FreeBSD : xen-kernel and xen-tools -- Long latency MMIO mapping operations are not preemptible (d40c66cb-27e4-11e5-a4a5-002590263bf5)

This script is Copyright (C) 2015 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing one or more security-related
updates.

Description :

The Xen Project reports :

The XEN_DOMCTL_memory_mapping hypercall allows long running operations
without implementing preemption.

This hypercall is used by the device model as part of the emulation
associated with configuration of PCI devices passed through to HVM
guests and is therefore indirectly exposed to those guests.

This can cause a physical CPU to become busy for a significant period,
leading to a host denial of service in some cases.

If a host denial of service is not triggered then it may instead be
possible to deny service to the domain running the device model, e.g.
domain 0.

This hypercall is also exposed more generally to all toolstacks.
However the uses of it in libxl based toolstacks are not believed to
open up any avenue of attack from an untrusted guest. Other toolstacks
may be vulnerable however.

The vulnerability is exposed via HVM guests which have a PCI device
assigned to them. A malicious HVM guest in such a configuration can
mount a denial of service attack affecting the whole system via its
associated device model (qemu-dm).

A guest is able to trigger this hypercall via operations which it is
legitimately expected to perform, therefore running the device model
as a stub domain does not offer protection against the host denial of
service issue. However it does offer some protection against secondary
issues such as denial of service against dom0.

See also :

http://xenbits.xen.org/xsa/advisory-125.html
http://www.nessus.org/u?db92878d

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 4.9
(CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C)

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 84715

Bugtraq ID:

CVE ID: CVE-2015-2752
