Alpine: xen: security update to 4.6.6-r5

high Tenable Cloud Security Plugin ID 407870

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's
Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in
unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for
example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel
crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and
single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A;
section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS
instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF)
system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS
instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating
system at CPL < 3, the debug exception is delivered after the transfer to CPL < 3 is complete. OS kernels
may not expect this order of events and may therefore experience unexpected behavior when it occurs.
(CVE-2018-8897)

- An issue was discovered in Xen through 4.10.x allowing x86 PV guest OS users to cause a denial of service
(out-of-bounds zero write and hypervisor crash) via unexpected INT 80 processing, because of an incorrect
fix for CVE-2017-5754. (CVE-2018-10471)

- An issue was discovered in Xen through 4.10.x allowing x86 HVM guest OS users (in certain configurations)
to read arbitrary dom0 files via QMP live insertion of a CDROM, in conjunction with specifying the target
file as the backing file of a snapshot. (CVE-2018-10472)

- An issue was discovered in Xen through 4.10.x allowing x86 HVM guest OS users to cause a denial of service
(host OS infinite loop) in situations where a QEMU device model attempts to make invalid transitions
between states of a request. (CVE-2018-10981)

- An issue was discovered in Xen through 4.10.x allowing x86 HVM guest OS users to cause a denial of service
(unexpectedly high interrupt number, array overrun, and hypervisor crash) or possibly gain hypervisor
privileges by setting up an HPET timer to deliver interrupts in IO-APIC mode, aka vHPET interrupt
injection. (CVE-2018-10982)

Plugin Details

Severity: High

ID: 407870

Version: Revision 1.36

Type: Local

Family: Alpine Linux Local Security Checks

Published: 10/31/2023

Updated: 4/20/2026

Supported Sensors: Agentless Assessment

Risk Information

VPR

Risk Factor: Critical

Score: 9.4

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 6.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2018-8897

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 8.4

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

CVSS Score Source: CVE-2018-10982

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 4/18/2018

Exploitable With

Metasploit (Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability)

Reference Information

CVE: CVE-2018-10471, CVE-2018-10472, CVE-2018-10981, CVE-2018-10982, CVE-2018-8897

BID: 104071, 104149, 104150, 104003, 104002

IAVA: 2018-A-0144-S

IAVB: 2018-B-0057-S, 2018-B-0061-S

Detections

Analytics