OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0223) (Spectre)

high Nessus Plugin ID 110072

Synopsis

The remote OracleVM host is missing one or more security updates.

Description

The remote OracleVM system is missing necessary patches to address critical security updates:

- KVM: SVM: Move spec control call after restore of GS (Thomas Gleixner) (CVE-2018-3639)

- x86/bugs: Fix the parameters alignment and missing void (Konrad Rzeszutek Wilk) (CVE-2018-3639)

- x86/bugs: Make cpu_show_common static (Jiri Kosina) (CVE-2018-3639)

- x86/bugs: Fix __ssb_select_mitigation return type (Jiri Kosina) (CVE-2018-3639)

- Documentation/spec_ctrl: Do some minor cleanups (Borislav Petkov) (CVE-2018-3639)

- proc: Use underscores for SSBD in 'status' (Konrad Rzeszutek Wilk) (CVE-2018-3639)

- x86/bugs: Rename _RDS to _SSBD (Konrad Rzeszutek Wilk) (CVE-2018-3639)

- x86/speculation: Make 'seccomp' the default mode for Speculative Store Bypass (Kees Cook) (CVE-2018-3639)

- seccomp: Move speculation mitigation control to arch code (Thomas Gleixner) (CVE-2018-3639)

- seccomp: Add filter flag to opt-out of SSB mitigation (Kees Cook) (CVE-2018-3639)

- seccomp: Use PR_SPEC_FORCE_DISABLE (Thomas Gleixner) (CVE-2018-3639)

- prctl: Add force disable speculation (Konrad Rzeszutek Wilk) (CVE-2018-3639)

- seccomp: Enable speculation flaw mitigations (Kees Cook) (CVE-2018-3639)

- proc: Provide details on speculation flaw mitigations (Kees Cook) (CVE-2018-3639)

- nospec: Allow getting/setting on non-current task (Kees Cook) (CVE-2018-3639)

- x86/bugs/IBRS: Disable SSB (RDS) if IBRS is selected for spectre_v2. (Konrad Rzeszutek Wilk) (CVE-2018-3639)

- x86/speculation: Add prctl for Speculative Store Bypass mitigation (Thomas Gleixner) (CVE-2018-3639)

- x86: thread_info.h: move RDS from index 5 to 23 (Mihai Carabas) (CVE-2018-3639)

- x86/process: Allow runtime control of Speculative Store Bypass (Thomas Gleixner) (CVE-2018-3639)

- prctl: Add speculation control prctls (Thomas Gleixner) (CVE-2018-3639)

- x86/speculation: Create spec-ctrl.h to avoid include hell (Thomas Gleixner) (CVE-2018-3639)

- x86/KVM/VMX: Expose SPEC_CTRL Bit(2) to the guest (Konrad Rzeszutek Wilk) (CVE-2018-3639)

- x86/bugs/AMD: Add support to disable RDS on Fam[15,16,17]h if requested (Konrad Rzeszutek Wilk) (CVE-2018-3639)

- x86/bugs: Whitelist allowed SPEC_CTRL MSR values (Konrad Rzeszutek Wilk) (CVE-2018-3639)

- x86/bugs/intel: Set proper CPU features and setup RDS (Konrad Rzeszutek Wilk) (CVE-2018-3639)

- x86/bugs: Provide boot parameters for the spec_store_bypass_disable mitigation (Konrad Rzeszutek Wilk) (CVE-2018-3639)

- x86/cpufeatures: Add X86_FEATURE_RDS (Konrad Rzeszutek Wilk) (CVE-2018-3639)

- x86/bugs: Expose /sys/../spec_store_bypass (Konrad Rzeszutek Wilk) (CVE-2018-3639)

- x86/cpu/intel: Add Knights Mill to Intel family (Piotr Luc) (CVE-2018-3639)

- x86/cpu: Rename Merrifield2 to Moorefield (Andy Shevchenko) (CVE-2018-3639)

- x86/bugs, KVM: Support the combination of guest and host IBRS (Konrad Rzeszutek Wilk) (CVE-2018-3639)

- x86/bugs/IBRS: Warn if IBRS is enabled during boot. (Konrad Rzeszutek Wilk) (CVE-2018-3639)

- x86/bugs/IBRS: Use variable instead of defines for enabling IBRS (Konrad Rzeszutek Wilk) (CVE-2018-3639)

- x86/bugs: Read SPEC_CTRL MSR during boot and re-use reserved bits (Konrad Rzeszutek Wilk) (CVE-2018-3639)

- x86/bugs: Concentrate bug reporting into a separate function (Konrad Rzeszutek Wilk) (CVE-2018-3639)

- x86/bugs: Concentrate bug detection into a separate function (Konrad Rzeszutek Wilk) (CVE-2018-3639)

- x86/bugs/IBRS: Turn on IBRS in spectre_v2_select_mitigation (Konrad Rzeszutek Wilk) (CVE-2018-3639)

- x86/msr: Add SPEC_CTRL_IBRS.. (Konrad Rzeszutek Wilk) (CVE-2018-3639)

- scsi: libfc: Revisit kref handling (Hannes Reinecke)

- scsi: libfc: reset exchange manager during LOGO handling (Hannes Reinecke)

- scsi: libfc: send LOGO for PLOGI failure (Hannes Reinecke)

- scsi: libfc: Issue PRLI after a PRLO has been received (Hannes Reinecke)

- libfc: Update rport reference counting (Hannes Reinecke)

- amd/kvm: do not intercept new MSRs for spectre v2 mitigation (Elena Ufimtseva)

- RDS: null pointer dereference in rds_atomic_free_op (Mohamed Ghannam) [Orabug: 27422832] (CVE-2018-5333)

- ACPI: sbshc: remove raw pointer from printk message (Greg Kroah-Hartman) [Orabug: 27501257] (CVE-2018-5750)

- futex: Prevent overflow by strengthen input validation (Li Jinyue) [Orabug: 27539548] (CVE-2018-6927)

- net: ipv4: add support for ECMP hash policy choice (Venkat Venkatsubra) [Orabug: 27547114]

- net: ipv4: Consider failed nexthops in multipath routes (David Ahern)

- ipv4: L3 hash-based multipath (Peter Nørlund) [Orabug: 27547114]

- dm: fix race between dm_get_from_kobject and __dm_destroy (Hou Tao) [Orabug: 27677556] (CVE-2017-18203)

- NFS: only invalidate dentrys that are clearly invalid. (NeilBrown)

- net: Improve handling of failures on link and route dumps (David Ahern) [Orabug: 27959177]

- mm/mempolicy: fix use after free when calling get_mempolicy (zhong jiang) [Orabug: 27963519] (CVE-2018-10675)

- drm: udl: Properly check framebuffer mmap offsets (Greg Kroah-Hartman) [Orabug: 27963530] (CVE-2018-8781)

- xfs: set format back to extents if xfs_bmap_extents_to_btree (Eric Sandeen) [Orabug: 27963576] (CVE-2018-10323)

- Revert 'mlx4: change the ICM table allocations to lowest needed size' (Håkon Bugge) [Orabug: 27980030]

- Bluetooth: Prevent stack info leak from the EFS element. (Ben Seri) [Orabug: 28030514] (CVE-2017-1000410)
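Most of the CVE-2018-3639 entries above add the per-task Speculative Store Bypass (SSB) controls: the PR_GET_SPECULATION_CTRL / PR_SET_SPECULATION_CTRL prctls, the PR_SPEC_FORCE_DISABLE lock, the Speculation_Store_Bypass field in /proc/<pid>/status, and the seccomp default that applies SSBD to every filtered process unless the filter opts out. The program below is an added example, not code from this advisory or from the UEK kernel; it exercises those controls from user space. The prctl constants and the status wording match upstream Linux; the /proc/self/status excerpt it parses is constructed for illustration, and the fallback #defines are only for toolchains whose headers predate these interfaces.

```c
/* Added example: drive the SSB prctl interface and decode its state.
 * Not part of the advisory or the UEK kernel sources. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Fallbacks for headers older than the patched kernel; values match linux/prctl.h. */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#define PR_SPEC_STORE_BYPASS    0
#define PR_SPEC_NOT_AFFECTED    0
#define PR_SPEC_PRCTL           (1UL << 0)
#define PR_SPEC_ENABLE          (1UL << 1)
#define PR_SPEC_DISABLE         (1UL << 2)
#define PR_SPEC_FORCE_DISABLE   (1UL << 3)
#endif

#define SSB_STATUS_KEY "Speculation_Store_Bypass:"

/* Map a PR_GET_SPECULATION_CTRL result to the wording the kernel prints in
 * /proc/<pid>/status. A negative value (-errno) means the kernel has no SSB
 * control at all, which is what an unpatched kernel reports. */
const char *ssb_decode(long v)
{
    if (v < 0)
        return "unknown";
    switch (v) {
    case PR_SPEC_NOT_AFFECTED:                  return "not vulnerable";
    case PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE: return "thread force mitigated";
    case PR_SPEC_PRCTL | PR_SPEC_DISABLE:       return "thread mitigated";
    case PR_SPEC_PRCTL | PR_SPEC_ENABLE:        return "thread vulnerable";
    case PR_SPEC_DISABLE:                       return "globally mitigated";
    default:                                    return "vulnerable";
    }
}

/* Pull the SSB field out of /proc/<pid>/status text. Returns 1 and copies the
 * value into out, or 0 when the field is absent (kernel without the patches). */
int ssb_from_proc_status(const char *status, char *out, size_t outlen)
{
    const char *p = strstr(status, SSB_STATUS_KEY);
    if (!p)
        return 0;
    p += strlen(SSB_STATUS_KEY);
    while (*p == '\t' || *p == ' ')
        p++;
    size_t n = strcspn(p, "\n");
    if (n >= outlen)
        n = outlen - 1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Disable speculative store bypass for this task and lock the setting so the
 * task (and its fork/exec children) cannot re-enable it. Returns 0 on success,
 * -errno otherwise: -EINVAL on a kernel without these patches, -ENXIO when the
 * boot mode (spec_store_bypass_disable=on/off) leaves nothing for prctl to do. */
int ssb_force_disable(void)
{
    if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS,
              PR_SPEC_FORCE_DISABLE, 0, 0) == -1)
        return -errno;
    return 0;
}

/* Per-task SSB state as the kernel reports it, or -errno on failure. */
long ssb_query(void)
{
    long r = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
    return r == -1 ? -errno : r;
}

/* Constructed excerpt of /proc/self/status as a patched kernel would print it. */
static const char sample_status[] =
    "Name:\tsshd\n"
    "Seccomp:\t2\n"
    "Speculation_Store_Bypass:\tthread force mitigated\n"
    "Cpus_allowed:\tff\n";

int main(void)
{
    char buf[64];
    printf("before: %s\n", ssb_decode(ssb_query()));
    int rc = ssb_force_disable();
    if (rc)
        printf("prctl failed: %s\n", strerror(-rc));
    printf("after:  %s\n", ssb_decode(ssb_query()));
    if (ssb_from_proc_status(sample_status, buf, sizeof buf))
        printf("sample status field: %s\n", buf);
    return 0;
}
```

On a host running the patched kernel-uek the second line prints "thread force mitigated" and the same text appears in /proc/self/status; on an unpatched kernel the prctl fails with EINVAL and the status field is missing, which is a quick way to confirm the reboot actually landed on the new kernel. The system-wide state is under /sys/devices/system/cpu/vulnerabilities/spec_store_bypass (added by the "Expose /sys/../spec_store_bypass" patch); any process already under a seccomp filter gets SSBD automatically under the new 'seccomp' default unless the filter was installed with the opt-out flag.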

Solution

Update the affected kernel-uek / kernel-uek-firmware packages.

See Also

https://oss.oracle.com/pipermail/oraclevm-errata/2018-May/000858.html

Plugin Details

Severity: High

ID: 110072

File Name: oraclevm_OVMSA-2018-0223.nasl

Version: 1.5

Type: local

Published: 5/24/2018

Updated: 1/23/2020

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:kernel-uek, p-cpe:/a:oracle:vm:kernel-uek-firmware, cpe:/o:oracle:vm_server:3.4

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/23/2018

Vulnerability Publication Date: 12/7/2017

Exploitable With

Metasploit (Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation)

Reference Information

CVE: CVE-2017-1000410, CVE-2017-18203, CVE-2018-10323, CVE-2018-10675, CVE-2018-3639, CVE-2018-5333, CVE-2018-5750, CVE-2018-6927, CVE-2018-8781