OracleVM 3.0 : xen (OVMSA-2012-0050)

This script is Copyright (C) 2014-2017 Tenable Network Security, Inc.


Synopsis :

The remote OracleVM host is missing one or more security updates.

Description :

The remote OracleVM system is missing necessary patches to address
critical security updates :

- compat/gnttab: Prevent infinite loop in compat code c/s
20281:95ea2052b41b, which introduces Grant Table version
2 hypercalls introduces a vulnerability whereby the
compat hypercall handler can fall into an infinite loop.
If the watchdog is enabled, Xen will die after the
timeout. This is a security problem, XSA-24 /
CVE-2012-4539. (CVE-2012-4539)

- xen/mm/shadow: check toplevel pagetables are present
before unhooking them. If the guest has not fully
populated its top-level PAE entries when it calls
HVMOP_pagetable_dying, the shadow code could try to
unhook entries from MFN 0. Add a check to avoid that
case. This issue was introduced by c/s
21239:b9d2db109cf5. This is a security problem, XSA-23 /
CVE-2012-4538. (CVE-2012-4538)

- x86/physmap: Prevent incorrect updates of m2p mappings
In certain conditions, such as low memory, set_p2m_entry
can fail. Currently, the p2m and m2p tables will get out
of sync because we still update the m2p table after the
p2m update has failed. If that happens, subsequent
guest-invoked memory operations can cause BUGs and
ASSERTs to kill Xen. This is fixed by only updating the
m2p table iff the p2m was successfully updated. This is
a security problem, XSA-22 / CVE-2012-4537.
(CVE-2012-4537)

- VCPU/timers: Prevent overflow in calculations, leading
to DoS vulnerability The timer action for a vcpu
periodic timer is to calculate the next expiry time, and
to reinsert itself into the timer queue. If the deadline
ends up in the past, Xen never leaves __do_softirq. The
affected PCPU will stay in an infinite loop until Xen is
killed by the watchdog (if enabled). This is a security
problem, XSA-20 / CVE-2012-4535. (CVE-2012-4535)

- always release vm running lock on VM shutdown Before
this patch, when xend restarted, the VM running lock
will not be released on shutdown, so the VM could never
start again. Talked with Junjie, we recommend always
releasing the lock on VM shutdown. So even when xend
restarted, there should be no stale lock leaving there.

- Xen Security Advisory CVE-2012-4411 / XSA-19 version 2
guest administrator can access qemu monitor console
Disable qemu monitor by default. The qemu monitor is an
overly powerful feature which must be protected from
untrusted (guest) administrators. (CVE-2012-4411)

See also :

http://www.nessus.org/u?d3ec3608

Solution :

Update the affected xen / xen-devel / xen-tools packages.

Risk factor :

Medium / CVSS Base Score : 4.9
(CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C)
CVSS Temporal Score : 4.3
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Family: OracleVM Local Security Checks

Nessus Plugin ID: 79488 ()

Bugtraq ID: 55442
56498

CVE ID: CVE-2012-4411
CVE-2012-4535
CVE-2012-4537
CVE-2012-4538
CVE-2012-4539

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now