4.4 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:M/Au:N/C:P/I:P/A:P
7 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
0.0004 Low
EPSS
Percentile
14.4%
A privilege escalation vulnerability exists in EVTCHNOP_reset (potentially by a guest on itself) or XEN_DOMCTL_soft_reset due to a race condition present in evtchn_reset(). An authenticated, local attacker can exploit this, via a violation of various internal assumptions, to gain elevate their privilege to that of the host.
#
# (C) Tenable Network Security, Inc.
#
include('compat.inc');
if (description)
{
script_id(141502);
script_version("1.4");
script_set_attribute(attribute:"plugin_modification_date", value:"2020/11/13");
script_cve_id("CVE-2020-25599");
script_xref(name:"IAVB", value:"2020-B-0056-S");
script_name(english:"Xen evtchn_reset() race conditions privelege escalation (XSA-339)");
script_set_attribute(attribute:"synopsis", value:
"The remote Xen hypervisor installation is missing a security update.");
script_set_attribute(attribute:"description", value:
"A privilege escalation vulnerability exists in EVTCHNOP_reset (potentially by a guest on itself) or XEN_DOMCTL_soft_reset
due to a race condition present in evtchn_reset(). An authenticated, local attacker can exploit this, via a violation of
various internal assumptions, to gain elevate their privilege to that of the host.");
script_set_attribute(attribute:"see_also", value:"https://xenbits.xen.org/xsa/advisory-343.html");
script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the vendor advisory.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-25599");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"vuln_publication_date", value:"2020/09/22");
script_set_attribute(attribute:"patch_publication_date", value:"2020/09/22");
script_set_attribute(attribute:"plugin_publication_date", value:"2020/10/19");
script_set_attribute(attribute:"potential_vulnerability", value:"true");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:xen:xen");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("xen_server_detect.nbin");
script_require_keys("installed_sw/Xen Hypervisor", "Settings/ParanoidReport");
exit(0);
}
include('install_func.inc');
app_name = 'Xen Hypervisor';
install = get_single_install(app_name:app_name);
if (report_paranoia < 2) audit(AUDIT_PARANOID);
version = install['version'];
display_version = install['display_version'];
path = install['path'];
managed_status = install['Managed status'];
changeset = install['Changeset'];
if (!empty_or_null(changeset))
display_version += ' (changeset ' + changeset + ')';
# Installations that are vendor-managed are handled by OS-specific local package checks
if (managed_status == 'managed')
audit(AUDIT_INST_PATH_NOT_VULN, app_name, display_version, path);
fixes['4.10']['fixed_ver'] = '4.10.4';
fixes['4.10']['fixed_ver_display'] = '4.10.4 (changeset 83b7f04)';
fixes['4.10']['affected_ver_regex'] = '^4\\.10\\.';
fixes['4.10']['affected_changesets'] = make_list("e081568", "7f0793a",
"8fac37e", "baf80b6", "5402540", "f85223f", "635ae12", "3d14937",
"4218b74", "93be943", "4418841", "d9c67d3", "8976bab", "388e303",
"0b0a155", "9df4399", "fd57038", "a9bda69", "a380168", "c1a4914",
"6261a06", "fd6e49e", "bd20589", "ce05683", "934d6e1", "6e636f2",
"dfc0b23", "2f83654", "bf467cc", "6df4d40", "e20bb58", "a1a9b05",
"afca67f", "b922c44", "b413732", "3d60903", "b01c84e", "1e722e6",
"59cf3a0", "fabfce8", "a4dd2fe", "6e63a6f", "24d62e1", "cbedabf",
"38e589d", "a91b8fc", "3e0c316", "49a5d6e", "6cb1cb9", "ba2776a",
"9d143e8", "fe8dab3", "07e546e", "fefa5f9", "c9f9ff7", "406d40d",
"e489955", "37139f1", "fde09cb", "804ba02", "e8c3971", "a8c4293",
"aa40452", "1da3dab", "e5632c4", "902e72d", "6a14610", "ea815b2",
"13ad331", "61b75d9", "e70e7bf", "e966e2e", "dfa16a1", "a71e199",
"c98be9e", "a548e10", "d3c0e84", "53b1572", "7203f9a", "6d1659d",
"a782173", "24e90db", "0824bc6", "e6f3135", "3131bf9");
fixes['4.11']['fixed_ver'] = '4.11.4';
fixes['4.11']['fixed_ver_display'] = '4.11.4 (changeset 30b3f29)';
fixes['4.11']['affected_ver_regex'] = '^4\\.11\\.';
fixes['4.11']['affected_changesets'] = make_list("3def846", "cc1561a",
"6e9de08", "13f60bf", "9703a2f", "7284bfa", "2fe163d", "2031bd3",
"7bf4983", "7129b9e", "ddaaccb", "e6ddf4a", "f2bc74c", "d623658",
"37c853a", "8bf72ea", "2d11e6d", "4ed0007", "7def72c", "18be3aa",
"a3a392e", "e96cdba", "2b77729", "9be7992", "b8d476a", "1c751c4",
"7dd2ac3", "a58bba2", "7d8fa6a", "4777208", "48e8564", "2efca7e",
"afe82f5", "e84b634", "96a8b5b");
fixes['4.12']['fixed_ver'] = '4.12.4';
fixes['4.12']['fixed_ver_display'] = '4.12.4-pre (changeset 8e25d52)';
fixes['4.12']['affected_ver_regex'] = '^4\\.12\\.';
fixes['4.12']['affected_changesets'] = make_list("9c2a027", "9dda47c",
"b8c9776", "253a1e6", "3e039e1", "b2db007", "1dfd2e2", "76a0760",
"d28c52e", "8b8fff2", "320e7a7", "0446e3d", "a81e655", "caebaf3",
"76d9349", "81564c4", "ff79981", "3186568", "40e0cf8", "fbf016f",
"8c1c3e7", "5bd49ca", "e0bd899", "c481b9f", "1336ca1", "dca9cc7",
"07fd5d3", "85ce36d", "df9a0ad", "7cce3f2", "43258ce", "a1aae54",
"df11056", "19e0bbb", "d96c0f1", "653811e", "26072a5", "b292255",
"38dc269", "5733de6", "d69f305", "8faa45e", "731bdaf", "ec57b9a",
"a634229", "050fe48", "436ec68", "96e8aba", "7cdc0cf", "d937532",
"7641573", "7eed533", "74a1230", "946113a", "6182e5d", "ad20170",
"218a19b", "aca68b9", "1f581f9", "4969f34", "ed44947", "2eb277e",
"b3af150", "f769c99", "bcdaffc", "2b10a32", "a022f36", "dd49ddf",
"bc775d0", "be5c240");
fixes['4.13']['fixed_ver'] = '4.13.2';
fixes['4.13']['fixed_ver_display'] = '4.13.2-pre (changeset 43572a4)';
fixes['4.13']['affected_ver_regex'] = '^4\\.13\\.';
fixes['4.13']['affected_changesets'] = make_list("2105429", "a8122e9",
"e1364e0", "5867a14", "0537543", "ae922b9", "f27980a", "b7fcbe0",
"42fcdd4", "286b353", "b980319", "aa1d9a7", "bd63ab5", "4fb1ad7",
"4a0c174", "6ef4dad", "c663fa5", "761e8df", "6469039", "b908343",
"ac4ec48", "a7f0434", "0861885", "9b367b2", "e182965", "befa216",
"e9e72fb", "b67bb90", "fff1874", "ec972cb", "d967a2b", "665f5c1",
"ddb6fd3", "378321b", "572e349", "0c8c10d", "493e143", "8b9be8f",
"f1055a2", "005d5ea", "1c7a98c", "2b34d8c", "56e117f", "7a76deb",
"3e41b72", "9f7e8ba", "cdd8f95", "a9d46ba", "05ba427", "780d376",
"31c5d84", "27d4f1a", "11ea967", "53bafb5", "b4afe05", "74ce65c",
"0243559", "8ad99de", "ea7e8d2", "350aaca", "c3eea2c", "0523225",
"672976c", "a6f2080", "c437e06", "0a85f84", "85ac008", "7f6b66d",
"04aedf4", "f2ad77b", "d61fef6", "eccc242", "6bfb364", "bdddd33",
"7d57caa", "d74eb10", "9eec3ee", "d112db3", "333519f");
fixes['4.14']['fixed_ver'] = '4.14.1';
fixes['4.14']['fixed_ver_display'] = '4.14.1-pre (changeset ecc6428)';
fixes['4.14']['affected_ver_regex'] = '^4\\.14\\.';
fixes['4.14']['affected_changesets'] = make_list("2ee270e", "9b9fc8e",
"b8c2efb", "f546906", "eb4a543", "e417504", "0bc4177", "5ad3152",
"fc8200a", "5eab5f0", "b04d673", "28855eb", "174be04", "158c3bd",
"3535f23", "de7e543", "483b43c", "431d52a", "ceafff7", "369e7a3",
"98aa6ea", "80dec06", "5482c28", "edf5b86", "eca6d5e", "c3a0fc2",
"864d570", "afed8e4", "a5dab0a", "b8c3e33", "f836759");
fix = NULL;
foreach ver_branch (keys(fixes))
{
if (version =~ fixes[ver_branch]['affected_ver_regex'])
{
ret = ver_compare(ver:version, fix:fixes[ver_branch]['fixed_ver']);
if (ret < 0)
fix = fixes[ver_branch]['fixed_ver_display'];
else if (ret == 0)
{
if (empty_or_null(changeset))
fix = fixes[ver_branch]['fixed_ver_display'];
else
foreach affected_changeset (fixes[ver_branch]['affected_changesets'])
if (changeset == affected_changeset)
fix = fixes[ver_branch]['fixed_ver_display'];
}
}
}
if (empty_or_null(fix))
audit(AUDIT_INST_PATH_NOT_VULN, app_name, display_version, path);
items = make_array(
'Installed version', display_version,
'Fixed version', fix,
'Path', path
);
order = make_list('Path', 'Installed version', 'Fixed version');
report = report_items_str(report_items:items, ordered_fields:order) + '\n';
security_report_v4(port:0, extra:report, severity:SECURITY_WARNING);
4.4 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:M/Au:N/C:P/I:P/A:P
7 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
0.0004 Low
EPSS
Percentile
14.4%