An issue was discovered in Xen 4.5.x through 4.9.x allowing attackers (who control a stub domain kernel or tool stack) to cause a denial of service (host OS crash) because of a missing comparison (of range start to range end) within the DMOP map/unmap implementation.

The remote host is affected by the vulnerability described in GLSA-201801-14 (Xen: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Xen. Please review the       referenced CVE identifiers for details.
  Impact :

    A local attacker could potentially execute arbitrary code with the       privileges of the Xen (QEMU) process on the host, gain privileges on the       host system, or cause a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

xen: various flaws (#1501391) multiple MSI mapping issues on x86 [XSA-237] DMOP map/unmap missing argument checks [XSA-238] hypervisor stack leak in x86 I/O intercept code [XSA-239] Unlimited recursion in linear pagetable de-typing [XSA-240] Stale TLB entry due to page type release race [XSA-241] page type reference leak on x86 [XSA-242] x86:
Incorrect handling of self-linear shadow mappings with translated guests [XSA-243] x86: Incorrect handling of IST settings during CPU hotplug [XSA-244]

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes several issues :

These security issues were fixed :

  - CVE-2017-5526: The ES1370 audio device emulation support     was vulnerable to a memory leakage issue allowing a     privileged user inside the guest to cause a DoS and/or     potentially crash the Qemu process on the host     (bsc#1059777)

  - CVE-2017-15593: Missing cleanup in the page type system     allowed a malicious or buggy PV guest to cause DoS     (XSA-242 bsc#1061084)

  - CVE-2017-15592: A problem in the shadow pagetable code     allowed a malicious or buggy HVM guest to cause DoS or     cause hypervisor memory corruption potentially allowing     the guest to escalate its privilege (XSA-243     bsc#1061086)

  - CVE-2017-15594: Problematic handling of the selector     fields in the Interrupt Descriptor Table (IDT) allowed a     malicious or buggy x86 PV guest to escalate its     privileges or cause DoS (XSA-244 bsc#1061087)

  - CVE-2017-15591: Missing checks in the handling of DMOPs     allowed malicious or buggy stub domain kernels or tool     stacks otherwise living outside of Domain0 to cause a     DoS (XSA-238 bsc#1061077)

  - CVE-2017-15589: Intercepted I/O write operations with     less than a full machine word's worth of data were not     properly handled, which allowed a malicious unprivileged     x86 HVM guest to obtain sensitive information from the     host or other guests (XSA-239 bsc#1061080)

  - CVE-2017-15595: In certain configurations of linear page     tables a stack overflow might have occured that allowed     a malicious or buggy PV guest to cause DoS and     potentially privilege escalation and information leaks     (XSA-240 bsc#1061081)

  - CVE-2017-15588: Under certain conditions x86 PV guests     could have caused the hypervisor to miss a necessary TLB     flush for a page. This allowed a malicious x86 PV guest     to access all of system memory, allowing for privilege     escalation, DoS, and information leaks (XSA-241     bsc#1061082)

  - CVE-2017-15590: Multiple issues existed with the setup     of PCI MSI interrupts that allowed a malicious or buggy     guest to cause DoS and potentially privilege escalation     and information leaks (XSA-237 bsc#1061076)

This non-security issue was fixed :

  - bsc#1057358: Fixed boot when secure boot is enabled

This update was imported from the SUSE:SLE-12-SP2:Update update project.

xen: various flaws (#1501391) multiple MSI mapping issues on x86 [XSA-237] DMOP map/unmap missing argument checks [XSA-238] hypervisor stack leak in x86 I/O intercept code [XSA-239] Unlimited recursion in linear pagetable de-typing [XSA-240] Stale TLB entry due to page type release race [XSA-241] page type reference leak on x86 [XSA-242] x86:
Incorrect handling of self-linear shadow mappings with translated guests [XSA-243] x86: Incorrect handling of IST settings during CPU hotplug [XSA-244]

----

ARM: Some memory not scrubbed at boot [XSA-245] Qemu: vga: reachable assert failure during during display update [CVE-2017-13673] (#1486591) Qemu: vga: OOB read access during display update [CVE-2017-13672] (#1486562)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes several issues: These security issues were fixed :

  - CVE-2017-5526: The ES1370 audio device emulation support     was vulnerable to a memory leakage issue allowing a     privileged user inside the guest to cause a DoS and/or     potentially crash the Qemu process on the host     (bsc#1059777)

  - CVE-2017-15593: Missing cleanup in the page type system     allowed a malicious or buggy PV guest to cause DoS     (XSA-242 bsc#1061084)

  - CVE-2017-15592: A problem in the shadow pagetable code     allowed a malicious or buggy HVM guest to cause DoS or     cause hypervisor memory corruption potentially allowing     the guest to escalate its privilege (XSA-243     bsc#1061086)

  - CVE-2017-15594: Problematic handling of the selector     fields in the Interrupt Descriptor Table (IDT) allowed a     malicious or buggy x86 PV guest to escalate its     privileges or cause DoS (XSA-244 bsc#1061087)

  - CVE-2017-15591: Missing checks in the handling of DMOPs     allowed malicious or buggy stub domain kernels or tool     stacks otherwise living outside of Domain0 to cause a     DoS (XSA-238 bsc#1061077)

  - CVE-2017-15589: Intercepted I/O write operations with     less than a full machine word's worth of data were not     properly handled, which allowed a malicious unprivileged     x86 HVM guest to obtain sensitive information from the     host or other guests (XSA-239 bsc#1061080)

  - CVE-2017-15595: In certain configurations of linear page     tables a stack overflow might have occured that allowed     a malicious or buggy PV guest to cause DoS and     potentially privilege escalation and information leaks     (XSA-240 bsc#1061081)

  - CVE-2017-15588: Under certain conditions x86 PV guests     could have caused the hypervisor to miss a necessary TLB     flush for a page. This allowed a malicious x86 PV guest     to access all of system memory, allowing for privilege     escalation, DoS, and information leaks (XSA-241     bsc#1061082)

  - CVE-2017-15590: Multiple issues existed with the setup     of PCI MSI interrupts that allowed a malicious or buggy     guest to cause DoS and potentially privilege escalation     and information leaks (XSA-237 bsc#1061076)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes several issues: These security issues were fixed :

  - CVE-2017-5526: The ES1370 audio device emulation support     was vulnerable to a memory leakage issue allowing a     privileged user inside the guest to cause a DoS and/or     potentially crash the Qemu process on the host     (bsc#1059777)

  - CVE-2017-15593: Missing cleanup in the page type system     allowed a malicious or buggy PV guest to cause DoS     (XSA-242 bsc#1061084)

  - CVE-2017-15592: A problem in the shadow pagetable code     allowed a malicious or buggy HVM guest to cause DoS or     cause hypervisor memory corruption potentially allowing     the guest to escalate its privilege (XSA-243     bsc#1061086)

  - CVE-2017-15594: Problematic handling of the selector     fields in the Interrupt Descriptor Table (IDT) allowed a     malicious or buggy x86 PV guest to escalate its     privileges or cause DoS (XSA-244 bsc#1061087)

  - CVE-2017-15591: Missing checks in the handling of DMOPs     allowed malicious or buggy stub domain kernels or tool     stacks otherwise living outside of Domain0 to cause a     DoS (XSA-238 bsc#1061077)

  - CVE-2017-15589: Intercepted I/O write operations with     less than a full machine word's worth of data were not     properly handled, which allowed a malicious unprivileged     x86 HVM guest to obtain sensitive information from the     host or other guests (XSA-239 bsc#1061080)

  - CVE-2017-15595: In certain configurations of linear page     tables a stack overflow might have occured that allowed     a malicious or buggy PV guest to cause DoS and     potentially privilege escalation and information leaks     (XSA-240 bsc#1061081)

  - CVE-2017-15588: Under certain conditions x86 PV guests     could have caused the hypervisor to miss a necessary TLB     flush for a page. This allowed a malicious x86 PV guest     to access all of system memory, allowing for privilege     escalation, DoS, and information leaks (XSA-241     bsc#1061082)

  - CVE-2017-15590: Multiple issues existed with the setup     of PCI MSI interrupts that allowed a malicious or buggy     guest to cause DoS and potentially privilege escalation     and information leaks (XSA-237 bsc#1061076)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes several issues :

These security issues were fixed :

  - CVE-2017-5526: The ES1370 audio device emulation support     was vulnerable to a memory leakage issue allowing a     privileged user inside the guest to cause a DoS and/or     potentially crash the Qemu process on the host     (bsc#1059777)

  - CVE-2017-15593: Missing cleanup in the page type system     allowed a malicious or buggy PV guest to cause DoS     (XSA-242 bsc#1061084)

  - CVE-2017-15592: A problem in the shadow pagetable code     allowed a malicious or buggy HVM guest to cause DoS or     cause hypervisor memory corruption potentially allowing     the guest to escalate its privilege (XSA-243     bsc#1061086)

  - CVE-2017-15594: Problematic handling of the selector     fields in the Interrupt Descriptor Table (IDT) allowed a     malicious or buggy x86 PV guest to escalate its     privileges or cause DoS (XSA-244 bsc#1061087)

  - CVE-2017-15591: Missing checks in the handling of DMOPs     allowed malicious or buggy stub domain kernels or tool     stacks otherwise living outside of Domain0 to cause a     DoS (XSA-238 bsc#1061077)

  - CVE-2017-15589: Intercepted I/O write operations with     less than a full machine word's worth of data were not     properly handled, which allowed a malicious unprivileged     x86 HVM guest to obtain sensitive information from the     host or other guests (XSA-239 bsc#1061080)

  - CVE-2017-15595: In certain configurations of linear page     tables a stack overflow might have occured that allowed     a malicious or buggy PV guest to cause DoS and     potentially privilege escalation and information leaks     (XSA-240 bsc#1061081)

  - CVE-2017-15588: Under certain conditions x86 PV guests     could have caused the hypervisor to miss a necessary TLB     flush for a page. This allowed a malicious x86 PV guest     to access all of system memory, allowing for privilege     escalation, DoS, and information leaks (XSA-241     bsc#1061082)

  - CVE-2017-15590: Multiple issues existed with the setup     of PCI MSI interrupts that allowed a malicious or buggy     guest to cause DoS and potentially privilege escalation     and information leaks (XSA-237 bsc#1061076)

  - bsc#1055321: When dealing with the grant map space of     add-to-physmap operations, ARM specific code failed to     release a lock. This allowed a malicious guest     administrator to cause DoS (XSA-235)

This update was imported from the SUSE:SLE-12-SP3:Update update project.

According to its self-reported version number, the Xen hypervisor installed on the remote host is affected by an unspecified flaw that is triggered when, as a new CPU is brought online, it copies certain selector fields from CPU0's Interrupt Descriptor Table (IDT) while CPU0 is in HVM context. This may result in incorrect values being copied, allowing an attacker on the guest to cause a denial of service or gain elevated privileges on the host.

Note that Nessus has checked the changeset versions based on the xen.git change log. Nessus did not check guest hardware configurations or if patches were applied manually to the source code before a recompile and reinstall.

According to its self-reported version number, the Xen hypervisor installed on the remote host is affected by an unspecified flaw in mm/shadow/multi.c that is triggered during the handling of self-linear shadow mappings with translated guests. This may allow an attacker on the guest to cause a denial of service or gain  elevated privileges on the host.

Note that Nessus has checked the changeset versions based on the xen.git change log. Nessus did not check guest hardware configurations or if patches were applied manually to the source code before a recompile and reinstall.

According to its self-reported version number, the Xen hypervisor installed on the remote host is affected by an unspecified flaw in arch/x86/mm.c that is triggered as page type  references are not properly handled when performing certain cleanup operations. This allows an attacker on the guest to consume excessive memory, resulting in a denial of service for the host.

Note that Nessus has checked the changeset versions based on the xen.git change log. Nessus did not check guest hardware configurations or if patches were applied manually to the source code before a recompile and reinstall.

According to its self-reported version number, the Xen hypervisor installed on the remote host is affected by a race condition that is triggered when handling TLB flush requests. This allows an attacker on the guest to access all system memory,  allowing them to cause a denial of service, disclose sensitive information, or gain elevated privileges on the host.

Note that Nessus has checked the changeset versions based on the xen.git change log. Nessus did not check guest hardware configurations or if patches were applied manually to the source code before a recompile and reinstall.

According to its self-reported version number, the Xen hypervisor installed on the remote host is affected by a stack overflow vulnerability that is triggered when recursion is not properly handled when de-typing linear pagetables. By stacking multiple layers of page tables, an attacker within a guest can cause a stack overflow, resulting in the Xen process to crash.

Note that Nessus has checked the changeset versions based on the xen.git change log. Nessus did not check guest hardware configurations or if patches were applied manually to the source code before a recompile and reinstall.

According to its self-reported version number, the Xen hypervisor installed on the remote host is affected by an unspecified flaw in the hvmemul_do_io() function in arch/x86/hvm/emulate.c that is triggered as an internal structure may contain data from an uninitialized hypervisor stack slot. This may allow an attacker on the guest to gain access to potentially sensitive information from the host.

Note that Nessus has checked the changeset versions based on the xen.git change log. Nessus did not check guest hardware configurations or if patches were applied manually to the source code before a recompile and reinstall.

According to its self-reported version number, the Xen hypervisor installed on the remote host is affected by unspecified flaws in arch/x86/hvm/ioreq.c that is triggered when handling DMOPs. This may allow an attacker within a  guest to consume excessive resources.

Note this can only be exploited by domains controlling HVM guests.

Note that Nessus has checked the changeset versions based on the xen.git change log. Nessus did not check guest hardware configurations or if patches were applied manually to the source code before a recompile and reinstall.

According to its self-reported version number, the Xen hypervisor installed on the remote host is affected by multiple vulnerabilities related to the setup of PCI MSI interrupts, which may allow an attacker on the guest to cause a denial of service on the host, potentially disclose sensitive information from the host, or potentially gain elevated privileges on the host.

Note that Nessus has checked the changeset versions based on the xen.git change log. Nessus did not check guest hardware configurations or if patches were applied manually to the source code before a recompile and reinstall.

ID	Name	Product	Family	Severity
106038	GLSA-201801-14 : Xen: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
105971	Fedora 27 : xen (2017-c432db2971)	Nessus	Fedora Local Security Checks	high
104349	openSUSE Security Update : xen (openSUSE-2017-1239)	Nessus	SuSE Local Security Checks	high
104347	Fedora 25 : xen (2017-d4709b0d8b)	Nessus	Fedora Local Security Checks	high
104310	Fedora 26 : xen (2017-5bcddc1984)	Nessus	Fedora Local Security Checks	high
104255	SUSE SLES12 Security Update : xen (SUSE-SU-2017:2873-1)	Nessus	SuSE Local Security Checks	high
104252	SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2017:2864-1)	Nessus	SuSE Local Security Checks	high
104085	openSUSE Security Update : xen (openSUSE-2017-1181)	Nessus	SuSE Local Security Checks	high
103979	Xen Hypervisor New CPU Interrupt Descriptor Table (IDT) Copy Handling Guest-to-Host Privilege Escalation (XSA-244)	Nessus	Misc.	high
103978	Xen Hypervisor Translated Guest Self-linear Shadow Mapping Handling Guest-to-Host Privilege Escalation (XSA-243)	Nessus	Misc.	high
103977	Xen Hypervisor Page Type Reference Handling Memory Exhaustion Guest-to-Host DoS (XSA-242)	Nessus	Misc.	high
103976	Xen Hypervisor TLB Flush Request Handling Race Condition System Memory Access Guest-to-Host Privilege Escalation (XSA-241)	Nessus	Misc.	high
103975	Xen Hypervisor Pagetable De-typing Recursion Handling Guest-to-Host DoS (XSA-240)	Nessus	Misc.	high
103974	Xen Hypervisor I/O Intercept Code Hypervisor Stack Guest-to-Host Information Disclosure (XSA-239)	Nessus	Misc.	high
103973	Xen Hypervisor Multiple Functions DMOP Handling Guest-to-Host DoS (XSA-238)	Nessus	Misc.	high
103972	Xen Hypervisor PCI MSI Interrupt Setup Multiple Guest-to-Host Privilege Escalation (XSA-237)	Nessus	Misc.	high

Detections

Analytics

CVE-2017-15591

medium

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high