DSA-3969

[oss-security] 20170815 Xen Security Advisory 228 (CVE-2017-12136) - grant_table: Race conditions with maptrack free list handling

100346

1039175

http://xenbits.xen.org/xsa/advisory-228.html

https://bugzilla.redhat.com/show_bug.cgi?id=1477651

GLSA-201801-14

https://support.citrix.com/article/CTX225941

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0248 for details.

The remote host is affected by the vulnerability described in GLSA-201801-14 (Xen: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Xen. Please review the       referenced CVE identifiers for details.
  Impact :

    A local attacker could potentially execute arbitrary code with the       privileges of the Xen (QEMU) process on the host, gain privileges on the       host system, or cause a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

This update for xen fixes several issues. These security issues were fixed :

  - CVE-2017-12135: Unbounded recursion in grant table code     allowed a malicious guest to crash the host or     potentially escalate privileges/leak information     (XSA-226, bsc#1051787).

  - CVE-2017-12137: Incorrectly-aligned updates to     pagetables allowed for privilege escalation (XSA-227,     bsc#1051788).

  - CVE-2017-12136: Race conditions with maptrack free list     handling allows a malicious guest administrator to crash     the host or escalate their privilege to that of the host     (XSA-228, bsc#1051789).

  - CVE-2017-11434: The dhcp_decode function in     slirp/bootp.c allowed local guest OS users to cause a     denial of service (out-of-bounds read) via a crafted     DHCP options string (bsc#1049578).

  - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which     allowed remote attackers to cause a denial of service     (daemon crash) by disconnecting during a     server-to-client reply attempt (bsc#1046637).

  - CVE-2017-12855: Premature clearing of GTF_writing /     GTF_reading lead to potentially leaking sensitive     information (XSA-230 bsc#1052686.

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0153 for details.

Qemu: usb: ohci: infinite loop due to incorrect return value [CVE-2017-9330] (#1457698) Qemu: qemu-nbd: server breaks with SIGPIPE upon client abort [CVE-2017-10664] (#1466466) revised full fix for XSA-226 (regressed 32-bit Dom0 or backend domains)

----

full fix for XSA-226, replacing workaround drop conflict of xendomain and libvirtd as can cause problems (#1398590) add-to-physmap error paths fail to release lock on ARM [XSA-235] (#1484476) Qemu: audio:
host memory leakage via capture buffer [CVE-2017-8309] (#1446521) Qemu: input: host memory leakage via keyboard events [CVE-2017-8379] (#1446561)

----

Qemu: serial: host memory leakage 16550A UART emulation [CVE-2017-5579] (#1416162) Qemu: display: cirrus: OOB read access issue [CVE-2017-7718] (#1443444) xen: various flaws (#1481765) multiple problems with transitive grants [XSA-226, CVE-2017-12135] x86: PV privilege escalation via map_grant_ref [XSA-227, CVE-2017-12137] grant_table: Race conditions with maptrack free list handling [XSA-228, CVE-2017-12136] grant_table: possibly premature clearing of GTF_writing / GTF_reading [XSA-230, CVE-2017-12855]

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes several issues.

These security issues were fixed :

  - CVE-2017-12135: Unbounded recursion in grant table code     allowed a malicious guest to crash the host or     potentially escalate privileges/leak information     (XSA-226, bsc#1051787).

  - CVE-2017-12137: Incorrectly-aligned updates to     pagetables allowed for privilege escalation (XSA-227,     bsc#1051788).

  - CVE-2017-12136: Race conditions with maptrack free list     handling allows a malicious guest administrator to crash     the host or escalate their privilege to that of the host     (XSA-228, bsc#1051789).

  - CVE-2017-11434: The dhcp_decode function in     slirp/bootp.c allowed local guest OS users to cause a     denial of service (out-of-bounds read) via a crafted     DHCP options string (bsc#1049578).

  - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which     allowed remote attackers to cause a denial of service     (daemon crash) by disconnecting during a     server-to-client reply attempt (bsc#1046637).

  - CVE-2017-12855: Premature clearing of GTF_writing /     GTF_reading lead to potentially leaking sensitive     information (XSA-230 bsc#1052686.

These non-security issues were fixed :

  - bsc#1055695: XEN: 11SP4 and 12SP3 HVM guests can not be     restored after the save using xl stack

  - bsc#1035231: Migration of HVM domU did not use     superpages on destination dom0

  - bsc#1002573: Optimized LVM functions in block-dmmd     block-dmmd

This update was imported from the SUSE:SLE-12-SP3:Update update project.

This update for xen to version 4.7.3 fixes several issues.

These security issues were fixed :

  - CVE-2017-12135: Unbounded recursion in grant table code     allowed a malicious guest to crash the host or     potentially escalate privileges/leak information     (XSA-226, bsc#1051787).

  - CVE-2017-12137: Incorrectly-aligned updates to     pagetables allowed for privilege escalation (XSA-227,     bsc#1051788).

  - CVE-2017-12136: Race conditions with maptrack free list     handling allows a malicious guest administrator to crash     the host or escalate their privilege to that of the host     (XSA-228, bsc#1051789).

  - CVE-2017-11434: The dhcp_decode function in     slirp/bootp.c allowed local guest OS users to cause a     denial of service (out-of-bounds read) via a crafted     DHCP options string (bsc#1049578).

  - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which     allowed remote attackers to cause a denial of service     (daemon crash) by disconnecting during a     server-to-client reply attempt (bsc#1046637).

  - CVE-2017-12855: Premature clearing of GTF_writing /     GTF_reading lead to potentially leaking sensitive     information (XSA-230 CVE-2017-12855).

These non-security issues were fixed :

  - bsc#1055695: XEN: 11SP4 and 12SP3 HVM guests can not be     restored after the save using xl stack 

  - bsc#1035231: Migration of HVM domU did not use     superpages on destination dom0

  - bsc#1002573: Optimized LVM functions in block-dmmd     block-dmmd

  - bsc#1037840: Xen-detect always showed HVM for PV guests

This update was imported from the SUSE:SLE-12-SP2:Update update project.

Multiple vulnerabilities have been discovered in the Xen hypervisor :

  - CVE-2017-10912     Jann Horn discovered that incorrectly handling of page     transfers might result in privilege escalation.

  - CVE-2017-10913 / CVE-2017-10914     Jann Horn discovered that race conditions in grant     handling might result in information leaks or privilege     escalation.

  - CVE-2017-10915     Andrew Cooper discovered that incorrect reference     counting with shadow paging might result in privilege     escalation.

  - CVE-2017-10916     Andrew Cooper discovered an information leak in the     handling of the Memory Protection Extensions (MPX) and     Protection Key (PKU) CPU features. This only affects     Debian stretch.

  - CVE-2017-10917     Ankur Arora discovered a NULL pointer dereference in     event polling, resulting in denial of service.

  - CVE-2017-10918     Julien Grall discovered that incorrect error handling in     physical-to-machine memory mappings may result in     privilege escalation, denial of service or an     information leak.

  - CVE-2017-10919     Julien Grall discovered that incorrect handling of     virtual interrupt injection on ARM systems may result in     denial of service.

  - CVE-2017-10920 / CVE-2017-10921 / CVE-2017-10922     Jan Beulich discovered multiple places where reference     counting on grant table operations was incorrect,     resulting in potential privilege escalation.

  - CVE-2017-12135     Jan Beulich found multiple problems in the handling of     transitive grants which could result in denial of     service and potentially privilege escalation.

  - CVE-2017-12136     Ian Jackson discovered that race conditions in the     allocator for grant mappings may result in denial of     service or privilege escalation. This only affects     Debian stretch.

  - CVE-2017-12137     Andrew Cooper discovered that incorrect validation of     grants may result in privilege escalation.

  - CVE-2017-12855     Jan Beulich discovered that incorrect grant status     handling, thus incorrectly informing the guest that the     grant is no longer in use.

  - XSA-235 (no CVE yet)

    Wei Liu discovered that incorrect locking of     add-to-physmap operations on ARM may result in denial of     service.

This update for xen to version 4.7.3 fixes several issues. These security issues were fixed :

  - CVE-2017-12135: Unbounded recursion in grant table code     allowed a malicious guest to crash the host or     potentially escalate privileges/leak information     (XSA-226, bsc#1051787).

  - CVE-2017-12137: Incorrectly-aligned updates to     pagetables allowed for privilege escalation (XSA-227,     bsc#1051788).

  - CVE-2017-12136: Race conditions with maptrack free list     handling allows a malicious guest administrator to crash     the host or escalate their privilege to that of the host     (XSA-228, bsc#1051789).

  - CVE-2017-11434: The dhcp_decode function in     slirp/bootp.c allowed local guest OS users to cause a     denial of service (out-of-bounds read) via a crafted     DHCP options string (bsc#1049578).

  - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which     allowed remote attackers to cause a denial of service     (daemon crash) by disconnecting during a     server-to-client reply attempt (bsc#1046637).

  - CVE-2017-12855: Premature clearing of GTF_writing /     GTF_reading lead to potentially leaking sensitive     information (XSA-230 CVE-2017-12855).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0142 for details.

Qemu: serial: host memory leakage 16550A UART emulation [CVE-2017-5579] (#1416162) Qemu: display: cirrus: OOB read access issue [CVE-2017-7718] (#1443444) xen: various flaws (#1481765) multiple problems with transitive grants [XSA-226, CVE-2017-12135] x86: PV privilege escalation via map_grant_ref [XSA-227, CVE-2017-12137] grant_table: Race conditions with maptrack free list handling [XSA-228, CVE-2017-12136] grant_table: possibly premature clearing of GTF_writing / GTF_reading [XSA-230, CVE-2017-12855]

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its self-reported version number, the Xen hypervisor installed on the remote host is affected by multiple vulnerabilities.

Note that Nessus has checked the changeset versions based on the xen.git change log. Nessus did not check guest hardware configurations or if patches were applied manually to the source code before a recompile and reinstall.

The version of Citrix XenServer installed on the remote host is missing a security hotfix. It is, therefore, affected by multiple vulnerabilities as noted in the CTX225941 advisory.

ID	Name	Product	Family	Severity
111992	OracleVM 3.4 : xen (OVMSA-2018-0248) (Bunker Buster) (Foreshadow) (Meltdown) (POODLE) (Spectre)	Nessus	OracleVM Local Security Checks	critical
106038	GLSA-201801-14 : Xen: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
104649	SUSE SLES12 Security Update : xen (SUSE-SU-2017:2327-2)	Nessus	SuSE Local Security Checks	high
103830	OracleVM 3.4 : xen (OVMSA-2017-0153)	Nessus	OracleVM Local Security Checks	critical
103342	Fedora 25 : xen (2017-ed735463e3)	Nessus	Fedora Local Security Checks	high
103159	openSUSE Security Update : xen (openSUSE-2017-1023)	Nessus	SuSE Local Security Checks	high
103158	openSUSE Security Update : xen (openSUSE-2017-1022)	Nessus	SuSE Local Security Checks	high
103146	Debian DSA-3969-1 : xen - security update	Nessus	Debian Local Security Checks	critical
102953	SUSE SLED12 Security Update : xen (SUSE-SU-2017:2327-1)	Nessus	SuSE Local Security Checks	high
102952	SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2017:2326-1)	Nessus	SuSE Local Security Checks	high
102835	OracleVM 3.4 : xen (OVMSA-2017-0142)	Nessus	OracleVM Local Security Checks	critical
102686	Fedora 26 : xen (2017-f336ba205d)	Nessus	Fedora Local Security Checks	high
102585	Xen Hypervisor Multiple Vulnerabilities (XSA-226 - XSA-230)	Nessus	Misc.	high
102526	Citrix XenServer Multiple Vulnerabilities (CTX225941)	Nessus	Misc.	high

CVE-2017-12136

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins