Debian DSA-5184-1 : xen - security update

medium Nessus Plugin ID 163265

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5184 advisory.

- Incomplete cleanup of multi-core shared buffers for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. (CVE-2022-21123)

- Incomplete cleanup of microarchitectural fill buffers on some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. (CVE-2022-21125)

- Incomplete cleanup in specific special register write operations for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. (CVE-2022-21166)

- Aliases in the branch predictor may cause some AMD processors to predict the wrong branch type potentially leading to information disclosure. (CVE-2022-23825)

- x86 pv: Race condition in typeref acquisition Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g.
PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, the logic for acquiring a type reference has a race condition, whereby a safely TLB flush is issued too early and creates a window where the guest can re-establish the read/write mapping before writeability is prohibited. (CVE-2022-26362)

- x86 pv: Insufficient care with non-coherent mappings T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables;
updates need auditing by Xen. Unfortunately, Xen's safety logic doesn't account for CPU-induced cache non- coherency; cases where the CPU can cause the content of the cache to be different to the content in main memory. In such cases, Xen's safety logic can incorrectly conclude that the contents of a page is safe.
(CVE-2022-26363, CVE-2022-26364)

- AMD microprocessor families 15h to 18h are affected by a new Spectre variant that is able to bypass their retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can hijack return instructions to achieve arbitrary speculative code execution under certain microarchitecture-dependent conditions. (CVE-2022-29900)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the xen packages.

For the stable distribution (bullseye), these problems have been fixed in version 4.14.5+24-g87d90d511c-1.

See Also

https://security-tracker.debian.org/tracker/source-package/xen

https://www.debian.org/security/2022/dsa-5184

https://security-tracker.debian.org/tracker/CVE-2022-21123

https://security-tracker.debian.org/tracker/CVE-2022-21125

https://security-tracker.debian.org/tracker/CVE-2022-21166

https://security-tracker.debian.org/tracker/CVE-2022-23825

https://security-tracker.debian.org/tracker/CVE-2022-26362

https://security-tracker.debian.org/tracker/CVE-2022-26363

https://security-tracker.debian.org/tracker/CVE-2022-26364

https://security-tracker.debian.org/tracker/CVE-2022-29900

https://packages.debian.org/source/bullseye/xen

Plugin Details

Severity: Medium

ID: 163265

File Name: debian_DSA-5184.nasl

Version: 1.6

Type: local

Agent: unix

Published: 7/16/2022

Updated: 1/16/2024

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 6

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2022-26364

CVSS v3

Risk Factor: Medium

Base Score: 6.7

Temporal Score: 6.2

Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:libxen-dev, p-cpe:/a:debian:debian_linux:libxencall1, p-cpe:/a:debian:debian_linux:libxendevicemodel1, p-cpe:/a:debian:debian_linux:libxenevtchn1, p-cpe:/a:debian:debian_linux:libxenforeignmemory1, p-cpe:/a:debian:debian_linux:libxengnttab1, p-cpe:/a:debian:debian_linux:libxenhypfs1, p-cpe:/a:debian:debian_linux:libxenmisc4.14, p-cpe:/a:debian:debian_linux:libxenstore3.0, p-cpe:/a:debian:debian_linux:libxentoolcore1, p-cpe:/a:debian:debian_linux:libxentoollog1, p-cpe:/a:debian:debian_linux:xen-doc, p-cpe:/a:debian:debian_linux:xen-hypervisor-4.14-amd64, p-cpe:/a:debian:debian_linux:xen-hypervisor-4.14-arm64, p-cpe:/a:debian:debian_linux:xen-hypervisor-4.14-armhf, p-cpe:/a:debian:debian_linux:xen-hypervisor-common, p-cpe:/a:debian:debian_linux:xen-system-amd64, p-cpe:/a:debian:debian_linux:xen-system-arm64, p-cpe:/a:debian:debian_linux:xen-system-armhf, p-cpe:/a:debian:debian_linux:xen-utils-4.14, p-cpe:/a:debian:debian_linux:xen-utils-common, p-cpe:/a:debian:debian_linux:xenstore-utils, cpe:/o:debian:debian_linux:11.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/15/2022

Vulnerability Publication Date: 6/9/2022

Reference Information

CVE: CVE-2022-21123, CVE-2022-21125, CVE-2022-21166, CVE-2022-23825, CVE-2022-26362, CVE-2022-26363, CVE-2022-26364, CVE-2022-29900