The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and other products; Oracle Solaris 11 and earlier; illumos before r13724; Joyent SmartOS before 20120614T184600Z; FreeBSD before 9.0-RELEASE-p3; NetBSD 6.0 Beta and earlier; Microsoft Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1; and possibly other operating systems, when running on an Intel processor, incorrectly uses the sysret path in cases where a certain address is not a canonical address, which allows local users to gain privileges via a crafted application. NOTE: because this issue is due to incorrect use of the Intel specification, it should have been split into separate identifiers; however, there was some value in preserving the original mapping of the multi-codebase coordinated-disclosure effort to a single identifier.

The remote Oracle Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2012-07211 advisory.

  - The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2     and earlier and other products; Oracle Solaris 11 and earlier; illumos before r13724; Joyent SmartOS     before 20120614T184600Z; FreeBSD before 9.0-RELEASE-p3; NetBSD 6.0 Beta and earlier; Microsoft Windows     Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1; and possibly other operating systems, when running     on an Intel processor, incorrectly uses the sysret path in cases where a certain address is not a     canonical address, which allows local users to gain privileges via a crafted application. NOTE: because     this issue is due to incorrect use of the Intel specification, it should have been split into separate     identifiers; however, there was some value in preserving the original mapping of the multi-codebase     coordinated-disclosure effort to a single identifier. (CVE-2012-0217)

  - Xen 4.0, and 4.1, when running a 64-bit PV guest on older AMD CPUs, does not properly protect against a     certain AMD processor bug, which allows local guest OS users to cause a denial of service (host hang) via     sequential execution of instructions across a non-canonical boundary, a different vulnerability than     CVE-2012-0217. (CVE-2012-2934)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

This plugin has been deprecated as it is a duplicate of oraclelinux_ELSA-2012-0721-1.nasl (plugin ID 68539).

The remote OracleVM system is missing necessary patches to address critical security updates :

  - CVE-2012-0217 CVE-2012-0218: guest DoS on     syscall/sysenter exception generation [orabug 13993157]

The remote OracleVM system is missing necessary patches to address critical security updates :

  - x86-64: detect processors subject to AMD erratum #121     and refuse to boot(CVE-2006-0744)

  - guest denial of service on syscall/sysenter exception     generation (CVE-2012-0217),(CVE-2012-0218)

  - Remove unnecessary balloon retries on vm create. This is     a backport from fix for bug 14143327.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - x86-64: detect processors subject to AMD erratum #121     and refuse to boot(CVE-2006-0744)

  - guest denial of service on syscall/sysenter exception     generation (CVE-2012-0217)

  - Remove unnecessary balloon retries on vm create. This is     a backport from fix for bug 14143327.

  - This backport from 3.1.1: Author: amisherf Put back the     patch that prevent older guest that uses kudzu from     hanging on a reboot. Fixed the patch to prevent     excessive watcher writes which causes xend, xenstored to     run at a 100% cpu usage. Now the watch is written only     if console in Initialising, InitWait, Initialised states     which happen once at boot time. [bug 13523487]

  - Backport from upstream changeset 20968 xend: notify     xenpv device model that console info is ready Sometimes     PV domain with vfb doesn't boot up. /sbin/kudzu is     stuck. After investigation, I've found that the evtchn     for console is not bound at all. Normal sequence of     evtchn initialization in qemu-dm for xenpv is: 1) watch     xenstore backpath     (/local/domain/0/backend/console/<domid>/0) 2) read     console info (/local/domain/<domid>/console/[type,     ring-ref, port..= ]) 3) bind the evtchn to the port. But     in some case, xend writes to the backpath before the     console info is prepared, and never write to the     backpath again. So the qemu-dm fails at 2) and never     reach to 3). When this happens, manually xenstore-write     command on Domain-0 resumes the guest.

  - Set max cstate to 1. This is a backport requirement for     bug 13703504. We have several bugs that cstate made     system unstable, both for ovm2 and ovm3: For OVM3.x: Bug     13703504 - unexplained network disconnect causes ocfs to     fence the server For OVM2.x

This Solaris system is missing necessary patches to address critical security updates :

  - Vulnerability in the Solaris component of Oracle Sun     Products Suite (subcomponent: Kernel). Supported     versions that are affected are 10 and 11. Easily     exploitable vulnerability requiring logon to Operating     System. Successful attack of this vulnerability can     result in unauthorized Operating System takeover     including arbitrary code execution. Note: CVE-2012-0217     only affects Solaris instances running on platforms     other than SPARC. (CVE-2012-0217)

  - Vulnerability in the Solaris component of Oracle Sun     Products Suite (subcomponent: Power Management). The     supported version that is affected is 11. Easily     exploitable vulnerability requiring logon to Operating     System. Successful attack of this vulnerability can     result in unauthorized Operating System takeover     including arbitrary code execution. (CVE-2012-3204)

  - Vulnerability in the Solaris component of Oracle Sun     Products Suite (subcomponent: Logical Domain(LDOM)).
    Supported versions that are affected are 10 and 11.
    Easily exploitable vulnerability requiring logon to     Operating System. Successful attack of this     vulnerability can result in unauthorized Operating     System hang or frequently repeatable crash (complete     DOS) as well as update, insert or delete access to some     Solaris accessible data. Note: CVE-2012-3209 and     CVE-2012-3215 only affects Solaris on the SPARC     platform. (CVE-2012-3209)

  - Vulnerability in the Solaris component of Oracle Sun     Products Suite (subcomponent: Vino server). The     supported version that is affected is 11. Easily     exploitable vulnerability requiring logon to Operating     System. Successful attack of this vulnerability can     result in unauthorized update, insert or delete access     to some Solaris accessible data. (CVE-2012-3205)

This update of XEN fixed multiple security flaws that could be exploited by local attackers to cause a Denial of Service or potentially escalate privileges. Additionally, several other upstream changes were backported.

The remote host is affected by the vulnerability described in GLSA-201309-24 (Xen: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Xen. Please review the       CVE identifiers referenced below for details.
  Impact :

    Guest domains could possibly gain privileges, execute arbitrary code, or       cause a Denial of Service on the host domain (Dom0). Additionally, guest       domains could gain information about other virtual machines running on       the same host or read arbitrary files on the host.
  Workaround :

    The CVEs listed below do not currently have fixes, but only apply to Xen       setups which have &ldquo;tmem&rdquo; specified on the hypervisor command line.
      TMEM is not currently supported for use in production systems, and       administrators using tmem should disable it.
      Relevant CVEs:
      * CVE-2012-2497
      * CVE-2012-6030
      * CVE-2012-6031
      * CVE-2012-6032
      * CVE-2012-6033
      * CVE-2012-6034
      * CVE-2012-6035
      * CVE-2012-6036

The remote Oracle Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2012-0721 advisory.

    - [xen] x86_64: check address on trap handlers or guest callbacks (Paolo Bonzini) [813430 813431]     {CVE-2012-0217}
    - [xen] x86_64: Do not execute sysret with a non-canonical return address (Paolo Bonzini) [813430 813431]     {CVE-2012-0217}

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

From Red Hat Security Advisory 2012:0721 :

Updated kernel packages that fix two security issues are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* It was found that the Xen hypervisor implementation as shipped with Red Hat Enterprise Linux 5 did not properly restrict the syscall return addresses in the sysret return path to canonical addresses. An unprivileged user in a 64-bit para-virtualized guest, that is running on a 64-bit host that has an Intel CPU, could use this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute arbitrary code at the hypervisor level. (CVE-2012-0217, Important)

* It was found that guests could trigger a bug in earlier AMD CPUs, leading to a CPU hard lockup, when running on the Xen hypervisor implementation. An unprivileged user in a 64-bit para-virtualized guest could use this flaw to crash the host. Warning: After installing this update, hosts that are using an affected AMD CPU (refer to Red Hat Bugzilla bug #824966 for a list) will fail to boot. In order to boot such hosts, the new kernel parameter, allow_unsafe, can be used ('allow_unsafe=on'). This option should only be used with hosts that are running trusted guests, as setting it to 'on' reintroduces the flaw (allowing guests to crash the host). (CVE-2012-2934, Moderate)

Note: For Red Hat Enterprise Linux guests, only privileged guest users can exploit the CVE-2012-0217 and CVE-2012-2934 issues.

Red Hat would like to thank the Xen project for reporting these issues. Upstream acknowledges Rafal Wojtczuk as the original reporter of CVE-2012-0217.

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

Three security issues were found in XEN.

Two security issues are fixed by this update :

  - Due to incorrect fault handling in the XEN hypervisor it     was possible for a XEN guest domain administrator to     execute code in the XEN host environment.
    (CVE-2012-0217)

  - Also a guest user could crash the guest XEN kernel due     to a protection fault bounce. The third fix is changing     the Xen behaviour on certain hardware:. (CVE-2012-0218)

  - The issue is a denial of service issue on older pre-SVM     AMD CPUs (AMD Erratum 121). AMD Erratum #121 is     described in 'Revision Guide for AMD Athlon 64 and AMD     Opteron Processors':
    http://support.amd.com/us/Processor_TechDocs/25759.pdf.
    (CVE-2012-2934)

    The following 130nm and 90nm (DDR1-only) AMD processors     are subject to this erratum :

  - First-generation AMD-Opteron(tm) single and dual core     processors in either 939 or 940 packages :

  - AMD Opteron(tm) 100-Series Processors

  - AMD Opteron(tm) 200-Series Processors

  - AMD Opteron(tm) 800-Series Processors

  - AMD Athlon(tm) processors in either 754, 939 or 940     packages

  - AMD Sempron(tm) processor in either 754 or 939 packages

  - AMD Turion(tm) Mobile Technology in 754 package This     issue does not effect Intel processors.

    The impact of this flaw is that a malicious PV guest     user can halt the host system.

    As this is a hardware flaw, it is not fixable except by     upgrading your hardware to a newer revision, or not     allowing untrusted 64bit guestsystems.

    The patch changes the behaviour of the host system     booting, which makes it unable to create guest machines     until a specific boot option is set.

    There is a new XEN boot option 'allow_unsafe' for GRUB     which allows the host to start guests again.

    This is added to /boot/grub/menu.lst in the line looking     like this :

    kernel /boot/xen.gz .... allow_unsafe

    Note: .... in this example represents the existing boot     options for the host.

The remote Redhat Enterprise Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2012:0720 advisory.

  - kernel: x86-64: avoid sysret to non-canonical address (CVE-2012-0217)

  - kernel: ipv6: panic using raw sockets (CVE-2012-1583)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

  - It was found that the Xen hypervisor implementation as     shipped with Scientific Linux 5 did not properly     restrict the syscall return addresses in the sysret     return path to canonical addresses. An unprivileged user     in a 64-bit para-virtualized guest, that is running on a     64-bit host that has an Intel CPU, could use this flaw     to crash the host or, potentially, escalate their     privileges, allowing them to execute arbitrary code at     the hypervisor level. (CVE-2012-0217, Important)

  - It was found that guests could trigger a bug in earlier     AMD CPUs, leading to a CPU hard lockup, when running on     the Xen hypervisor implementation. An unprivileged user     in a 64-bit para-virtualized guest could use this flaw     to crash the host. Warning: After installing this     update, hosts that are using an affected AMD CPU (refer     to upstream bug #824966 for a list) will fail to boot.
    In order to boot such hosts, the new kernel parameter,     allow_unsafe, can be used ('allow_unsafe=on'). This     option should only be used with hosts that are running     trusted guests, as setting it to 'on' reintroduces the     flaw (allowing guests to crash the host).
    (CVE-2012-2934, Moderate)

Note: For Scientific Linux guests, only privileged guest users can exploit the CVE-2012-0217 and CVE-2012-2934 issues.

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

Rafal Wojtczuk from Bromium discovered that FreeBSD wasn't handling correctly uncanonical return addresses on Intel amd64 CPUs, allowing privilege escalation to kernel for local users.

Several vulnerabilities were discovered in Xen, a hypervisor.

  - CVE-2012-0217     Xen does not properly handle uncanonical return     addresses on Intel amd64 CPUs, allowing amd64 PV guests     to elevate to hypervisor privileges. AMD processors, HVM     and i386 guests are not affected.

  - CVE-2012-0218     Xen does not properly handle SYSCALL and SYSENTER     instructions in PV guests, allowing unprivileged users     inside a guest system to crash the guest system.

  - CVE-2012-2934     Xen does not detect old AMD CPUs affected by AMD Erratum     #121.

For CVE-2012-2934, Xen refuses to start domUs on affected systems unless the 'allow_unsafe' option is passed.

Problem description :

FreeBSD/amd64 runs on CPUs from different vendors. Due to varying behaviour of CPUs in 64 bit mode a sanity check of the kernel may be insufficient when returning from a system call.

Successful exploitation of the problem can lead to local kernel privilege escalation, kernel data corruption and/or crash. To exploit this vulnerability, an attacker must be able to run code with user privileges on the target system.

Updated kernel packages that fix two security issues are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* It was found that the Xen hypervisor implementation as shipped with Red Hat Enterprise Linux 5 did not properly restrict the syscall return addresses in the sysret return path to canonical addresses. An unprivileged user in a 64-bit para-virtualized guest, that is running on a 64-bit host that has an Intel CPU, could use this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute arbitrary code at the hypervisor level. (CVE-2012-0217, Important)

* It was found that guests could trigger a bug in earlier AMD CPUs, leading to a CPU hard lockup, when running on the Xen hypervisor implementation. An unprivileged user in a 64-bit para-virtualized guest could use this flaw to crash the host. Warning: After installing this update, hosts that are using an affected AMD CPU (refer to Red Hat Bugzilla bug #824966 for a list) will fail to boot. In order to boot such hosts, the new kernel parameter, allow_unsafe, can be used ('allow_unsafe=on'). This option should only be used with hosts that are running trusted guests, as setting it to 'on' reintroduces the flaw (allowing guests to crash the host). (CVE-2012-2934, Moderate)

Note: For Red Hat Enterprise Linux guests, only privileged guest users can exploit the CVE-2012-0217 and CVE-2012-2934 issues.

Red Hat would like to thank the Xen project for reporting these issues. Upstream acknowledges Rafal Wojtczuk as the original reporter of CVE-2012-0217.

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

Three security issues were found in XEN.

Two security issues are fixed by this update :

  - Due to incorrect fault handling in the XEN hypervisor it     was possible for a XEN guest domain administrator to     execute code in the XEN host environment.
    (CVE-2012-0217)

  - Also a guest user could crash the guest XEN kernel due     to a protection fault bounce. (CVE-2012-0218)

The third fix is changing the Xen behaviour on certain hardware :

  - The issue is a denial of service issue on older pre-SVM     AMD CPUs (AMD Erratum 121). (CVE-2012-2934)

    AMD Erratum #121 is described in 'Revision Guide for AMD     Athlon 64 and AMD Opteron Processors':
    http://support.amd.com/us/Processor_TechDocs/25759.pdf

    The following 130nm and 90nm (DDR1-only) AMD processors     are subject to this erratum :

o

First-generation AMD-Opteron(tm) single and dual core processors in either 939 or 940 packages :

  - AMD Opteron(tm) 100-Series Processors

  - AMD Opteron(tm) 200-Series Processors

  - AMD Opteron(tm) 800-Series Processors

  - AMD Athlon(tm) processors in either 754, 939 or 940     packages

  - AMD Sempron(tm) processor in either 754 or 939 packages

  - AMD Turion(tm) Mobile Technology in 754 package This     issue does not effect Intel processors.

    The impact of this flaw is that a malicious PV guest     user can halt the host system.

    As this is a hardware flaw, it is not fixable except by     upgrading your hardware to a newer revision, or not     allowing untrusted 64bit guestsystems.

    The patch changes the behaviour of the host system     booting, which makes it unable to create guest machines     until a specific boot option is set.

    There is a new XEN boot option 'allow_unsafe' for GRUB     which allows the host to start guests again.

    This is added to /boot/grub/menu.lst in the line looking     like this :

    kernel /boot/xen.gz .... allow_unsafe

    Note: .... in this example represents the existing boot     options for the host.

The remote Redhat Enterprise Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2012:0721 advisory.

    The kernel packages contain the Linux kernel, the core of any Linux     operating system.

    This update fixes the following security issues:

    * It was found that the Xen hypervisor implementation as shipped with Red     Hat Enterprise Linux 5 did not properly restrict the syscall return     addresses in the sysret return path to canonical addresses. An unprivileged     user in a 64-bit para-virtualized guest, that is running on a 64-bit host     that has an Intel CPU, could use this flaw to crash the host or,     potentially, escalate their privileges, allowing them to execute arbitrary     code at the hypervisor level. (CVE-2012-0217, Important)

    * It was found that guests could trigger a bug in earlier AMD CPUs, leading     to a CPU hard lockup, when running on the Xen hypervisor implementation. An     unprivileged user in a 64-bit para-virtualized guest could use this flaw to     crash the host. Warning: After installing this update, hosts that are using     an affected AMD CPU (refer to Red Hat Bugzilla bug #824966 for a list) will     fail to boot. In order to boot such hosts, the new kernel parameter,     allow_unsafe, can be used (allow_unsafe=on). This option should only be     used with hosts that are running trusted guests, as setting it to on     reintroduces the flaw (allowing guests to crash the host). (CVE-2012-2934,     Moderate)

    Note: For Red Hat Enterprise Linux guests, only privileged guest users can     exploit the CVE-2012-0217 and CVE-2012-2934 issues.

    Red Hat would like to thank the Xen project for reporting these issues.
    Upstream acknowledges Rafal Wojtczuk as the original reporter of     CVE-2012-0217.

    Users should upgrade to these updated packages, which contain backported     patches to correct these issues. The system must be rebooted for this     update to take effect.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is running a Windows kernel version that is affected by multiple elevation of privilege vulnerabilities :

  - A vulnerability exists in the way that the Windows User     Mode Scheduler handles system requests that can be     exploited to execute arbitrary code in kernel mode.
    (CVE-2012-0217)

  - A vulnerability exists in the way that Windows handles     BIOS memory that can be exploited to execute arbitrary     code in kernel mode. (CVE-2012-1515)

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2012-0721.

ID	Name	Product	Family	Severity
181028	Oracle Linux 5 : ELSA-2012-0721-1: / kernel (ELSA-2012-07211) (deprecated)	Nessus	Oracle Linux Local Security Checks	high
79478	OracleVM 2.2 : xen (OVMSA-2012-0022)	Nessus	OracleVM Local Security Checks	high
79477	OracleVM 3.1 : xen (OVMSA-2012-0021)	Nessus	OracleVM Local Security Checks	high
79476	OracleVM 3.0 : xen (OVMSA-2012-0020)	Nessus	OracleVM Local Security Checks	high
76829	Oracle Solaris Critical Patch Update : oct2012_SRU10_5	Nessus	Solaris Local Security Checks	high
74683	openSUSE Security Update : xen (openSUSE-2012-404)	Nessus	SuSE Local Security Checks	high
74682	openSUSE Security Update : xen (openSUSE-SU-2012:0886-1)	Nessus	SuSE Local Security Checks	high
70184	GLSA-201309-24 : Xen: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
68540	Oracle Linux 5 : kernel (ELSA-2012-0721)	Nessus	Oracle Linux Local Security Checks	high
68539	Oracle Linux 5 : kernel (ELSA-2012-0721-1)	Nessus	Oracle Linux Local Security Checks	high
64233	SuSE 11.1 Security Update : Xen (SAT Patch Number 6399)	Nessus	SuSE Local Security Checks	high
64039	RHEL 5 : kernel (RHSA-2012:0720)	Nessus	Red Hat Local Security Checks	high
61326	Scientific Linux Security Update : kernel on SL5.x i386/x86_64 (20120612)	Nessus	Scientific Linux Local Security Checks	high
60088	Debian DSA-2508-1 : kfreebsd-8 - privilege escalation	Nessus	Debian Local Security Checks	high
59779	Debian DSA-2501-1 : xen - several vulnerabilities	Nessus	Debian Local Security Checks	high
59748	FreeBSD : FreeBSD -- Privilege escalation when returning from kernel (aed44c4e-c067-11e1-b5e0-000c299b62e1)	Nessus	FreeBSD Local Security Checks	high
59479	CentOS 5 : kernel (CESA-2012:0721)	Nessus	CentOS Local Security Checks	high
59469	SuSE 10 Security Update : Xen (ZYPP Patch Number 8180)	Nessus	SuSE Local Security Checks	high
59467	RHEL 5 : kernel (RHSA-2012:0721)	Nessus	Red Hat Local Security Checks	high
59460	MS12-042: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2711167)	Nessus	Windows : Microsoft Bulletins	high
801518	CentOS RHSA-2012-0721 Security Check	Log Correlation Engine	Generic	high

Detections

Analytics

CVE-2012-0217

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high