OracleVM 3.2 : xen (OVMSA-2016-0008)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

The remote OracleVM host is missing one or more security updates.

Description :

The remote OracleVM system is missing necessary patches to address
critical security updates :

- VT-d: fix TLB flushing in dma_pte_clear_one
From: Jan Beulich
The TLB flush code was wrong since
xen-4.1.3-25.el5.127.20 (commit:
vtd-Refactor-iotlb-flush-code.patch); both ovm-3.2.9 and
ovm-3.2.10 were affected. The third parameter of
__intel_iommu_iotlb_flush is to indicate whether the
to-be-flushed entry was a present one. A few lines before,
we bailed if !dma_pte_present(*pte), so there's no need
to check the flag here again; we can simply always pass
TRUE here. This is CVE-2013-6375 / XSA-78.
Suggested-by: Cheng Yueqiang

(cherry picked from commit
85c72f9fe764ed96f5c149efcdd69ab7c18bfe3d)
(CVE-2013-6375)

- x86/VMX: prevent INVVPID failure due to non-canonical
guest address While INVLPG (and on SVM INVLPGA) don't
fault on non-canonical addresses, INVVPID fails (in the
'individual address' case) when passed such an address.
Since such intercepted INVLPG are effectively no-ops
anyway, don't fix this in vmx_invlpg_intercept, but
instead have paging_invlpg never return true in such a
case. This is XSA-168. (CVE-2016-1571)

- x86/mm: PV superpage handling lacks sanity checks
MMUEXT_[,UN]MARK_SUPER fail to check the input MFN for
validity before dereferencing pointers into the
superpage frame table. get_superpage has a similar
issue. This is XSA-167. (CVE-2016-1570)

- xend/image: Don't throw VMException when using backend
domains for disks. If we are using backend domains the
disk image may not be accessible within the host
(domain0). As such it is OK to continue on. The
'addStoreEntries' in DevController.py already does the
check to make sure that when the 'backend' configuration
is used - that said domain exists. As such the only
change we need to do is to exclude the disk image
location if the domain is not dom0.

- memory: fix XENMEM_exchange error handling
assign_pages can fail due to the domain getting killed in
parallel, which should not result in a hypervisor crash.
Also delete a redundant put_gfn; all relevant paths leading
to the 'fail' label already do this (and there are also
paths where it was plain wrong). All of the put_gfn-s
got introduced by 51032ca058 ('Modify naming of queries
into the p2m'), including the otherwise unneeded
initializer for k (with even a kind of misleading
comment; the compiler warning could actually have
served as a hint that the use is wrong). This is
XSA-159.

Based on xen.org's xsa159.patch
Conflicts: OVM 3.2 does not have the change (51032ca058)
that is backed out in xen/common/memory.c or the put_gfn
in xen/common/memory.c

(CVE-2015-8339, CVE-2015-8340)

See also :

http://www.nessus.org/u?8414f351

Solution :

Update the affected xen / xen-devel / xen-tools packages.
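A local check of this kind decides by comparing the installed xen packages' epoch/version/release with the advisory's fixed ones. The block below is an added example in Python, not the Nessus plugin's own code nor anything from Oracle: it implements rpm's segment-wise version comparison (numeric vs. alphabetic segments; the '~' and '^' extensions are not implemented) and runs it over constructed `rpm -q` output. The fixed versions in FIXED_VERSIONS are hypothetical placeholders; take the real ones from OVMSA-2016-0008 before using this against a host.

```python
"""Compare installed OracleVM xen packages against an advisory's fixed EVRs.

Added example, not Nessus or Oracle code. FIXED_VERSIONS is a HYPOTHETICAL
placeholder; the genuine fixed (version, release) pairs come from the
OVMSA-2016-0008 advisory.
"""
import re

# Packages named in the advisory's Solution, with HYPOTHETICAL fixed versions.
FIXED_VERSIONS = {
    "xen":       ("0", "4.1.3", "25.el5.999.1"),   # (epoch, version, release)
    "xen-devel": ("0", "4.1.3", "25.el5.999.1"),
    "xen-tools": ("0", "4.1.3", "25.el5.999.1"),
}

# Constructed sample of:
#   rpm -q --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\n' xen xen-devel xen-tools
# The installed version is the one the VT-d commit message names as affected.
SAMPLE_RPM_OUTPUT = """\
xen (none) 4.1.3 25.el5.127.20
package xen-devel is not installed
xen-tools (none) 4.1.3 25.el5.127.20
"""

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")   # separators ('.', '-', '_') are ignored


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 following rpm's rpmvercmp segment rules."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1     # a numeric segment beats an alpha one
        if x.isdigit():
            xi, yi = int(x), int(y)             # numeric compare, leading zeros irrelevant
            if xi != yi:
                return 1 if xi > yi else -1
        elif x != y:
            return 1 if x > y else -1           # alpha segments compare lexically
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1       # the string with segments left over wins


def evr_cmp(a, b) -> int:
    """Compare (epoch, version, release) tuples; epoch is compared as an integer."""
    ea, va, ra = a
    eb, vb, rb = b
    if int(ea) != int(eb):
        return 1 if int(ea) > int(eb) else -1
    c = rpmvercmp(va, vb)
    return c if c else rpmvercmp(ra, rb)


def parse_rpm_query(output: str) -> dict:
    """Parse 'NAME EPOCH VERSION RELEASE' lines; '(none)' epoch becomes 0.

    Lines such as 'package X is not installed' have a different field count
    and are skipped, so an absent package is never reported as vulnerable.
    """
    installed = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        name, epoch, version, release = parts
        installed[name] = ("0" if epoch == "(none)" else epoch, version, release)
    return installed


def vulnerable_packages(rpm_output: str, fixed=FIXED_VERSIONS) -> list:
    """Installed packages whose EVR is strictly below the fixed EVR, in advisory order."""
    installed = parse_rpm_query(rpm_output)
    return [name for name, fixed_evr in fixed.items()
            if name in installed and evr_cmp(installed[name], fixed_evr) < 0]


if __name__ == "__main__":
    for pkg in vulnerable_packages(SAMPLE_RPM_OUTPUT):
        print(f"{pkg}: installed {'-'.join(parse_rpm_query(SAMPLE_RPM_OUTPUT)[pkg][1:])} "
              f"is below hypothetical fixed {'-'.join(FIXED_VERSIONS[pkg][1:])}")
```

The comparison function matters more than it looks: a naive string comparison would rank release `25.el5.127.20` above `25.el5.99.1`, and would miss an epoch bump entirely, so a scanner built on it would report patched hosts as vulnerable or the reverse.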

Risk factor :

High / CVSS Base Score : 7.9
(CVSS2#AV:A/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 5.8
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: OracleVM Local Security Checks

Nessus Plugin ID: 88171

Bugtraq ID: 63830

CVE ID: CVE-2013-6375
CVE-2015-8339
CVE-2015-8340
CVE-2016-1570
CVE-2016-1571
