OracleVM 3.2 : xen (OVMSA-2015-0063)

This script is Copyright (C) 2015-2017 Tenable Network Security, Inc.


Synopsis :

The remote OracleVM host is missing one or more security updates.

Description :

The remote OracleVM system is missing necessary patches to address
critical security updates :

- xen/pt: unknown PCI config space fields should be
read-only ... by default. Add a per-device 'permissive'
mode similar to pciback's to allow restoring previous
behavior (and hence break security again, i.e. should be
used only for trusted guests). This is part of XSA-131.
(CVE-2015-4106)

- xen/pt: add a few PCI config space field descriptions
Since the next patch will turn all not explicitly
described fields read-only by default, those fields that
have guest writable bits need to be given explicit
descriptors. This is a preparatory patch for XSA-131.
(CVE-2015-4106)

- xen/pt: mark reserved bits in PCI config space fields
The adjustments are solely to make the subsequent
patches work right (and hence make the patch set
consistent), namely if permissive mode (introduced by
the last patch) gets used (as both reserved registers
and reserved fields must be similarly protected from
guest access in default mode, but the guest should be
allowed access to them in permissive mode). This is a
preparatory patch for XSA-131. (CVE-2015-4106)

- xen/pt: mark all PCIe capability bits read-only
xen_pt_emu_reg_pcie[]'s PCI_EXP_DEVCAP needs to cover
all bits as read- only to avoid unintended write-back
(just a precaution, the field ought to be read-only in
hardware). This is a preparatory patch for XSA-131.
(CVE-2015-4106)

- xen/pt: split out calculation of throughable mask in PCI
config space handling This is just to avoid having to
adjust that calculation later in multiple places. Note
that including ->ro_mask in get_throughable_mask's
calculation is only an apparent (i.e. benign) behavioral
change: For r/o fields it doesn't matter > whether they
get passed through - either the same flag is also set in
emu_mask (then there's no change at all) or the field is
r/o in hardware (and hence a write won't change it
anyway). This is a preparatory patch for XSA-131.
(CVE-2015-4106)

- xen/pt: correctly handle PM status bit
xen_pt_pmcsr_reg_write needs an adjustment to deal with
the RW1C nature of the not passed through bit 15
(PCI_PM_CTRL_PME_STATUS). This is a preparatory patch
for XSA-131. (CVE-2015-4106)

- xen/pt: consolidate PM capability emu_mask There's no
point in xen_pt_pmcsr_reg_[read,write] each ORing
PCI_PM_CTRL_STATE_MASK and PCI_PM_CTRL_NO_SOFT_RESET
into a local emu_mask variable - we can have the same
effect by setting the field descriptor's emu_mask member
suitably right away. Note that xen_pt_pmcsr_reg_write is
being retained in order to allow later patches to be
less intrusive. This is a preparatory patch for XSA-131.
(CVE-2015-4106)

- xen/MSI: don't open-code pass-through of enable bit
modifications Without this the actual XSA-131 fix would
cause the enable bit to not get set anymore (due to the
write back getting suppressed there based on the OR of
emu_mask, ro_mask, and res_mask). Note that the fiddling
with the enable bit shouldn't really be done by qemu,
but making this work right (via libxc and the
hypervisor) will require more extensive changes, which
can be postponed until after the security issue got
addressed. This is a preparatory patch for XSA-131.
(CVE-2015-4106)

- xen/MSI-X: disable logging by default ... to avoid
allowing the guest to cause the control domain's disk to
fill. This is XSA-130. (CVE-2015-4105)

- xen: don't allow guest to control MSI mask register It's
being used by the hypervisor. For now simply mimic a
device not capable of masking, and fully emulate any
accesses a guest may issue nevertheless as simple
reads/writes without side effects. This is XSA-129.
(CVE-2015-4104)

- xen: properly gate host writes of modified PCI CFG
contents The old logic didn't work as intended when an
access spanned multiple fields (for example a 32-bit
access to the location of the MSI Message Data field
with the high 16 bits not being covered by any known
field). Remove it and derive which fields not to write
to from the accessed fields' emulation masks: When
they're all ones, there's no point in doing any host
write. This fixes a secondary issue at once: We
obviously shouldn't make any host write attempt when
already the host read failed. This is XSA-128.

Conflicts: tools/ioemu-remote/hw/pass-through.c
(CVE-2015-4103)

See also :

https://oss.oracle.com/pipermail/oraclevm-errata/2015-June/000313.html

Solution :

Update the affected xen / xen-devel / xen-tools packages.

Risk factor :

High / CVSS Base Score : 7.8
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVSS Temporal Score : 5.8
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: OracleVM Local Security Checks

Nessus Plugin ID: 83966 ()

Bugtraq ID: 74947
74948
74949
74950

CVE ID: CVE-2015-4103
CVE-2015-4104
CVE-2015-4105
CVE-2015-4106

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now