Xen Multiple Vulnerabilities (XSA-191 - XSA-198)

Severity: High | Nessus Plugin ID 95630

Synopsis

The remote Xen hypervisor installation is missing a security update.

Description

According to its self-reported version number, the Xen hypervisor installed on the remote host is missing a security update. It is, therefore, affected by multiple vulnerabilities:

- A flaw exists in the inject_swint() function in x86_emulate.c due to improper handling of the format of IDT lookups when emulating instructions which generate software interrupts. A guest attacker can exploit this to crash the host, resulting in a denial of service condition. (CVE-2016-9377)

- A flaw exists in the svm_inject_trap() function in svm.c due to a failure to properly perform IDT privilege checks when emulating instructions which generate software interrupts. A guest attacker can exploit this to crash the host, resulting in a denial of service condition. (CVE-2016-9378)

- A flaw exists in the sniff_netware() function in file tools/pygrub/src/pygrub due to improper handling of string quotes and S-expressions in the bootloader when the S-expressions output format is requested. A guest attacker can exploit this to cause the bootloader configuration file to produce incorrect output, resulting in the disclosure or deletion of files from the host. (CVE-2016-9379)

- A flaw exists in the sniff_netware() function in file tools/pygrub/src/pygrub due to improper handling of NULL bytes in the bootloader when the null-delimited output format is requested. A guest attacker can exploit this to cause configuration files to output ambiguous or confusing results, resulting in the disclosure or deletion of files from the host. (CVE-2016-9380)

- A double-fetch flaw exists that is triggered when the compiler omits QEMU optimizations. A guest attacker can exploit this to gain elevated privileges on the host. (CVE-2016-9381)

- A flaw exists in the hvm_task_switch() function in hvm.c due to improper handling of x86 task switching to VM86 mode. A guest attacker can exploit this to cause a denial of service condition or gain elevated privileges within the guest environment. (CVE-2016-9382)

- A flaw exists in the x86_emulate() function in x86_emulate.c that allows a guest attacker to cause changes to memory and thereby gain elevated privileges on the host. (CVE-2016-9383)

- A flaw exists that is triggered as unused bytes in image metadata are not properly cleared during symbol table loading. This may allow a guest attacker to disclose potentially sensitive information from the host. (CVE-2016-9384)

- A flaw exists in the x86 segment base write emulation due to a lack of canonical address checks. A guest attacker can exploit this issue to crash the host, resulting in a denial of service condition. (CVE-2016-9385)

- A flaw exists in the x86 emulator due to improper validation of the usability of segments when performing memory accesses. A guest attacker can exploit this to gain elevated privileges within the guest environment. (CVE-2016-9386)

Note that Nessus has checked the changeset versions based on the xen.git change log. Nessus did not check guest hardware configurations, nor whether patches were applied manually to the source code before a recompile and reinstall.

Solution

Apply the appropriate patch according to the vendor advisories.

See Also

https://xenbits.xen.org/xsa/advisory-191.html

https://xenbits.xen.org/xsa/advisory-192.html

https://xenbits.xen.org/xsa/advisory-193.html

https://xenbits.xen.org/xsa/advisory-194.html

https://xenbits.xen.org/xsa/advisory-195.html

https://xenbits.xen.org/xsa/advisory-196.html

https://xenbits.xen.org/xsa/advisory-197.html

https://xenbits.xen.org/xsa/advisory-198.html

https://xenbits.xen.org/gitweb/?p=xen.git;a=summary

Plugin Details

Severity: High

ID: 95630

File Name: xen_server_XSA-198.nasl

Version: 1.8

Type: local

Family: Misc.

Published: 12/8/2016

Updated: 7/10/2020

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.5

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2016-9383

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:xen:xen

Required KB Items: installed_sw/Xen Hypervisor, Settings/ParanoidReport

Exploit Ease: No known exploits are available

Patch Publication Date: 11/22/2016

Vulnerability Publication Date: 11/22/2016

Reference Information

CVE: CVE-2016-9377, CVE-2016-9378, CVE-2016-9379, CVE-2016-9380, CVE-2016-9381, CVE-2016-9382, CVE-2016-9383, CVE-2016-9384, CVE-2016-9385, CVE-2016-9386

BID: 94468, 94470, 94471, 94472, 94473, 94474, 94475, 94476

IAVB: 2016-B-0177-S