Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.ORACLEVM_OVMSA-2022-0003.NASL
HistoryJan 11, 2022 - 12:00 a.m.

OracleVM 3.4 : xen (OVMSA-2022-0003)

2022-01-1100:00:00
This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
10
JSON

The remote OracleVM system is missing necessary patches to address security updates:

  • An issue was discovered in Xen through 4.9.x allowing HVM guest OS users to cause a denial of service (infinite loop and host OS hang) by leveraging the mishandling of Populate on Demand (PoD) errors.
    (CVE-2017-17044)

  • An issue was discovered in Xen through 4.9.x allowing HVM guest OS users to gain privileges on the host OS, obtain sensitive information, or cause a denial of service (BUG and host OS crash) by leveraging the mishandling of Populate on Demand (PoD) Physical-to-Machine (P2M) errors. (CVE-2017-17045)

  • issues with partially successful P2M updates on x86 T[his CNA information record relates to multiple CVEs;
    the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspects of individual pages via hypercalls. These hypercalls may act on ranges of pages specified via page orders (resulting in a power-of-2 number of pages). In some cases the hypervisor carries out the requests by splitting them into smaller chunks. Error handling in certain PoD cases has been insufficient in that in particular partial success of some operations was not properly accounted for. There are two code paths affected - page removal (CVE-2021-28705) and insertion of new pages (CVE-2021-28709). (We provide one patch which combines the fix to both issues.) (CVE-2021-28705, CVE-2021-28709)

  • guests may exceed their designated memory limit When a guest is permitted to have close to 16TiB of memory, it may be able to issue hypercalls to increase its memory allocation beyond the administrator established limit. This is a result of a calculation done with 32-bit precision, which may overflow. It would then only be the overflowed (and hence small) number which gets compared against the established upper bound. (CVE-2021-28706)

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.

##
# (C) Tenable Network Security, Inc.
#
# The package checks in this plugin were
# extracted from OracleVM Security Advisory OVMSA-2022-0003.
##

include('compat.inc');

if (description)
{
  script_id(156595);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/01/26");

  script_cve_id(
    "CVE-2017-17044",
    "CVE-2017-17045",
    "CVE-2021-28705",
    "CVE-2021-28706",
    "CVE-2021-28709"
  );

  script_name(english:"OracleVM 3.4 : xen (OVMSA-2022-0003)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OracleVM host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote OracleVM system is missing necessary patches to address security updates:

  - An issue was discovered in Xen through 4.9.x allowing HVM guest OS users to cause a denial of service
    (infinite loop and host OS hang) by leveraging the mishandling of Populate on Demand (PoD) errors.
    (CVE-2017-17044)

  - An issue was discovered in Xen through 4.9.x allowing HVM guest OS users to gain privileges on the host
    OS, obtain sensitive information, or cause a denial of service (BUG and host OS crash) by leveraging the
    mishandling of Populate on Demand (PoD) Physical-to-Machine (P2M) errors. (CVE-2017-17045)

  - issues with partially successful P2M updates on x86 T[his CNA information record relates to multiple CVEs;
    the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be
    started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory
    assigned. Guests are permitted to control certain P2M aspects of individual pages via hypercalls. These
    hypercalls may act on ranges of pages specified via page orders (resulting in a power-of-2 number of
    pages). In some cases the hypervisor carries out the requests by splitting them into smaller chunks. Error
    handling in certain PoD cases has been insufficient in that in particular partial success of some
    operations was not properly accounted for. There are two code paths affected - page removal
    (CVE-2021-28705) and insertion of new pages (CVE-2021-28709). (We provide one patch which combines the fix
    to both issues.) (CVE-2021-28705, CVE-2021-28709)

  - guests may exceed their designated memory limit When a guest is permitted to have close to 16TiB of
    memory, it may be able to issue hypercalls to increase its memory allocation beyond the administrator
    established limit. This is a result of a calculation done with 32-bit precision, which may overflow. It
    would then only be the overflowed (and hence small) number which gets compared against the established
    upper bound. (CVE-2021-28706)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/cve/CVE-2017-17044.html");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/cve/CVE-2017-17045.html");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/cve/CVE-2021-28705.html");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/cve/CVE-2021-28706.html");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/cve/CVE-2021-28709.html");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/errata/OVMSA-2022-0003.html");
  script_set_attribute(attribute:"solution", value:
"Update the affected xen / xen-tools packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-17045");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/11/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/01/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/01/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen-tools");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:3.4");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"OracleVM Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list");

  exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var release = get_kb_item("Host/OracleVM/release");
if (isnull(release) || "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM");
if (! preg(pattern:"^OVS" + "3\.4" + "(\.[0-9]|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 3.4", "OracleVM " + release);
if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu);
if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);

var pkgs = [
    {'reference':'xen-4.4.4-222.0.45.el6', 'cpu':'x86_64', 'release':'3.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'xen-4.4.4-222'},
    {'reference':'xen-tools-4.4.4-222.0.45.el6', 'cpu':'x86_64', 'release':'3.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'xen-tools-4.4.4-222'}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var release = NULL;
  var sp = NULL;
  var cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) release = 'OVS' + package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (reference && release && (!exists_check || rpm_exists(release:release, rpm:exists_check))) {
    if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0); 
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'xen / xen-tools');
}
VendorProductVersionCPE
oraclevmxenp-cpe:/a:oracle:vm:xen
oraclevmxen-toolsp-cpe:/a:oracle:vm:xen-tools
oraclevm_server3.4cpe:/o:oracle:vm_server:3.4

Related

nessus 29
openvas 28
ubuntucve 5
fedora 13
cve 5
xen 4
debiancve 5
alpinelinux 1
osv 9
cvelist 5
prion 5
debian 3
suse 2
citrix 2
veracode 3
redhatcve 2
gentoo 2
nessus
nessus
OracleVM 3.4 : xen (OVMSA-2022-0004)
2022-01-11 00:00:00
Fedora 27 : xen (2017-4bfcd57172)
2018-01-15 00:00:00
OracleVM 3.3 : xen (OVMSA-2017-0177)
2017-12-14 00:00:00
openvas
openvas
Fedora Update for xen FEDORA-2017-4bfcd57172
2017-12-10 00:00:00
Fedora: Security Advisory for xen (FEDORA-2021-2b3a2de94f)
2021-12-09 00:00:00
SUSE: Security Advisory (SUSE-SU-2021:3813-1)
2021-11-30 00:00:00
ubuntucve
ubuntucve
CVE-2021-28705
2021-11-24 00:00:00
CVE-2021-28709
2021-11-24 00:00:00
CVE-2021-28706
2021-11-24 00:00:00
fedora
fedora
[SECURITY] Fedora 27 Update: xen-4.9.1-2.fc27
2017-12-10 05:11:32
[SECURITY] Fedora 34 Update: xen-4.14.3-3.fc34
2021-12-09 01:35:12
[SECURITY] Fedora 35 Update: xen-4.15.1-4.fc35
2021-12-01 01:21:44
cve
cve
CVE-2021-28709
2021-11-24 02:15:00
CVE-2021-28705
2021-11-24 02:15:00
CVE-2021-28706
2021-11-24 01:15:00
xen
xen
issues with partially successful P2M updates on x86
2021-11-23 12:00:00
guests may exceed their designated memory limit
2021-11-23 12:00:00
Missing p2m error checking in PoD code
2017-11-28 11:58:00
debiancve
debiancve
CVE-2021-28709
2021-11-24 02:15:00
CVE-2021-28705
2021-11-24 02:15:00
CVE-2017-17045
2017-11-28 23:29:00
alpinelinux
alpinelinux
CVE-2021-28709
2021-11-24 02:15:00
osv
osv
CVE-2021-28709
2021-11-24 02:15:06
CVE-2021-28705
2021-11-24 02:15:06
xen - security update
2021-12-05 00:00:00
cvelist
cvelist
CVE-2021-28709
2021-11-24 00:00:00
CVE-2021-28705
2021-11-24 00:00:00
CVE-2021-28706
2021-11-24 00:00:00
prion
prion
Design/Logic Flaw
2021-11-24 02:15:00
Design/Logic Flaw
2021-11-24 02:15:00
Design/Logic Flaw
2017-11-28 23:29:00
debian
debian
[SECURITY] [DSA 5017-1] xen security update
2021-12-05 11:35:48
[SECURITY] [DLA 1230-1] xen security update
2018-01-05 07:26:19
[SECURITY] [DLA 1559-1] xen security update
2018-10-30 07:46:55
suse
suse
Security update for xen (moderate)
2021-12-07 00:00:00
Security update for xen (moderate)
2021-12-06 00:00:00
citrix
citrix
Citrix XenServer Multiple Security Updates
2017-12-01 05:00:00
Citrix Hypervisor Security Update
2022-01-12 11:09:52
veracode
veracode
Regular Expression Denial Of Service (ReDoS)
2021-11-25 15:21:56
Denial Of Service (DoS)
2021-11-25 15:22:01
Regular Expression Denial Of Service (ReDoS)
2021-11-25 15:22:09
redhatcve
redhatcve
CVE-2017-17045
2017-11-29 12:50:10
CVE-2017-17044
2017-11-29 12:49:55
gentoo
gentoo
Xen: Multiple vulnerabilities
2018-01-14 00:00:00
Xen: Multiple Vulnerabilities
2024-02-04 00:00:00
JSON
Related for ORACLEVM_OVMSA-2022-0003.NASL
nessus29openvas28ubuntucve5fedora13cve5xen4debiancve5alpinelinux1osv9cvelist5prion5debian3suse2citrix2veracode3redhatcve2gentoo2