OracleVM 3.2 : xen (OVMSA-2013-0042)

This script is Copyright (C) 2014-2017 Tenable Network Security, Inc.

Synopsis :

The remote OracleVM host is missing one or more security updates.

Description :

The remote OracleVM system is missing patches that address
critical security issues :

- Other than the HVM emulation path, the PV case so far
failed to check that YMM state requires SSE state to be
enabled, allowing for a #GP to occur upon passing the
inputs to XSETBV inside the hypervisor. This is
CVE-2013-2078 / XSA-54. (CVE-2013-2078)

- x86/xsave: recover from faults on XRSTOR
Just like FXRSTOR, XRSTOR can raise #GP if bad content is being
passed to it in the memory block (i.e. aspects not under
the control of the hypervisor, other than e.g. proper
alignment of the block). Also correct the comment
explaining why FXRSTOR needs exception recovery code to
not wrongly state that this can only be a result of the
control tools passing a bad image. This is CVE-2013-2077
/ XSA-53. (CVE-2013-2077)

- x86/xsave: fix information leak on AMD CPUs
Just like for FXSAVE/FXRSTOR, XSAVE/XRSTOR also don't save/restore
the last instruction and operand pointers as well as the
last opcode if there's no pending unmasked exception
(see CVE-2006-1056 and commit 9747:4d667a139318). While
the FXSR solution sits in the save path, I prefer to
have this in the restore path because there the handling
is simpler (namely in the context of the pending changes
to properly save the selector values for 32-bit guest
code). Also this is using FFREE instead of EMMS, as it
doesn't seem unlikely that in the future we may see CPUs
with x87 and SSE/AVX but no MMX support. The goal here
anyway is just to avoid an FPU stack overflow. I would
have preferred to use FFREEP instead of FFREE (freeing
two stack slots at once), but AMD doesn't document that
instruction. This is CVE-2013-2076 / XSA-52.

Solution :

Update the affected xen / xen-devel / xen-tools packages.

Risk factor :

Medium / CVSS Base Score : 5.2
CVSS Temporal Score : 4.5
Public Exploit Available : false

Family: OracleVM Local Security Checks

Nessus Plugin ID: 79510

Bugtraq ID: 17600

CVE ID: CVE-2006-1056
