100826

1039350

http://xenbits.xen.org/xsa/advisory-233.html

[debian-lts-announce] 20181018 [SECURITY] [DLA 1549-1] xen security update

DSA-4050

Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, informations leaks or privilege escalation.

For Debian 8 'Jessie', these problems have been fixed in version 4.4.4lts2-0+deb8u1.

We recommend that you upgrade your xen packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0248 for details.

xen: various flaws (#1490884) Missing NUMA node parameter verification [XSA-231, CVE-2017-14316] Missing check for grant table [XSA-232, CVE-2017-14318] cxenstored: Race in domain cleanup [XSA-233, CVE-2017-14317] insufficient grant unmapping checks for x86 PV guests [XSA-234, CVE-2017-14319]

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, information leaks, privilege escalation or the execution of arbitrary code.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - BUILDINFO: OVMF     commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8

  - BUILDINFO: xen     commit=7590623eeb64d8a8f733c24eb80818f86eb870f0

  - BUILDINFO: QEMU upstream     commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff

  - BUILDINFO: QEMU traditional     commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba

  - BUILDINFO: IPXE     commit=9a93db3f0947484e30e753bbd61a10b17336e20e

  - BUILDINFO: SeaBIOS     commit=7d9cbe613694924921ed1a6f8947d711c5832eee

  - gnttab: also validate PTE permissions upon     destroy/replace (Jan Beulich) [Orabug: 26733715]     (CVE-2017-14319)

  - tools/xenstore: don't unlink connection object twice     (Juergen Gross) [Orabug: 26739949] (CVE-2017-14317)

  - xen/mm: make sure node is less than MAX_NUMNODES (George     Dunlap) [Orabug: 26733665] (CVE-2017-14316)

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0153 for details.

Multiple vulnerabilities have been discovered in the Xen hypervisor :

CVE-2017-10912

Jann Horn discovered that incorrectly handling of page transfers might result in privilege escalation.

CVE-2017-10913 / CVE-2017-10914

Jann Horn discovered that race conditions in grant handling might result in information leaks or privilege escalation.

CVE-2017-10915

Andrew Cooper discovered that incorrect reference counting with shadow paging might result in privilege escalation.

CVE-2017-10918

Julien Grall discovered that incorrect error handling in physical-to-machine memory mappings may result in privilege escalation, denial of service or an information leak.

CVE-2017-10920 / CVE-2017-10921 / CVE-2017-10922

Jan Beulich discovered multiple places where reference counting on grant table operations was incorrect, resulting in potential privilege escalation

CVE-2017-12135

Jan Beulich found multiple problems in the handling of transitive grants which could result in denial of service and potentially privilege escalation.

CVE-2017-12137

Andrew Cooper discovered that incorrect validation of grants may result in privilege escalation.

CVE-2017-12855

Jan Beulich discovered that incorrect grant status handling, thus incorrectly informing the guest that the grant is no longer in use.

CVE-2017-14316

Matthew Daley discovered that the NUMA node parameter wasn't verified which which may result in privilege escalation.

CVE-2017-14317

Eric Chanudet discovered that a race conditions in cxenstored might result in information leaks or privilege escalation.

CVE-2017-14318

Matthew Daley discovered that incorrect validation of grants may result in a denial of service.

CVE-2017-14319

Andrew Cooper discovered that insufficient grant unmapping checks may result in denial of service and privilege escalation.

For Debian 7 'Wheezy', these problems have been fixed in version 4.1.6.lts1-9.

We recommend that you upgrade your xen packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes several issues. These security issues were fixed :

  - CVE-2017-14316: Missing bound check in function     `alloc_heap_pages` for an internal array allowed     attackers using crafted hypercalls to execute arbitrary     code within Xen (XSA-231, bsc#1056278)

  - CVE-2017-14317: A race in cxenstored may have cause a     double-free allowind for DoS of the xenstored daemon     (XSA-233, bsc#1056281).

  - CVE-2017-14319: An error while handling grant mappings     allowed malicious or buggy x86 PV guest to escalate its     privileges or crash the hypervisor (XSA-234,     bsc#1056282).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes several issues. These security issues were fixed :

  - CVE-2017-12135: Unbounded recursion in grant table code     allowed a malicious guest to crash the host or     potentially escalate privileges/leak information     (XSA-226, bsc#1051787).

  - CVE-2017-12137: Incorrectly-aligned updates to     pagetables allowed for privilege escalation (XSA-227,     bsc#1051788).

  - CVE-2017-11334: The address_space_write_continue     function in exec.c allowed local guest OS privileged     users to cause a denial of service (out-of-bounds access     and guest instance crash) by leveraging use of     qemu_map_ram_ptr to access guest ram block area     (bsc#1048920).

  - CVE-2017-11434: The dhcp_decode function in     slirp/bootp.c allowed local guest OS users to cause a     denial of service (out-of-bounds read) via a crafted     DHCP options string (bsc#1049578).

  - CVE-2017-10806: Stack-based buffer overflow in     hw/usb/redirect.c allowed local guest OS users to cause     a denial of service via vectors related to logging debug     messages (bsc#1047675).

  - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which     allowed remote attackers to cause a denial of service     (daemon crash) by disconnecting during a     server-to-client reply attempt (bsc#1046637).

  - CVE-2017-12855: Premature clearing of GTF_writing /     GTF_reading lead to potentially leaking sensitive     information (XSA-230, bsc#1052686).

  - CVE-2017-14316: Missing bound check in function     `alloc_heap_pages` for an internal array allowed     attackers using crafted hypercalls to execute arbitrary     code within Xen (XSA-231, bsc#1056278)

  - CVE-2017-14317: A race in cxenstored may have cause a     double-free allowind for DoS of the xenstored daemon     (XSA-233, bsc#1056281).

  - CVE-2017-14319: An error while handling grant mappings     allowed malicious or buggy x86 PV guest to escalate its     privileges or crash the hypervisor (XSA-234,     bsc#1056282).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes several issues.

These security issues were fixed :

  - CVE-2017-14316: Missing bound check in function     `alloc_heap_pages` for an internal array allowed     attackers using crafted hypercalls to execute arbitrary     code within Xen (XSA-231, bsc#1056278)

  - CVE-2017-14318: The function __gnttab_cache_flush missed     a check for grant tables, allowing a malicious guest to     crash the host or for x86 PV guests to potentially     escalate privileges (XSA-232, bsc#1056280)

  - CVE-2017-14317: A race in cxenstored may have cause a     double-free allowind for DoS of the xenstored daemon     (XSA-233, bsc#1056281).

  - CVE-2017-14319: An error while handling grant mappings     allowed malicious or buggy x86 PV guest to escalate its     privileges or crash the hypervisor (XSA-234,     bsc#1056282).

These non-security issues were fixed :

  - bsc#1055695: Fixed restoring updates for HVM guests for     ballooned domUs

This update was imported from the SUSE:SLE-12-SP2:Update update project.

According to its self-reported version number, the Xen hypervisor installed on the remote host is affected by multiple vulnerabilities :

  - A flaw exists in the alloc_heap_pages() function due to     improper handling when 'node >= MAX_NUMNODES'. A guest     attacker can use crafted hypercalls to execute arbitrary     code on the host system. (CVE-2017-14316)

  - A double-free flaw exists in the domain_cleanup()     function within 'xenstored_domain.c'. A local attacker     can use this flaw to crash the xenstored daemon which     potentially could cause a denial of service.
    (CVE-2017-14317)

  - A null pointer dereference flaw exists in the
    __gnttab_cache_flush() function. An attacker could     potentially leverage this flaw to crash the host system     from a guest system. (CVE-2017-14318)

  - A flaw exists within 'arch/x86/mm.c'. An attacker could     leverage this vulnerability to gain elevated privileges     on the host system from a guest system. (CVE-2017-14319)

Note that Nessus has checked the changeset versions based on the xen.git change log. Nessus did not check guest hardware configurations or if patches were applied manually to the source code before a recompile and reinstall.

This update for xen fixes several issues. These security issues were fixed :

  - CVE-2017-14316: Missing bound check in function     `alloc_heap_pages` for an internal array allowed     attackers using crafted hypercalls to execute arbitrary     code within Xen (XSA-231, bsc#1056278)

  - CVE-2017-14318: The function __gnttab_cache_flush missed     a check for grant tables, allowing a malicious guest to     crash the host or for x86 PV guests to potentially     escalate privileges (XSA-232, bsc#1056280)

  - CVE-2017-14317: A race in cxenstored may have cause a     double-free allowind for DoS of the xenstored daemon     (XSA-233, bsc#1056281).

  - CVE-2017-14319: An error while handling grant mappings     allowed malicious or buggy x86 PV guest to escalate its     privileges or crash the hypervisor (XSA-234,     bsc#1056282).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes several issues.

These security issues were fixed :

  - CVE-2017-14316: Missing bound check in function     `alloc_heap_pages` for an internal array allowed     attackers using crafted hypercalls to execute arbitrary     code within Xen (XSA-231, bsc#1056278)

  - CVE-2017-14318: The function __gnttab_cache_flush missed     a check for grant tables, allowing a malicious guest to     crash the host or for x86 PV guests to potentially     escalate privileges (XSA-232, bsc#1056280)

  - CVE-2017-14317: A race in cxenstored may have cause a     double-free allowind for DoS of the xenstored daemon     (XSA-233, bsc#1056281).

  - CVE-2017-14319: An error while handling grant mappings     allowed malicious or buggy x86 PV guest to escalate its     privileges or crash the hypervisor (XSA-234,     bsc#1056282).

These non-security issues were fixed :

  - bsc#1057358: Fixed boot into SUSE Linux Enterprise 12.3     with secure boot

  - bsc#1055695: Fixed restoring updates for HVM guests for     ballooned domUs

This update was imported from the SUSE:SLE-12-SP3:Update update project.

xen: various flaws (#1490884) Missing NUMA node parameter verification [XSA-231, CVE-2017-14316] Missing check for grant table [XSA-232, CVE-2017-14318] cxenstored: Race in domain cleanup [XSA-233, CVE-2017-14317] insufficient grant unmapping checks for x86 PV guests [XSA-234, CVE-2017-14319]

----

update to xen-4.8.2

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes several issues. These security issues were fixed :

  - CVE-2017-14316: Missing bound check in function     `alloc_heap_pages` for an internal array allowed     attackers using crafted hypercalls to execute arbitrary     code within Xen (XSA-231, bsc#1056278)

  - CVE-2017-14318: The function __gnttab_cache_flush missed     a check for grant tables, allowing a malicious guest to     crash the host or for x86 PV guests to potentially     escalate privileges (XSA-232, bsc#1056280)

  - CVE-2017-14317: A race in cxenstored may have cause a     double-free allowind for DoS of the xenstored daemon     (XSA-233, bsc#1056281).

  - CVE-2017-14319: An error while handling grant mappings     allowed malicious or buggy x86 PV guest to escalate its     privileges or crash the hypervisor (XSA-234,     bsc#1056282).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
118215	Debian DLA-1549-1 : xen security update	Nessus	Debian Local Security Checks	high
111992	OracleVM 3.4 : xen (OVMSA-2018-0248) (Bunker Buster) (Foreshadow) (Meltdown) (POODLE) (Spectre)	Nessus	OracleVM Local Security Checks	critical
105848	Fedora 27 : xen (2017-333ea49a63)	Nessus	Fedora Local Security Checks	high
104819	Debian DSA-4050-1 : xen - security update	Nessus	Debian Local Security Checks	high
104136	OracleVM 3.4 : xen (OVMSA-2017-0157)	Nessus	OracleVM Local Security Checks	high
103830	OracleVM 3.4 : xen (OVMSA-2017-0153)	Nessus	OracleVM Local Security Checks	critical
103791	Debian DLA-1132-1 : xen security update	Nessus	Debian Local Security Checks	critical
103636	SUSE SLES11 Security Update : xen (SUSE-SU-2017:2611-1)	Nessus	SuSE Local Security Checks	high
103619	Fedora 25 : xen (2017-f7fd3fe7eb)	Nessus	Fedora Local Security Checks	high
103412	SUSE SLES12 Security Update : xen (SUSE-SU-2017:2541-1)	Nessus	SuSE Local Security Checks	high
103396	openSUSE Security Update : xen (openSUSE-2017-1080)	Nessus	SuSE Local Security Checks	high
103328	Xen Hypervisor Multiple Vulnerabilities (XSA-231 - XSA-234)	Nessus	Misc.	high
103315	SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2017:2519-1)	Nessus	SuSE Local Security Checks	high
103291	openSUSE Security Update : xen (openSUSE-2017-1071)	Nessus	SuSE Local Security Checks	high
103267	Fedora 26 : xen (2017-e399a9008c)	Nessus	Fedora Local Security Checks	high
103246	SUSE SLES12 Security Update : xen (SUSE-SU-2017:2466-1)	Nessus	SuSE Local Security Checks	high
103216	SUSE SLES11 Security Update : xen (SUSE-SU-2017:2450-1)	Nessus	SuSE Local Security Checks	high
103177	SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2017:2420-1)	Nessus	SuSE Local Security Checks	high

CVE-2017-14317

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins