RHSA-2011:1212

55082

GLSA-201309-24

[oss-security] 20110902 Xen Security Advisory 4 (CVE-2011-2901) - Xen 3.3 vaddr validation

https://bugzilla.redhat.com/show_bug.cgi?id=728042

The remote VMware ESX / ESXi host is missing a security-related patch.
It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several third-party libraries :

  - COS kernel
  - cURL
  - python
  - rpm

The remote host is affected by the vulnerability described in GLSA-201309-24 (Xen: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Xen. Please review the       CVE identifiers referenced below for details.
  Impact :

    Guest domains could possibly gain privileges, execute arbitrary code, or       cause a Denial of Service on the host domain (Dom0). Additionally, guest       domains could gain information about other virtual machines running on       the same host or read arbitrary files on the host.
  Workaround :

    The CVEs listed below do not currently have fixes, but only apply to Xen       setups which have &ldquo;tmem&rdquo; specified on the hypervisor command line.
      TMEM is not currently supported for use in production systems, and       administrators using tmem should disable it.
      Relevant CVEs:
      * CVE-2012-2497
      * CVE-2012-6030
      * CVE-2012-6031
      * CVE-2012-6032
      * CVE-2012-6033
      * CVE-2012-6034
      * CVE-2012-6035
      * CVE-2012-6036

From Red Hat Security Advisory 2011:1212 :

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* A NULL pointer dereference flaw was found in the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation. A remote attacker could send a specially crafted SCTP packet to a target system, resulting in a denial of service. (CVE-2011-2482, Important)

* A flaw in the Linux kernel's client-side NFS Lock Manager (NLM) implementation could allow a local, unprivileged user to cause a denial of service. (CVE-2011-2491, Important)

* Buffer overflow flaws in the Linux kernel's netlink-based wireless configuration interface implementation could allow a local user, who has the CAP_NET_ADMIN capability, to cause a denial of service or escalate their privileges on systems that have an active wireless interface. (CVE-2011-2517, Important)

* A flaw was found in the way the Linux kernel's Xen hypervisor implementation emulated the SAHF instruction. When using a fully-virtualized guest on a host that does not use hardware assisted paging (HAP), such as those running CPUs that do not have support for (or those that have it disabled) Intel Extended Page Tables (EPT) or AMD Virtualization (AMD-V) Rapid Virtualization Indexing (RVI), a privileged guest user could trigger this flaw to cause the hypervisor to crash. (CVE-2011-2519, Moderate)

* An off-by-one flaw was found in the __addr_ok() macro in the Linux kernel's Xen hypervisor implementation when running on 64-bit systems.
A privileged guest user could trigger this flaw to cause the hypervisor to crash. (CVE-2011-2901, Moderate)

* /proc/[PID]/io is world-readable by default. Previously, these files could be read without any further restrictions. A local, unprivileged user could read these files, belonging to other, possibly privileged processes to gather confidential information, such as the length of a password used in a process. (CVE-2011-2495, Low)

Red Hat would like to thank Vasily Averin for reporting CVE-2011-2491, and Vasiliy Kulikov of Openwall for reporting CVE-2011-2495.

This update also fixes several bugs. Documentation for these bug fixes will be available shortly from the Technical Notes document linked to in the References section.

Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect.

Updated kernel packages that fix several security issues and various bugs are now available for Red Hat Enterprise Linux 5.6 Extended Update Support.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

These packages contain the Linux kernel.

This update fixes the following security issues :

* A flaw in the Stream Control Transmission Protocol (SCTP) implementation could allow a remote attacker to cause a denial of service by sending a specially crafted SCTP packet to a target system.
(CVE-2011-2482, Important)

If you do not run applications that use SCTP, you can prevent the sctp module from being loaded by adding the following to the end of the '/etc/modprobe.d/blacklist.conf' file :

blacklist sctp

This way, the sctp module cannot be loaded accidentally, which may occur if an application that requires SCTP is started. A reboot is not necessary for this change to take effect.

* A flaw in the client-side NFS Lock Manager (NLM) implementation could allow a local, unprivileged user to cause a denial of service.
(CVE-2011-2491, Important)

* Flaws in the netlink-based wireless configuration interface could allow a local user, who has the CAP_NET_ADMIN capability, to cause a denial of service or escalate their privileges on systems that have an active wireless interface. (CVE-2011-2517, Important)

* A flaw was found in the way the Linux kernel's Xen hypervisor implementation emulated the SAHF instruction. When using a fully-virtualized guest on a host that does not use hardware assisted paging (HAP), such as those running CPUs that do not have support for (or those that have it disabled) Intel Extended Page Tables (EPT) or AMD Virtualization (AMD-V) Rapid Virtualization Indexing (RVI), a privileged guest user could trigger this flaw to cause the hypervisor to crash. (CVE-2011-2519, Moderate)

* A flaw in the __addr_ok() macro in the Linux kernel's Xen hypervisor implementation when running on 64-bit systems could allow a privileged guest user to crash the hypervisor. (CVE-2011-2901, Moderate)

* /proc/[PID]/io is world-readable by default. Previously, these files could be read without any further restrictions. A local, unprivileged user could read these files, belonging to other, possibly privileged processes to gather confidential information, such as the length of a password used in a process. (CVE-2011-2495, Low)

Red Hat would like to thank Vasily Averin for reporting CVE-2011-2491, and Vasiliy Kulikov of Openwall for reporting CVE-2011-2495.

This update also fixes the following bugs :

* On Broadcom PCI cards that use the tg3 driver, the operational state of a network device, represented by the value in '/sys/class/net/ethX/operstate', was not initialized by default.
Consequently, the state was reported as 'unknown' when the tg3 network device was actually in the 'up' state. This update modifies the tg3 driver to properly set the operstate value. (BZ#744699)

* A KVM (Kernel-based Virtual Machine) guest can get preempted by the host, when a higher priority process needs to run. When a guest is not running for several timer interrupts in a row, ticks could be lost, resulting in the jiffies timer advancing slower than expected and timeouts taking longer than expected. To correct for the issue of lost ticks, do_timer_tsc_timekeeping() checks a reference clock source (kvm-clock when running as a KVM guest) to see if timer interrupts have been missed. If so, jiffies is incremented by the number of missed timer interrupts, ensuring that programs are woken up on time.
(BZ#747874)

* When a block device object was allocated, the bd_super field was not being explicitly initialized to NULL. Previously, users of the block device object could set bd_super to NULL when the object was released by calling the kill_block_super() function. Certain third-party file systems do not always use this function, and bd_super could therefore become uninitialized when the object was allocated again. This could cause a kernel panic in the blkdev_releasepage() function, when the uninitialized bd_super field was dereferenced. Now, bd_super is properly initialized in the bdget() function, and the kernel panic no longer occurs. (BZ#751137)

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

  - A NULL pointer dereference flaw was found in the Linux     kernel's Stream Control Transmission Protocol (SCTP)     implementation. A remote attacker could send a specially     crafted SCTP packet to a target system, resulting in a     denial of service. (CVE-2011-2482, Important)

  - A flaw in the Linux kernel's client-side NFS Lock     Manager (NLM) implementation could allow a local,     unprivileged user to cause a denial of service.
    (CVE-2011-2491, Important)

  - Buffer overflow flaws in the Linux kernel's     netlink-based wireless configuration interface     implementation could allow a local user, who has the     CAP_NET_ADMIN capability, to cause a denial of service     or escalate their privileges on systems that have an     active wireless interface. (CVE-2011-2517, Important)

  - A flaw was found in the way the Linux kernel's Xen     hypervisor implementation emulated the SAHF instruction.
    When using a fully-virtualized guest on a host that does     not use hardware assisted paging (HAP), such as those     running CPUs that do not have support for (or those that     have it disabled) Intel Extended Page Tables (EPT) or     AMD Virtualization (AMD-V) Rapid Virtualization Indexing     (RVI), a privileged guest user could trigger this flaw     to cause the hypervisor to crash. (CVE-2011-2519,     Moderate)

  - An off-by-one flaw was found in the __addr_ok() macro in     the Linux kernel's Xen hypervisor implementation when     running on 64-bit systems. A privileged guest user could     trigger this flaw to cause the hypervisor to crash.
    (CVE-2011-2901, Moderate)

  - /proc/[PID]/io is world-readable by default. Previously,     these files could be read without any further     restrictions. A local, unprivileged user could read     these files, belonging to other, possibly privileged     processes to gather confidential information, such as     the length of a password used in a process.
    (CVE-2011-2495, Low)

This update also fixes several bugs. Documentation for these bug fixes will be available shortly from the Technical Notes document linked to in the References section.

Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect.

a. ESX third-party update for Service Console kernel      The ESX Service Console Operating System (COS) kernel is updated to    kernel-2.6.18-274.3.1.el5 to fix multiple security issues in the    COS kernel.
     The Common Vulnerabilities and Exposures project (cve.mitre.org) has    assigned the names CVE-2011-0726, CVE-2011-1078, CVE-2011-1079,    CVE-2011-1080, CVE-2011-1093, CVE-2011-1163, CVE-2011-1166,    CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-1494,    CVE-2011-1495, CVE-2011-1577, CVE-2011-1763, CVE-2010-4649,    CVE-2011-0695, CVE-2011-0711, CVE-2011-1044, CVE-2011-1182,    CVE-2011-1573, CVE-2011-1576, CVE-2011-1593, CVE-2011-1745,    CVE-2011-1746, CVE-2011-1776, CVE-2011-1936, CVE-2011-2022,    CVE-2011-2213, CVE-2011-2492, CVE-2011-1780, CVE-2011-2525,    CVE-2011-2689, CVE-2011-2482, CVE-2011-2491, CVE-2011-2495,    CVE-2011-2517, CVE-2011-2519, CVE-2011-2901 to these issues.
  b. ESX third-party update for Service Console cURL RPM      The ESX Service Console (COS) curl RPM is updated to cURL-7.15.5.9    resolving a security issues.
     The Common Vulnerabilities and Exposures project (cve.mitre.org) has    assigned the name CVE-2011-2192 to this issue.
  c. ESX third-party update for Service Console nspr and nss RPMs      The ESX Service Console (COS) nspr and nss RPMs are updated to    nspr-4.8.8-1.el5_7 and nss-3.12.10-4.el5_7 respectively resolving    a security issues.
     A Certificate Authority (CA) issued fraudulent SSL certificates and    Netscape Portable Runtime (NSPR) and Network Security Services (NSS)    contain the built-in tokens of this fraudulent Certificate    Authority. This update renders all SSL certificates signed by the    fraudulent CA as untrusted for all uses.
  d. ESX third-party update for Service Console rpm RPMs      The ESX Service Console Operating System (COS) rpm packages are    updated to popt-1.10.2.3-22.el5_7.2, rpm-4.4.2.3-22.el5_7.2,    rpm-libs-4.4.2.3-22.el5_7.2 and rpm-python-4.4.2.3-22.el5_7.2    which fixes multiple security issues.
     The Common Vulnerabilities and Exposures project (cve.mitre.org) has    assigned the names CVE-2010-2059 and CVE-2011-3378 to these    issues.
  e. ESX third-party update for Service Console samba RPMs      The ESX Service Console Operating System (COS) samba packages are    updated to samba-client-3.0.33-3.29.el5_7.4,    samba-common-3.0.33-3.29.el5_7.4 and    libsmbclient-3.0.33-3.29.el5_7.4 which fixes multiple security    issues in the Samba client.
     The Common Vulnerabilities and Exposures project (cve.mitre.org) has    assigned the names CVE-2010-0547, CVE-2010-0787, CVE-2011-1678,    CVE-2011-2522 and CVE-2011-2694 to these issues.
     Note that ESX does not include the Samba Web Administration Tool    (SWAT) and therefore ESX COS is not affected by CVE-2011-2522 and    CVE-2011-2694.
  f. ESX third-party update for Service Console python package      The ESX Service Console (COS) python package is updated to    2.4.3-44 which fixes multiple security issues.
     The Common Vulnerabilities and Exposures project (cve.mitre.org) has    assigned the names CVE-2009-3720, CVE-2010-3493, CVE-2011-1015 and    CVE-2011-1521 to these issues.
  g. ESXi update to third-party component python      The python third-party library is updated to python 2.5.6 which    fixes multiple security issues.
     The Common Vulnerabilities and Exposures project (cve.mitre.org) has    assigned the names CVE-2009-3560, CVE-2009-3720, CVE-2010-1634,    CVE-2010-2089, and CVE-2011-1521 to these issues.

This update fixes a denial of service (Host Crash) in the XEN hypervisor. (CVE-2011-2901)

This update fixes various bugs in XEN :

The following security issues have been fixed :

  - A denial of service (Host Crash) in the XEN hypervisor.
    (CVE-2011-2901)

  - A bug was found in the way Xen handles CPUID instruction     emulation during VM exits. An unprivileged guest user     can potentially use this flaw to crash the guest.
    (CVE-2011-1936)

  - A 64-bit guest can get one of its vcpus into non-kernel     mode without first providing a valid non-kernel     pagetable. The observed failure mode was usually a hard     lockup of the host (host denial of service).
    (CVE-2011-1166)

It fixes also the following bugs :

  - SLES 10 SP3 XEN: Device /dev/xvdp is already connected     error when starting multiple vm's. (bnc#654798)

  - HVM taking too long to dump vmcore. (bnc#684297)

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* A NULL pointer dereference flaw was found in the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation. A remote attacker could send a specially crafted SCTP packet to a target system, resulting in a denial of service. (CVE-2011-2482, Important)

* A flaw in the Linux kernel's client-side NFS Lock Manager (NLM) implementation could allow a local, unprivileged user to cause a denial of service. (CVE-2011-2491, Important)

* Buffer overflow flaws in the Linux kernel's netlink-based wireless configuration interface implementation could allow a local user, who has the CAP_NET_ADMIN capability, to cause a denial of service or escalate their privileges on systems that have an active wireless interface. (CVE-2011-2517, Important)

* A flaw was found in the way the Linux kernel's Xen hypervisor implementation emulated the SAHF instruction. When using a fully-virtualized guest on a host that does not use hardware assisted paging (HAP), such as those running CPUs that do not have support for (or those that have it disabled) Intel Extended Page Tables (EPT) or AMD Virtualization (AMD-V) Rapid Virtualization Indexing (RVI), a privileged guest user could trigger this flaw to cause the hypervisor to crash. (CVE-2011-2519, Moderate)

* An off-by-one flaw was found in the __addr_ok() macro in the Linux kernel's Xen hypervisor implementation when running on 64-bit systems.
A privileged guest user could trigger this flaw to cause the hypervisor to crash. (CVE-2011-2901, Moderate)

* /proc/[PID]/io is world-readable by default. Previously, these files could be read without any further restrictions. A local, unprivileged user could read these files, belonging to other, possibly privileged processes to gather confidential information, such as the length of a password used in a process. (CVE-2011-2495, Low)

Red Hat would like to thank Vasily Averin for reporting CVE-2011-2491, and Vasiliy Kulikov of Openwall for reporting CVE-2011-2495.

This update also fixes several bugs. Documentation for these bug fixes will be available shortly from the Technical Notes document linked to in the References section.

Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2011-1212.

ID	Name	Product	Family	Severity
89105	VMware ESX / ESXi Service Console and Third-Party Libraries Multiple Vulnerabilities (VMSA-2012-0001) (remote check)	Nessus	Misc.	high
70184	GLSA-201309-24 : Xen: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
68334	Oracle Linux 5 : kernel (ELSA-2011-1212)	Nessus	Oracle Linux Local Security Checks	high
64015	RHEL 5 : kernel (RHSA-2011:1813)	Nessus	Red Hat Local Security Checks	high
61132	Scientific Linux Security Update : kernel on SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
57749	VMSA-2012-0001 : VMware ESXi and ESX updates to third-party library and ESX Service Console	Nessus	VMware ESX Local Security Checks	high
57267	SuSE 10 Security Update : Xen (ZYPP Patch Number 7699)	Nessus	SuSE Local Security Checks	medium
56618	SuSE 10 Security Update : Xen (ZYPP Patch Number 7703)	Nessus	SuSE Local Security Checks	medium
56271	CentOS 5 : kernel (CESA-2011:1212)	Nessus	CentOS Local Security Checks	high
56110	RHEL 5 : kernel (RHSA-2011:1212)	Nessus	Red Hat Local Security Checks	high
801509	CentOS RHSA-2011-1212 Security Check	Log Correlation Engine	Generic	high

CVE-2011-2901

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins