Xen Hypervisor Multiple Vulnerabilities (XSA-213 - XSA-215)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote Xen hypervisor installation is missing a security update.

Description :

According to its self-reported version number, the Xen hypervisor
installed on the remote host is affected by multiple vulnerabilities :

- An information disclosure vulnerability exists in the
get_user() function due to permissions for accessing
MMIO ranges being checked only after accessing them. An
attacker on the guest can exploit this to disclose
potentially sensitive information in the host memory.
(VulnDB 156958)

- A privilege escalation vulnerability exists when an IRET
hypercall is placed within a multicall batch due to
improper handling of kernel-mode access to pagetables.
An attacker on the guest can exploit this to access
arbitrary system memory and gain elevated privileges on
the host. (VulnDB 157110)

- A privilege escalation vulnerability exists in the
steal_page() function within file xen/arch/x86/mm.c when
transferring pages from one guest to another PV guest
with a different bitness or an HVM guest. An attacker
with access to multiple guests can exploit this to
access arbitrary system memory and gain elevated
privileges on the host. (VulnDB 157111)

- A flaw exists within arch/x86/x86_64/entry.S when
handling failsafe callbacks due to improper validation
of certain input. An attacker on the guest can exploit
this to corrupt memory, potentially resulting in gaining
elevated privileges. (VulnDB 157112)

Note that Nessus has checked the changeset versions based on the
xen.git change log. Nessus did not check guest hardware configurations
or if patches were applied manually to the source code before a
recompile and reinstall.

See also :

https://xenbits.xen.org/xsa/advisory-213.html
https://xenbits.xen.org/xsa/advisory-214.html
https://xenbits.xen.org/xsa/advisory-215.html
https://xenbits.xen.org/gitweb/?p=xen.git;a=summary

Solution :

Apply the appropriate patch according to the vendor advisory.

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.0
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

Family: Misc.

Nessus Plugin ID: 100124
