An issue was discovered in Xen 4.8.x through 4.10.x allowing x86 PVH guest OS users to cause a denial of service (NULL pointer dereference and hypervisor crash) by leveraging the mishandling of configurations that lack a Local APIC.

The remote host is affected by the vulnerability described in GLSA-201810-06 (Xen: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Xen. Please review the       referenced CVE identifiers for details.
  Impact :

    A local attacker could cause a Denial of Service condition or disclose       sensitive information.
  Workaround :

    There is no known workaround at this time.

This update for xen to version 4.9.2 fixes several issues.

This feature was added :

  - Added script, udev rule and systemd service to watch for     vcpu online/offline events in a HVM domU. They are     triggered via 'xl vcpu-set domU N'

These security issues were fixed :

  - CVE-2018-8897: Prevent mishandling of debug exceptions     on x86 (XSA-260, bsc#1090820)

  - Handle HPET timers in IO-APIC mode correctly to prevent     malicious or buggy HVM guests from causing a hypervisor     crash or potentially privilege escalation/information     leaks (XSA-261, bsc#1090822)

  - Prevent unbounded loop, induced by qemu allowing an     attacker to permanently keep a physical CPU core busy     (XSA-262, bsc#1090823)

  - CVE-2018-10472: x86 HVM guest OS users (in certain     configurations) were able to read arbitrary dom0 files     via QMP live insertion of a CDROM, in conjunction with     specifying the target file as the backing file of a     snapshot (bsc#1089152).

  - CVE-2018-10471: x86 PV guest OS users were able to cause     a denial of service (out-of-bounds zero write and     hypervisor crash) via unexpected INT 80 processing,     because of an incorrect fix for CVE-2017-5754     (bsc#1089635).

  - CVE-2018-7540: x86 PV guest OS users were able to cause     a denial of service (host OS CPU hang) via     non-preemptable L3/L4 pagetable freeing (bsc#1080635).

  - CVE-2018-7541: Guest OS users were able to cause a     denial of service (hypervisor crash) or gain privileges     by triggering a grant-table transition from v2 to v1     (bsc#1080662).

  - CVE-2018-7542: x86 PVH guest OS users were able to cause     a denial of service (NULL pointer dereference and     hypervisor crash) by leveraging the mishandling of     configurations that lack a Local APIC (bsc#1080634).

These non-security issues were fixed :

  - bsc#1087252: Update built-in defaults for xenstored in     stubdom, keep default to run xenstored as daemon in dom0

  - bsc#1087251: Preserve xen-syms from xen-dbg.gz to allow     processing vmcores with crash(1) 

  - bsc#1072834: Prevent unchecked MSR access error This     update was imported from the SUSE:SLE-12-SP3:Update     update project.

This update for xen to version 4.9.2 fixes several issues. This feature was added :

  - Added script, udev rule and systemd service to watch for     vcpu online/offline events in a HVM domU. They are     triggered via 'xl vcpu-set domU N' These security issues     were fixed :

  - CVE-2018-8897: Prevent mishandling of debug exceptions     on x86 (XSA-260, bsc#1090820)

  - Handle HPET timers in IO-APIC mode correctly to prevent     malicious or buggy HVM guests from causing a hypervisor     crash or potentially privilege escalation/information     leaks (XSA-261, bsc#1090822)

  - Prevent unbounded loop, induced by qemu allowing an     attacker to permanently keep a physical CPU core busy     (XSA-262, bsc#1090823)

  - CVE-2018-10472: x86 HVM guest OS users (in certain     configurations) were able to read arbitrary dom0 files     via QMP live insertion of a CDROM, in conjunction with     specifying the target file as the backing file of a     snapshot (bsc#1089152).

  - CVE-2018-10471: x86 PV guest OS users were able to cause     a denial of service (out-of-bounds zero write and     hypervisor crash) via unexpected INT 80 processing,     because of an incorrect fix for CVE-2017-5754     (bsc#1089635).

  - CVE-2018-7540: x86 PV guest OS users were able to cause     a denial of service (host OS CPU hang) via     non-preemptable L3/L4 pagetable freeing (bsc#1080635).

  - CVE-2018-7541: Guest OS users were able to cause a     denial of service (hypervisor crash) or gain privileges     by triggering a grant-table transition from v2 to v1     (bsc#1080662).

  - CVE-2018-7542: x86 PVH guest OS users were able to cause     a denial of service (NULL pointer dereference and     hypervisor crash) by leveraging the mishandling of     configurations that lack a Local APIC (bsc#1080634).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

update Xen page-table isolation (XPTI) mitigation and add Branch Target Injection (BTI) mitigation for XSA-254 DoS via non-preemptable L3/L4 pagetable freeing [XSA-252] (#1549568) grant table v2 -> v1 transition may crash Xen [XSA-255] (#1549570) x86 PVH guest without LAPIC may DoS the host [XSA-256] (#1549572)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

add Xen page-table isolation (XPTI) mitigation and Branch Target Injection (BTI) mitigation for XSA-254 DoS via non-preemptable L3/L4 pagetable freeing [XSA-252] (#1549568) grant table v2 -> v1 transition may crash Xen [XSA-255] (#1549570) x86 PVH guest without LAPIC may DoS the host [XSA-256] (#1549572)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities have been discovered in the Xen hypervisor :

  - CVE-2018-7540     Jann Horn discovered that missing checks in page table     freeing may result in denial of service.

  - CVE-2018-7541     Jan Beulich discovered that incorrect error handling in     grant table checks may result in guest-to-host denial of     service and potentially privilege escalation.

  - CVE-2018-7542     Ian Jackson discovered that insufficient handling of x86     PVH guests without local APICs may result in     guest-to-host denial of service.

According to its self-reported version number, the Xen hypervisor installed on the remote host is affected by a denial of service vulnerability.

Note that Nessus has checked the changeset versions based on the xen.git change log. Nessus did not check guest hardware configurations or if patches were applied manually to the source code before a recompile and reinstall.

ID	Name	Product	Family	Severity
118506	GLSA-201810-06 : Xen: Multiple vulnerabilities (Foreshadow) (Meltdown) (Spectre)	Nessus	Gentoo Local Security Checks	critical
109751	openSUSE Security Update : xen (openSUSE-2018-454) (Meltdown)	Nessus	SuSE Local Security Checks	high
109677	SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2018:1184-1) (Meltdown)	Nessus	SuSE Local Security Checks	high
108492	Fedora 26 : xen (2018-0746dac335)	Nessus	Fedora Local Security Checks	high
107176	Fedora 27 : xen (2018-c553a586c8)	Nessus	Fedora Local Security Checks	high
107123	Debian DSA-4131-1 : xen - security update	Nessus	Debian Local Security Checks	high
107099	Xen arch_domain_create() Function Local APIC Assumption NULL Pointer Dereference Guest-to-host DoS (XSA-256)	Nessus	Misc.	medium

Detections

Analytics

CVE-2018-7542

medium

Tenable Plugins

critical

high

high

high

high

high

medium