Xen Multiple Vulnerabilities (XSA-191 - XSA-198)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

The remote Xen hypervisor installation is missing a security update.

Description :

According to its self-reported version number, the Xen hypervisor
installed on the remote host is missing a security update. It is,
therefore, affected by multiple vulnerabilities :

- A flaw exists in the inject_swint() function in
x86_emulate.c due to improper handling of the format of
IDT lookups when emulating instructions which generate
software interrupts. A guest attacker can exploit this
to crash the host, resulting in a denial of service
condition. (CVE-2016-9377)

- A flaw exists in the svm_inject_trap() function in svm.c
due to a failure to properly perform IDT privilege
checks when emulating instructions which generate
software interrupts. A guest attacker can exploit this
to crash the host, resulting in a denial of service
condition. (CVE-2016-9378)

- A flaw exists in the sniff_netware() function in file
tools/pygrub/src/pygrub due to improper handling of
string quotes and S-expressions in the bootloader when
the S-expression output format is requested. A guest
attacker can exploit this to make pygrub produce
incorrect output from the bootloader configuration
file, resulting in the disclosure or deletion of files
from the host. (CVE-2016-9379)

- A flaw exists in the sniff_netware() function in file
tools/pygrub/src/pygrub due to improper handling of NULL
bytes in the bootloader when the null-delimited output
format is requested. A guest attacker can exploit this
to make pygrub produce ambiguous output from the
bootloader configuration file, resulting in the
disclosure or deletion of files from the host.
(CVE-2016-9380)

- A double-fetch flaw exists that is triggered when the
compiler omits QEMU optimizations. A guest attacker can
exploit this to gain elevated privileges on the host.
(CVE-2016-9381)

- A flaw exists in the hvm_task_switch() function in hvm.c
due to improper handling of x86 task switching to VM86
mode. A guest attacker can exploit this to cause a
denial of service condition or gain elevated privileges
within the guest environment. (CVE-2016-9382)

- A flaw exists in the x86_emulate() function in
x86_emulate.c that allows a guest attacker to cause
changes to memory and thereby gain elevated privileges
on the host. (CVE-2016-9383)

- A flaw exists due to improper clearing of unused bytes
in image metadata during symbol table loading. A guest
attacker can exploit this to disclose potentially
sensitive information from the host. (CVE-2016-9384)

- A flaw exists in the x86 segment base write emulation
due to a lack of canonical address checks. A guest
attacker can exploit this issue to crash the host,
resulting in a denial of service condition.
(CVE-2016-9385)

- A flaw exists in the x86 emulator due to improper
validation of the usability of segments when performing
memory accesses. A guest attacker can exploit this to
gain elevated privileges within the guest environment.
(CVE-2016-9386)

Note that Nessus has checked the changeset versions based on the
xen.git change log. Nessus did not check guest hardware configurations
or if patches were applied manually to the source code before a
recompile and reinstall.

See also :

https://xenbits.xen.org/xsa/advisory-191.html
https://xenbits.xen.org/xsa/advisory-192.html
https://xenbits.xen.org/xsa/advisory-193.html
https://xenbits.xen.org/xsa/advisory-194.html
https://xenbits.xen.org/xsa/advisory-195.html
https://xenbits.xen.org/xsa/advisory-196.html
https://xenbits.xen.org/xsa/advisory-197.html
https://xenbits.xen.org/xsa/advisory-198.html
https://xenbits.xen.org/gitweb/?p=xen.git;a=summary

Solution :

Apply the appropriate patch according to the vendor advisories.

Risk factor :

High / CVSS Base Score : 7.7
(CVSS2#AV:A/AC:L/Au:S/C:C/I:C/A:C)
CVSS Temporal Score : 5.7
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false
