FreeBSD : xen-kernel -- x86 software guest page walk PS bit handling flaw (e43b210a-4212-11e6-942d-bc5ff45d0f28)

high Nessus Plugin ID 91936

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

The Xen Project reports :

The Page Size (PS) page table entry bit exists at all page table levels other than L1. Its meaning is reserved in L4, and conditionally reserved in L3 and L2 (depending on hardware capabilities). The software page table walker in the hypervisor, however, so far ignored that bit in L4 and (on respective hardware) L3 entries, resulting in pages to be treated as page tables which the guest OS may not have designated as such. If the page in question is writable by an unprivileged user, then that user will be able to map arbitrary guest memory.

On vulnerable OSes, guest user mode code may be able to establish mappings of arbitrary memory inside the guest, allowing it to elevate its privileges inside the guest.

Solution

Update the affected package.

See Also

http://xenbits.xen.org/xsa/advisory-176.html

http://www.nessus.org/u?7aec634e

Plugin Details

Severity: High

ID: 91936

File Name: freebsd_pkg_e43b210a421211e6942dbc5ff45d0f28.nasl

Version: 2.4

Type: local

Published: 7/5/2016

Updated: 1/4/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.2

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 8.4

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:xen-kernel, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 7/4/2016

Vulnerability Publication Date: 5/17/2016

Reference Information

CVE: CVE-2016-4480