OracleVM 3.2 : xen (OVMSA-2013-0031)

This script is Copyright (C) 2014-2017 Tenable Network Security, Inc.


Synopsis :

The remote OracleVM host is missing one or more security updates.

Description :

The remote OracleVM system is missing necessary patches to address
critical security updates :

- defer event channel bucket pointer store until after XSM
checks Otherwise a dangling pointer can be left, which
would cause subsequent memory corruption as soon as the
space got re-allocated for some other purpose. This is
CVE-2013-1920 / XSA-47.

John Haxby

- x86: fix various issues with handling guest IRQs

- properly revoke IRQ access in map_domain_pirq error path

- don't permit replacing an in use IRQ

- don't accept inputs in the GSI range for
MAP_PIRQ_TYPE_MSI

- track IRQ access permission in host IRQ terms, not guest
IRQ ones (and with that, also disallow Dom0 access to
IRQ0) This is CVE-2013-1919 / XSA-46.

- x86: clear EFLAGS.NT in SYSENTER entry path ... as it
causes problems if we happen to exit back via IRET: In
the course of trying to handle the fault, the hypervisor
creates a stack frame by hand, and uses PUSHFQ to set
the respective EFLAGS field, but expects to be able to
IRET through that stack frame to the second portion of
the fixup code (which causes a #GP due to the stored
EFLAGS having NT set). And even if this worked (e.g if
we cleared NT in that path), it would then (through the
fail safe callback) cause a #GP in the guest with the
SYSENTER handler's first instruction as the source,
which in turn would allow guest user mode code to crash
the guest kernel. Inject a #GP on the fake (NULL)
address of the SYSENTER instruction instead, just like
in the case where the guest kernel didn't register a
corresponding entry point. On 32-bit we also need to
make sure we clear SYSENTER_CS for all CPUs (neither
#RESET nor #INIT guarantee this). This is CVE-2013-1917
/ XSA-44. (CVE-2013-1917)

See also :

http://www.nessus.org/u?83affd55

Solution :

Update the affected xen / xen-devel / xen-tools packages.

Risk factor :

Medium / CVSS Base Score : 4.7
(CVSS2#AV:L/AC:M/Au:N/C:N/I:N/A:C)
CVSS Temporal Score : 4.1
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Family: OracleVM Local Security Checks

Nessus Plugin ID: 79502 ()

Bugtraq ID: 58880
59291
59292

CVE ID: CVE-2013-1917
CVE-2013-1919
CVE-2013-1920

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now