DSA-3969

1038734

GLSA-201708-03

GLSA-201710-17

https://xenbits.xen.org/xsa/advisory-224.html

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0248 for details.

The remote host is affected by the vulnerability described in GLSA-201710-17 (Xen: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Xen. Please review the       referenced CVE identifiers for details.
  Impact :

    A local attacker could escalate privileges, cause a Denial of Service       condition, obtain sensitive information, or have other unspecified       impacts.
  Workaround :

    There is no known workaround at this time.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0153 for details.

Multiple vulnerabilities have been discovered in the Xen hypervisor :

CVE-2017-10912

Jann Horn discovered that incorrectly handling of page transfers might result in privilege escalation.

CVE-2017-10913 / CVE-2017-10914

Jann Horn discovered that race conditions in grant handling might result in information leaks or privilege escalation.

CVE-2017-10915

Andrew Cooper discovered that incorrect reference counting with shadow paging might result in privilege escalation.

CVE-2017-10918

Julien Grall discovered that incorrect error handling in physical-to-machine memory mappings may result in privilege escalation, denial of service or an information leak.

CVE-2017-10920 / CVE-2017-10921 / CVE-2017-10922

Jan Beulich discovered multiple places where reference counting on grant table operations was incorrect, resulting in potential privilege escalation

CVE-2017-12135

Jan Beulich found multiple problems in the handling of transitive grants which could result in denial of service and potentially privilege escalation.

CVE-2017-12137

Andrew Cooper discovered that incorrect validation of grants may result in privilege escalation.

CVE-2017-12855

Jan Beulich discovered that incorrect grant status handling, thus incorrectly informing the guest that the grant is no longer in use.

CVE-2017-14316

Matthew Daley discovered that the NUMA node parameter wasn't verified which which may result in privilege escalation.

CVE-2017-14317

Eric Chanudet discovered that a race conditions in cxenstored might result in information leaks or privilege escalation.

CVE-2017-14318

Matthew Daley discovered that incorrect validation of grants may result in a denial of service.

CVE-2017-14319

Andrew Cooper discovered that insufficient grant unmapping checks may result in denial of service and privilege escalation.

For Debian 7 'Wheezy', these problems have been fixed in version 4.1.6.lts1-9.

We recommend that you upgrade your xen packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities have been discovered in the Xen hypervisor :

  - CVE-2017-10912     Jann Horn discovered that incorrectly handling of page     transfers might result in privilege escalation.

  - CVE-2017-10913 / CVE-2017-10914     Jann Horn discovered that race conditions in grant     handling might result in information leaks or privilege     escalation.

  - CVE-2017-10915     Andrew Cooper discovered that incorrect reference     counting with shadow paging might result in privilege     escalation.

  - CVE-2017-10916     Andrew Cooper discovered an information leak in the     handling of the Memory Protection Extensions (MPX) and     Protection Key (PKU) CPU features. This only affects     Debian stretch.

  - CVE-2017-10917     Ankur Arora discovered a NULL pointer dereference in     event polling, resulting in denial of service.

  - CVE-2017-10918     Julien Grall discovered that incorrect error handling in     physical-to-machine memory mappings may result in     privilege escalation, denial of service or an     information leak.

  - CVE-2017-10919     Julien Grall discovered that incorrect handling of     virtual interrupt injection on ARM systems may result in     denial of service.

  - CVE-2017-10920 / CVE-2017-10921 / CVE-2017-10922     Jan Beulich discovered multiple places where reference     counting on grant table operations was incorrect,     resulting in potential privilege escalation.

  - CVE-2017-12135     Jan Beulich found multiple problems in the handling of     transitive grants which could result in denial of     service and potentially privilege escalation.

  - CVE-2017-12136     Ian Jackson discovered that race conditions in the     allocator for grant mappings may result in denial of     service or privilege escalation. This only affects     Debian stretch.

  - CVE-2017-12137     Andrew Cooper discovered that incorrect validation of     grants may result in privilege escalation.

  - CVE-2017-12855     Jan Beulich discovered that incorrect grant status     handling, thus incorrectly informing the guest that the     grant is no longer in use.

  - XSA-235 (no CVE yet)

    Wei Liu discovered that incorrect locking of     add-to-physmap operations on ARM may result in denial of     service.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0142 for details.

This update for xen fixes several issues. These security issues were fixed :

  - CVE-2017-10911: blkif responses leaked backend stack     data, which allowed unprivileged guest to obtain     sensitive information from the host or other guests     (XSA-216, bsc#1042863)

  - CVE-2017-10912: Page transfer might have allowed PV     guest to elevate privilege (XSA-217, bsc#1042882)

  - CVE-2017-10913, CVE-2017-10914: Races in the grant table     unmap code allowed for informations leaks and     potentially privilege escalation (XSA-218, bsc#1042893)

  - CVE-2017-10915: Insufficient reference counts during     shadow emulation allowed a malicious pair of guest to     elevate their privileges to the privileges that XEN runs     under (XSA-219, bsc#1042915)

  - CVE-2017-10917: Missing NULL pointer check in event     channel poll allows guests to DoS the host (XSA-221,     bsc#1042924)

  - CVE-2017-10918: Stale P2M mappings due to insufficient     error checking allowed malicious guest to leak     information or elevate privileges (XSA-222, bsc#1042931)

  - CVE-2017-10922, CVE-2017-10921, CVE-2017-10920: Grant     table operations mishandled reference counts allowing     malicious guests to escape (XSA-224, bsc#1042938)

  - CVE-2017-10916: PKRU and BND* leakage between vCPU-s     might have leaked information to other guests (XSA-220,     bsc#1042923)

  - CVE-2017-9330: USB OHCI Emulation in qemu allowed local     guest OS users to cause a denial of service (infinite     loop) by leveraging an incorrect return value     (bsc#1042160)

  - CVE-2017-8309: Memory leak in the audio/audio.c allowed     remote attackers to cause a denial of service (memory     consumption) by repeatedly starting and stopping audio     capture (bsc#1037243)

  - CVE-2017-8112: hw/scsi/vmw_pvscsi.c allowed local guest     OS privileged users to cause a denial of service     (infinite loop and CPU consumption) via the message ring     page count (bsc#1036470)

  - CVE-2017-8905: Xen a failsafe callback, which might have     allowed PV guest OS users to execute arbitrary code on     the host OS (XSA-215, bsc#1034845).

  - CVE-2017-9503: The MegaRAID SAS 8708EM2 Host Bus Adapter     emulation support was vulnerable to a NULL pointer     dereference issue which allowed a privileged user inside     guest to crash the Qemu process on the host resulting in     DoS (bsc#1043297)

  - CVE-2017-9374: Missing free of 's->ipacket', causes a     host memory leak, allowing for DoS (bsc#1043074)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes several issues.

These security issues were fixed :

  - CVE-2017-10912: Page transfer might have allowed PV     guest to elevate privilege (XSA-217, bsc#1042882)

  - CVE-2017-10913 CVE-2017-10914: Races in the grant table     unmap code allowed for informations leaks and     potentially privilege escalation (XSA-218, bsc#1042893)

  - CVE-2017-10915: Insufficient reference counts during     shadow emulation allowed a malicious pair of guest to     elevate their privileges to the privileges that XEN runs     under (XSA-219, bsc#1042915)

  - CVE-2017-10917: Missing NULL pointer check in event     channel poll allows guests to DoS the host (XSA-221,     bsc#1042924)

  - CVE-2017-10918: Stale P2M mappings due to insufficient     error checking allowed malicious guest to leak     information or elevate privileges (XSA-222, bsc#1042931)

  - CVE-2017-10920, CVE-2017-10921, CVE-2017-10922: Grant     table operations mishandled reference counts allowing     malicious guests to escape (XSA-224, bsc#1042938)

  - CVE-2017-9330: USB OHCI Emulation in qemu allowed local     guest OS users to cause a denial of service (infinite     loop) by leveraging an incorrect return value     (bsc#1042160)

  - CVE-2017-8309: Memory leak in the audio/audio.c allowed     remote attackers to cause a denial of service (memory     consumption) by repeatedly starting and stopping audio     capture (bsc#1037243)

  - PKRU and BND* leakage between vCPU-s might have leaked     information to other guests (XSA-220, bsc#1042923)

These non-security issues were fixed :

  - bsc#1027519: Included various upstream patches 

  - bsc#1035642: Ensure that rpmbuild works

This update was imported from the SUSE:SLE-12-SP2:Update update project.

This update for xen fixes several issues. These security issues were fixed :

  - CVE-2017-9503: The MegaRAID SAS 8708EM2 Host Bus Adapter     emulation support was vulnerable to a NULL pointer     dereference issue which allowed a privileged user inside     guest to crash the Qemu process on the host resulting in     DoS (bsc#1043297)

  - CVE-2017-9374: Missing free of 's->ipacket', causes a     host memory leak, allowing for DoS (bsc#1043074)

  - CVE-2017-10911: blkif responses leaked backend stack     data, which allowed unprivileged guest to obtain     sensitive information from the host or other guests     (XSA-216, bsc#1042863)

  - CVE-2017-10912: Page transfer might have allowed PV     guest to elevate privilege (XSA-217, bsc#1042882)

  - CVE-2017-10913, CVE-2017-10914: Races in the grant table     unmap code allowed for informations leaks and     potentially privilege escalation (XSA-218, bsc#1042893)

  - CVE-2017-10915: Insufficient reference counts during     shadow emulation allowed a malicious pair of guest to     elevate their privileges to the privileges that XEN runs     under (XSA-219, bsc#1042915)

  - CVE-2017-10917: Missing NULL pointer check in event     channel poll allows guests to DoS the host (XSA-221,     bsc#1042924)

  - CVE-2017-10918: Stale P2M mappings due to insufficient     error checking allowed malicious guest to leak     information or elevate privileges (XSA-222, bsc#1042931)

  - CVE-2017-10920, CVE-2017-10921, CVE-2017-10922: Grant     table operations mishandled reference counts allowing     malicious guests to escape (XSA-224, bsc#1042938)

  - CVE-2017-9330: USB OHCI Emulation in qemu allowed local     guest OS users to cause a denial of service (infinite     loop) by leveraging an incorrect return value     (bsc#1042160)

  - CVE-2017-8309: Memory leak in the audio/audio.c allowed     remote attackers to cause a denial of service (memory     consumption) by repeatedly starting and stopping audio     capture (bsc#1037243)

  - CVE-2017-8112: hw/scsi/vmw_pvscsi.c allowed local guest     OS privileged users to cause a denial of service     (infinite loop and CPU consumption) via the message ring     page count (bsc#1036470)

  - CVE-2017-8905: Xen a failsafe callback, which might have     allowed PV guest OS users to execute arbitrary code on     the host OS (XSA-215, bsc#1034845).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Citrix XenServer installed on the remote host is missing a security hotfix. It is, therefore, affected by multiple vulnerabilities :

  - A flaw exists that causes grant table operations to fail     due to improper handling of reference counts. An     unauthenticated, remote attacker can exploit this to     have an unspecified impact.

  - An information disclosure vulnerability exists due to     blkif responses leaking stack data. An unauthenticated,     remote attacker can exploit this to disclose potentially     sensitive information.

  - A NULL pointer dereference flaw exists in the event     channel poll that allows an unauthenticated, remote     attacker to cause a denial of service condition.

  - A flaw exists in shadow emulation due to insufficient     reference counts. An unauthenticated, remote attacker     can exploit this to have an unspecified impact.

  - A race condition exists in the grant table unmap code     that allows an unauthenticated, remote attacker to have     an unspecified impact.

  - An unspecified flaw exists in page transfers that allows     a local attacker on the PV guest to gain elevated     privileges.

  - A flaw exists that is triggered by stale P2M mappings     due to insufficient error checking. An unauthenticated,     remote attacker can exploit this to have an unspecified     impact.

ID	Name	Product	Family	Severity
111992	OracleVM 3.4 : xen (OVMSA-2018-0248) (Bunker Buster) (Foreshadow) (Meltdown) (POODLE) (Spectre)	Nessus	OracleVM Local Security Checks	critical
103910	GLSA-201710-17 : Xen: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
103830	OracleVM 3.4 : xen (OVMSA-2017-0153)	Nessus	OracleVM Local Security Checks	critical
103791	Debian DLA-1132-1 : xen security update	Nessus	Debian Local Security Checks	critical
103146	Debian DSA-3969-1 : xen - security update	Nessus	Debian Local Security Checks	critical
102835	OracleVM 3.4 : xen (OVMSA-2017-0142)	Nessus	OracleVM Local Security Checks	critical
101350	SUSE SLES12 Security Update : xen (SUSE-SU-2017:1812-1)	Nessus	SuSE Local Security Checks	critical
101349	openSUSE Security Update : xen (openSUSE-2017-799)	Nessus	SuSE Local Security Checks	critical
101293	SUSE SLES12 Security Update : xen (SUSE-SU-2017:1795-1)	Nessus	SuSE Local Security Checks	critical
101205	Citrix XenServer Multiple Vulnerabilities (CTX224740)	Nessus	Misc.	critical

CVE-2017-10922

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins