[oss-security] 20180627 Xen Security Advisory 265 (CVE-2018-12893) - x86: #DB exception safety check can be triggered by a guest

104572

1041202

http://xenbits.xen.org/xsa/advisory-265.html

https://bugzilla.redhat.com/show_bug.cgi?id=1590979

[debian-lts-announce] 20181112 [SECURITY] [DLA 1577-1] xen security update

GLSA-201810-06

https://support.citrix.com/article/CTX235748

DSA-4236

preemption checks bypassed in x86 PV MM handling [XSA-264, CVE-2018-12891] (#1595959) x86: #DB exception safety check can be triggered by a guest [XSA-265, CVE-2018-12893] (#1595958) libxl fails to honour readonly flag on HVM emulated SCSI disks [XSA-266, CVE-2018-12892] (#1595957)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes the following issues: Security issues fixed :

  - CVE-2018-3665: Fix Lazy FP Save/Restore issue (XSA-267)     (bsc#1095242).

  - CVE-2018-12891: Fix possible Denial of Service (DoS) via     certain PV MMU operations that affect the entire host     (XSA-264) (bsc#1097521).

  - CVE-2018-12892: Fix libxl to honour the readonly flag on     HVM emulated SCSI disks (XSA-266) (bsc#1097523).

  - CVE-2018-12893: Fix crash/Denial of Service (DoS) via     safety check (XSA-265) (bsc#1097522). Bug fixes :

  - bsc#1027519: Add upstream patches from January.

  - bsc#1098403: Fix regression introduced by changes for     bsc#1079730. A PV domU without qcow2 and/or vfb has no     qemu attached. Ignore QMP errors for PV domUs to handle     PV domUs with and without an attached qemu-xen.

  - bsc#1087289: Fix xen scheduler crash.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, informations leaks or privilege escalation.

For Debian 8 'Jessie', these problems have been fixed in version 4.4.4lts4-0+deb8u1.

We recommend that you upgrade your xen packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201810-06 (Xen: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Xen. Please review the       referenced CVE identifiers for details.
  Impact :

    A local attacker could cause a Denial of Service condition or disclose       sensitive information.
  Workaround :

    There is no known workaround at this time.

This update for xen fixes the following issues :

Security issues fixed :

CVE-2018-12891: Fix preemption checks bypass in x86 PV MM handling (XSA-264) (bsc#1097521).

CVE-2018-12892: Fix libxl failure to honour readonly flag on HVM emulated SCSI disks (XSA-266) (bsc#1097523).

CVE-2018-12893: Fix #DB exception safety check that could be triggered by a guest (XSA-265) (bsc#1097522).

CVE-2018-11806: Fix heap buffer overflow while reassembling fragmented datagrams (bsc#1096224).

CVE-2018-3665: Fix lazy FP Save/Restore (XSA-267) (bsc#1095242).

Bug fixes: bsc#1027519: Update to Xen 4.7.6 bug fix only release.

bsc#1087289: Xen BUG at sched_credit.c:1663.

bsc#1094725: `virsh blockresize` does not work with Xen qdisks.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes the following issues: These security issue were fixed :

  - CVE-2018-3646: Systems with microprocessors utilizing     speculative execution and address translations may have     allowed unauthorized disclosure of information residing     in the L1 data cache to an attacker with local user     access with guest OS privilege via a terminal page fault     and a side-channel analysis (bsc#1091107, bsc#1027519).

  - CVE-2018-12617: An integer overflow that could cause a     segmentation fault in qmp_guest_file_read() with     g_malloc() in qemu-guest-agent was fixed (bsc#1098744)

  - CVE-2018-3665: System software utilizing Lazy FP state     restore technique on systems using Intel Core-based     microprocessors may potentially allow a local process to     infer data from another process through a speculative     execution side channel. (bsc#1095242)

  - CVE-2018-3639: Systems with microprocessors utilizing     speculative execution and speculative execution of     memory reads before the addresses of all prior memory     writes are known may allow unauthorized disclosure of     information to an attacker with local user access via a     side-channel analysis, aka Speculative Store Bypass     (SSB), Variant 4. (bsc#1092631)

  - CVE-2017-5715: Systems with microprocessors utilizing     speculative execution and indirect branch prediction may     allow unauthorized disclosure of information to an     attacker with local user access via a side-channel     analysis. (bsc#1074562)

  - CVE-2017-5753: Systems with microprocessors utilizing     speculative execution and branch prediction may allow     unauthorized disclosure of information to an attacker     with local user access via a side-channel analysis.
    (bsc#1074562)

  - CVE-2017-5754: Systems with microprocessors utilizing     speculative execution and indirect branch prediction may     allow unauthorized disclosure of information to an     attacker with local user access via a side-channel     analysis of the data cache. (bsc#1074562)

  - CVE-2018-12891: Certain PV MMU operations may take a     long time to process. For that reason Xen explicitly     checks for the need to preempt the current vCPU at     certain points. A few rarely taken code paths did bypass     such checks. By suitably enforcing the conditions     through its own page table contents, a malicious guest     may cause such bypasses to be used for an unbounded     number of iterations. A malicious or buggy PV guest may     cause a Denial of Service (DoS) affecting the entire     host. Specifically, it may prevent use of a physical CPU     for an indeterminate period of time. (bsc#1097521)

  - CVE-2018-12893: One of the fixes in XSA-260 added some     safety checks to help prevent Xen livelocking with debug     exceptions. Unfortunately, due to an oversight, at least     one of these safety checks can be triggered by a guest.
    A malicious PV guest can crash Xen, leading to a Denial     of Service. Only x86 PV guests can exploit the     vulnerability. x86 HVM and PVH guests cannot exploit the     vulnerability. An attacker needs to be able to control     hardware debugging facilities to exploit the     vulnerability, but such permissions are typically     available to unprivileged users. (bsc#1097522)

  - CVE-2018-11806: m_cat in slirp/mbuf.c in Qemu has a     heap-based buffer overflow via incoming fragmented     datagrams. (bsc#1096224)

  - CVE-2018-10982: An issue was discovered in Xen allowed     x86 HVM guest OS users to cause a denial of service     (unexpectedly high interrupt number, array overrun, and     hypervisor crash) or possibly gain hypervisor privileges     by setting up an HPET timer to deliver interrupts in     IO-APIC mode, aka vHPET interrupt injection.
    (bsc#1090822)

  - CVE-2018-10981: An issue was discovered in Xen that     allowed x86 HVM guest OS users to cause a denial of     service (host OS infinite loop) in situations where a     QEMU device model attempts to make invalid transitions     between states of a request. (bsc#1090823) Following     bugs were fixed :

  - After updating to kernel 3.0.101-0.47.106.32-xen system     crashes in check_bugs() (bsc#1097206)

  - bsc#1079730 - in xen-kmp, unplug emulated devices after     migration This is required since xen-4.10 and/or     qemu-2.10 because the state of unplug is not propagated     from one dom0 to another. Without this unplug qemu's     block-backend will be unable to open qcow2 disks on the     receiving dom0

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes the following issues :

Security issues fixed :

  - CVE-2018-3665: Fix Lazy FP Save/Restore issue (XSA-267)     (bsc#1095242).

  - CVE-2018-12891: Fix possible Denial of Service (DoS) via     certain PV MMU operations that affect the entire host     (XSA-264) (bsc#1097521).

  - CVE-2018-12892: Fix libxl to honour the readonly flag on     HVM emulated SCSI disks (XSA-266) (bsc#1097523).

  - CVE-2018-12893: Fix crash/Denial of Service (DoS) via     safety check (XSA-265) (bsc#1097522).

  - CVE-2018-11806: Fix heap buffer overflow while     reassembling fragmented datagrams (bsc#1096224).

Bug fixes :

  - bsc#1027519: Add upstream patches from January.

  - bsc#1087289: Fix xen scheduler crash.

This update was imported from the SUSE:SLE-12-SP3:Update update project.

This update for xen fixes the following issues: Security issues fixed :

  - CVE-2018-12891: Fix preemption checks bypass in x86 PV     MM handling (XSA-264) (bsc#1097521).

  - CVE-2018-12892: Fix libxl failure to honour readonly     flag on HVM emulated SCSI disks (XSA-266) (bsc#1097523).

  - CVE-2018-12893: Fix #DB exception safety check that     could be triggered by a guest (XSA-265) (bsc#1097522).

  - CVE-2018-11806: Fix heap buffer overflow while     reassembling fragmented datagrams (bsc#1096224).

  - CVE-2018-3665: Fix lazy FP Save/Restore (XSA-267)     (bsc#1095242). Bug fixes :

  - bsc#1027519: Update to Xen 4.7.6 bug fix only release.

  - bsc#1087289: Xen BUG at sched_credit.c:1663.

  - bsc#1094725: `virsh blockresize` does not work with Xen     qdisks.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes the following issues :

Security issues fixed :

  - CVE-2018-3665: Fix Lazy FP Save/Restore issue (XSA-267)     (bsc#1095242).

  - CVE-2018-12891: Fix possible Denial of Service (DoS) via     certain PV MMU operations that affect the entire host     (XSA-264) (bsc#1097521).

  - CVE-2018-12892: Fix libxl to honour the readonly flag on     HVM emulated SCSI disks (XSA-266) (bsc#1097523).

  - CVE-2018-12893: Fix crash/Denial of Service (DoS) via     safety check (XSA-265) (bsc#1097522).

Bug fixes :

  - bsc#1027519: Add upstream patches from January.

  - bsc#1098403: Fix regression introduced by changes for     bsc#1079730. A PV domU without qcow2 and/or vfb has no     qemu attached. Ignore QMP errors for PV domUs to handle     PV domUs with and without an attached qemu-xen.

  - bsc#1087289: Fix xen scheduler crash.

This update was imported from the SUSE:SLE-15:Update update project.

According to its self-reported version number, the Xen hypervisor installed on the remote host is affected by a local denial of service vulnerability.

Note that Nessus has checked the changeset versions based on the xen.git change log. Nessus did not check guest hardware configurations or if patches were applied manually to the source code before a recompile and reinstall.

The version of Citrix XenServer running on the remote host is missing a security hotfix. It is, therefore, affected by multiple vulnerabilities.

This update for xen fixes the following issues: Security issues fixed :

  - CVE-2018-12617: Fix integer overflow that causes     segmentation fault in qmp_guest_file_read() with     g_malloc() (bsc#1098744).

  - CVE-2018-3665: Fix Lazy FP Save/Restore issue (XSA-267)     (bsc#1095242).

  - CVE-2018-11806: Fix heap buffer overflow while     reassembling fragmented datagrams (bsc#1096224).

  - CVE-2018-12891: Fix possible Denial of Service (DoS) via     certain PV MMU operations that affect the entire host     (XSA-264) (bsc#1097521).

  - CVE-2018-12893: Fix crash/Denial of Service (DoS) via     safety check (XSA-265) (bsc#1097522). Bug fixes :

  - bsc#1079730: Fix failed 'write' lock.

  - bsc#1027519: Add upstream patches from January.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes the following issues: Security issues fixed :

  - CVE-2018-3665: Fix Lazy FP Save/Restore issue (XSA-267)     (bsc#1095242).

  - CVE-2018-12891: Fix possible Denial of Service (DoS) via     certain PV MMU operations that affect the entire host     (XSA-264) (bsc#1097521).

  - CVE-2018-12892: Fix libxl to honour the readonly flag on     HVM emulated SCSI disks (XSA-266) (bsc#1097523).

  - CVE-2018-12893: Fix crash/Denial of Service (DoS) via     safety check (XSA-265) (bsc#1097522).

  - CVE-2018-11806: Fix heap buffer overflow while     reassembling fragmented datagrams (bsc#1096224). Bug     fixes :

  - bsc#1027519: Add upstream patches from January.

  - bsc#1087289: Fix xen scheduler crash.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

preemption checks bypassed in x86 PV MM handling [XSA-264, CVE-2018-12891] x86: #DB exception safety check can be triggered by a guest [XSA-265, CVE-2018-12893] libxl fails to honour readonly flag on HVM emulated SCSI disks [XSA-266, CVE-2018-12892]

----

Speculative register leakage from lazy FPU context switching [XSA-267, CVE-2018-3665] fix for change in iasl output

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities have been discovered in the Xen hypervisor :

  - CVE-2018-12891     It was discovered that insufficient validation of PV MMU     operations may result in denial of service.

  - CVE-2018-12892     It was discovered that libxl fails to honour the     'readonly' flag on HVM-emulated SCSI disks.

  - CVE-2018-12893     It was discovered that incorrect implementation of debug     exception checks could result in denial of service.

ID	Name	Product	Family	Severity
120682	Fedora 28 : xen (2018-a7862a75f5)	Nessus	Fedora Local Security Checks	medium
120050	SUSE SLED15 / SLES15 Security Update : xen (SUSE-SU-2018:1981-1)	Nessus	SuSE Local Security Checks	medium
118892	Debian DLA-1577-1 : xen security update	Nessus	Debian Local Security Checks	high
118506	GLSA-201810-06 : Xen: Multiple vulnerabilities (Foreshadow) (Meltdown) (Spectre)	Nessus	Gentoo Local Security Checks	high
118277	SUSE SLES12 Security Update : xen (SUSE-SU-2018:2081-2)	Nessus	SuSE Local Security Checks	high
112147	SUSE SLES11 Security Update : xen (SUSE-SU-2018:2528-1) (Foreshadow) (Meltdown) (Spectre)	Nessus	SuSE Local Security Checks	high
111565	openSUSE Security Update : xen (openSUSE-2018-803)	Nessus	SuSE Local Security Checks	high
111433	SUSE SLES12 Security Update : xen (SUSE-SU-2018:2081-1)	Nessus	SuSE Local Security Checks	high
111418	openSUSE Security Update : xen (openSUSE-2018-766)	Nessus	SuSE Local Security Checks	medium
111380	Xen Project x86 Debug Exception Handling Local DoS (XSA-265)	Nessus	Misc.	low
111378	Citrix XenServer Multiple Vulnerabilities (CTX235748)	Nessus	Misc.	medium
111371	SUSE SLES12 Security Update : xen (SUSE-SU-2018:2069-1)	Nessus	SuSE Local Security Checks	high
111348	SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2018:2059-1)	Nessus	SuSE Local Security Checks	high
111346	SUSE SLES12 Security Update : xen (SUSE-SU-2018:2056-1)	Nessus	SuSE Local Security Checks	high
111261	SUSE SLES11 Security Update : xen (SUSE-SU-2018:2037-1)	Nessus	SuSE Local Security Checks	high
111236	Fedora 27 : xen (2018-1a467757ce)	Nessus	Fedora Local Security Checks	medium
110787	Debian DSA-4236-1 : xen - security update	Nessus	Debian Local Security Checks	medium

CVE-2018-12893

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins