfo-4.9.4_02-37.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"xen-4.9.4_02-37.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"xen-doc-html-4.9.4_02-37.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"xen-libs-32bit-4.9.4_02-37.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"xen-libs-debuginfo-32bit-4.9.4_02-37.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"xen-tools-4.9.4_02-37.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"xen-tools-debuginfo-4.9.4_02-37.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen-debugsource / xen-devel / xen-libs-32bit / xen-libs / etc");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-0825-1.NASL
    descriptionThis update for xen fixes the following issues : Security issues fixed : CVE-2018-18849: Fixed an out of bounds memory access issue that was found in the LSI53C895A SCSI Host Bus Adapter emulation while writing a message in lsi_do_msgin. It could occur during migration if the
    last seen2020-06-01
    modified2020-06-02
    plugin id123633
    published2019-04-02
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123633
    titleSUSE SLES12 Security Update : xen (SUSE-SU-2019:0825-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2019:0825-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(123633);
      script_version("1.3");
      script_cvs_date("Date: 2020/01/27");
    
      script_cve_id("CVE-2017-13672", "CVE-2018-10839", "CVE-2018-17958", "CVE-2018-17962", "CVE-2018-17963", "CVE-2018-18438", "CVE-2018-18849", "CVE-2018-19665", "CVE-2018-19961", "CVE-2018-19962", "CVE-2018-19966", "CVE-2018-19967", "CVE-2019-6778", "CVE-2019-9824");
    
      script_name(english:"SUSE SLES12 Security Update : xen (SUSE-SU-2019:0825-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for xen fixes the following issues :
    
    Security issues fixed :
    
    CVE-2018-18849: Fixed an out of bounds memory access issue that was
    found in the LSI53C895A SCSI Host Bus Adapter emulation while writing
    a message in lsi_do_msgin. It could occur during migration if the
    'msg_len' field has an invalid value. A user/process could use this
    flaw to crash the Qemu process resulting in DoS (bsc#1114423).
    
    CVE-2018-19967: Fixed HLE constructs that allowed guests to lock up
    the host, resulting in a Denial of Service (DoS). (XSA-282)
    (bsc#1114988)
    
    CVE-2018-19665: Fixed an integer overflow in Bluetooth routines allows
    memory corruption (bsc#1117756).
    
    CVE-2018-18438: Fixed an integer overflow in ccid_card_vscard_read
    function which allows memory corruption (bsc#1112188).
    
    CVE-2018-17962: Fixed a Buffer Overflow in pcnet_receive in
    hw/net/pcnet.c because an incorrect integer data type is used
    (bsc#1111011).
    
    Fixed an issue which could allow a malicious unprivileged guest
    userspace process to escalate its privilege to that of other userspace
    processes in the same guest and potentially thereby to that of the
    guest operating system (bsc#1126201).
    
    CVE-2018-19961 CVE-2018-19962: Fixed insufficient TLB flushing /
    improper large page mappings with AMD IOMMUs (XSA-275)(bsc#1115040).
    
    CVE-2018-17963: Fixed qemu_deliver_packet_iov in net/net.c that
    accepts packet sizes greater than INT_MAX, which allows attackers to
    cause a denial of service or possibly have unspecified other impact.
    (bsc#1111014)
    
    Fixed an issue which could allow an untrusted PV domain with access to
    a physical device to DMA into its own pagetables leading to privilege
    escalation (bsc#1126195).
    
    Fixed an issue which could allow a malicious or buggy x86 PV guest
    kernels can mount a Denial of Service attack affecting the whole
    system (bsc#1126196)
    
    CVE-2018-17958: Fixed a Buffer Overflow in rtl8139_do_receive in
    hw/net/rtl8139.c because an incorrect integer data type is used
    (bsc#1111007).
    
    CVE-2018-10839: Fixed an integer overflow which could lead to a buffer
    overflow issue (bsc#1110924).
    
    CVE-2019-6778: Fixed a heap buffer overflow in tcp_emu() found in
    slirp (bsc#1123157).
    
    CVE-2018-19966: Fixed issue introduced by XSA-240 that could have
    caused conflicts with shadow paging (XSA-280)(bsc#1115047).
    
    CVE-2017-13672: Fixed an out of bounds read access during display
    update (bsc#1056336).
    
    Fixed multiple access violations introduced by XENMEM_exchange
    hypercall which could allow a single PV guest to leak arbitrary
    amounts of memory, leading to a denial of service (bsc#1126192).
    
    Fixed an issue which could allow malicious or buggy guests with passed
    through PCI devices to be able to escalate their privileges, crash the
    host, or access data belonging to other guests. Additionally memory
    leaks were also possible (bsc#1126140).
    
    Fixed a race condition issue which could allow malicious PV guests to
    escalate their privilege to that of the hypervisor (bsc#1126141).
    
    CVE-2019-9824: Fixed an information leak in SLiRP networking
    implementation which could allow a user/process to read uninitialised
    stack memory contents (bsc#1129623).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1056336"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1110924"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1111007"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1111011"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1111014"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1112188"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1114423"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1114988"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1115040"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1115047"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1117756"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1123157"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1126140"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1126141"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1126192"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1126195"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1126196"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1126201"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1129623"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-13672/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-10839/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-17958/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-17962/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-17963/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-18438/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-18849/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-19665/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-19961/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-19962/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-19966/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-19967/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-6778/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-9824/"
      );
      # https://www.suse.com/support/update/announcement/2019/suse-su-20190825-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?b393b666"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch
    SUSE-SLE-SAP-12-SP1-2019-825=1
    
    SUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch
    SUSE-SLE-SERVER-12-SP1-2019-825=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-doc-html");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-kmp-default");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-kmp-default-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-libs-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools-domU");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools-domU-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/09/01");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/04/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/04/02");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    if (cpu >!< "x86_64") audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(1)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP1", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"xen-4.5.5_28-22.58.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"xen-debugsource-4.5.5_28-22.58.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"xen-doc-html-4.5.5_28-22.58.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"xen-kmp-default-4.5.5_28_k3.12.74_60.64.107-22.58.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"xen-kmp-default-debuginfo-4.5.5_28_k3.12.74_60.64.107-22.58.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"xen-libs-32bit-4.5.5_28-22.58.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"xen-libs-4.5.5_28-22.58.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"xen-libs-debuginfo-32bit-4.5.5_28-22.58.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"xen-libs-debuginfo-4.5.5_28-22.58.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"xen-tools-4.5.5_28-22.58.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"xen-tools-debuginfo-4.5.5_28-22.58.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"xen-tools-domU-4.5.5_28-22.58.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"xen-tools-domU-debuginfo-4.5.5_28-22.58.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-0827-1.NASL
    descriptionThis update for xen fixes the following issues : Security issues fixed : CVE-2019-6778: Fixed a heap buffer overflow in tcp_emu() found in slirp (bsc#1123157). CVE-2017-13672: Fixed an out of bounds read access during display update (bsc#1056336). Fixed an issue which could allow malicious or buggy guests with passed through PCI devices to be able to escalate their privileges, crash the host, or access data belonging to other guests. Additionally memory leaks were also possible (bsc#1126140) Fixed a race condition issue which could allow malicious PV guests to escalate their privilege to that of the hypervisor (bsc#1126141). CVE-2018-18849: Fixed an out of bounds msg buffer access which could lead to denial of service (bsc#1114423). Fixed an issue which could allow a malicious unprivileged guest userspace process to escalate its privilege to that of other userspace processes in the same guest and potentially thereby to that of the guest operating system (bsc#1126201). CVE-2018-17958: Fixed an integer overflow leading to a buffer overflow in the rtl8139 component (bsc#1111007) CVE-2018-19967: Fixed HLE constructs that allowed guests to lock up the host, resulting in a Denial of Service (DoS). (XSA-282) (bsc#1114988) CVE-2018-19665: Fixed an integer overflow resulting in memory corruption in various Bluetooth functions, allowing this to crash qemu process resulting in Denial of Service (DoS). (bsc#1117756). CVE-2019-9824: Fixed an information leak in SLiRP networking implementation which could allow a user/process to read uninitialised stack memory contents (bsc#1129623). CVE-2018-19961, CVE-2018-19962: Fixed an issue related to insufficient TLB flushing with AMD IOMMUs, which potentially allowed a guest to escalate its privileges, may cause a Denial of Service (DoS) affecting the entire host, or may be able to access data it is not supposed to access. (XSA-275) (bsc#1115040) CVE-2018-19966: Fixed an issue related to a previous fix for XSA-240, which conflicted with shadow paging and allowed a guest to cause Xen to crash, resulting in a Denial of Service (DoS) (XSA-280) (bsc#1115047). CVE-2018-10839: Fixed an integer overflow leading to a buffer overflow in the ne2000 component (bsc#1110924). CVE-2018-19965: Fixed an issue related to the INVPCID instruction in case non-canonical addresses are accessed, which may allow a guest to cause Xen to crash, resulting in a Denial of Service (DoS) affecting the entire host. (XSA-279) (bsc#1115045). Fixed an issue which could allow malicious 64bit PV guests to cause a host crash (bsc#1127400). Fixed an issue which could allow malicious PV guests may cause a host crash or gain access to data pertaining to other guests.Additionally, vulnerable configurations are likely to be unstable even in the absence of an attack (bsc#1126198). Fixed multiple access violations introduced by XENMEM_exchange hypercall which could allow a single PV guest to leak arbitrary amounts of memory, leading to a denial of service (bsc#1126192). CVE-2018-17963: Fixed an integer overflow in relation to large packet sizes, leading to a denial of service (DoS). (bsc#1111014). Fixed an issue which could allow a malicious or buggy x86 PV guest kernels can mount a Denial of Service attack affecting the whole system (bsc#1126196). Fixed an issue which could allow an untrusted PV domain with access to a physical device to DMA into its own pagetables leading to privilege escalation (bsc#1126195). CVE-2018-17962: Fixed an integer overflow leading to a buffer overflow in the pcnet component (bsc#1111011) CVE-2018-18438: Fixed an integer overflow in ccid_card_vscard_read function which could lead to memory corruption (bsc#1112188). Other issues fixed: Upstream bug fixes (bsc#1027519) Fixed an issue where XEN SLE12-SP1 domU hangs on SLE12-SP3 HV1108940 (bsc#1108940). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id123634
    published2019-04-02
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123634
    titleSUSE SLES12 Security Update : xen (SUSE-SU-2019:0827-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2019:0827-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(123634);
      script_version("1.3");
      script_cvs_date("Date: 2020/01/27");
    
      script_cve_id("CVE-2017-13672", "CVE-2018-10839", "CVE-2018-17958", "CVE-2018-17962", "CVE-2018-17963", "CVE-2018-18438", "CVE-2018-18849", "CVE-2018-19665", "CVE-2018-19961", "CVE-2018-19962", "CVE-2018-19965", "CVE-2018-19966", "CVE-2018-19967", "CVE-2019-6778", "CVE-2019-9824");
    
      script_name(english:"SUSE SLES12 Security Update : xen (SUSE-SU-2019:0827-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for xen fixes the following issues :
    
    Security issues fixed :
    
    CVE-2019-6778: Fixed a heap buffer overflow in tcp_emu() found in
    slirp (bsc#1123157).
    
    CVE-2017-13672: Fixed an out of bounds read access during display
    update (bsc#1056336).
    
    Fixed an issue which could allow malicious or buggy guests with passed
    through PCI devices to be able to escalate their privileges, crash the
    host, or access data belonging to other guests. Additionally memory
    leaks were also possible (bsc#1126140)
    
    Fixed a race condition issue which could allow malicious PV guests to
    escalate their privilege to that of the hypervisor (bsc#1126141).
    
    CVE-2018-18849: Fixed an out of bounds msg buffer access which could
    lead to denial of service (bsc#1114423).
    
    Fixed an issue which could allow a malicious unprivileged guest
    userspace process to escalate its privilege to that of other userspace
    processes in the same guest and potentially thereby to that of the
    guest operating system (bsc#1126201).
    
    CVE-2018-17958: Fixed an integer overflow leading to a buffer overflow
    in the rtl8139 component (bsc#1111007)
    
    CVE-2018-19967: Fixed HLE constructs that allowed guests to lock up
    the host, resulting in a Denial of Service (DoS). (XSA-282)
    (bsc#1114988)
    
    CVE-2018-19665: Fixed an integer overflow resulting in memory
    corruption in various Bluetooth functions, allowing this to crash qemu
    process resulting in Denial of Service (DoS). (bsc#1117756).
    
    CVE-2019-9824: Fixed an information leak in SLiRP networking
    implementation which could allow a user/process to read uninitialised
    stack memory contents (bsc#1129623).
    
    CVE-2018-19961, CVE-2018-19962: Fixed an issue related to insufficient
    TLB flushing with AMD IOMMUs, which potentially allowed a guest to
    escalate its privileges, may cause a Denial of Service (DoS) affecting
    the entire host, or may be able to access data it is not supposed to
    access. (XSA-275) (bsc#1115040)
    
    CVE-2018-19966: Fixed an issue related to a previous fix for XSA-240,
    which conflicted with shadow paging and allowed a guest to cause Xen
    to crash, resulting in a Denial of Service (DoS) (XSA-280)
    (bsc#1115047).
    
    CVE-2018-10839: Fixed an integer overflow leading to a buffer overflow
    in the ne2000 component (bsc#1110924).
    
    CVE-2018-19965: Fixed an issue related to the INVPCID instruction in
    case non-canonical addresses are accessed, which may allow a guest to
    cause Xen to crash, resulting in a Denial of Service (DoS) affecting
    the entire host. (XSA-279) (bsc#1115045).
    
    Fixed an issue which could allow malicious 64bit PV guests to cause a
    host crash (bsc#1127400).
    
    Fixed an issue which could allow malicious PV guests may cause a host
    crash or gain access to data pertaining to other guests.Additionally,
    vulnerable configurations are likely to be unstable even in the
    absence of an attack (bsc#1126198).
    
    Fixed multiple access violations introduced by XENMEM_exchange
    hypercall which could allow a single PV guest to leak arbitrary
    amounts of memory, leading to a denial of service (bsc#1126192).
    
    CVE-2018-17963: Fixed an integer overflow in relation to large packet
    sizes, leading to a denial of service (DoS). (bsc#1111014).
    
    Fixed an issue which could allow a malicious or buggy x86 PV guest
    kernels can mount a Denial of Service attack affecting the whole
    system (bsc#1126196).
    
    Fixed an issue which could allow an untrusted PV domain with access to
    a physical device to DMA into its own pagetables leading to privilege
    escalation (bsc#1126195).
    
    CVE-2018-17962: Fixed an integer overflow leading to a buffer overflow
    in the pcnet component (bsc#1111011)
    
    CVE-2018-18438: Fixed an integer overflow in ccid_card_vscard_read
    function which could lead to memory corruption (bsc#1112188).
    
    Other issues fixed: Upstream bug fixes (bsc#1027519)
    
    Fixed an issue where XEN SLE12-SP1 domU hangs on SLE12-SP3 HV1108940
    (bsc#1108940).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1027519"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1056336"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1105528"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1108940"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1110924"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1111007"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1111011"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1111014"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1112188"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1114423"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1114988"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1115040"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1115045"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1115047"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1117756"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1123157"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1126140"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1126141"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1126192"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1126195"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1126196"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1126198"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1126201"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1127400"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1129623"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-13672/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-10839/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-17958/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-17962/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-17963/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-18438/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-18849/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-19665/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-19961/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-19962/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-19965/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-19966/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-19967/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-6778/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-9824/"
      );
      # https://www.suse.com/support/update/announcement/2019/suse-su-20190827-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?cffa6960"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Server 12-LTSS:zypper in -t patch
    SUSE-SLE-SERVER-12-2019-827=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-doc-html");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-kmp-default");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-kmp-default-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-libs-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools-domU");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools-domU-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/09/01");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/04/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/04/02");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    if (cpu >!< "x86_64") audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(0)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP0", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"xen-4.4.4_40-22.77.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"xen-debugsource-4.4.4_40-22.77.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"xen-doc-html-4.4.4_40-22.77.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"xen-kmp-default-4.4.4_40_k3.12.61_52.146-22.77.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"xen-kmp-default-debuginfo-4.4.4_40_k3.12.61_52.146-22.77.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"xen-libs-32bit-4.4.4_40-22.77.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"xen-libs-4.4.4_40-22.77.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"xen-libs-debuginfo-32bit-4.4.4_40-22.77.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"xen-libs-debuginfo-4.4.4_40-22.77.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"xen-tools-4.4.4_40-22.77.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"xen-tools-debuginfo-4.4.4_40-22.77.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"xen-tools-domU-4.4.4_40-22.77.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"xen-tools-domU-debuginfo-4.4.4_40-22.77.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1949.NASL
    descriptionMultiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, informations leaks or privilege escalation. For Debian 8
    last seen2020-06-01
    modified2020-06-02
    plugin id129734
    published2019-10-09
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129734
    titleDebian DLA-1949-1 : xen security update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-1949-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(129734);
      script_version("1.2");
      script_cvs_date("Date: 2019/12/19");
    
      script_cve_id("CVE-2018-19961", "CVE-2018-19962", "CVE-2018-19966");
    
      script_name(english:"Debian DLA-1949-1 : xen security update");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Multiple vulnerabilities have been discovered in the Xen hypervisor,
    which could result in denial of service, informations leaks or
    privilege escalation. For Debian 8 'Jessie', these problems have been
    fixed in version 4.4.4lts5-0+deb8u1.
    
    We recommend that you upgrade your xen packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2019/10/msg00008.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/jessie/xen"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libxen-4.4");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libxen-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libxenstore3.0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen-hypervisor-4.4-amd64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen-hypervisor-4.4-arm64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen-hypervisor-4.4-armhf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen-system-amd64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen-system-arm64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen-system-armhf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen-utils-4.4");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen-utils-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xenstore-utils");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/10/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/09");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"8.0", prefix:"libxen-4.4", reference:"4.4.4lts5-0+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"libxen-dev", reference:"4.4.4lts5-0+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"libxenstore3.0", reference:"4.4.4lts5-0+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"xen-hypervisor-4.4-amd64", reference:"4.4.4lts5-0+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"xen-hypervisor-4.4-arm64", reference:"4.4.4lts5-0+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"xen-hypervisor-4.4-armhf", reference:"4.4.4lts5-0+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"xen-system-amd64", reference:"4.4.4lts5-0+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"xen-system-arm64", reference:"4.4.4lts5-0+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"xen-system-armhf", reference:"4.4.4lts5-0+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"xen-utils-4.4", reference:"4.4.4lts5-0+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"xen-utils-common", reference:"4.4.4lts5-0+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"xenstore-utils", reference:"4.4.4lts5-0+deb8u1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-13921-1.NASL
    descriptionThis update for xen fixes the following issues : Security vulnerabilities fixed : CVE-2018-19961, CVE-2018-19962: Fixed an issue related to insufficient TLB flushing with AMD IOMMUs, which potentially allowed a guest to escalate its privileges, may cause a Denial of Service (DoS) affecting the entire host, or may be able to access data it is not supposed to access. (XSA-275) (bsc#1115040) CVE-2018-19965: Fixed an issue related to the INVPCID instruction in case non-canonical addresses are accessed, which may allow a guest to cause Xen to crash, resulting in a Denial of Service (DoS) affecting the entire host. (XSA-279) (bsc#1115045) CVE-2018-19966: Fixed an issue related to a previous fix for XSA-240, which conflicted with shadow paging and allowed a guest to cause Xen to crash, resulting in a Denial of Service (DoS) (XSA-280) (bsc#1115047) CVE-2018-19967: Fixed HLE constructs that allowed guests to lock up the host, resulting in a Denial of Service (DoS). (XSA-282) (bsc#1114988) CVE-2018-19665: Fixed an integer overflow resulting in memory corruption in various Bluetooth functions, allowing this to crash qemu process resulting in Denial of Service (DoS). (bsc#1117756). CVE-2018-18849: Fixed an out of bounds memory access in the LSI53C895A SCSI host bus adapter emulation, which allowed a user and/or process to crash the qemu process resulting in a Denial of Service (DoS). (bsc#1114423) Fixed an integer overflow in ccid_card_vscard_read(), which allowed for memory corruption. (bsc#1112188) CVE-2017-13672: Fixed an out of bounds read access during display update (bsc#1056336) CVE-2018-17958: Fixed an integer overflow leading to a buffer overflow in the rtl8139 component (bsc#1111007) CVE-2018-17962: Fixed an integer overflow leading to a buffer overflow in the pcnet component (bsc#1111011) CVE-2018-17963: Fixed an integer overflow in relation to large packet sizes, leading to a denial of service (DoS). (bsc#1111014) CVE-2018-10839: Fixed an integer overflow leading to a buffer overflow in the ne2000 component (bsc#1110924) Other bugs fixed: Fixed an issue related to a domU hang on SLE12-SP3 HV (bsc#1108940) Upstream bug fixes (bsc#1027519) Fixed crashing VMs when migrating between dom0 hosts (bsc#1031382) Fixed an issue with xpti=no-dom0 not working as expected (bsc#1105528) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-18
    modified2019-01-08
    plugin id121004
    published2019-01-08
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121004
    titleSUSE SLES11 Security Update : xen (SUSE-SU-2019:13921-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2019:13921-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(121004);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/26");
    
      script_cve_id("CVE-2017-13672", "CVE-2018-10839", "CVE-2018-17958", "CVE-2018-17962", "CVE-2018-17963", "CVE-2018-18438", "CVE-2018-18849", "CVE-2018-19665", "CVE-2018-19961", "CVE-2018-19962", "CVE-2018-19965", "CVE-2018-19966", "CVE-2018-19967");
    
      script_name(english:"SUSE SLES11 Security Update : xen (SUSE-SU-2019:13921-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for xen fixes the following issues :
    
    Security vulnerabilities fixed :
    
    CVE-2018-19961, CVE-2018-19962: Fixed an issue related to insufficient
    TLB flushing with AMD IOMMUs, which potentially allowed a guest to
    escalate its privileges, may cause a Denial of Service (DoS) affecting
    the entire host, or may be able to access data it is not supposed to
    access. (XSA-275) (bsc#1115040)
    
    CVE-2018-19965: Fixed an issue related to the INVPCID instruction in
    case non-canonical addresses are accessed, which may allow a guest to
    cause Xen to crash, resulting in a Denial of Service (DoS) affecting
    the entire host. (XSA-279) (bsc#1115045)
    
    CVE-2018-19966: Fixed an issue related to a previous fix for XSA-240,
    which conflicted with shadow paging and allowed a guest to cause Xen
    to crash, resulting in a Denial of Service (DoS) (XSA-280)
    (bsc#1115047)
    
    CVE-2018-19967: Fixed HLE constructs that allowed guests to lock up
    the host, resulting in a Denial of Service (DoS). (XSA-282)
    (bsc#1114988)
    
    CVE-2018-19665: Fixed an integer overflow resulting in memory
    corruption in various Bluetooth functions, allowing this to crash qemu
    process resulting in Denial of Service (DoS). (bsc#1117756).
    
    CVE-2018-18849: Fixed an out of bounds memory access in the LSI53C895A
    SCSI host bus adapter emulation, which allowed a user and/or process
    to crash the qemu process resulting in a Denial of Service (DoS).
    (bsc#1114423)
    
    Fixed an integer overflow in ccid_card_vscard_read(), which allowed
    for memory corruption. (bsc#1112188)
    
    CVE-2017-13672: Fixed an out of bounds read access during display
    update (bsc#1056336)
    
    CVE-2018-17958: Fixed an integer overflow leading to a buffer overflow
    in the rtl8139 component (bsc#1111007)
    
    CVE-2018-17962: Fixed an integer overflow leading to a buffer overflow
    in the pcnet component (bsc#1111011)
    
    CVE-2018-17963: Fixed an integer overflow in relation to large packet
    sizes, leading to a denial of service (DoS). (bsc#1111014)
    
    CVE-2018-10839: Fixed an integer overflow leading to a buffer overflow
    in the ne2000 component (bsc#1110924)
    
    Other bugs fixed: Fixed an issue related to a domU hang on SLE12-SP3
    HV (bsc#1108940)
    
    Upstream bug fixes (bsc#1027519)
    
    Fixed crashing VMs when migrating between dom0 hosts (bsc#1031382)
    
    Fixed an issue with xpti=no-dom0 not working as expected (bsc#1105528)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1027519"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1031382"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1056336"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1105528"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1108940"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1110924"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1111007"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1111011"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1111014"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1112188"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1114423"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1114988"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1115040"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1115045"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1115047"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1117756"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-13672/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-10839/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-17958/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-17962/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-17963/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-18438/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-18849/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-19665/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-19961/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-19962/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-19965/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-19966/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-19967/"
      );
      # https://www.suse.com/support/update/announcement/2019/suse-su-201913921-1.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?5a7a12fa"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Software Development Kit 11-SP4:zypper in -t
    patch sdksp4-xen-13921=1
    
    SUSE Linux Enterprise Server 11-SP4:zypper in -t patch
    slessp4-xen-13921=1
    
    SUSE Linux Enterprise Debuginfo 11-SP4:zypper in -t patch
    dbgsp4-xen-13921=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-doc-html");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-kmp-default");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-kmp-pae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools-domU");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/09/01");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/01/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/08");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    if (cpu >!< "i386|i486|i586|i686|x86_64") audit(AUDIT_ARCH_NOT, "i386 / i486 / i586 / i686 / x86_64", cpu);
    
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES11" && (! preg(pattern:"^(4)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP4", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"xen-kmp-default-4.4.4_38_3.0.101_108.84-61.40.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"xen-libs-4.4.4_38-61.40.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"xen-tools-domU-4.4.4_38-61.40.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"xen-4.4.4_38-61.40.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"xen-doc-html-4.4.4_38-61.40.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"xen-libs-32bit-4.4.4_38-61.40.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"xen-tools-4.4.4_38-61.40.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"xen-kmp-pae-4.4.4_38_3.0.101_108.84-61.40.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"xen-kmp-default-4.4.4_38_3.0.101_108.84-61.40.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"xen-libs-4.4.4_38-61.40.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"xen-tools-domU-4.4.4_38-61.40.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"xen-kmp-pae-4.4.4_38_3.0.101_108.84-61.40.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen");
    }