Description
There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:
- An issue was discovered in Xen 4.7 through 4.10.x. libxl fails to pass the readonly flag to qemu when
setting up a SCSI disk, due to what was probably an erroneous merge conflict resolution. Malicious guest
administrators or (in some situations) users may be able to write to supposedly read-only disk images.
Only emulated SCSI disks (specified as "sd" in the libxl disk configuration, or an equivalent) are
affected. IDE disks ("hd") are not affected (because attempts to make them readonly are rejected).
Additionally, CDROM devices (that is, devices specified to be presented to the guest as CDROMs, regardless
of the nature of the backing storage on the host) are not affected; they are always read only. Only
systems using qemu-xen (rather than qemu-xen-traditional) as the device model version are vulnerable. Only
systems using libxl or libxl-based toolstacks are vulnerable. (This includes xl, and libvirt with the
libxl driver.) The vulnerability is present in Xen versions 4.7 and later. (In earlier versions, provided
that the patch for XSA-142 has been applied, attempts to create read only disks are rejected.) If the host
and guest together usually support PVHVM, the issue is exploitable only if the malicious guest
administrator has control of the guest kernel or guest kernel command line. (CVE-2018-12892)
- Systems with microprocessors utilizing speculative execution and speculative execution of memory reads
before the addresses of all prior memory writes are known may allow unauthorized disclosure of information
to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB),
Variant 4. (CVE-2018-3639)
- Systems with microprocessors utilizing speculative execution and address translations may allow
unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access
with guest OS privilege via a terminal page fault and a side-channel analysis. (CVE-2018-3646)
- System software utilizing Lazy FP state restore technique on systems using Intel Core-based
microprocessors may potentially allow a local process to infer data from another process through a
speculative execution side channel. (CVE-2018-3665)
- An issue was discovered in Xen through 4.10.x. Certain PV MMU operations may take a long time to process.
For that reason Xen explicitly checks for the need to preempt the current vCPU at certain points. A few
rarely taken code paths bypassed such checks. By suitably enforcing the conditions through its own page
table contents, a malicious guest may cause such bypasses to be used for an unbounded number of
iterations. A malicious or buggy PV guest may cause a Denial of Service (DoS) affecting the entire host.
Specifically, it may prevent use of a physical CPU for an indeterminate period of time. All Xen versions
from 3.4 onwards are vulnerable. Xen versions 3.3 and earlier are vulnerable to an even wider class of
attacks, because they lack preemption checks altogether in the affected code paths. Only x86 systems are
affected. ARM systems are not affected. Only multi-vCPU x86 PV guests can leverage the vulnerability. x86
HVM or PVH guests as well as x86 single-vCPU PV ones cannot leverage the vulnerability. (CVE-2018-12891)
Plugin Details
Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security
Risk Information
CVSS v2 Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS v3 Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C
Vulnerability Information
Exploit Ease: Exploits are available
Vulnerability Publication Date: 5/21/2018
Exploitable With
Core Impact
Reference Information
CVE: CVE-2018-12891, CVE-2018-12892, CVE-2018-12893, CVE-2018-15468, CVE-2018-15469, CVE-2018-15470, CVE-2018-3639, CVE-2018-3646, CVE-2018-3665
BID: 104232, 104460, 104570, 104571, 104572, 105080
IAVA: 2018-A-0169-S, 2018-A-0196-S, 2018-A-0237-S, 2018-A-0253-S
IAVB: 2018-B-0094-S, 2018-B-0111-S