DSA-3847

95021

1037517

http://xenbits.xen.org/xsa/advisory-202.html

GLSA-201612-56

https://support.citrix.com/article/CTX219378

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0248 for details.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0153 for details.

Jan Beulich and Jann Horn discovered multiple vulnerabilities in the Xen hypervisor, which may lead to privilege escalation, guest-to-host breakout, denial of service or information leaks.

In additional to the CVE identifiers listed above, this update also addresses the vulnerabilities announced as XSA-213, XSA-214 and XSA-215.

This update for xen fixes several issues. These security issues were fixed :

  - CVE-2016-10155: The virtual hardware watchdog     'wdt_i6300esb' was vulnerable to a memory leakage issue     allowing a privileged user to cause a DoS and/or     potentially crash the Qemu process on the host     (bsc#1024183)

  - CVE-2017-2620: In CIRRUS_BLTMODE_MEMSYSSRC mode the     bitblit copy routine cirrus_bitblt_cputovideo failed to     check the memory region, allowing for an out-of-bounds     write that allows for privilege escalation (bsc#1024834)

  - CVE-2017-2615: An error in the bitblt copy operation     could have allowed a malicious guest administrator to     cause an out of bounds memory access, possibly leading     to information disclosure or privilege escalation     (bsc#1023004)

  - CVE-2014-8106: A heap-based buffer overflow in the     Cirrus VGA emulator allowed local guest users to execute     arbitrary code via vectors related to blit regions     (bsc#907805)

  - CVE-2016-9911: The USB EHCI Emulation support was     vulnerable to a memory leakage issue while processing     packet data in 'ehci_init_transfer'. A guest     user/process could have used this issue to leak host     memory, resulting in DoS for the host (bsc#1014507)

  - CVE-2016-9921: The Cirrus CLGD 54xx VGA Emulator support     was vulnerable to a divide by zero issue while copying     VGA data. A privileged user inside guest could have used     this flaw to crash the process instance on the host,     resulting in DoS (bsc#1015169)

  - CVE-2016-9922: The Cirrus CLGD 54xx VGA Emulator support     was vulnerable to a divide by zero issue while copying     VGA data. A privileged user inside guest could have used     this flaw to crash the process instance on the host,     resulting in DoS (bsc#1015169)

  - CVE-2016-10013: Xen allowed local 64-bit x86 HVM guest     OS users to gain privileges by leveraging mishandling of     SYSCALL singlestep during emulation (bsc#1016340).

  - CVE-2016-9932: CMPXCHG8B emulation on x86 systems     allowed local HVM guest OS users to obtain sensitive     information from host stack memory via a     'supposedly-ignored' operand size prefix (bsc#1012651).

  - CVE-2016-9101: A memory leak in hw/net/eepro100.c     allowed local guest OS administrators to cause a denial     of service (memory consumption and QEMU process crash)     by repeatedly unplugging an i8255x (PRO100) NIC device     (bsc#1013668)

  - CVE-2016-9776: The ColdFire Fast Ethernet Controller     emulator support was vulnerable to an infinite loop     issue while receiving packets in 'mcf_fec_receive'. A     privileged user/process inside guest could have used     this issue to crash the Qemu process on the host leading     to DoS (bsc#1013657)

  - A malicious guest could have, by frequently rebooting     over extended periods of time, run the host system out     of memory, resulting in a Denial of Service (DoS)     (bsc#1022871)

  - CVE-2016-10024: Xen allowed local x86 PV guest OS kernel     administrators to cause a denial of service (host hang     or crash) by modifying the instruction stream     asynchronously while performing certain kernel     operations (bsc#1014298)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its self-reported version number, the Xen hypervisor installed on the remote host is missing a security update. It is, therefore, affected by a denial of service vulnerability due to a flaw in the x86 instruction emulator whenever a guest asynchronously modifies its instruction stream to effect the clearing of EFLAGS.IF.
An attacker who has guest kernel administrator privileges can exploit this issue to cause the host to hang or crash.

Please note the following items :

  - Only x86 PV guests can exploit the vulnerability.

  - Neither ARM guests nor x86 HVM guests can exploit the     vulnerability.

Note that Nessus has not tested for this vulnerability but has instead relied only on the changeset versions based on the xen.git change log.
Nessus did not check guest hardware configurations or if patches were applied manually to the source code before a recompile and reinstall.

The version of Citrix XenServer installed on the remote host is missing a security hotfix. It is, therefore, affected by multiple vulnerabilities :

  - A flaw exists in x86 instruction CMPXCHG8B due to legacy     operand size overrides not being properly ignored when     handling prefixes. A guest attacker can exploit this to     disclose potentially sensitive information on the host     system. Note that the ability to read a small amount of     hypervisor memory is restricted to privileged-mode code     in all guests except on Citrix XenServer 6.2 SP1 and     6.0.2CC, where the attack may also be performed from     non-privileged-mode code in HVM guest VMs.
    (CVE-2016-9932)

  - A denial of service vulnerability exists when a guest     asynchronously modifies its instruction stream to effect     the clearing of EFLAGS.IF. A guest attacker can exploit     this to cause the host to hang or crash.
    (CVE-2016-10024)

  - A denial of service vulnerability exists due to a NULL     pointer dereference flaw that is triggered when the     hvmemul_vmfunc() function pointer uses inappropriate     NULL checks before indirect function calls. A guest     attacker can exploit this to cause the hypervisor to     crash. Note that the ability of privileged-mode code in     HVM guest VMs to crash the host is restricted to AMD     systems running Citrix XenServer 7.0. (CVE-2016-10025)

The remote OracleVM system is missing necessary patches to address critical security updates :

  - From: Jan Beulich Subject: x86: force EFLAGS.IF on when     exiting to PV guests Guest kernels modifying     instructions in the process of being emulated for     another of their vCPU-s may effect EFLAGS.IF to be     cleared upon next exiting to guest context, by     converting the being emulated instruction to CLI (at the     right point in time). Prevent any such bad effects by     always forcing EFLAGS.IF on. And to cover hypothetical     other similar issues, also force EFLAGS.[IOPL,NT,VM] to     zero. This is XSA-202.

    Conflict: xen/arch/x86/x86_64/compat/entry.S     (CVE-2016-10024)

  - From 4d246723a85a03406e4969a260291e11b8e05960 Mon Sep 17     00:00:00 2001 x86: use MOV instead of PUSH/POP when     saving/restoring register state (CVE-2016-10024)

  - From: Andrew Cooper Date: Sun, 18 Dec 2016 15:42:59     +0000 Subject: [PATCH] x86/emul: Correct the handling of     eflags with SYSCALL A singlestep #DB is determined by     the resulting eflags value from the execution of     SYSCALL, not the original eflags value. By using the     original eflags value, we negate the guest kernels     attempt to protect itself from a privilege escalation by     masking TF. Introduce a tf boolean and have the SYSCALL     emulation recalculate it after the instruction is     complete. This is XSA-204

    Conflict: xen/arch/x86/x86_emulate/x86_emulate.c     (CVE-2016-10013)

The remote OracleVM system is missing necessary patches to address critical security updates :

  - BUILDINFO: xen     commit=9f3030e391274b89deb80c86a6343dac473916b3

  - BUILDINFO: QEMU upstream     commit=f663d3dd4e968756d33e29cb2c2c956cabbdd4ca

  - BUILDINFO: QEMU traditional     commit=bc33fbc6f9a004dc11dcc18f1c5c755a60b65b73

  - BUILDINFO: IPXE     commit=9a93db3f0947484e30e753bbd61a10b17336e20e

  - BUILDINFO: SeaBIOS     commit=7d9cbe613694924921ed1a6f8947d711c5832eee

  - x86: force EFLAGS.IF on when exiting to PV guests (Jan     Beulich) [Orabug: 25235009] (CVE-2016-10024)

  - Rombios: large disk support for LBA48 to L-CHS     translation (Bhavesh Davda) [Orabug: 25304859]

  - x86/emul: Correct the handling of eflags with SYSCALL     (Andrew Cooper) [Orabug: 25294731] (CVE-2016-10013)

Multiple vulnerabilities have been discovered in the Xen hypervisor.
The Common Vulnerabilities and Exposures project identifies the following problems :

CVE-2016-10013 (xsa-204)

Xen mishandles SYSCALL singlestep during emulation which can lead to privilege escalation. The vulnerability is only exposed to 64-bit x86 HVM guests.

CVE-2016-10024 (xsa-202)

PV guests may be able to mask interrupts causing a Denial of Service.

For Debian 7 'Wheezy', these problems have been fixed in version 4.1.6.lts1-5.

We recommend that you upgrade your xen packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This updates xen to version 4.4.4_06 to fix the following issues :

  - An unprivileged user in a guest could gain guest could     escalate privilege to that of the guest kernel, if it     had could invoke the instruction emulator. Only 64-bit     x86 HVM guest were affected. Linux guest have not been     vulnerable. (boo#1016340, CVE-2016-10013)

  - An unprivileged user in a 64 bit x86 guest could gain     information from the host, crash the host or gain     privilege of the host (boo#1009107, CVE-2016-9383)

  - An unprivileged guest process could (unintentionally or     maliciously) obtain or ocorrupt sensitive information of     other programs in the same guest. Only x86 HVM guests     have been affected. The attacker needs to be able to     trigger the Xen instruction emulator. (boo#1000106,     CVE-2016-7777)

  - A guest on x86 systems could read small parts of     hypervisor stack data (boo#1012651, CVE-2016-9932)

  - A malicious guest kernel could hang or crash the host     system (boo#1014298, CVE-2016-10024)

  - A malicious guest administrator could escalate their     privilege to that of the host. Only affects x86 HVM     guests using qemu older version 1.6.0 or using the     qemu-xen-traditional. (boo#1011652, CVE-2016-9637)

  - An unprivileged guest user could escalate privilege to     that of the guest administrator on x86 HVM guests,     especially on Intel CPUs (boo#1009100, CVE-2016-9386)

  - An unprivileged guest user could escalate privilege to     that of the guest administrator (on AMD CPUs) or crash     the system (on Intel CPUs) on 32-bit x86 HVM guests.
    Only guest operating systems that allowed a new task to     start in VM86 mode were affected. (boo#1009103,     CVE-2016-9382)

  - A malicious guest administrator could crash the host on     x86 PV guests only (boo#1009104, CVE-2016-9385)

  - A malicious guest administrator could get privilege of     the host emulator process on x86 HVM guests.
    (boo#1009109, CVE-2016-9381)

  - A vulnerability in pygrub allowed a malicious guest     administrator to obtain the contents of sensitive host     files, or even delete those files (boo#1009111,     CVE-2016-9379, CVE-2016-9380)

  - A privileged guest user could cause an infinite loop in     the RTL8139 ethernet emulation to consume CPU cycles on     the host, causing a DoS situation (boo#1007157,     CVE-2016-8910)

  - A privileged guest user could cause an infinite loop in     the intel-hda sound emulation to consume CPU cycles on     the host, causing a DoS situation (boo#1007160,     CVE-2016-8909)

  - A privileged guest user could cause a crash of the     emulator process on the host by exploiting a divide by     zero vulnerability of the JAZZ RC4030 chipset emulation     (boo#1005004 CVE-2016-8667)

  - A privileged guest user could cause a crash of the     emulator process on the host by exploiting a divide by     zero issue of the 16550A UART emulation (boo#1005005,     CVE-2016-8669)

  - A privileged guest user could cause an infinite loop in     the USB xHCI emulation, causing a DoS situation on the     host (boo#1004016, CVE-2016-8576)

  - A privileged guest user could cause an infinite loop in     the ColdFire Fash Ethernet Controller emulation, causing     a DoS situation on the host (boo#1003030, CVE-2016-7908)

  - A privileged guest user could cause an infinite loop in     the AMD PC-Net II emulation, causing a DoS situation on     the host (boo#1003032, CVE-2016-7909)

  - Cause a reload of clvm in the block-dmmd script to avoid     a blocking lvchange call (boo#1002496)

  - Also unplug SCSI disks in qemu-xen-traditional for     upstream unplug protocol. Before a single SCSI storage     devices added to HVM guests could appear multiple times     in the guest. (boo#953518)

  - Fix a kernel panic / black screen when trying to boot a     XEN kernel on some UEFI firmwares (boo#1000195)

This updates xen to version 4.5.5 to fix the following issues :

  - An unprivileged user in a guest could gain guest could     escalate privilege to that of the guest kernel, if it     had could invoke the instruction emulator. Only 64-bit     x86 HVM guest were affected. Linux guest have not been     vulnerable. (boo#1016340, CVE-2016-10013)

  - An unprivileged user in a 64 bit x86 guest could gain     information from the host, crash the host or gain     privilege of the host (boo#1009107, CVE-2016-9383)

  - An unprivileged guest process could (unintentionally or     maliciously) obtain or ocorrupt sensitive information of     other programs in the same guest. Only x86 HVM guests     have been affected. The attacker needs to be able to     trigger the Xen instruction emulator. (boo#1000106,     CVE-2016-7777)

  - A guest on x86 systems could read small parts of     hypervisor stack data (boo#1012651, CVE-2016-9932)

  - A malicious guest kernel could hang or crash the host     system (boo#1014298, CVE-2016-10024)

  - The epro100 emulated network device caused a memory leak     in the host when unplugged in the guest. A privileged     user in the guest could use this to cause a DoS on the     host or potentially crash the guest process on the host     (boo#1013668, CVE-2016-9101)

  - The ColdFire Fast Ethernet Controller was vulnerable to     an infinite loop that could be trigged by a privileged     user in the guest, leading to DoS (boo#1013657,     CVE-2016-9776)

  - A malicious guest administrator could escalate their     privilege to that of the host. Only affects x86 HVM     guests using qemu older version 1.6.0 or using the     qemu-xen-traditional. (boo#1011652, CVE-2016-9637)

  - An unprivileged guest user could escalate privilege to     that of the guest administrator on x86 HVM guests,     especially on Intel CPUs (boo#1009100, CVE-2016-9386)

  - An unprivileged guest user could escalate privilege to     that of the guest administrator (on AMD CPUs) or crash     the system (on Intel CPUs) on 32-bit x86 HVM guests.
    Only guest operating systems that allowed a new task to     start in VM86 mode were affected. (boo#1009103,     CVE-2016-9382)

  - A malicious guest administrator could crash the host on     x86 PV guests only (boo#1009104, CVE-2016-9385)

  - An unprivileged guest user was able to crash the guest.
    (boo#1009108, CVE-2016-9377, CVE-2016-9378)

  - A malicious guest administrator could get privilege of     the host emulator process on x86 HVM guests.
    (boo#1009109, CVE-2016-9381)

  - A vulnerability in pygrub allowed a malicious guest     administrator to obtain the contents of sensitive host     files, or even delete those files (boo#1009111,     CVE-2016-9379, CVE-2016-9380)

  - A privileged guest user could cause an infinite loop in     the RTL8139 ethernet emulation to consume CPU cycles on     the host, causing a DoS situation (boo#1007157,     CVE-2016-8910)

  - A privileged guest user could cause an infinite loop in     the intel-hda sound emulation to consume CPU cycles on     the host, causing a DoS situation (boo#1007160,     CVE-2016-8909)

  - A privileged guest user could cause a crash of the     emulator process on the host by exploiting a divide by     zero vulnerability of the JAZZ RC4030 chipset emulation     (boo#1005004 CVE-2016-8667)

  - A privileged guest user could cause a crash of the     emulator process on the host by exploiting a divide by     zero issue of the 16550A UART emulation (boo#1005005,     CVE-2016-8669)

  - A privileged guest user could cause a memory leak in the     USB EHCI emulation, causing a DoS situation on the host     (boo#1003870, CVE-2016-7995)

  - A privileged guest user could cause an infinite loop in     the USB xHCI emulation, causing a DoS situation on the     host (boo#1004016, CVE-2016-8576)

  - A privileged guest user could cause an infinite loop in     the ColdFire Fash Ethernet Controller emulation, causing     a DoS situation on the host (boo#1003030, CVE-2016-7908)

  - A privileged guest user could cause an infinite loop in     the AMD PC-Net II emulation, causing a DoS situation on     the host (boo#1003032, CVE-2016-7909)

  - Cause a reload of clvm in the block-dmmd script to avoid     a blocking lvchange call (boo#1002496)

This update for xen fixes the following issues :

  - A Mishandling of SYSCALL singlestep during emulation     which could have lead to privilege escalation. (XSA-204,     bsc#1016340, CVE-2016-10013)

  - CMPXCHG8B emulation failed to ignore operand size     override which could have lead to information     disclosure. (XSA-200, bsc#1012651, CVE-2016-9932)

  - PV guests may have been able to mask interrupts causing     a Denial of Service. (XSA-202, bsc#1014298,     CVE-2016-10024)

  - A missing NULL pointer check in VMFUNC emulation could     lead to a hypervisor crash leading to a Denial of     Servce. (XSA-203, bsc#1014300, CVE-2016-10025)

This update was imported from the SUSE:SLE-12-SP2:Update update project.

The remote host is affected by the vulnerability described in GLSA-201612-56 (Xen: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Xen. Please review the       CVE identifiers referenced below for details.
  Impact :

    A local attacker could possibly execute arbitrary code with the       privileges of the process, could gain privileges on the host system,       cause a Denial of Service condition, or obtain sensitive information.
  Workaround :

    There is no known workaround at this time.

two security flaws (#1406840) x86 PV guests may be able to mask interrupts [XSA-202, CVE-2016-10024] x86: missing NULL pointer check in VMFUNC emulation [XSA-203, CVE-2016-10025] x86: Mishandling of SYSCALL singlestep during emulation [XSA-204, CVE-2016-10013] (#1406260)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes the following issues :

  - A Mishandling of SYSCALL singlestep during emulation     which could have lead to privilege escalation. (XSA-204,     bsc#1016340, CVE-2016-10013)

  - CMPXCHG8B emulation failed to ignore operand size     override which could have lead to information     disclosure. (XSA-200, bsc#1012651, CVE-2016-9932)

  - PV guests may have been able to mask interrupts causing     a Denial of Service. (XSA-202, bsc#1014298,     CVE-2016-10024)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes the following issues :

  - A Mishandling of SYSCALL singlestep during emulation     which could have lead to privilege escalation. (XSA-204,     bsc#1016340, CVE-2016-10013)

  - CMPXCHG8B emulation failed to ignore operand size     override which could have lead to information     disclosure. (XSA-200, bsc#1012651, CVE-2016-9932)

  - PV guests may have been able to mask interrupts causing     a Denial of Service. (XSA-202, bsc#1014298,     CVE-2016-10024)

  - A missing NULL pointer check in VMFUNC emulation could     lead to a hypervisor crash leading to a Denial of     Servce. (XSA-203, bsc#1014300, CVE-2016-10025)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The Xen Project reports :

Certain PV guest kernel operations (page table writes in particular) need emulation, and use Xen's general x86 instruction emulator. This allows a malicious guest kernel which asynchronously modifies its instruction stream to effect the clearing of EFLAGS.IF from the state used to return to guest context.

A malicious guest kernel administrator can cause a host hang or crash, resulting in a Denial of Service.

ID	Name	Product	Family	Severity
111992	OracleVM 3.4 : xen (OVMSA-2018-0248) (Bunker Buster) (Foreshadow) (Meltdown) (POODLE) (Spectre)	Nessus	OracleVM Local Security Checks	critical
103830	OracleVM 3.4 : xen (OVMSA-2017-0153)	Nessus	OracleVM Local Security Checks	critical
100071	Debian DSA-3847-1 : xen - security update	Nessus	Debian Local Security Checks	high
97828	SUSE SLES11 Security Update : xen (SUSE-SU-2017:0718-1)	Nessus	SuSE Local Security Checks	high
96958	Xen Asynchronous Modification EFLAGS.IF Clearing DoS (XSA-202)	Nessus	Misc.	medium
96778	Citrix XenServer Multiple Vulnerabilities (CTX219378)	Nessus	Misc.	low
96522	OracleVM 3.2 : xen (OVMSA-2017-0009)	Nessus	OracleVM Local Security Checks	medium
96520	OracleVM 3.4 : xen (OVMSA-2017-0007)	Nessus	OracleVM Local Security Checks	medium
96491	Debian DLA-783-1 : xen security update	Nessus	Debian Local Security Checks	medium
96253	openSUSE Security Update : xen (openSUSE-2017-5)	Nessus	SuSE Local Security Checks	high
96252	openSUSE Security Update : xen (openSUSE-2017-4)	Nessus	SuSE Local Security Checks	high
96250	openSUSE Security Update : xen (openSUSE-2017-2)	Nessus	SuSE Local Security Checks	medium
96231	GLSA-201612-56 : Xen: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
96216	Fedora 24 : xen (2016-bc02bff7f5)	Nessus	Fedora Local Security Checks	medium
96158	Fedora 25 : xen (2016-92e3ea2d1b)	Nessus	Fedora Local Security Checks	medium
96087	SUSE SLES12 Security Update : xen (SUSE-SU-2016:3241-1)	Nessus	SuSE Local Security Checks	medium
96081	SUSE SLES11 Security Update : xen (SUSE-SU-2016:3221-1)	Nessus	SuSE Local Security Checks	medium
96076	SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2016:3208-1)	Nessus	SuSE Local Security Checks	medium
96075	SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2016:3207-1)	Nessus	SuSE Local Security Checks	medium
96058	FreeBSD : xen-kernel -- x86 PV guests may be able to mask interrupts (3ae078ca-c7eb-11e6-ae1b-002590263bf5)	Nessus	FreeBSD Local Security Checks	medium

CVE-2016-10024

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins