Description
There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:
- An issue was discovered in Xen 4.7 through 4.10.x. libxl fails to pass the readonly flag to qemu when
setting up a SCSI disk, due to what was probably an erroneous merge conflict resolution. Malicious guest
administrators or (in some situations) users may be able to write to supposedly read-only disk images.
Only emulated SCSI disks (specified as "sd" in the libxl disk configuration, or an equivalent) are
affected. IDE disks ("hd") are not affected (because attempts to make them readonly are rejected).
Additionally, CDROM devices (that is, devices specified to be presented to the guest as CDROMs, regardless
of the nature of the backing storage on the host) are not affected; they are always read only. Only
systems using qemu-xen (rather than qemu-xen-traditional) as the device model version are vulnerable. Only
systems using libxl or libxl-based toolstacks are vulnerable. (This includes xl, and libvirt with the
libxl driver.) The vulnerability is present in Xen versions 4.7 and later. (In earlier versions, provided
that the patch for XSA-142 has been applied, attempts to create read only disks are rejected.) If the host
and guest together usually support PVHVM, the issue is exploitable only if the malicious guest
administrator has control of the guest kernel or guest kernel command line. (CVE-2018-12892)
- Systems with microprocessors utilizing speculative execution and speculative execution of memory reads
before the addresses of all prior memory writes are known may allow unauthorized disclosure of information
to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB),
Variant 4. (CVE-2018-3639)
- System software utilizing Lazy FP state restore technique on systems using Intel Core-based
microprocessors may potentially allow a local process to infer data from another process through a
speculative execution side channel. (CVE-2018-3665)
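As an added illustration of the CVE-2018-12892 conditions in the first item above (this is not code from the advisory, from Tenable, or from the Xen project), the following Python script audits an xl guest configuration and lists the virtual disks that match the vulnerable pattern: a read-only, non-CDROM, emulated SCSI ("sd*") disk on a guest whose device model is qemu-xen. It assumes the disk-spec syntax of xl-disk-configuration(5) (key=value fields, or the positional form, where a deprecated backend prefix such as phy: means the positional fields are target,vdev,access), that an unset device_model_version means qemu-xen, and a constructed sample config.

```python
"""Flag xl guest disks that match the CVE-2018-12892 exposure pattern.

Added example; not part of the advisory or of the Xen tool stack.
"""
import re
from dataclasses import dataclass

# Assumption: these are the deprecated backend prefixes from
# xl-disk-configuration(5); a spec using one has only target,vdev,access
# as positional fields (no separate format field).
DEPRECATED_PREFIXES = ("phy:", "file:", "tap:", "tap2:")
SCSI_VDEV = re.compile(r"^sd[a-z]+\d*$")   # emulated SCSI: "sd" in the advisory


@dataclass
class DiskSpec:
    vdev: str
    readonly: bool
    cdrom: bool
    target: str


def parse_disk_spec(spec: str) -> DiskSpec:
    """Parse one libxl disk spec string into the fields the advisory cares about."""
    kv, positional = {}, []
    for field in (f.strip() for f in spec.split(",")):
        key, sep, value = field.partition("=")
        if sep and key.isidentifier():      # key=value form
            kv[key] = value.strip()
        else:                               # positional form
            positional.append(field)
    if positional and positional[0].startswith(DEPRECATED_PREFIXES):
        names = ("target", "vdev", "access")
    else:
        names = ("target", "format", "vdev", "access")
    for name, value in zip(names, positional):
        if value:
            kv.setdefault(name, value)
    vdev = kv.get("vdev", "")
    cdrom = kv.get("devtype") == "cdrom"
    if vdev.endswith(":cdrom"):             # deprecated "hdc:cdrom" spelling
        vdev, cdrom = vdev[: -len(":cdrom")], True
    readonly = kv.get("access", "rw") in ("ro", "r")
    return DiskSpec(vdev=vdev, readonly=readonly, cdrom=cdrom,
                    target=kv.get("target", ""))


def disk_specs(config_text: str) -> list:
    """Pull the quoted entries out of the config's `disk = [ ... ]` list."""
    m = re.search(r"^\s*disk\s*=\s*\[(.*?)\]", config_text, re.M | re.S)
    return re.findall(r"""['"]([^'"]*)['"]""", m.group(1)) if m else []


def device_model_version(config_text: str) -> str:
    """Read device_model_version from the config; assumption: qemu-xen when unset."""
    m = re.search(r"""^\s*device_model_version\s*=\s*["']([^"']+)["']""",
                  config_text, re.M)
    return m.group(1) if m else "qemu-xen"


def affected_vdevs(config_text: str) -> list:
    """vdevs for which unpatched libxl 4.7-4.10.x would drop the read-only flag."""
    if device_model_version(config_text) != "qemu-xen":
        return []                            # qemu-xen-traditional is not affected
    return [d.vdev for d in map(parse_disk_spec, disk_specs(config_text))
            if d.readonly and not d.cdrom and SCSI_VDEV.match(d.vdev)]


# Constructed sample config (not from any real host): one disk of each kind
# discussed in the advisory.
SAMPLE_CFG = """\
name = "guest1"
type = "hvm"
device_model_version = "qemu-xen"
disk = [
    'format=raw, vdev=sda, access=ro, target=/srv/images/golden.raw',
    'format=raw, vdev=sdb, access=rw, target=/srv/images/scratch.raw',
    'phy:/dev/vg0/guest1-root,hdb,w',
    'format=raw, vdev=hdc, devtype=cdrom, access=ro, target=/srv/iso/install.iso',
    '/srv/images/data.img,raw,xvda,r',
]
"""

if __name__ == "__main__":
    for vdev in affected_vdevs(SAMPLE_CFG):
        print(f"{vdev}: read-only emulated SCSI disk; "
              "read-only flag is not passed to qemu on unpatched libxl")
```

Only sda is reported for the sample: sdb is writable anyway, hdc is presented as a CDROM (always read-only per the advisory), xvda is not an emulated SCSI device, and read-only IDE ("hd*") entries are not flagged because libxl rejects them at guest creation rather than silently dropping the flag. Changing device_model_version to qemu-xen-traditional empties the list, matching the advisory's scope.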
Plugin Details
Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C
Vulnerability Information
Exploit Ease: Exploits are available
Vulnerability Publication Date: 5/21/2018
Exploitable With
Core Impact
Reference Information
CVE: CVE-2018-12891, CVE-2018-12892, CVE-2018-12893, CVE-2018-3639, CVE-2018-3665
BID: 104232, 104460, 104570, 104571, 104572
IAVA: 2018-A-0169-S, 2018-A-0196-S, 2018-A-0237-S
IAVB: 2018-B-0094-S