OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0007) (Spectre)

Medium Nessus Plugin ID 105761

Synopsis

The remote OracleVM host is missing one or more security updates.

Description

The remote OracleVM system is missing necessary patches to address critical security updates:

- x86/ibrs: Remove 'ibrs_dump' and remove the pr_debug (Konrad Rzeszutek Wilk) [Orabug: 27350825]

- kABI: Revert kABI: Make the boot_cpu_data look normal (Konrad Rzeszutek Wilk) (CVE-2017-5715)

- userns: prevent speculative execution (Elena Reshetova) [Orabug: 27340459] (CVE-2017-5753)

- udf: prevent speculative execution (Elena Reshetova) [Orabug: 27340459] (CVE-2017-5753)

- net: mpls: prevent speculative execution (Elena Reshetova) [Orabug: 27340459] (CVE-2017-5753)

- fs: prevent speculative execution (Elena Reshetova) [Orabug: 27340459] (CVE-2017-5753)

- ipv6: prevent speculative execution (Elena Reshetova) [Orabug: 27340459] (CVE-2017-5753)

- ipv4: prevent speculative execution (Elena Reshetova) [Orabug: 27340459] (CVE-2017-5753)

- Thermal/int340x: prevent speculative execution (Elena Reshetova) [Orabug: 27340459] (CVE-2017-5753)

- cw1200: prevent speculative execution (Elena Reshetova) [Orabug: 27340459] (CVE-2017-5753)

- qla2xxx: prevent speculative execution (Elena Reshetova) [Orabug: 27340459] (CVE-2017-5753)

- p54: prevent speculative execution (Elena Reshetova) [Orabug: 27340459] (CVE-2017-5753)

- carl9170: prevent speculative execution (Elena Reshetova) [Orabug: 27340459] (CVE-2017-5753)

- uvcvideo: prevent speculative execution (Elena Reshetova) [Orabug: 27340459] (CVE-2017-5753)

- bpf: prevent speculative execution in eBPF interpreter (Elena Reshetova) [Orabug: 27340459] (CVE-2017-5753)

- locking/barriers: introduce new observable speculation barrier (Elena Reshetova) [Orabug: 27340459] (CVE-2017-5753)

- x86/cpu/AMD: Remove now unused definition of MFENCE_RDTSC feature (Elena Reshetova) [Orabug: 27340459] (CVE-2017-5753)

- x86/cpu/AMD: Make the LFENCE instruction serialized (Elena Reshetova) [Orabug: 27340459] (CVE-2017-5753)

- kABI: Make the boot_cpu_data look normal. (Konrad Rzeszutek Wilk) [Orabug: 27339995] (CVE-2017-5715)

- kernel.spec: Require the new microcode_ctl. (Konrad Rzeszutek Wilk) [Orabug: 27339995] (CVE-2017-5715)

- x86/microcode/AMD: Add support for fam17h microcode loading (Tom Lendacky) [Orabug: 27339995] (CVE-2017-5715)

- x86/spec_ctrl: Disable if running as Xen PV guest. (Konrad Rzeszutek Wilk) [Orabug: 27339995] (CVE-2017-5715)

- Set IBPB when running a different VCPU (Dave Hansen) [Orabug: 27339995] (CVE-2017-5715)

- Clear the host registers after setbe (Jun Nakajima) [Orabug: 27339995] (CVE-2017-5715)

- Use the ibpb_inuse variable. (Jun Nakajima) [Orabug: 27339995] (CVE-2017-5715)

- KVM: x86: add SPEC_CTRL to MSR and CPUID lists (Andrea Arcangeli) [Orabug: 27339995] (CVE-2017-5715)

- kvm: vmx: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD (Paolo Bonzini) [Orabug: 27339995] (CVE-2017-5715)

- Use the 'ibrs_inuse' variable. (Jun Nakajima) [Orabug: 27339995] (CVE-2017-5715)

- kvm: svm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD (Andrea Arcangeli) [Orabug: 27339995] (CVE-2017-5715)

- x86/svm: Set IBPB when running a different VCPU (Paolo Bonzini) [Orabug: 27339995] (CVE-2017-5715)

- x86/kvm: Pad RSB on VM transition (Tim Chen) [Orabug: 27339995] (CVE-2017-5715)

- x86/cpu/AMD: Add speculative control support for AMD (Tom Lendacky) [Orabug: 27339995] (CVE-2017-5715)

- x86/microcode: Recheck IBRS and IBPB feature on microcode reload (Tim Chen) [Orabug: 27339995] (CVE-2017-5715)

- x86: Move IBRS/IBPB feature detection to scattered.c (Tim Chen) [Orabug: 27339995] (CVE-2017-5715)

- x86/spec_ctrl: Add lock to serialize changes to ibrs and ibpb control (Tim Chen) [Orabug: 27339995] (CVE-2017-5715)

- x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature (Konrad Rzeszutek Wilk) [Orabug: 27339995] (CVE-2017-5715)

- x86/kvm: clear registers on VM exit (Tom Lendacky) [Orabug: 27339995] (CVE-2017-5715)

- x86/kvm: Set IBPB when switching VM (Tim Chen) [Orabug: 27339995] (CVE-2017-5715)

- *INCOMPLETE* x86/syscall: Clear unused extra registers on syscall entrance (Konrad Rzeszutek Wilk) [Orabug: 27339995] (CVE-2017-5715)

- x86/entry: Stuff RSB for entry to kernel for non-SMEP platform (Konrad Rzeszutek Wilk) [Orabug: 27339995] (CVE-2017-5715)

- x86/mm: Only set IBPB when the new thread cannot ptrace current thread (Konrad Rzeszutek Wilk) [Orabug: 27339995] (CVE-2017-5715)

- x86/mm: Set IBPB upon context switch (Tim Chen) [Orabug: 27339995] (CVE-2017-5715)

- x86/idle: Disable IBRS when offlining cpu and re-enable on wakeup (Tim Chen) [Orabug: 27339995] (CVE-2017-5715)

- x86/idle: Disable IBRS entering idle and enable it on wakeup (Tim Chen) [Orabug: 27339995] (CVE-2017-5715)

- x86/spec_ctrl: save IBRS MSR value in paranoid_entry (Andrea Arcangeli) [Orabug: 27339995] (CVE-2017-5715)

- *Scaffolding* x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature (Tim Chen) [Orabug: 27339995] (CVE-2017-5715)

- x86/enter: Use IBRS on syscall and interrupts (Tim Chen) [Orabug: 27339995] (CVE-2017-5715)

- x86: Add macro that does not save rax, rcx, rdx on stack to disable IBRS (Tim Chen) [Orabug: 27339995] (CVE-2017-5715)

- x86/enter: MACROS to set/clear IBRS and set IBP (Tim Chen) [Orabug: 27339995] (CVE-2017-5715)

- x86/feature: Report presence of IBPB and IBRS control (Tim Chen) [Orabug: 27339995] (CVE-2017-5715)

- x86: Add STIBP feature enumeration (Konrad Rzeszutek Wilk) [Orabug: 27339995] (CVE-2017-5715)

- x86/cpufeature: Add X86_FEATURE_IA32_ARCH_CAPS and X86_FEATURE_IBRS_ATT (Konrad Rzeszutek Wilk) [Orabug: 27339995] (CVE-2017-5715)

- x86/feature: Enable the x86 feature to control (Tim Chen) [Orabug: 27339995] (CVE-2017-5715)

Solution

Update the affected kernel-uek / kernel-uek-firmware packages.

See Also

http://www.nessus.org/u?e046af99

Plugin Details

Severity: Medium

ID: 105761

File Name: oraclevm_OVMSA-2018-0007.nasl

Version: 3.8

Type: local

Published: 2018/01/12

Modified: 2018/07/24

Dependencies: 12634

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 4.7

Temporal Score: 4.1

Vector: CVSS2#AV:L/AC:M/Au:N/C:C/I:N/A:N

Temporal Vector: CVSS2#E:H/RL:OF/RC:C

CVSSv3

Base Score: 5.6

Temporal Score: 5.4

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:kernel-uek, p-cpe:/a:oracle:vm:kernel-uek-firmware, cpe:/o:oracle:vm_server:3.4

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2018/01/11

Exploitable With

CANVAS (CANVAS)

Reference Information

CVE: CVE-2017-5715, CVE-2017-5753

IAVA: 2018-A-0020, 2018-A-0062