104002

[debian-lts-announce] 20181030 [SECURITY] [DLA 1559-1] xen security update

GLSA-201810-06

DSA-4201

https://xenbits.xen.org/xsa/advisory-258.html

Information leak via crafted user-supplied CDROM [XSA-258] (#1571867) x86: PV guest may crash Xen with XPTI [XSA-259] (#1571878)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201810-06 (Xen: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Xen. Please review the       referenced CVE identifiers for details.
  Impact :

    A local attacker could cause a Denial of Service condition or disclose       sensitive information.
  Workaround :

    There is no known workaround at this time.

Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, informations leaks or privilege escalation.

For Debian 8 'Jessie', these problems have been fixed in version 4.4.4lts3-0+deb8u1.

We recommend that you upgrade your xen packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes several issues.

These security issues were fixed :

CVE-2018-8897: Prevent mishandling of debug exceptions on x86 (XSA-260, bsc#1090820)

Handle HPET timers in IO-APIC mode correctly to prevent malicious or buggy HVM guests from causing a hypervisor crash or potentially privilege escalation/information leaks (XSA-261, bsc#1090822)

Prevent unbounded loop, induced by qemu allowing an attacker to permanently keep a physical CPU core busy (XSA-262, bsc#1090823)

CVE-2018-10472: x86 HVM guest OS users (in certain configurations) were able to read arbitrary dom0 files via QMP live insertion of a CDROM, in conjunction with specifying the target file as the backing file of a snapshot (bsc#1089152).

CVE-2018-10471: x86 PV guest OS users were able to cause a denial of service (out-of-bounds zero write and hypervisor crash) via unexpected INT 80 processing, because of an incorrect fix for CVE-2017-5754 (bsc#1089635).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities have been discovered in the Xen hypervisor :

  - CVE-2018-8897     Andy Lutomirski and Nick Peterson discovered that     incorrect handling of debug exceptions could result in     privilege escalation.

  - CVE-2018-10471     An error was discovered in the mitigations against     Meltdown which could result in denial of service.

  - CVE-2018-10472     Anthony Perard discovered that incorrect parsing of     CDROM images can result in information disclosure.

  - CVE-2018-10981     Jan Beulich discovered that malformed device models     could result in denial of service.

  - CVE-2018-10982     Roger Pau Monne discovered that incorrect handling of     high precision event timers could result in denial of     service and potentially privilege escalation.

This update for xen fixes several issues. These security issues were fixed :

  - CVE-2018-8897: Prevent mishandling of debug exceptions     on x86 (XSA-260, bsc#1090820)

  - Handle HPET timers in IO-APIC mode correctly to prevent     malicious or buggy HVM guests from causing a hypervisor     crash or potentially privilege escalation/information     leaks (XSA-261, bsc#1090822)

  - Prevent unbounded loop, induced by qemu allowing an     attacker to permanently keep a physical CPU core busy     (XSA-262, bsc#1090823)

  - CVE-2018-10472: x86 HVM guest OS users (in certain     configurations) were able to read arbitrary dom0 files     via QMP live insertion of a CDROM, in conjunction with     specifying the target file as the backing file of a     snapshot (bsc#1089152).

  - CVE-2018-10471: x86 PV guest OS users were able to cause     a denial of service (out-of-bounds zero write and     hypervisor crash) via unexpected INT 80 processing,     because of an incorrect fix for CVE-2017-5754     (bsc#1089635).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen to version 4.9.2 fixes several issues.

This feature was added :

  - Added script, udev rule and systemd service to watch for     vcpu online/offline events in a HVM domU. They are     triggered via 'xl vcpu-set domU N'

These security issues were fixed :

  - CVE-2018-8897: Prevent mishandling of debug exceptions     on x86 (XSA-260, bsc#1090820)

  - Handle HPET timers in IO-APIC mode correctly to prevent     malicious or buggy HVM guests from causing a hypervisor     crash or potentially privilege escalation/information     leaks (XSA-261, bsc#1090822)

  - Prevent unbounded loop, induced by qemu allowing an     attacker to permanently keep a physical CPU core busy     (XSA-262, bsc#1090823)

  - CVE-2018-10472: x86 HVM guest OS users (in certain     configurations) were able to read arbitrary dom0 files     via QMP live insertion of a CDROM, in conjunction with     specifying the target file as the backing file of a     snapshot (bsc#1089152).

  - CVE-2018-10471: x86 PV guest OS users were able to cause     a denial of service (out-of-bounds zero write and     hypervisor crash) via unexpected INT 80 processing,     because of an incorrect fix for CVE-2017-5754     (bsc#1089635).

  - CVE-2018-7540: x86 PV guest OS users were able to cause     a denial of service (host OS CPU hang) via     non-preemptable L3/L4 pagetable freeing (bsc#1080635).

  - CVE-2018-7541: Guest OS users were able to cause a     denial of service (hypervisor crash) or gain privileges     by triggering a grant-table transition from v2 to v1     (bsc#1080662).

  - CVE-2018-7542: x86 PVH guest OS users were able to cause     a denial of service (NULL pointer dereference and     hypervisor crash) by leveraging the mishandling of     configurations that lack a Local APIC (bsc#1080634).

These non-security issues were fixed :

  - bsc#1087252: Update built-in defaults for xenstored in     stubdom, keep default to run xenstored as daemon in dom0

  - bsc#1087251: Preserve xen-syms from xen-dbg.gz to allow     processing vmcores with crash(1) 

  - bsc#1072834: Prevent unchecked MSR access error This     update was imported from the SUSE:SLE-12-SP3:Update     update project.

This update for xen fixes several issues. These security issues were fixed :

  - CVE-2018-8897: Prevent mishandling of debug exceptions     on x86 (XSA-260, bsc#1090820)

  - Handle HPET timers in IO-APIC mode correctly to prevent     malicious or buggy HVM guests from causing a hypervisor     crash or potentially privilege escalation/information     leaks (XSA-261, bsc#1090822)

  - Prevent unbounded loop, induced by qemu allowing an     attacker to permanently keep a physical CPU core busy     (XSA-262, bsc#1090823)

  - CVE-2018-10472: x86 HVM guest OS users (in certain     configurations) were able to read arbitrary dom0 files     via QMP live insertion of a CDROM, in conjunction with     specifying the target file as the backing file of a     snapshot (bsc#1089152).

  - CVE-2018-10471: x86 PV guest OS users were able to cause     a denial of service (out-of-bounds zero write and     hypervisor crash) via unexpected INT 80 processing,     because of an incorrect fix for CVE-2017-5754     (bsc#1089635).

  - CVE-2018-7550: The load_multiboot function allowed local     guest OS users to execute arbitrary code on the host via     a mh_load_end_addr value greater than mh_bss_end_addr,     which triggers an out-of-bounds read or write memory     access (bsc#1083292).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen to version 4.9.2 fixes several issues. This feature was added :

  - Added script, udev rule and systemd service to watch for     vcpu online/offline events in a HVM domU. They are     triggered via 'xl vcpu-set domU N' These security issues     were fixed :

  - CVE-2018-8897: Prevent mishandling of debug exceptions     on x86 (XSA-260, bsc#1090820)

  - Handle HPET timers in IO-APIC mode correctly to prevent     malicious or buggy HVM guests from causing a hypervisor     crash or potentially privilege escalation/information     leaks (XSA-261, bsc#1090822)

  - Prevent unbounded loop, induced by qemu allowing an     attacker to permanently keep a physical CPU core busy     (XSA-262, bsc#1090823)

  - CVE-2018-10472: x86 HVM guest OS users (in certain     configurations) were able to read arbitrary dom0 files     via QMP live insertion of a CDROM, in conjunction with     specifying the target file as the backing file of a     snapshot (bsc#1089152).

  - CVE-2018-10471: x86 PV guest OS users were able to cause     a denial of service (out-of-bounds zero write and     hypervisor crash) via unexpected INT 80 processing,     because of an incorrect fix for CVE-2017-5754     (bsc#1089635).

  - CVE-2018-7540: x86 PV guest OS users were able to cause     a denial of service (host OS CPU hang) via     non-preemptable L3/L4 pagetable freeing (bsc#1080635).

  - CVE-2018-7541: Guest OS users were able to cause a     denial of service (hypervisor crash) or gain privileges     by triggering a grant-table transition from v2 to v1     (bsc#1080662).

  - CVE-2018-7542: x86 PVH guest OS users were able to cause     a denial of service (NULL pointer dereference and     hypervisor crash) by leveraging the mishandling of     configurations that lack a Local APIC (bsc#1080634).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes several issues. These security issues were fixed :

  - CVE-2018-8897: Prevent mishandling of debug exceptions     on x86 (XSA-260, bsc#1090820)

  - Handle HPET timers in IO-APIC mode correctly to prevent     malicious or buggy HVM guests from causing a hypervisor     crash or potentially privilege escalation/information     leaks (XSA-261, bsc#1090822)

  - Prevent unbounded loop, induced by qemu allowing an     attacker to permanently keep a physical CPU core busy     (XSA-262, bsc#1090823)

  - CVE-2018-10472: x86 HVM guest OS users (in certain     configurations) were able to read arbitrary dom0 files     via QMP live insertion of a CDROM, in conjunction with     specifying the target file as the backing file of a     snapshot (bsc#1089152).

  - CVE-2018-10471: x86 PV guest OS users were able to cause     a denial of service (out-of-bounds zero write and     hypervisor crash) via unexpected INT 80 processing,     because of an incorrect fix for CVE-2017-5754     (bsc#1089635).

  - CVE-2018-7550: The load_multiboot function allowed local     guest OS users to execute arbitrary code on the host via     a mh_load_end_addr value greater than mh_bss_end_addr,     which triggers an out-of-bounds read or write memory     access (bsc#1083292).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its self-reported version number, the Xen hypervisor installed on the remote host is affected by a local file disclosure vulnerability.

Note that Nessus has checked the changeset versions based on the xen.git change log. Nessus did not check guest hardware configurations or if patches were applied manually to the source code before a recompile and reinstall.

ID	Name	Product	Family	Severity
120843	Fedora 28 : xen (2018-dbebca30d0)	Nessus	Fedora Local Security Checks	low
118506	GLSA-201810-06 : Xen: Multiple vulnerabilities (Foreshadow) (Meltdown) (Spectre)	Nessus	Gentoo Local Security Checks	high
118503	Debian DLA-1559-1 : xen security update	Nessus	Debian Local Security Checks	high
118304	SUSE SLES12 Security Update : xen (SUSE-SU-2018:3230-1) (Meltdown)	Nessus	SuSE Local Security Checks	high
109816	Debian DSA-4201-1 : xen - security update	Nessus	Debian Local Security Checks	high
109756	SUSE SLES12 Security Update : xen (SUSE-SU-2018:1216-1) (Meltdown)	Nessus	SuSE Local Security Checks	high
109751	openSUSE Security Update : xen (openSUSE-2018-454) (Meltdown)	Nessus	SuSE Local Security Checks	high
109746	Fedora 26 : xen (2018-eb69078020)	Nessus	Fedora Local Security Checks	medium
109722	SUSE SLES11 Security Update : xen (SUSE-SU-2018:1203-1) (Meltdown)	Nessus	SuSE Local Security Checks	high
109721	SUSE SLES12 Security Update : xen (SUSE-SU-2018:1202-1) (Meltdown)	Nessus	SuSE Local Security Checks	high
109677	SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2018:1184-1) (Meltdown)	Nessus	SuSE Local Security Checks	high
109676	SUSE SLES11 Security Update : xen (SUSE-SU-2018:1181-1) (Meltdown)	Nessus	SuSE Local Security Checks	high
109672	SUSE SLES12 Security Update : xen (SUSE-SU-2018:1177-1) (Meltdown)	Nessus	SuSE Local Security Checks	high
109573	Xen CDROM Image Handling Local File Disclosure Vulnerability (XSA-258)	Nessus	Misc.	low
109519	Fedora 27 : xen (2018-604574c943)	Nessus	Fedora Local Security Checks	medium

CVE-2018-10472

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins