http://openwall.com/lists/oss-security/2017/04/04/3

DSA-3847

97375

1038223

http://xenbits.xen.org/xsa/advisory-212.html

https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-029-2017.txt

https://googleprojectzero.blogspot.com/2017/04/pandavirtualization-exploiting-xen.html

41870

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0248 for details.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0153 for details.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0142 for details.

Jan Beulich and Jann Horn discovered multiple vulnerabilities in the Xen hypervisor, which may lead to privilege escalation, guest-to-host breakout, denial of service or information leaks.

In additional to the CVE identifiers listed above, this update also addresses the vulnerabilities announced as XSA-213, XSA-214 and XSA-215.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0096 for details.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0095 for details.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - BUILDINFO: xen     commit=8ee9cbea8e71c968e602d5b4974601d283d61d28

  - BUILDINFO: QEMU upstream     commit=fcd17fdf18b95a9e408acc84f6d2b37cf3fc0335

  - BUILDINFO: QEMU traditional     commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba

  - BUILDINFO: IPXE     commit=9a93db3f0947484e30e753bbd61a10b17336e20e

  - BUILDINFO: SeaBIOS     commit=7d9cbe613694924921ed1a6f8947d711c5832eee

  - x86: correct create_bounce_frame (Boris Ostrovsky)     [Orabug: 25927745]

  - x86: discard type information when stealing pages (Boris     Ostrovsky) 

  - multicall: deal with early exit conditions (Boris     Ostrovsky) [Orabug: 25927612]

  - BUILDINFO: xen     commit=66e33522666436a4b6c13fbaa77b4942876bb5f7

  - BUILDINFO: QEMU upstream     commit=fcd17fdf18b95a9e408acc84f6d2b37cf3fc0335

  - BUILDINFO: QEMU traditional     commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba

  - BUILDINFO: IPXE     commit=9a93db3f0947484e30e753bbd61a10b17336e20e

  - BUILDINFO: SeaBIOS     commit=7d9cbe613694924921ed1a6f8947d711c5832eee

  - kexec: Add spinlock for the whole hypercall. (Konrad     Rzeszutek Wilk) 

  - kexec: clear kexec_image slot when unloading kexec image     (Bhavesh Davda) [Orabug: 25861731]

  - BUILDINFO: xen     commit=337c8edcc582f8bfb1bcfcb5a475c5fc18ff2def

  - BUILDINFO: QEMU upstream     commit=fcd17fdf18b95a9e408acc84f6d2b37cf3fc0335

  - BUILDINFO: QEMU traditional     commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba

  - BUILDINFO: IPXE     commit=9a93db3f0947484e30e753bbd61a10b17336e20e

  - BUILDINFO: SeaBIOS     commit=7d9cbe613694924921ed1a6f8947d711c5832eee

  - memory: properly check guest memory ranges in     XENMEM_exchange handling (Jan Beulich) [Orabug:
    25760559] (CVE-2017-7228)

  - xenstored: Log when the write transaction rate limit     bites (Ian Jackson) [Orabug: 25745225]

  - xenstored: apply a write transaction rate limit (Ian     Jackson) 

  - BUILDINFO: xen     commit=17b0cd2109c42553e9c8c34d3a2b8252abead104

  - BUILDINFO: QEMU upstream     commit=fcd17fdf18b95a9e408acc84f6d2b37cf3fc0335

  - BUILDINFO: QEMU traditional     commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba

  - BUILDINFO: IPXE     commit=9a93db3f0947484e30e753bbd61a10b17336e20e

  - BUILDINFO: SeaBIOS     commit=7d9cbe613694924921ed1a6f8947d711c5832eee

  - xm: Fix the error message displayed by 'xm create ...'     (Venu Busireddy) [Orabug: 25721696]

  - xm: expand pci hidden devices tools (Venu Busireddy)     [Orabug: 25721624]

  - BUILDINFO: xen     commit=81f33e7316b476c319f42eb56ac58fc450804ded

  - BUILDINFO: QEMU upstream     commit=2e4e0a805aeb448242b43399e0853b851bccde4e

  - BUILDINFO: QEMU traditional     commit=d9ba4c53b14ebf9a0613b5638f90d95489622f0c

  - BUILDINFO: IPXE     commit=9a93db3f0947484e30e753bbd61a10b17336e20e

  - BUILDINFO: SeaBIOS     commit=7d9cbe613694924921ed1a6f8947d711c5832eee

  - xend: fix vif device ID allocation (Zhigang Wang)     [Orabug: 25692157] 

  - BUILDINFO: xen     commit=68930e8bbd9311ebd12fdb251362a2e1f9987fba

  - BUILDINFO: QEMU upstream     commit=f663d3dd4e968756d33e29cb2c2c956cabbdd4ca

  - BUILDINFO: QEMU traditional     commit=d9ba4c53b14ebf9a0613b5638f90d95489622f0c

  - BUILDINFO: IPXE     commit=9a93db3f0947484e30e753bbd61a10b17336e20e

  - BUILDINFO: SeaBIOS     commit=7d9cbe613694924921ed1a6f8947d711c5832eee

  - xend: fix waitForSuspend (Zhigang Wang) [Orabug:
    25638583] [Orabug: 25653480]

  - IOMMU: always call teardown callback (Oleksandr     Tyshchenko) [Orabug: 25485193]

  - BUILDINFO: xen     commit=9f3030e391274b89deb80c86a6343dac473916b3

  - BUILDINFO: QEMU upstream     commit=f663d3dd4e968756d33e29cb2c2c956cabbdd4ca

  - BUILDINFO: QEMU traditional     commit=d9ba4c53b14ebf9a0613b5638f90d95489622f0c

  - BUILDINFO: IPXE     commit=9a93db3f0947484e30e753bbd61a10b17336e20e

  - BUILDINFO: SeaBIOS     commit=7d9cbe613694924921ed1a6f8947d711c5832eee

  - one-off build

CVE-2017-7228 (XSA-212)

An insufficient check on XENMEM_exchange may allow PV guests to access all of system memory.

For Debian 7 'Wheezy', these problems have been fixed in version 4.1.6.lts1-6.

We recommend that you upgrade your xen packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes the following issues: These security issues were fixed :

  - CVE-2017-7228: Broken check in memory_exchange()     permited PV guest breakout (bsc#1030442).

  - XSA-206: Unprivileged guests issuing writes to xenstore     were able to stall progress of the control domain or     driver domain, possibly leading to a Denial of Service     (DoS) of the entire host (bsc#1030144).

  - CVE-2016-9603: A privileged user within the guest VM can     cause a heap overflow in the device model process,     potentially escalating their privileges to that of the     device model process (bsc#1028655).

  - CVE-2017-6414: Memory leak in the vcard_apdu_new     function in card_7816.c in libcacard allowed local guest     OS users to cause a denial of service (host memory     consumption) via vectors related to allocating a new     APDU object (bsc#1027570).

  - CVE-2017-6505: The ohci_service_ed_list function in     hw/usb/hcd-ohci.c allowed local guest OS users to cause     a denial of service (infinite loop) via vectors     involving the number of link endpoint list descriptors     (bsc#1028235).

  - CVE-2017-2633: The VNC display driver support was     vulnerable to an out-of-bounds memory access issue. A     user/process inside guest could use this flaw to cause     DoS (bsc#1026636).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes the following issues: These security issues were fixed :

  - CVE-2017-7228: Broken check in memory_exchange()     permited PV guest breakout (bsc#1030442).

  - XSA-206: Unprivileged guests issuing writes to xenstore     were able to stall progress of the control domain or     driver domain, possibly leading to a Denial of Service     (DoS) of the entire host (bsc#1030144).

  - CVE-2017-6505: The ohci_service_ed_list function in     hw/usb/hcd-ohci.c allowed local guest OS users to cause     a denial of service (infinite loop) via vectors     involving the number of link endpoint list descriptors     (bsc#1028235).

  - CVE-2017-6414: Memory leak in the vcard_apdu_new     function in card_7816.c in libcacard allowed local guest     OS users to cause a denial of service (host memory     consumption) via vectors related to allocating a new     APDU object (bsc#1027570).

  - CVE-2017-2633: The VNC display driver support was     vulnerable to an out-of-bounds memory access issue. A     user/process inside guest could use this flaw to cause     DoS (bsc#1026636).

  - CVE-2016-9603: A privileged user within the guest VM can     cause a heap overflow in the device model process,     potentially escalating their privileges to that of the     device model process (bsc#1028655).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen to version 4.7.2 fixes the following issues :

These security issues were fixed :

  - CVE-2017-7228: Broken check in memory_exchange()     permited PV guest breakout (bsc#1030442).

  - XSA-206: Unprivileged guests issuing writes to xenstore     were able to stall progress of the control domain or     driver domain, possibly leading to a Denial of Service     (DoS) of the entire host (bsc#1030144).

  - CVE-2017-6505: The ohci_service_ed_list function in     hw/usb/hcd-ohci.c allowed local guest OS users to cause     a denial of service (infinite loop) via vectors     involving the number of link endpoint list descriptors     (bsc#1028235).

These non-security issues were fixed :

  - bsc#1015348: libvirtd didn't not start during boot

  - bsc#1014136: kdump couldn't dump a kernel on SLES12-SP2     with Xen hypervisor.

  - bsc#1026236: Fixed paravirtualized performance

  - bsc#1022555: Timeout in 'execution of     /etc/xen/scripts/block add'

  - bsc#1029827: Forward port xenstored

  - bsc#1029128: Make xen to really produce xen.efi with     gcc48

This update was imported from the SUSE:SLE-12-SP2:Update update project.

This update for xen fixes the following security issues :

  - CVE-2017-7228: Broken check in memory_exchange()     permited PV guest breakout (bsc#1030442).

  - CVE-2017-6414: Memory leak in the vcard_apdu_new     function in card_7816.c in libcacard allowed local guest     OS users to cause a denial of service (host memory     consumption) via vectors related to allocating a new     APDU object (bsc#1027570).

  - CVE-2017-6505: The ohci_service_ed_list function in     hw/usb/hcd-ohci.c allowed local guest OS users to cause     a denial of service (infinite loop) via vectors     involving the number of link endpoint list descriptors     (bsc#1028235).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Qemu: 9pfs: host memory leakage via v9fs_create [CVE-2017-7377] (#1437873)

----

add additional patch for [XSA-206] (#1436690)

----

xenstore denial of service via repeated update [XSA-206] (#1436690)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its self-reported version number, the Xen hypervisor installed on the remote host is affected by an out-of-array memory access error in the memory_exchange() function in file common/memory.c due to improper checking of XENMEM_exchange input. An attacker on a 64-bit PV guest VM who has administrative privileges can exploit this issue to access arbitrary system memory locations, which can then be potentially used for further compromising the host.

Note that Nessus has checked the changeset versions based on the xen.git change log. Nessus did not check guest hardware configurations or if patches were applied manually to the source code before a recompile and reinstall.

The version of Citrix XenServer installed on the remote host is missing a security hotfix. It is, therefore, affected by multiple vulnerabilities :

  - A flaw exists when invoking the instruction emulator     that is triggered during the handling of SYSCALL by     single-stepping applications. A local attacker can     exploit this to execute code with elevated privileges     on the guest. (CVE-2016-10013)

  - An out-of-array memory access error exists in the     memory_exchange() function within file common/memory.c     due to improper checking of XENMEM_exchange input. An     attacker on a 64-bit PV guest VM who has administrative     privileges can exploit this issue to access arbitrary     system memory locations, which can then be potentially     used for further compromising the host. (CVE-2017-7228)

  - A memory leak issue exits due to improper cleanup being     performed during guest destruction. An attacker on the     guest can exploit this, by repeatedly rebooting, to     exhaust memory on the host system, resulting in a denial     of service condition.

This update for xen to version 4.7.2 fixes the following issues: These security issues were fixed :

  - CVE-2017-7228: Broken check in memory_exchange()     permited PV guest breakout (bsc#1030442).

  - XSA-206: Unprivileged guests issuing writes to xenstore     were able to stall progress of the control domain or     driver domain, possibly leading to a Denial of Service     (DoS) of the entire host (bsc#1030144).

  - CVE-2017-6505: The ohci_service_ed_list function in     hw/usb/hcd-ohci.c allowed local guest OS users to cause     a denial of service (infinite loop) via vectors     involving the number of link endpoint list descriptors     (bsc#1028235).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Qemu: 9pfs: host memory leakage via v9fs_create [CVE-2017-7377] (#1437873) x86: broken check in memory_exchange() permits PV guest breakout [XSA-212, CVE-2017-7228] (#1438804)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The Xen Project reports :

The XSA-29 fix introduced an insufficient check on XENMEM_exchange input, allowing the caller to drive hypervisor memory accesses outside of the guest provided input/output arrays.

A malicious or buggy 64-bit PV guest may be able to access all of system memory, allowing for all of privilege escalation, host crashes, and information leaks.

ID	Name	Product	Family	Severity
111992	OracleVM 3.4 : xen (OVMSA-2018-0248) (Bunker Buster) (Foreshadow) (Meltdown) (POODLE) (Spectre)	Nessus	OracleVM Local Security Checks	critical
103830	OracleVM 3.4 : xen (OVMSA-2017-0153)	Nessus	OracleVM Local Security Checks	critical
102835	OracleVM 3.4 : xen (OVMSA-2017-0142)	Nessus	OracleVM Local Security Checks	critical
100071	Debian DSA-3847-1 : xen - security update	Nessus	Debian Local Security Checks	high
99977	OracleVM 3.2 : xen (OVMSA-2017-0096)	Nessus	OracleVM Local Security Checks	high
99976	OracleVM 3.3 : xen (OVMSA-2017-0095)	Nessus	OracleVM Local Security Checks	high
99975	OracleVM 3.4 : xen (OVMSA-2017-0094)	Nessus	OracleVM Local Security Checks	high
99601	Debian DLA-907-1 : xen security update	Nessus	Debian Local Security Checks	high
99580	SUSE SLES11 Security Update : xen (SUSE-SU-2017:1081-1)	Nessus	SuSE Local Security Checks	high
99579	SUSE SLES12 Security Update : xen (SUSE-SU-2017:1080-1)	Nessus	SuSE Local Security Checks	high
99559	openSUSE Security Update : xen (openSUSE-2017-492)	Nessus	SuSE Local Security Checks	high
99507	SUSE SLES11 Security Update : xen (SUSE-SU-2017:1058-1)	Nessus	SuSE Local Security Checks	high
99405	Fedora 24 : xen (2017-03dc811be6)	Nessus	Fedora Local Security Checks	high
99399	Xen Hypervisor XENMEM_exchange Memory Disclosure (XSA-212)	Nessus	Misc.	high
99377	Citrix XenServer multiple vulnerabilities (CTX222565)	Nessus	Misc.	high
99302	SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2017:0983-1)	Nessus	SuSE Local Security Checks	high
99256	Fedora 25 : xen (2017-054729ab08)	Nessus	Fedora Local Security Checks	high
99240	FreeBSD : xen-kernel -- broken check in memory_exchange() permits PV guest breakout (90becf7c-1acf-11e7-970f-002590263bf5)	Nessus	FreeBSD Local Security Checks	high

CVE-2017-7228

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins