Synopsis
The remote Xen hypervisor installation is missing a security update.
Description
According to its self-reported version number, the Xen hypervisor installed on the remote host is missing a security update. It is, therefore, affected by multiple vulnerabilities :
- A flaw exists in the inject_swint() function in x86_emulate.c because IDT lookups do not use the correct descriptor format when emulating instructions that generate software interrupts. A guest attacker can exploit this to crash the host, resulting in a denial of service condition. (CVE-2016-9377)
- A flaw exists in the svm_inject_trap() function in svm.c due to a failure to properly perform IDT privilege checks when emulating instructions which generate software interrupts. A guest attacker can exploit this to crash the host, resulting in a denial of service condition. (CVE-2016-9378)
- A flaw exists in the sniff_netware() function in file tools/pygrub/src/pygrub due to improper handling of string quotes and S-expressions found in the guest's bootloader configuration file when the S-expression output format is requested. A guest attacker who controls that configuration file can exploit this to make pygrub emit output that the host toolstack misinterprets, resulting in the disclosure or deletion of files from the host. (CVE-2016-9379)
- A flaw exists in the sniff_netware() function in file tools/pygrub/src/pygrub due to improper handling of NUL bytes found in the guest's bootloader configuration file when the null-delimited output format is requested. A guest attacker can exploit this to make pygrub emit ambiguous output whose field boundaries the host toolstack cannot recover, resulting in the disclosure or deletion of files from the host. (CVE-2016-9380)
- A double-fetch flaw exists in QEMU's processing of memory shared with the guest: compiler optimizations can cause a guest-writable value to be read once for validation and again for use. A guest attacker can exploit this to gain elevated privileges on the host. (CVE-2016-9381)
- A flaw exists in the hvm_task_switch() function in hvm.c due to improper handling of x86 task switching to VM86 mode. A guest attacker can exploit this to cause a denial of service condition or gain elevated privileges within the guest environment. (CVE-2016-9382)
- A flaw exists in the x86_emulate() function in x86_emulate.c that allows a guest attacker to cause changes to memory and thereby gain elevated privileges on the host. (CVE-2016-9383)
- A flaw exists due to improper clearing of unused bytes in image metadata during symbol table loading. A guest attacker can exploit this to disclose sensitive information from the host. (CVE-2016-9384)
- A flaw exists in the x86 segment base write emulation due to a lack of canonical address checks. A guest attacker can exploit this issue to crash the host, resulting in a denial of service condition. (CVE-2016-9385)
- A flaw exists in the x86 emulator due to improper validation of the usability of segments when performing memory accesses. A guest attacker can exploit this to gain elevated privileges within the guest environment. (CVE-2016-9386)
Note that Nessus has checked the changeset versions based on the xen.git change log. Nessus did not check guest hardware configurations or whether patches were applied manually to the source code before a recompile and reinstall.
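The two pygrub issues above (CVE-2016-9379 and CVE-2016-9380) are output-escaping bugs: pygrub serialises the kernel, ramdisk and argument strings it found in the guest's own bootloader configuration, and the host toolstack parses that serialisation back. The Python below is an added illustration written for this page; it is not pygrub's code, and the paths and argument strings it uses are constructed. It places a vulnerable formatter beside a hardened one for each output format and adds a minimal consumer-side parser so the effect is visible: an unescaped quote in the kernel arguments lets the guest append a second `kernel` element, and a NUL byte inside a value shifts the positional fields so a host path lands in the `ramdisk` slot.

```python
import re

# Constructed guest-controlled bootloader values (illustrative, not taken from the advisory).
KERNEL = "/boot/vmlinuz"
INJECTED_ARGS = 'root=/dev/xvda1")(kernel /etc/shadow)("'   # the quote closes the args string
KERNEL_WITH_NUL = "/boot/vmlinuz\0/etc/shadow"              # the NUL forges a field boundary


def format_sxp_vulnerable(kernel, ramdisk, args):
    """Interpolates raw values: a '"' in args ends the string and injects new elements."""
    out = "linux (kernel %s)" % kernel
    if ramdisk:
        out += "(ramdisk %s)" % ramdisk
    if args:
        out += '(args "%s")' % args
    return out


def sxp_quote(value):
    """Quote a value so it remains one S-expression string whatever it contains."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def format_sxp_hardened(kernel, ramdisk, args):
    """Every guest-derived value is quoted and escaped, so it cannot add elements."""
    out = "linux (kernel %s)" % sxp_quote(kernel)
    if ramdisk:
        out += "(ramdisk %s)" % sxp_quote(ramdisk)
    if args:
        out += "(args %s)" % sxp_quote(args)
    return out


# whitespace | ( | ) | quoted string with backslash escapes | bare word | anything else (error)
_TOKEN = re.compile(r'\s+|\(|\)|"(?:\\.|[^"\\])*"|[^\s()"]+|.')


def parse_sxp(text):
    """Minimal S-expression reader standing in for the toolstack side; returns nested lists."""
    stack = [[]]
    for m in _TOKEN.finditer(text):
        tok = m.group()
        if tok.isspace():
            continue
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) < 2:
                raise ValueError("unbalanced ')'")
            done = stack.pop()
            stack[-1].append(done)
        elif tok == '"':
            raise ValueError("unterminated string")
        elif tok.startswith('"'):
            stack[-1].append(re.sub(r"\\(.)", r"\1", tok[1:-1]))
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]


def extract(tree, key):
    """Values of every top-level (key value) pair; the toolstack would act on one of them."""
    return [node[1] for node in tree
            if isinstance(node, list) and len(node) == 2 and node[0] == key]


def format_null_vulnerable(kernel, ramdisk, args):
    """Joins fields with NUL; a NUL inside a value silently becomes an extra field."""
    return "\0".join([kernel, ramdisk or "", args or ""])


def format_null_hardened(kernel, ramdisk, args):
    """Refuse to emit any value containing the delimiter, since it cannot be escaped."""
    fields = [kernel, ramdisk or "", args or ""]
    if any("\0" in f for f in fields):
        raise ValueError("NUL byte in bootloader value")
    return "\0".join(fields)


def parse_null(text):
    """Consumer side: positional fields kernel, ramdisk, args."""
    fields = text.split("\0")
    return {"kernel": fields[0], "ramdisk": fields[1], "args": fields[2]}


if __name__ == "__main__":
    print(extract(parse_sxp(format_sxp_vulnerable(KERNEL, None, INJECTED_ARGS)), "kernel"))
    print(extract(parse_sxp(format_sxp_hardened(KERNEL, None, INJECTED_ARGS)), "kernel"))
    print(parse_null(format_null_vulnerable(KERNEL_WITH_NUL, None, "root=/dev/xvda1"))["ramdisk"])
```

The hardened S-expression formatter quotes every guest-derived field and escapes backslashes and quotes, so the consumer's string reader cannot be tricked into seeing a new element. The hardened null-delimited formatter simply rejects values that contain the delimiter: once a NUL is inside a field there is no encoding the consumer could distinguish from a real boundary. The actual XSA-198 patch to pygrub differs in detail from this sketch; use the vendor patch, not this code, when fixing a host.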
Solution
Apply the appropriate patch according to the vendor advisories.
Plugin Details
File Name: xen_server_XSA-198.nasl
Configuration: Enable paranoid mode
Supported Sensors: Nessus
Risk Information
Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/o:xen:xen
Required KB Items: Settings/ParanoidReport, installed_sw/Xen Hypervisor
Exploit Ease: No known exploits are available
Patch Publication Date: 11/22/2016
Vulnerability Publication Date: 11/22/2016
Reference Information
CVE: CVE-2016-9377, CVE-2016-9378, CVE-2016-9379, CVE-2016-9380, CVE-2016-9381, CVE-2016-9382, CVE-2016-9383, CVE-2016-9384, CVE-2016-9385, CVE-2016-9386
BID: 94468, 94470, 94471, 94472, 94473, 94474, 94475, 94476