http://openwall.com/lists/oss-security/2018/05/08/3

104149

[debian-lts-announce] 20180525 [SECURITY] [DLA 1383-1] xen security update

[debian-lts-announce] 20181030 [SECURITY] [DLA 1559-1] xen security update

GLSA-201810-06

DSA-4201

https://xenbits.xen.org/xsa/advisory-262.html

x86: mishandling of debug exceptions [XSA-260, CVE-2018-8897] x86 vHPET interrupt injection errors [XSA-261] (#1576089) qemu may drive Xen into unbounded loop [XSA-262]

----

update to xen-4.10.1

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0272 for details.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0271 for details.

The remote host is affected by the vulnerability described in GLSA-201810-06 (Xen: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Xen. Please review the       referenced CVE identifiers for details.
  Impact :

    A local attacker could cause a Denial of Service condition or disclose       sensitive information.
  Workaround :

    There is no known workaround at this time.

Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, informations leaks or privilege escalation.

For Debian 8 'Jessie', these problems have been fixed in version 4.4.4lts3-0+deb8u1.

We recommend that you upgrade your xen packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes the following issues: These security issue were fixed :

  - CVE-2018-3646: Systems with microprocessors utilizing     speculative execution and address translations may have     allowed unauthorized disclosure of information residing     in the L1 data cache to an attacker with local user     access with guest OS privilege via a terminal page fault     and a side-channel analysis (bsc#1091107, bsc#1027519).

  - CVE-2018-12617: An integer overflow that could cause a     segmentation fault in qmp_guest_file_read() with     g_malloc() in qemu-guest-agent was fixed (bsc#1098744)

  - CVE-2018-3665: System software utilizing Lazy FP state     restore technique on systems using Intel Core-based     microprocessors may potentially allow a local process to     infer data from another process through a speculative     execution side channel. (bsc#1095242)

  - CVE-2018-3639: Systems with microprocessors utilizing     speculative execution and speculative execution of     memory reads before the addresses of all prior memory     writes are known may allow unauthorized disclosure of     information to an attacker with local user access via a     side-channel analysis, aka Speculative Store Bypass     (SSB), Variant 4. (bsc#1092631)

  - CVE-2017-5715: Systems with microprocessors utilizing     speculative execution and indirect branch prediction may     allow unauthorized disclosure of information to an     attacker with local user access via a side-channel     analysis. (bsc#1074562)

  - CVE-2017-5753: Systems with microprocessors utilizing     speculative execution and branch prediction may allow     unauthorized disclosure of information to an attacker     with local user access via a side-channel analysis.
    (bsc#1074562)

  - CVE-2017-5754: Systems with microprocessors utilizing     speculative execution and indirect branch prediction may     allow unauthorized disclosure of information to an     attacker with local user access via a side-channel     analysis of the data cache. (bsc#1074562)

  - CVE-2018-12891: Certain PV MMU operations may take a     long time to process. For that reason Xen explicitly     checks for the need to preempt the current vCPU at     certain points. A few rarely taken code paths did bypass     such checks. By suitably enforcing the conditions     through its own page table contents, a malicious guest     may cause such bypasses to be used for an unbounded     number of iterations. A malicious or buggy PV guest may     cause a Denial of Service (DoS) affecting the entire     host. Specifically, it may prevent use of a physical CPU     for an indeterminate period of time. (bsc#1097521)

  - CVE-2018-12893: One of the fixes in XSA-260 added some     safety checks to help prevent Xen livelocking with debug     exceptions. Unfortunately, due to an oversight, at least     one of these safety checks can be triggered by a guest.
    A malicious PV guest can crash Xen, leading to a Denial     of Service. Only x86 PV guests can exploit the     vulnerability. x86 HVM and PVH guests cannot exploit the     vulnerability. An attacker needs to be able to control     hardware debugging facilities to exploit the     vulnerability, but such permissions are typically     available to unprivileged users. (bsc#1097522)

  - CVE-2018-11806: m_cat in slirp/mbuf.c in Qemu has a     heap-based buffer overflow via incoming fragmented     datagrams. (bsc#1096224)

  - CVE-2018-10982: An issue was discovered in Xen allowed     x86 HVM guest OS users to cause a denial of service     (unexpectedly high interrupt number, array overrun, and     hypervisor crash) or possibly gain hypervisor privileges     by setting up an HPET timer to deliver interrupts in     IO-APIC mode, aka vHPET interrupt injection.
    (bsc#1090822)

  - CVE-2018-10981: An issue was discovered in Xen that     allowed x86 HVM guest OS users to cause a denial of     service (host OS infinite loop) in situations where a     QEMU device model attempts to make invalid transitions     between states of a request. (bsc#1090823) Following     bugs were fixed :

  - After updating to kernel 3.0.101-0.47.106.32-xen system     crashes in check_bugs() (bsc#1097206)

  - bsc#1079730 - in xen-kmp, unplug emulated devices after     migration This is required since xen-4.10 and/or     qemu-2.10 because the state of unplug is not propagated     from one dom0 to another. Without this unplug qemu's     block-backend will be unable to open qcow2 disks on the     receiving dom0

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0248 for details.

This update for xen fixes the following issues :

Security issues fixed :

  - CVE-2018-3639: Spectre V4 &ndash; Speculative Store     Bypass aka 'Memory Disambiguation' (bsc#1092631)

    This feature can be controlled by the 'ssbd=on/off'     commandline flag for the XEN hypervisor.

  - CVE-2018-10982: x86 vHPET interrupt injection errors     (XSA-261 bsc#1090822)

  - CVE-2018-10981: qemu may drive Xen into unbounded loop     (XSA-262 bsc#1090823) 

Other bugfixes :

  - Upstream patches from Jan (bsc#1027519)

  - additional fixes related to Page Table Isolation (XPTI).
    (bsc#1074562 XSA-254)

  - qemu-system-i386 cannot handle more than 4 HW NICs     (bsc#1090296)

This update was imported from the SUSE:SLE-12-SP3:Update update project.

This update for xen fixes the following issues: Security issues fixed :

  - CVE-2018-3639: Spectre V4     &Atilde;&cent;&Acirc;&#128;&Acirc;&#147; Speculative     Store Bypass aka 'Memory Disambiguation' (bsc#1092631)     This feature can be controlled by the 'ssbd=on/off'     commandline flag for the XEN hypervisor.

  - CVE-2018-10982: x86 vHPET interrupt injection errors     (XSA-261 bsc#1090822)

  - CVE-2018-10981: qemu may drive Xen into unbounded loop     (XSA-262 bsc#1090823) Other bugfixes :

  - Upstream patches from Jan (bsc#1027519)

  - additional fixes related to Page Table Isolation (XPTI).
    (bsc#1074562 XSA-254)

  - qemu-system-i386 cannot handle more than 4 HW NICs     (bsc#1090296)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

x86: mishandling of debug exceptions [XSA-260, CVE-2018-8897] x86 vHPET interrupt injection errors [XSA-261, CVE-2018-10982] (#1576089) qemu may drive Xen into unbounded loop [XSA-262, CVE-2018-10981] (#1576680)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, informations leaks or privilege escalation.

For Debian 7 'Wheezy', these problems have been fixed in version 4.1.6.lts1-14.

We recommend that you upgrade your xen packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - BUILDINFO: OVMF     commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8

  - BUILDINFO: xen     commit=5ee0a217664a1fde547afa506e92e4998ed26699

  - BUILDINFO: QEMU upstream     commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff

  - BUILDINFO: QEMU traditional     commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba

  - BUILDINFO: IPXE     commit=9a93db3f0947484e30e753bbd61a10b17336e20e

  - BUILDINFO: SeaBIOS     commit=7d9cbe613694924921ed1a6f8947d711c5832eee

  - Red-tape: Update the repo with CVE XSA-262 (Boris     Ostrovsky) [Orabug: 27948889] (CVE-2018-10981)

  - Red-tape: Update the repo with CVE XSA-261 (Boris     Ostrovsky) [Orabug: 27948864] (CVE-2018-10982)

  - BUILDINFO: OVMF     commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8

  - BUILDINFO: xen     commit=a20dadee84429112c3b5f245180f72d990063d20

  - BUILDINFO: QEMU upstream     commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff

  - BUILDINFO: QEMU traditional     commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba

  - BUILDINFO: IPXE     commit=9a93db3f0947484e30e753bbd61a10b17336e20e

  - BUILDINFO: SeaBIOS     commit=7d9cbe613694924921ed1a6f8947d711c5832eee

  - x86/HVM: guard against emulator driving ioreq state in     weird ways (Jan Beulich) [Orabug: 27948889]

  - x86/vpt: add support for IO-APIC routed interrupts (Xen     Project Security Team) [Orabug: 27948864]

  - BUILDINFO: OVMF     commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8

  - BUILDINFO: xen     commit=c6b30b4f49430b1314928a4d98a5e9e754895e4d

  - BUILDINFO: QEMU upstream     commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff

  - BUILDINFO: QEMU traditional     commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba

  - BUILDINFO: IPXE     commit=9a93db3f0947484e30e753bbd61a10b17336e20e

  - BUILDINFO: SeaBIOS     commit=7d9cbe613694924921ed1a6f8947d711c5832eee

  - vnuma: unset smt even if vnuma is off (Elena Ufimtseva)     [Orabug: 27950640]

  - x86/paging: don't unconditionally BUG on finding     SHARED_M2P_ENTRY (Jan Beulich) [Orabug: 27965254]     (CVE-2017-17565)

  - x86/mm: don't wrongly set page ownership (Jan Beulich)     [Orabug: 27965236] (CVE-2017-17566)

  - misc/xenmicrocode: Upload /lib/firmware/<some blob> to     the hypervisor (Konrad Rzeszutek Wilk) [Orabug:
    27957822]

  - BUILDINFO: OVMF     commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8

  - BUILDINFO: xen     commit=75ac5267506600d4587b80daae6bb694099e2c03

  - BUILDINFO: QEMU upstream     commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff

  - BUILDINFO: QEMU traditional     commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba

  - BUILDINFO: IPXE     commit=9a93db3f0947484e30e753bbd61a10b17336e20e

  - BUILDINFO: SeaBIOS     commit=7d9cbe613694924921ed1a6f8947d711c5832eee

  - x86/traps: Fix handling of #DB exceptions in hypervisor     context (Andrew Cooper) [Orabug: 27963989]     (CVE-2018-8897)

  - x86/traps: Use an Interrupt Stack Table for #DB (Andrew     Cooper) [Orabug: 27963989] (CVE-2018-8897)

  - x86/pv: Move exception injection into     [,compat_]test_all_events (Andrew Cooper) [Orabug:
    27963989] (CVE-2018-8897)

  - x86/traps: Fix %dr6 handing in #DB handler (Andrew     Cooper) [Orabug: 27963989] (CVE-2018-8897)

  - x86/traps: Misc non-functional improvements to     set_debugreg (Andrew Cooper) [Orabug: 27963989]     (CVE-2018-8897)

  - x86/pv: Several bugs in set_debugreg (Ross Philipson)     [Orabug: 27963989] (CVE-2018-8897)

  - x86/pv: The do_get_debugreg CR4.DE condition is     inverted. (Ross Philipson) [Orabug: 27963989]     (CVE-2018-8897)

  - BUILDINFO: OVMF     commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8

  - BUILDINFO: xen     commit=d787e7a9d35cc2880b525f1d7a35f27969590f4c

  - BUILDINFO: QEMU upstream     commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff

  - BUILDINFO: QEMU traditional     commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba

  - BUILDINFO: IPXE     commit=9a93db3f0947484e30e753bbd61a10b17336e20e

  - BUILDINFO: SeaBIOS     commit=7d9cbe613694924921ed1a6f8947d711c5832eee

  - vnuma: don't turn on smt for odd number of vcpus (Elena     Ufimtseva)

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0218 for details.

x86: mishandling of debug exceptions [XSA-260, CVE-2018-8897] x86 vHPET interrupt injection errors [XSA-261] (#1576089) qemu may drive Xen into unbounded loop [XSA-262]

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities have been discovered in the Xen hypervisor :

  - CVE-2018-8897     Andy Lutomirski and Nick Peterson discovered that     incorrect handling of debug exceptions could result in     privilege escalation.

  - CVE-2018-10471     An error was discovered in the mitigations against     Meltdown which could result in denial of service.

  - CVE-2018-10472     Anthony Perard discovered that incorrect parsing of     CDROM images can result in information disclosure.

  - CVE-2018-10981     Jan Beulich discovered that malformed device models     could result in denial of service.

  - CVE-2018-10982     Roger Pau Monne discovered that incorrect handling of     high precision event timers could result in denial of     service and potentially privilege escalation.

ID	Name	Product	Family	Severity
120686	Fedora 28 : xen (2018-a7ac26523d)	Nessus	Fedora Local Security Checks	high
118963	OracleVM 3.2 : xen (OVMSA-2018-0272) (Foreshadow) (Spectre)	Nessus	OracleVM Local Security Checks	high
118962	OracleVM 3.3 : xen (OVMSA-2018-0271) (Foreshadow) (Spectre)	Nessus	OracleVM Local Security Checks	high
118506	GLSA-201810-06 : Xen: Multiple vulnerabilities (Foreshadow) (Meltdown) (Spectre)	Nessus	Gentoo Local Security Checks	high
118503	Debian DLA-1559-1 : xen security update	Nessus	Debian Local Security Checks	high
112147	SUSE SLES11 Security Update : xen (SUSE-SU-2018:2528-1) (Foreshadow) (Meltdown) (Spectre)	Nessus	SuSE Local Security Checks	high
111992	OracleVM 3.4 : xen (OVMSA-2018-0248) (Bunker Buster) (Foreshadow) (Meltdown) (POODLE) (Spectre)	Nessus	OracleVM Local Security Checks	critical
110309	openSUSE Security Update : xen (openSUSE-2018-547) (Spectre)	Nessus	SuSE Local Security Checks	high
110222	SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2018:1456-1) (Spectre)	Nessus	SuSE Local Security Checks	high
110169	Fedora 26 : xen (2018-7cd077ddd3)	Nessus	Fedora Local Security Checks	high
110159	Debian DLA-1383-1 : xen security update	Nessus	Debian Local Security Checks	high
109989	OracleVM 3.4 : xen (OVMSA-2018-0221)	Nessus	OracleVM Local Security Checks	high
109987	OracleVM 3.4 : xen (OVMSA-2018-0218) (Meltdown) (Spectre)	Nessus	OracleVM Local Security Checks	high
109875	Fedora 27 : xen (2018-98684f429b)	Nessus	Fedora Local Security Checks	high
109816	Debian DSA-4201-1 : xen - security update	Nessus	Debian Local Security Checks	high

CVE-2018-10981

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins