SUSE-SU-2015:1042

SUSE-SU-2015:1045

SUSE-SU-2015:1157

http://support.citrix.com/article/CTX201145

DSA-3286

75141

1032568

http://xenbits.xen.org/xsa/advisory-134.html

GLSA-201604-03

https://support.citrix.com/article/CTX206006

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0248 for details.

The remote host is affected by the vulnerability described in GLSA-201604-03 (Xen: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Xen. Please review the       CVE identifiers referenced below for details.
  Impact :

    A local attacker could possibly cause a Denial of Service condition or       obtain sensitive information.
  Workaround :

    There is no known workaround at this time.

The Xen Project reports :

With the introduction of version 2 grant table operations, a version check became necessary for most grant table related hypercalls. The GNTTABOP_swap_grant_ref call was lacking such a check. As a result, the subsequent code behaved as if version 2 was in use, when a guest issued this hypercall without a prior GNTTABOP_setup_table or GNTTABOP_set_version.

The effect is a possible NULL pointer dereferences. However, this cannot be exploited to elevate privileges of the attacking domain, as the maximum memory address that can be wrongly accessed this way is bounded to far below the start of hypervisor memory.

Malicious or buggy guest domain kernels can mount a denial of service attack which, if successful, can affect the whole system.

Xen was updated to fix six security issues :

CVE-2015-4103: Potential unintended writes to host MSI message data field via qemu. (XSA-128, bsc#931625)

CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests.
(XSA-129, bsc#931626)

CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error messages. (XSA-130, bsc#931627)

CVE-2015-4106: Unmediated PCI register access in qemu. (XSA-131, bsc#931628)

CVE-2015-3209: Heap overflow in qemu pcnet controller allowing guest to host escape. (XSA-135, bsc#932770)

CVE-2015-4164: DoS through iret hypercall handler. (XSA-136, bsc#932996)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Xen was updated to fix eight vulnerabilities.

The following vulnerabilities were fixed :

  - CVE-2015-2751: Certain domctl operations may be abused     to lock up the host (XSA-127 boo#922709)

  - CVE-2015-4103: Potential unintended writes to host MSI     message data field via qemu (XSA-128) (boo#931625)

  - CVE-2015-4104: PCI MSI mask bits inadvertently exposed     to guests (XSA-129) (boo#931626)

  - CVE-2015-4105: Guest triggerable qemu MSI-X pass-through     error messages (XSA-130) (boo#931627)

  - CVE-2015-4106: Unmediated PCI register access in qemu     (XSA-131) (boo#931628)

  - CVE-2015-4163: GNTTABOP_swap_grant_ref operation     misbehavior (XSA-134) (boo#932790)

  - CVE-2015-3209: heap overflow in qemu pcnet controller     allowing guest to host escape (XSA-135) (boo#932770)

  - CVE-2015-4164: DoS through iret hypercall handler     (XSA-136) (boo#932996)

Xen was updated to 4.4.2 to fix multiple vulnerabilities and non-security bugs.

The following vulnerabilities were fixed :

  - CVE-2015-4103: Potential unintended writes to host MSI     message data field via qemu (XSA-128) (boo#931625)

  - CVE-2015-4104: PCI MSI mask bits inadvertently exposed     to guests (XSA-129) (boo#931626)

  - CVE-2015-4105: Guest triggerable qemu MSI-X pass-through     error messages (XSA-130) (boo#931627)

  - CVE-2015-4106: Unmediated PCI register access in qemu     (XSA-131) (boo#931628)

  - CVE-2015-4164: DoS through iret hypercall handler     (XSA-136) (boo#932996)

  - CVE-2015-4163: GNTTABOP_swap_grant_ref operation     misbehavior (XSA-134) (boo#932790)

  - CVE-2015-3209: heap overflow in qemu pcnet controller     allowing guest to host escape (XSA-135) (boo#932770)

  - CVE-2015-3456: Fixed a buffer overflow in the floppy     drive emulation, which could be used to denial of     service attacks or potential code execution against the     host. ()

  - CVE-2015-3340: Xen did not initialize certain fields,     which allowed certain remote service domains to obtain     sensitive information from memory via a (1)     XEN_DOMCTL_gettscinfo or (2)     XEN_SYSCTL_getdomaininfolist request. ()

  - CVE-2015-2752: Long latency MMIO mapping operations are     not preemptible (XSA-125 boo#922705)

  - CVE-2015-2756: Unmediated PCI command register access in     qemu (XSA-126 boo#922706)

  - CVE-2015-2751: Certain domctl operations may be abused     to lock up the host (XSA-127 boo#922709)

  - CVE-2015-2151: Hypervisor memory corruption due to x86     emulator flaw (boo#919464 XSA-123)

  - CVE-2015-2045: Information leak through version     information hypercall (boo#918998 XSA-122)

  - CVE-2015-2044: Information leak via internal x86 system     device emulation (boo#918995 (XSA-121)

  - CVE-2015-2152: HVM qemu unexpectedly enabling emulated     VGA graphics backends (boo#919663 XSA-119)

  - CVE-2014-3615: information leakage when guest sets high     resolution (boo#895528)

The following non-security bugs were fixed :

  - xentop: Fix memory leak on read failure 

  - boo#923758: xen dmesg contains bogus output in early     boot

  - boo#921842: Xentop doesn't display disk statistics for     VMs using qdisks

  - boo#919098: L3: XEN blktap device intermittently fails     to connect 

  - boo#882089: Windows 2012 R2 fails to boot up with     greater than 60 vcpus

  - boo#903680: Problems with detecting free loop devices on     Xen guest startup

  - boo#861318: xentop reports 'Found interface vif101.0 but     domain 101 does not exist.'

  - boo#901488: Intel ixgbe driver assigns rx/tx queues per     core resulting in irq problems on servers with a large     amount of CPU cores

  - boo#910254: SLES11 SP3 Xen VT-d igb NIC doesn't work

  - boo#912011: high ping latency after upgrade to latest     SLES11SP3 on xen Dom0

  - boo#906689: let systemd schedule xencommons after     network-online.target and remote-fs.target so that     xendomains has access to remote shares

The following functionality was enabled or enhanced :

  - Enable spice support in qemu for x86_64

  - Add Qxl vga support

  - Enhancement to virsh/libvirtd 'send-key' command     (FATE#317240)

  - Add domain_migrate_constraints_set API to Xend's http     interface (FATE#317239)

Xen was updated to fix seven security vulnerabilities :

CVE-2015-4103: Potential unintended writes to host MSI message data field via qemu. (XSA-128, bnc#931625)

CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests.
(XSA-129, bnc#931626)

CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error messages. (XSA-130, bnc#931627)

CVE-2015-4106: Unmediated PCI register access in qemu. (XSA-131, bnc#931628)

CVE-2015-4163: GNTTABOP_swap_grant_ref operation misbehavior.
(XSA-134, bnc#932790)

CVE-2015-3209: Heap overflow in qemu pcnet controller allowing guest to host escape. (XSA-135, bnc#932770)

CVE-2015-4164: DoS through iret hypercall handler. (XSA-136, bnc#932996)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple security issues have been found in the Xen virtualisation solution :

  - CVE-2015-3209     Matt Tait discovered a flaw in the way QEMU's AMD PCnet     Ethernet emulation handles multi-TMD packets with a     length above 4096 bytes. A privileged guest user in a     guest with an AMD PCNet ethernet card enabled can     potentially use this flaw to execute arbitrary code on     the host with the privileges of the hosting QEMU     process.

  - CVE-2015-4103     Jan Beulich discovered that the QEMU Xen code does not     properly restrict write access to the host MSI message     data field, allowing a malicious guest to cause a denial     of service.

  - CVE-2015-4104     Jan Beulich discovered that the QEMU Xen code does not     properly restrict access to PCI MSI mask bits, allowing     a malicious guest to cause a denial of service.

  - CVE-2015-4105     Jan Beulich reported that the QEMU Xen code enables     logging for PCI MSI-X pass-through error messages,     allowing a malicious guest to cause a denial of service.

  - CVE-2015-4106     Jan Beulich discovered that the QEMU Xen code does not     properly restrict write access to the PCI config space     for certain PCI pass-through devices, allowing a     malicious guest to cause a denial of service, obtain     sensitive information or potentially execute arbitrary     code.

  - CVE-2015-4163     Jan Beulich discovered that a missing version check in     the GNTTABOP_swap_grant_ref hypercall handler may result     in denial of service. This only applies to Debian     stable/jessie.

  - CVE-2015-4164     Andrew Cooper discovered a vulnerability in the iret     hypercall handler, which may result in denial of     service.

Xen was updated to fix seven security issues and one non-security bug.

The following vulnerabilities were fixed :

  - CVE-2015-4103: Potential unintended writes to host MSI     message data field via qemu (XSA-128) (bnc#931625)

  - CVE-2015-4104: PCI MSI mask bits inadvertently exposed     to guests (XSA-129) (bnc#931626)

  - CVE-2015-4105: Guest triggerable qemu MSI-X pass-through     error messages (XSA-130) (bnc#931627)

  - CVE-2015-4106: Unmediated PCI register access in qemu     (XSA-131) (bnc#931628)

  - CVE-2015-4163: GNTTABOP_swap_grant_ref operation     misbehavior (XSA-134) (bnc#932790)

  - CVE-2015-3209: heap overflow in qemu pcnet controller     allowing guest to host escape (XSA-135) (bnc#932770)

  - CVE-2015-4164: DoS through iret hypercall handler     (XSA-136) (bnc#932996)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - x86/traps: loop in the correct direction in compat_iret     This is XSA-136. (CVE-2015-4164)

  - pcnet: force the buffer access to be in bounds during tx     4096 is the maximum length per TMD and it is also     currently the size of the relay buffer pcnet driver uses     for sending the packet data to QEMU for further     processing. With packet spanning multiple TMDs it can     happen that the overall packet size will be bigger than     sizeof(buffer), which results in memory corruption. Fix     this by only allowing to queue maximum sizeof(buffer)     bytes. This is CVE-2015-3209. (CVE-2015-3209)

  - pcnet: fix Negative array index read From: Gonglei     s->xmit_pos maybe assigned to a negative value (-1), but     in this branch variable s->xmit_pos as an index to array     s->buffer. Let's add a check for s->xmit_pos.
    upstream-commit-id:
    7b50d00911ddd6d56a766ac5671e47304c20a21b (CVE-2015-3209)

  - pcnet: force the buffer access to be in bounds during tx     4096 is the maximum length per TMD and it is also     currently the size of the relay buffer pcnet driver uses     for sending the packet data to QEMU for further     processing. With packet spanning multiple TMDs it can     happen that the overall packet size will be bigger than     sizeof(buffer), which results in memory corruption. Fix     this by only allowing to queue maximum sizeof(buffer)     bytes. This is CVE-2015-3209. (CVE-2015-3209)

  - pcnet: fix Negative array index read From: Gonglei     s->xmit_pos maybe assigned to a negative value (-1), but     in this branch variable s->xmit_pos as an index to array     s->buffer. Let's add a check for s->xmit_pos.
    upstream-commit-id:
    7b50d00911ddd6d56a766ac5671e47304c20a21b (CVE-2015-3209)

  - gnttab: add missing version check to     GNTTABOP_swap_grant_ref handling ... avoiding NULL     derefs when the version to use wasn't set yet (via     GNTTABOP_setup_table or GNTTABOP_set_version). This is     XSA-134. (CVE-2015-4163)

ID	Name	Product	Family	Severity
111992	OracleVM 3.4 : xen (OVMSA-2018-0248) (Bunker Buster) (Foreshadow) (Meltdown) (POODLE) (Spectre)	Nessus	OracleVM Local Security Checks	critical
90380	GLSA-201604-03 : Xen: Multiple vulnerabilities (Venom)	Nessus	Gentoo Local Security Checks	high
84706	FreeBSD : xen-kernel -- GNTTABOP_swap_grant_ref operation misbehavior (80e846ff-27eb-11e5-a4a5-002590263bf5)	Nessus	FreeBSD Local Security Checks	medium
84469	SUSE SLES11 Security Update : Xen (SUSE-SU-2015:1157-1)	Nessus	SuSE Local Security Checks	high
84334	openSUSE Security Update : xen (openSUSE-2015-435)	Nessus	SuSE Local Security Checks	high
84333	openSUSE Security Update : xen (openSUSE-2015-434) (Venom)	Nessus	SuSE Local Security Checks	high
84190	SUSE SLED11 / SLES11 Security Update : Xen (SUSE-SU-2015:1045-1)	Nessus	SuSE Local Security Checks	high
84169	Debian DSA-3286-1 : xen - security update	Nessus	Debian Local Security Checks	high
84146	SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2015:1042-1)	Nessus	SuSE Local Security Checks	high
84139	OracleVM 3.3 : xen (OVMSA-2015-0067)	Nessus	OracleVM Local Security Checks	high

CVE-2015-4163

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins