OracleVM 3.1 : xen (OVMSA-2013-0037)

This script is Copyright (C) 2014-2017 Tenable Network Security, Inc.


Synopsis :

The remote OracleVM host is missing one or more security updates.

Description :

The remote OracleVM system is missing necessary patches to address
critical security updates :

- VT-d: don't permit SVT_NO_VERIFY entries for known
device types. Only in cases where we don't know what to
do we should leave the IRTE blank (suppressing all
validation), but we should always log a warning in those
cases (as being insecure). This is CVE-2013-1952 /
XSA-49.

- x86: make page table handling error paths preemptible
... as they may take significant amounts of time. This
requires cloning the tweaked continuation logic from
do_mmuext_op to do_mmu_update. Note that in
mod_l[34]_entry a negative 'preemptible' value gets
passed to put_page_from_l[34]e now, telling the callee
to store the respective page in
current->arch.old_guest_table (for a hypercall
continuation to pick up), rather than carrying out the
put right away. This is going to be made a little more
explicit by a subsequent cleanup patch. This is part of
CVE-2013-1918 / XSA-45. (CVE-2013-1918)

- x86: make page table unpinning preemptible ... as it may
take significant amounts of time. Since we can't
re-invoke the operation in a second attempt, the
continuation logic must be slightly tweaked so that we
make sure do_mmuext_op gets run one more time even when
the preempted unpin operation was the last one in a
batch. This is part of CVE-2013-1918 / XSA-45.
(CVE-2013-1918)

- x86: make arch_set_info_guest preemptible ... as the root
page table validation (and the dropping of an eventual
old one) can require meaningful amounts of time. This is
part of CVE-2013-1918 / XSA-45. (CVE-2013-1918)

- x86: make vcpu_reset preemptible ... as dropping the old
page tables may take significant amounts of time. This
is part of CVE-2013-1918 / XSA-45. (CVE-2013-1918)

- x86: make MMUEXT_NEW_USER_BASEPTR preemptible ... as it
may take significant amounts of time. This is part of
CVE-2013-1918 / XSA-45. (CVE-2013-1918)

- x86: make new_guest_cr3 preemptible ... as it may take
significant amounts of time. This is part of
CVE-2013-1918 / XSA-45. (CVE-2013-1918)

- x86: make vcpu_destroy_pagetables preemptible ... as it
may take significant amounts of time. The function,
being moved to mm.c as the better home for it anyway,
and to avoid having to make a new helper function there
non-static, is given a 'preemptible' parameter
temporarily (until, in a subsequent patch, its other
caller is also being made capable of dealing with
preemption). This is part of CVE-2013-1918 / XSA-45.
(CVE-2013-1918)

- Fix rcu domain locking for transitive grants. When
acquiring a transitive grant for copy then the owning
domain needs to be locked down as well as the granting
domain. This was being done, but the unlocking was not.
The acquire code now stores the struct domain * of the
owning domain (rather than the domid) in the active
entry in the granting domain. The release code then does
the unlock on the owning domain. Note that I believe I
also fixed a bug where, for non-transitive grants the
active entry contained a reference to the acquiring
domain rather than the granting domain. From my reading
of the code this would stop the release code for
transitive grants from terminating its recursion
correctly.

Also, for non-transitive grants we now avoid incorrectly
recursing in __release_grant_for_copy. This is
CVE-2013-1964 / XSA-50. (CVE-2013-1964)

See also :

https://oss.oracle.com/pipermail/oraclevm-errata/2013-May/000150.html

Solution :

Update the affected xen / xen-devel / xen-tools packages.

Risk factor :

Medium / CVSS Base Score : 6.9
(CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.0
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Family: OracleVM Local Security Checks

Nessus Plugin ID: 79506

Bugtraq ID: 59293
59615
59617

CVE ID: CVE-2013-1918
CVE-2013-1952
CVE-2013-1964
