2.1 Low
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:N/I:N/A:P
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
0.0004 Low
EPSS
Percentile
14.2%
A denial of service (DoS) vulnerability exists in Xen servers when using x86 PV guest kernels due to a mishandling of SYSENTER state sanitization activities. An authenticated, local attacker can exploit this issue, via the SYSENTER instruction in 64bit mode, to cause a VM Denial of Service.
Note that only x86 PV guests can exploit the vulnerability.
#
# (C) Tenable Network Security, Inc.
#
include('compat.inc');
if (description)
{
script_id(141501);
script_version("1.4");
script_set_attribute(attribute:"plugin_modification_date", value:"2020/11/13");
script_cve_id("CVE-2020-25596");
script_xref(name:"IAVB", value:"2020-B-0056-S");
script_name(english:"Xen x86 PV guest kernels DoS (XSA-339)");
script_set_attribute(attribute:"synopsis", value:
"The remote Xen hypervisor installation is missing a security update.");
script_set_attribute(attribute:"description", value:
"A denial of service (DoS) vulnerability exists in Xen servers when using x86 PV guest kernels due to a mishandling of
SYSENTER state sanitization activities. An authenticated, local attacker can exploit this issue, via the SYSENTER
instruction in 64bit mode, to cause a VM Denial of Service.
Note that only x86 PV guests can exploit the vulnerability.");
script_set_attribute(attribute:"see_also", value:"https://xenbits.xen.org/xsa/advisory-339.htmll");
script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the vendor advisory or by running only x86 PVH / HVM guests avoids the
vulnerability.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-25596");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"vuln_publication_date", value:"2020/09/22");
script_set_attribute(attribute:"patch_publication_date", value:"2020/09/22");
script_set_attribute(attribute:"plugin_publication_date", value:"2020/10/19");
script_set_attribute(attribute:"potential_vulnerability", value:"true");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:xen:xen");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("xen_server_detect.nbin");
script_require_keys("installed_sw/Xen Hypervisor", "Settings/ParanoidReport");
exit(0);
}
include('install_func.inc');
app_name = 'Xen Hypervisor';
install = get_single_install(app_name:app_name);
if (report_paranoia < 2) audit(AUDIT_PARANOID);
version = install['version'];
display_version = install['display_version'];
path = install['path'];
managed_status = install['Managed status'];
changeset = install['Changeset'];
if (!empty_or_null(changeset))
display_version += ' (changeset ' + changeset + ')';
# Installations that are vendor-managed are handled by OS-specific local package checks
if (managed_status == 'managed')
audit(AUDIT_INST_PATH_NOT_VULN, app_name, display_version, path);
fixes['4.10']['fixed_ver'] = '4.10.4';
fixes['4.10']['fixed_ver_display'] = '4.10.4 (changeset 5402540)';
fixes['4.10']['affected_ver_regex'] = '^4\\.10\\.';
fixes['4.10']['affected_changesets'] = make_list("f85223f", "635ae12",
"3d14937", "4218b74", "93be943", "4418841", "d9c67d3", "8976bab",
"388e303", "0b0a155", "9df4399", "fd57038", "a9bda69", "a380168",
"c1a4914", "6261a06", "fd6e49e", "bd20589", "ce05683", "934d6e1",
"6e636f2", "dfc0b23", "2f83654", "bf467cc", "6df4d40", "e20bb58",
"a1a9b05", "afca67f", "b922c44", "b413732", "3d60903", "b01c84e",
"1e722e6", "59cf3a0", "fabfce8", "a4dd2fe", "6e63a6f", "24d62e1",
"cbedabf", "38e589d", "a91b8fc", "3e0c316", "49a5d6e", "6cb1cb9",
"ba2776a", "9d143e8", "fe8dab3", "07e546e", "fefa5f9", "c9f9ff7",
"406d40d", "e489955", "37139f1", "fde09cb", "804ba02", "e8c3971",
"a8c4293", "aa40452", "1da3dab", "e5632c4", "902e72d", "6a14610",
"ea815b2", "13ad331", "61b75d9", "e70e7bf", "e966e2e", "dfa16a1",
"a71e199", "c98be9e", "a548e10", "d3c0e84", "53b1572", "7203f9a",
"6d1659d", "a782173", "24e90db", "0824bc6", "e6f3135", "3131bf9");
fixes['4.11']['fixed_ver'] = '4.11.4';
fixes['4.11']['fixed_ver_display'] = '4.11.4 (changeset 9703a2f)';
fixes['4.11']['affected_ver_regex'] = '^4\\.11\\.';
fixes['4.11']['affected_changesets'] = make_list("7284bfa", "2fe163d",
"2031bd3", "7bf4983", "7129b9e", "ddaaccb", "e6ddf4a", "f2bc74c",
"d623658", "37c853a", "8bf72ea", "2d11e6d", "4ed0007", "7def72c",
"18be3aa", "a3a392e", "e96cdba", "2b77729", "9be7992", "b8d476a",
"1c751c4", "7dd2ac3", "a58bba2", "7d8fa6a", "4777208", "48e8564",
"2efca7e", "afe82f5", "e84b634", "96a8b5b");
fixes['4.12']['fixed_ver'] = '4.12.4';
fixes['4.12']['fixed_ver_display'] = '4.12.4-pre (changeset 3e039e1)';
fixes['4.12']['affected_ver_regex'] = '^4\\.12\\.';
fixes['4.12']['affected_changesets'] = make_list("b2db007", "1dfd2e2",
"76a0760", "d28c52e", "8b8fff2", "320e7a7", "0446e3d", "a81e655",
"caebaf3", "76d9349", "81564c4", "ff79981", "3186568", "40e0cf8",
"fbf016f", "8c1c3e7", "5bd49ca", "e0bd899", "c481b9f", "1336ca1",
"dca9cc7", "07fd5d3", "85ce36d", "df9a0ad", "7cce3f2", "43258ce",
"a1aae54", "df11056", "19e0bbb", "d96c0f1", "653811e", "26072a5",
"b292255", "38dc269", "5733de6", "d69f305", "8faa45e", "731bdaf",
"ec57b9a", "a634229", "050fe48", "436ec68", "96e8aba", "7cdc0cf",
"d937532", "7641573", "7eed533", "74a1230", "946113a", "6182e5d",
"ad20170", "218a19b", "aca68b9", "1f581f9", "4969f34", "ed44947",
"2eb277e", "b3af150", "f769c99", "bcdaffc", "2b10a32", "a022f36",
"dd49ddf", "bc775d0", "be5c240");
fixes['4.13']['fixed_ver'] = '4.13.2';
fixes['4.13']['fixed_ver_display'] = '4.13.2-pre (changeset 0537543)';
fixes['4.13']['affected_ver_regex'] = '^4\\.13\\.';
fixes['4.13']['affected_changesets'] = make_list("ae922b9", "f27980a",
"b7fcbe0", "42fcdd4", "286b353", "b980319", "aa1d9a7", "bd63ab5",
"4fb1ad7", "4a0c174", "6ef4dad", "c663fa5", "761e8df", "6469039",
"b908343", "ac4ec48", "a7f0434", "0861885", "9b367b2", "e182965",
"befa216", "e9e72fb", "b67bb90", "fff1874", "ec972cb", "d967a2b",
"665f5c1", "ddb6fd3", "378321b", "572e349", "0c8c10d", "493e143",
"8b9be8f", "f1055a2", "005d5ea", "1c7a98c", "2b34d8c", "56e117f",
"7a76deb", "3e41b72", "9f7e8ba", "cdd8f95", "a9d46ba", "05ba427",
"780d376", "31c5d84", "27d4f1a", "11ea967", "53bafb5", "b4afe05",
"74ce65c", "0243559", "8ad99de", "ea7e8d2", "350aaca", "c3eea2c",
"0523225", "672976c", "a6f2080", "c437e06", "0a85f84", "85ac008",
"7f6b66d", "04aedf4", "f2ad77b", "d61fef6", "eccc242", "6bfb364",
"bdddd33", "7d57caa", "d74eb10", "9eec3ee", "d112db3", "333519f");
fixes['4.14']['fixed_ver'] = '4.14.1';
fixes['4.14']['fixed_ver_display'] = '4.14.1-pre (changeset eb4a543)';
fixes['4.14']['affected_ver_regex'] = '^4\\.14\\.';
fixes['4.14']['affected_changesets'] = make_list("e417504", "0bc4177",
"5ad3152", "fc8200a", "5eab5f0", "b04d673", "28855eb", "174be04",
"158c3bd", "3535f23", "de7e543", "483b43c", "431d52a", "ceafff7",
"369e7a3", "98aa6ea", "80dec06", "5482c28", "edf5b86", "eca6d5e",
"c3a0fc2", "864d570", "afed8e4", "a5dab0a", "b8c3e33", "f836759");
fix = NULL;
foreach ver_branch (keys(fixes))
{
if (version =~ fixes[ver_branch]['affected_ver_regex'])
{
ret = ver_compare(ver:version, fix:fixes[ver_branch]['fixed_ver']);
if (ret < 0)
fix = fixes[ver_branch]['fixed_ver_display'];
else if (ret == 0)
{
if (empty_or_null(changeset))
fix = fixes[ver_branch]['fixed_ver_display'];
else
foreach affected_changeset (fixes[ver_branch]['affected_changesets'])
if (changeset == affected_changeset)
fix = fixes[ver_branch]['fixed_ver_display'];
}
}
}
if (empty_or_null(fix))
audit(AUDIT_INST_PATH_NOT_VULN, app_name, display_version, path);
items = make_array(
'Installed version', display_version,
'Fixed version', fix,
'Path', path
);
order = make_list('Path', 'Installed version', 'Fixed version');
report = report_items_str(report_items:items, ordered_fields:order) + '\n';
security_report_v4(port:0, extra:report, severity:SECURITY_NOTE);
2.1 Low
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:N/I:N/A:P
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
0.0004 Low
EPSS
Percentile
14.2%