Lucene search
K

Xen Hypervisor Multiple Vulnerabilities (XSA-213 - XSA-215)

🗓️ 11 May 2017 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 29 Views

Xen Hypervisor Multiple Vulnerabilities: Info disclosure, Privilege escalation, Memory corruptio

Refs
Code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(100124);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/06/03");

  script_xref(name:"IAVB", value:"2017-B-0050-S");

  script_name(english:"Xen Hypervisor Multiple Vulnerabilities (XSA-213 - XSA-215)");
  script_summary(english:"Checks 'xl info' output for the Xen hypervisor version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote Xen hypervisor installation is missing a security update.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the Xen hypervisor
installed on the remote host is affected by multiple vulnerabilities :

  - An information disclosure vulnerability exists in the
    get_user() function due to permissions for accessing
    MMIO ranges being checked only after accessing them. An
    attacker on the guest can exploit this to disclose
    potentially sensitive information in the host memory.

  - A privilege escalation vulnerability exists when an IRET
    hypercall is placed within a multicall batch due to
    improper handling of kernel-mode access to pagetables.
    An attacker on the guest can exploit this to access
    arbitrary system memory and gain elevated privileges on
    the host.

  - A privilege escalation vulnerability exists in the
    steal_page() function within file xen/arch/x86/mm.c when
    transferring pages from one guest to another PV guest
    with a different bitness or an HVM guest. An attacker
    with access to multiple guests can exploit this to
    access arbitrary system memory and gain elevated
    privileges on the host.

  - A flaw exists within arch/x86/x86_64/entry.S when
    handling failsafe callbacks due to improper validation
    of certain input. An attacker on the guest can exploit
    this to corrupt memory, potentially resulting in gaining
    elevated privileges.

Note that Nessus has checked the changeset versions based on the
xen.git change log. Nessus did not check guest hardware configurations
or if patches were applied manually to the source code before a
recompile and reinstall.");
  script_set_attribute(attribute:"see_also", value:"https://xenbits.xen.org/xsa/advisory-213.html");
  script_set_attribute(attribute:"see_also", value:"https://xenbits.xen.org/xsa/advisory-214.html");
  script_set_attribute(attribute:"see_also", value:"https://xenbits.xen.org/xsa/advisory-215.html");
  script_set_attribute(attribute:"see_also", value:"https://xenbits.xen.org/gitweb/?p=xen.git;a=summary");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/05/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:xen:xen");
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("xen_server_detect.nbin");
  script_require_keys("installed_sw/Xen Hypervisor", "Settings/ParanoidReport");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("install_func.inc");
include("misc_func.inc");

app_name = "Xen Hypervisor";
install  = get_single_install(app_name:app_name);
if (report_paranoia < 2) audit(AUDIT_PARANOID);

version         = install['version'];
display_version = install['display_version'];
path            = install['path'];
managed_status  = install['Managed status'];
changeset       = install['Changeset'];

if (!empty_or_null(changeset))
  display_version += " (changeset " + changeset + ")";

# Installations that are vendor-managed are handled by OS-specific local package checks
if (managed_status == "managed")
  audit(AUDIT_INST_PATH_NOT_VULN, app_name, display_version, path);

# XSA-213
fixes['4.5']['fixed_ver']           = '4.5.5';
fixes['4.5']['fixed_ver_display']   = '4.5.5 (changeset 6eb61e4)';
fixes['4.5']['affected_ver_regex']  = '^4\\.5\\.';
fixes['4.5']['affected_changesets'] = make_list("b1fcfed", "5779d6a",
  "afdd77e", "c18367a", "7b7fd80", "b30e165", "62ef9b2", "8071724",
  "235b5d5", "a28b99d", "ff294fc", "bc01e2d", "da50922", "386cc94",
  "139960f", "ec3ddd6", "988929a", "1c48dff", "20d4248", "9610422",
  "cd76cd3", "455fd66", "b820c31", "ac3d8bc", "cde86fc", "1678521",
  "83cb2db", "43d06ef", "2b17bf4", "1a2bda5", "0bd7faf", "e3426e2",
  "37281bc", "27be856", "bdf3ef1", "cc325c0", "8e7b84d", "387b8ae",
  "34fbae7", "1530da2", "274a1f6", "b679cfa", "877b760", "cfe165d",
  "84e4e56", "e4ae4b0");

fixes['4.6']['fixed_ver']           = '4.6.6';
fixes['4.6']['fixed_ver_display']   = '4.6.6-pre (changeset fc78396)';
fixes['4.6']['affected_ver_regex']  = '^4\\.6\\.';
fixes['4.6']['affected_changesets'] = make_list("cf35a35", "9746247",
  "f0f3d43", "d9c4094", "66cb2eb", "3d1affc", "4eff891", "05ccb71",
  "1eebd16", "f4d16c9", "9050a97", "5c609c8", "4d69c19", "ab889fb",
  "3073573", "bf22c39", "898b7c4", "159a610", "3972629", "ebb5a34",
  "a991af7", "06222e5", "a57a99a", "400063d", "f6d0888", "bb92bb7",
  "ef63a62", "f96efeb", "7ff6d9f", "7017321", "541ad61", "4f96171",
  "9eb0aa2", "ac4c5d4", "18949dc", "eea0742", "90ae9a7", "ef5eb08",
  "48c3bd0");

fixes['4.7']['fixed_ver']           = '4.7.3';
fixes['4.7']['fixed_ver_display']   = '4.7.3-pre (changeset c99967f)';
fixes['4.7']['affected_ver_regex']  = '^4\\.7\\.';
fixes['4.7']['affected_changesets'] = make_list("469fc7e", "6cf0da5",
  "c93ec9a", "e2141f1", "75ce43b", "a7f74db", "8106372", "5029638",
  "4a48e47", "167d989", "42ca46b", "d431ba3", "51833a2", "9e82ebf",
  "fb79c3a", "1df3d6c", "8b77a2c", "b5c7dea", "e0b9499", "ada9e10",
  "4bd66bc", "47ba140", "4a1dc28", "5466c77", "25f3d95", "e5e7f35",
  "683b886", "9f2540d", "9d9be1e", "ac8d90e", "bc868a2", "d5f9489",
  "b2a180e", "01abcc0", "9c404df", "ddc0cfe", "9a54dcd", "4351611",
  "c782e61", "d166f07", "099f67b", "d756bf1", "10debc0", "461dba2",
  "188809f", "3daa62a");

fixes['4.8']['fixed_ver']           = '4.8.1';
fixes['4.8']['fixed_ver_display']   = '4.8.1 (changeset 17051bd)';
fixes['4.8']['affected_ver_regex']  = '^4\\.8\\.';
fixes['4.8']['affected_changesets'] = make_list("98e05a3", "5ebb4de",
  "c2a5415");

# XSA-214
fixes['4.5']['fixed_ver']           = '4.5.5';
fixes['4.5']['fixed_ver_display']   = '4.5.5 (changeset d7e3725)';
fixes['4.5']['affected_ver_regex']  = '^4\\.5\\.';
fixes['4.5']['affected_changesets'] = make_list("6eb61e4", "b1fcfed",
  "5779d6a", "afdd77e", "c18367a", "7b7fd80", "b30e165", "62ef9b2",
  "8071724", "235b5d5", "a28b99d", "ff294fc", "bc01e2d", "da50922",
  "386cc94", "139960f", "ec3ddd6", "988929a", "1c48dff", "20d4248",
  "9610422", "cd76cd3", "455fd66", "b820c31", "ac3d8bc", "cde86fc",
  "1678521", "83cb2db", "43d06ef", "2b17bf4", "1a2bda5", "0bd7faf",
  "e3426e2", "37281bc", "27be856", "bdf3ef1", "cc325c0", "8e7b84d",
  "387b8ae", "34fbae7", "1530da2", "274a1f6", "b679cfa", "877b760",
  "cfe165d", "84e4e56", "e4ae4b0");

fixes['4.6']['fixed_ver']           = '4.6.6';
fixes['4.6']['fixed_ver_display']   = '4.6.6-pre (changeset dcef165)';
fixes['4.6']['affected_ver_regex']  = '^4\\.6\\.';
fixes['4.6']['affected_changesets'] = make_list("fc78396", "cf35a35",
  "9746247", "f0f3d43", "d9c4094", "66cb2eb", "3d1affc", "4eff891",
  "05ccb71", "1eebd16", "f4d16c9", "9050a97", "5c609c8", "4d69c19",
  "ab889fb", "3073573", "bf22c39", "898b7c4", "159a610", "3972629",
  "ebb5a34", "a991af7", "06222e5", "a57a99a", "400063d", "f6d0888",
  "bb92bb7", "ef63a62", "f96efeb", "7ff6d9f", "7017321", "541ad61",
  "4f96171", "9eb0aa2", "ac4c5d4", "18949dc", "eea0742", "90ae9a7",
  "ef5eb08", "48c3bd0");

fixes['4.7']['fixed_ver']           = '4.7.3';
fixes['4.7']['fixed_ver_display']   = '4.7.3-pre (changeset a7f041a)';
fixes['4.7']['affected_ver_regex']  = '^4\\.7\\.';
fixes['4.7']['affected_changesets'] = make_list("c99967f", "469fc7e",
  "6cf0da5", "c93ec9a", "e2141f1", "75ce43b", "a7f74db", "8106372",
  "5029638", "4a48e47", "167d989", "42ca46b", "d431ba3", "51833a2",
  "9e82ebf", "fb79c3a", "1df3d6c", "8b77a2c", "b5c7dea", "e0b9499",
  "ada9e10", "4bd66bc", "47ba140", "4a1dc28", "5466c77", "25f3d95",
  "e5e7f35", "683b886", "9f2540d", "9d9be1e", "ac8d90e", "bc868a2",
  "d5f9489", "b2a180e", "01abcc0", "9c404df", "ddc0cfe", "9a54dcd",
  "4351611", "c782e61", "d166f07", "099f67b", "d756bf1", "10debc0",
  "461dba2", "188809f", "3daa62a");

fixes['4.8']['fixed_ver']           = '4.8.1';
fixes['4.8']['fixed_ver_display']   = '4.8.1 (changeset 16ed8dd)';
fixes['4.8']['affected_ver_regex']  = '^4\\.8\\.';
fixes['4.8']['affected_changesets'] = make_list("17051bd", "98e05a3",
  "5ebb4de", "c2a5415");

# XSA-215
fixes['4.5']['fixed_ver']           = '4.5.5';
fixes['4.5']['fixed_ver_display']   = '4.5.5 (changeset 8825df1)';
fixes['4.5']['affected_ver_regex']  = '^4\\.5\\.';
fixes['4.5']['affected_changesets'] = make_list("d7e3725", "6eb61e4",
  "b1fcfed", "5779d6a", "afdd77e", "c18367a", "7b7fd80", "b30e165",
  "62ef9b2", "8071724", "235b5d5", "a28b99d", "ff294fc", "bc01e2d",
  "da50922", "386cc94", "139960f", "ec3ddd6", "988929a", "1c48dff",
  "20d4248", "9610422", "cd76cd3", "455fd66", "b820c31", "ac3d8bc",
  "cde86fc", "1678521", "83cb2db", "43d06ef", "2b17bf4", "1a2bda5",
  "0bd7faf", "e3426e2", "37281bc", "27be856", "bdf3ef1", "cc325c0",
  "8e7b84d", "387b8ae", "34fbae7", "1530da2", "274a1f6", "b679cfa",
  "877b760", "cfe165d", "84e4e56", "e4ae4b0");

fixes['4.6']['fixed_ver']           = '4.6.6';
fixes['4.6']['fixed_ver_display']   = '4.6.6-pre (changeset eb9a3bf)';
fixes['4.6']['affected_ver_regex']  = '^4\\.6\\.';
fixes['4.6']['affected_changesets'] = make_list("dcef165", "fc78396",
  "cf35a35", "9746247", "f0f3d43", "d9c4094", "66cb2eb", "3d1affc",
  "4eff891", "05ccb71", "1eebd16", "f4d16c9", "9050a97", "5c609c8",
  "4d69c19", "ab889fb", "3073573", "bf22c39", "898b7c4", "159a610",
  "3972629", "ebb5a34", "a991af7", "06222e5", "a57a99a", "400063d",
  "f6d0888", "bb92bb7", "ef63a62", "f96efeb", "7ff6d9f", "7017321",
  "541ad61", "4f96171", "9eb0aa2", "ac4c5d4", "18949dc", "eea0742",
  "90ae9a7", "ef5eb08", "48c3bd0");

fix = NULL;
foreach ver_branch (keys(fixes))
{
  if (version =~ fixes[ver_branch]['affected_ver_regex'])
  {
    ret = ver_compare(ver:version, fix:fixes[ver_branch]['fixed_ver']);
    if (ret < 0)
      fix = fixes[ver_branch]['fixed_ver_display'];
    else if (ret == 0)
    {
      if (empty_or_null(changeset))
        fix = fixes[ver_branch]['fixed_ver_display'];
      else
        foreach affected_changeset (fixes[ver_branch]['affected_changesets'])
          if (changeset == affected_changeset)
            fix = fixes[ver_branch]['fixed_ver_display'];
    }
  }
}

if (empty_or_null(fix))
  audit(AUDIT_INST_PATH_NOT_VULN, app_name, display_version, path);

items  = make_array("Installed version", display_version,
                    "Fixed version", fix,
                    "Path", path);
order  = make_list("Path", "Installed version", "Fixed version");
report = report_items_str(report_items:items, ordered_fields:order) + '\n';

security_report_v4(port:0, extra:report, severity:SECURITY_HOLE);

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation