FreeBSD : xen-kernel -- GNTTABOP_swap_grant_ref operation misbehavior (80e846ff-27eb-11e5-a4a5-002590263bf5)

This script is Copyright (C) 2015 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

The Xen Project reports :

With the introduction of version 2 grant table operations, a version
check became necessary for most grant table related hypercalls. The
GNTTABOP_swap_grant_ref call was lacking such a check. As a result,
the subsequent code behaved as if version 2 was in use, when a guest
issued this hypercall without a prior GNTTABOP_setup_table or
GNTTABOP_set_version.

The effect is a possible NULL pointer dereference. However, this
cannot be exploited to elevate privileges of the attacking domain, as
the maximum memory address that can be wrongly accessed this way is
bounded to far below the start of hypervisor memory.

Malicious or buggy guest domain kernels can mount a denial of service
attack which, if successful, can affect the whole system.

See also :

http://xenbits.xen.org/xsa/advisory-134.html
http://www.nessus.org/u?975fb8c6

Solution :

Update the affected package.

Risk factor :

Medium / CVSS Base Score : 4.9
(CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C)

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 84706

Bugtraq ID:

CVE ID: CVE-2015-4163
