OracleVM 3.3 : xen (OVMSA-2014-0025)

2014-11-26T00:00:00
ID ORACLEVM_OVMSA-2014-0025.NASL
Type nessus
Reporter Tenable
Modified 2017-02-14T00:00:00

Description

The remote OracleVM system is missing necessary patches to address critical security updates :

  • x86/HVM: properly bound x2APIC MSR range. This is XSA-108. Additional changelog comments added to 4.3.0-55.el6.0.0.3. (CVE-2014-7188)

  • Fix for bug 19698535

  • x86emul: only emulate software interrupt injection for real mode. Protected mode emulation currently lacks proper privilege checking of the referenced IDT entry, and there's currently no legitimate way for any of the respective instructions to reach the emulator when the guest is in protected mode. This is XSA-106. (CVE-2014-7156)

  • x86/emulate: check cpl for all privileged instructions. Without this, it is possible for userspace to load its own IDT or GDT. This is XSA-105. (CVE-2014-7155)

                                        
                                            #
# (C) Tenable Network Security, Inc.
#
# The package checks in this plugin were extracted from OracleVM
# Security Advisory OVMSA-2014-0025.
#

include("compat.inc");

# Registration pass: when the scanner loads the plugin with `description`
# set, only metadata is declared and the script exits before any check runs.
if (description)
{
  # Plugin identity and revision bookkeeping.
  script_id(79541);
  script_version("$Revision: 1.4 $");
  script_cvs_date("$Date: 2017/02/14 17:16:23 $");

  # Cross-references. The three CVEs map to XSA-105, XSA-106 and XSA-108
  # respectively, as stated in the description text below.
  script_cve_id("CVE-2014-7155", "CVE-2014-7156", "CVE-2014-7188");
  script_bugtraq_id(70057, 70062, 70198);
  script_osvdb_id(112435);

  script_name(english:"OracleVM 3.3 : xen (OVMSA-2014-0025)");
  script_summary(english:"Checks the RPM output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:"The remote OracleVM host is missing one or more security updates.");

  # The description is the vendor changelog text; its line breaks are part
  # of the string and are kept exactly as published.
  script_set_attribute(attribute:"description", value:
"The remote OracleVM system is missing necessary patches to address
critical security updates :

  - x86/HVM: properly bound x2APIC MSR range This is
    XSA-108. Additional changelog comments added to
    4.3.0-55.el6.0.0.3 (CVE-2014-7188)

  - Fix for bug 19698535

  - x86emul: only emulate software interrupt injection for
    real mode Protected mode emulation currently lacks
    proper privilege checking of the referenced IDT entry,
    and there's currently no legitimate way for any of the
    respective instructions to reach the emulator when the
    guest is in protected mode. This is XSA-106.
    (CVE-2014-7156)

  - x86/emulate: check cpl for all privileged instructions
    Without this, it is possible for userspace to load its
    own IDT or GDT. This is XSA-105. (CVE-2014-7155)");

  # The value below is a shortened link; the vendor advisory it stands for is
  # https://oss.oracle.com/pipermail/oraclevm-errata/2014-October/000226.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?464e91f4");
  script_set_attribute(attribute:"solution", value:"Update the affected xen / xen-tools packages.");

  # CVSS v2 base vector: adjacent-network access, low complexity, no
  # authentication, complete impact on confidentiality, integrity and
  # availability. Temporal vector: exploitability unproven, official fix
  # available, report confirmed.
  script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # "local" plugin: the result comes from data collected on the host itself
  # (the RPM list), not from probing a network service.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen-tools");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:3.3");

  script_set_attribute(attribute:"patch_publication_date", value:"2014/10/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/26");
  script_end_attributes();

  # Information-gathering category: the plugin only reads collected data.
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2017 Tenable Network Security, Inc.");
  script_family(english:"OracleVM Local Security Checks");

  # Scheduling prerequisites: ssh_get_info.nasl must have run, and the
  # knowledge base must hold the local-check flag, the OracleVM release
  # string and the RPM list. Without credentialed data this plugin produces
  # no finding, which is not the same as the host being patched.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Preconditions. Each failed guard calls audit() with the reason the host is
# out of scope for this check.

# Credentialed (local) checks must have been enabled for this host.
if (!get_kb_item("Host/local_checks_enabled"))
{
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
}

# The release string must be present and contain "OVS" (`>!<` is the
# "does not contain" operator) ...
release = get_kb_item("Host/OracleVM/release");
if (isnull(release) || "OVS" >!< release)
{
  audit(AUDIT_OS_NOT, "OracleVM");
}

# ... and must identify the 3.3 line: "OVS3.3" followed either by a dot and
# a digit or by the end of the string.
if (! ereg(pattern:"^OVS" + "3\.3" + "(\.[0-9]|$)", string:release))
{
  audit(AUDIT_OS_NOT, "OracleVM 3.3", "OracleVM " + release);
}

# The package comparison below needs the collected RPM list.
if (!get_kb_item("Host/OracleVM/rpm-list"))
{
  audit(AUDIT_PACKAGE_LIST_MISSING);
}

# Architecture gate: an unknown CPU string is rejected, anything that is
# neither x86_64 nor i386..i686 is reported as not implemented, and the
# remaining 32-bit x86 case is reported as "not x86_64".
cpu = get_kb_item("Host/cpu");
if (isnull(cpu))
{
  audit(AUDIT_UNKNOWN_ARCH);
}
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$")
{
  audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu);
}
if ("x86_64" >!< cpu)
{
  audit(AUDIT_ARCH_NOT, "x86_64", cpu);
}

# Compare the installed xen and xen-tools packages against the fixed builds
# named in the advisory. Both packages are always tested so that every
# outdated one is counted in `flag`.
# NOTE(review): this looks only at installed RPM versions; presumably a host
# that has the fixed package installed but is still running the older
# hypervisor would not be flagged - confirm against operational procedure.
flag = 0;
foreach fixed_pkg (make_list("xen-4.3.0-55.el6.0.0.4", "xen-tools-4.3.0-55.el6.0.0.4"))
{
  if (rpm_check(release:"OVS3.3", reference:fixed_pkg)) flag++;
}

if (!flag)
{
  # Nothing outdated: distinguish "packages tested and up to date" from
  # "packages not installed at all".
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen / xen-tools");
}
else
{
  # At least one package is older than the fixed build: raise the finding on
  # port 0, attaching the package report unless verbosity is zero.
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}