SUSE SLED15 / SLES15 Security Update : xen (SUSE-SU-2022:2597-1)

high Nessus Plugin ID 163647

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:2597-1 advisory.

- Incomplete cleanup of multi-core shared buffers for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. (CVE-2022-21123)

- Incomplete cleanup of microarchitectural fill buffers on some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. (CVE-2022-21125)

- Incomplete cleanup in specific special register write operations for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. (CVE-2022-21166)

- Aliases in the branch predictor may cause some AMD processors to predict the wrong branch type potentially leading to information disclosure. (CVE-2022-23825)

- x86 pv: Race condition in typeref acquisition Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g.
PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, the logic for acquiring a type reference has a race condition, whereby a safely TLB flush is issued too early and creates a window where the guest can re-establish the read/write mapping before writeability is prohibited. (CVE-2022-26362)

- x86 pv: Insufficient care with non-coherent mappings T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables;
updates need auditing by Xen. Unfortunately, Xen's safety logic doesn't account for CPU-induced cache non- coherency; cases where the CPU can cause the content of the cache to be different to the content in main memory. In such cases, Xen's safety logic can incorrectly conclude that the contents of a page is safe.
(CVE-2022-26363, CVE-2022-26364)

- Mis-trained branch predictions for return instructions may allow arbitrary speculative code execution under certain microarchitecture-dependent conditions. (CVE-2022-29900)

- insufficient TLB flush for x86 PV guests in shadow mode For migration as well as to work around kernels unaware of L1TF (see XSA-273), PV guests may be run in shadow paging mode. To address XSA-401, code was moved inside a function in Xen. This code movement missed a variable changing meaning / value between old and new code positions. The now wrong use of the variable did lead to a wrong TLB flush condition, omitting flushes where such are necessary. (CVE-2022-33745)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1027519

https://bugzilla.suse.com/1199965

https://bugzilla.suse.com/1199966

https://bugzilla.suse.com/1200549

https://bugzilla.suse.com/1201394

https://bugzilla.suse.com/1201469

https://www.suse.com/security/cve/CVE-2022-21123

https://www.suse.com/security/cve/CVE-2022-21125

https://www.suse.com/security/cve/CVE-2022-21166

https://www.suse.com/security/cve/CVE-2022-23825

https://www.suse.com/security/cve/CVE-2022-26362

https://www.suse.com/security/cve/CVE-2022-26363

https://www.suse.com/security/cve/CVE-2022-26364

https://www.suse.com/security/cve/CVE-2022-29900

https://www.suse.com/security/cve/CVE-2022-33745

http://www.nessus.org/u?57869942

Plugin Details

Severity: High

ID: 163647

File Name: suse_SU-2022-2597-1.nasl

Version: 1.10

Type: local

Agent: unix

Published: 7/30/2022

Updated: 1/16/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 6

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2022-26364

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 8.2

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

CVSS Score Source: CVE-2022-33745

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:xen-tools, p-cpe:/a:novell:suse_linux:xen-tools-xendomains-wait-disk, p-cpe:/a:novell:suse_linux:xen-tools-domu, p-cpe:/a:novell:suse_linux:xen, p-cpe:/a:novell:suse_linux:xen-libs, p-cpe:/a:novell:suse_linux:xen-devel, cpe:/o:novell:suse_linux:15

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/29/2022

Vulnerability Publication Date: 12/2/2021

Reference Information

CVE: CVE-2022-21123, CVE-2022-21125, CVE-2022-21166, CVE-2022-23825, CVE-2022-26362, CVE-2022-26363, CVE-2022-26364, CVE-2022-29900, CVE-2022-33745

SuSE: SUSE-SU-2022:2597-1