Lucene search

K
nessusThis script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.XEN_SERVER_XSA-346.NASL
HistoryJan 14, 2021 - 12:00 a.m.

Xen mishandle IOMMU TLB flushes DoS (XSA-346)

2021-01-1400:00:00
This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
15

CVSS2

6.9

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:M/Au:N/C:C/I:C/A:C

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS

0

Percentile

14.2%

A denial of service (DoS) vulnerability exists in Xen x86 HVM and PVH guest OS users due to mishandled coalesce per-page IOMMU TLB flushes. A guest OS user might be able to cause denial of service (data corruption), data leak, or possibly gain privileges.

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.

##
# (C) Tenable Network Security, Inc.
##

include('compat.inc');

if (description)
{
  script_id(144976);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/06/03");

  script_cve_id("CVE-2020-27671");
  script_xref(name:"IAVB", value:"2020-B-0056-S");

  script_name(english:"Xen mishandle IOMMU TLB flushes DoS (XSA-346)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Xen hypervisor installation is missing a security update.");
  script_set_attribute(attribute:"description", value:
"A denial of service (DoS) vulnerability exists in Xen x86 HVM and PVH guest OS users due to mishandled coalesce 
per-page IOMMU TLB flushes. A guest OS user might be able to cause denial of service (data corruption), data leak, 
or possibly gain privileges.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version 
number.");
  script_set_attribute(attribute:"see_also", value:"https://xenbits.xen.org/xsa/advisory-346.html");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch or workaround according to the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-27671");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(269);

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/10/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/10/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/01/14");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:xen:xen");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("xen_server_detect.nbin");
  script_require_keys("installed_sw/Xen Hypervisor", "Settings/ParanoidReport");

  exit(0);
}

include('vcf.inc');
include('vcf_extras.inc');

app = 'Xen Hypervisor';

app_info = vcf::xen_hypervisor::get_app_info(app:app);

if (report_paranoia < 2) audit(AUDIT_PARANOID);

fixes['4.10']['fixed_ver']           = '4.10.4';
fixes['4.10']['fixed_ver_display']   = '4.10.4 (changeset 17ec9b4)';
fixes['4.10']['affected_ver_regex']  = "^4\.10\.";
fixes['4.10']['affected_changesets'] = make_list('15b2980', '398f91c',
  '5114e77', '7a4ec79', '78d903e', '2012db4', '71da63b', '56f8da7', 
  'd73e972', '6f012ec', '75a05da', 'c334b87', '07ad8ff', '1719f79', 
  'f58caa4', 'f2befb6', '83b7f04', 'e081568', '7f0793a', '8fac37e', 
  'baf80b6', '5402540', 'f85223f', '635ae12', '3d14937', '4218b74', 
  '93be943', '4418841', 'd9c67d3', '8976bab', '388e303', '0b0a155', 
  '9df4399', 'fd57038', 'a9bda69', 'a380168', 'c1a4914', '6261a06', 
  'fd6e49e', 'bd20589', 'ce05683', '934d6e1', '6e636f2', 'dfc0b23', 
  '2f83654', 'bf467cc', '6df4d40', 'e20bb58', 'a1a9b05', 'afca67f', 
  'b922c44', 'b413732', '3d60903', 'b01c84e', '1e722e6', '59cf3a0', 
  'fabfce8', 'a4dd2fe', '6e63a6f', '24d62e1', 'cbedabf', '38e589d', 
  'a91b8fc', '3e0c316', '49a5d6e', '6cb1cb9', 'ba2776a', '9d143e8', 
  'fe8dab3', '07e546e', 'fefa5f9', 'c9f9ff7', '406d40d', 'e489955', 
  '37139f1', 'fde09cb', '804ba02', 'e8c3971', 'a8c4293', 'aa40452', 
  '1da3dab', 'e5632c4', '902e72d', '6a14610', 'ea815b2', '13ad331', 
  '61b75d9', 'e70e7bf', 'e966e2e', 'dfa16a1', 'a71e199', 'c98be9e', 
  'a548e10', 'd3c0e84', '53b1572', '7203f9a', '6d1659d', 'a782173', 
  '24e90db', '0824bc6', 'e6f3135', '3131bf9');

fixes['4.11']['fixed_ver']           = '4.11.4';
fixes['4.11']['fixed_ver_display']   = '4.11.4 (changeset 62aed78)';
fixes['4.11']['affected_ver_regex']  = "^4\.11\.";
fixes['4.11']['affected_changesets'] = make_list('1447d44', '3b5de11',
  '65fad0a', 'b5eb495', 'e274c8b', '1d021db', '63199df', '7739ffd', 
  '4f35f7f', '490c517', '7912bbe', 'f5ec9f2', 'ad7d040', '3630a36', 
  '3263f25', '3e565a9', '30b3f29', '3def846', 'cc1561a', '6e9de08', 
  '13f60bf', '9703a2f', '7284bfa', '2fe163d', '2031bd3', '7bf4983', 
  '7129b9e', 'ddaaccb', 'e6ddf4a', 'f2bc74c', 'd623658', '37c853a', 
  '8bf72ea', '2d11e6d', '4ed0007', '7def72c', '18be3aa', 'a3a392e', 
  'e96cdba', '2b77729', '9be7992', 'b8d476a', '1c751c4', '7dd2ac3', 
  'a58bba2', '7d8fa6a', '4777208', '48e8564', '2efca7e', 'afe82f5', 
  'e84b634', '96a8b5b');

fixes['4.12']['fixed_ver']           = '4.12.4';
fixes['4.12']['fixed_ver_display']   = '4.12.4 (changeset 6602544)';
fixes['4.12']['affected_ver_regex']  = "^4\.12\.";
fixes['4.12']['affected_changesets'] = make_list('14c9c0f', 'dee5d47',
  '7b2f479', '46ad884', 'eaafa72', '0e6975b', '8e0c2a2', '51eca39', 
  '7ae2afb', '5e11fd5', '34056b2', 'fd4cc0b', '4f9294d', '97b7b55');

fixes['4.13']['fixed_ver']           = '4.13.2';
fixes['4.13']['fixed_ver_display']   = '4.13.2 (changeset 5e4914e)';
fixes['4.13']['affected_ver_regex']  = "^4\.13\.";
fixes['4.13']['affected_changesets'] = make_list('d4c0483', '33483f8',
  '6434a63', '971a9d1', 'a92f935', 'a5756aa', '43edb26', 'd204083', 
  'e596bf7', 'c64c15f', '1892cb9', '75c5799', 'b3b43ac', 'c0dc42a', 
  '8311549', '0060ac2');

fixes['4.14']['fixed_ver']           = '4.14.1';
fixes['4.14']['fixed_ver_display']   = '4.14.1-pre (changeset 0057b1f)';
fixes['4.14']['affected_ver_regex']  = "^4\.14\.";
fixes['4.14']['affected_changesets'] = make_list('d101b41', 'd95f450',
  '73a0927', 'a38060e', '78a53f0', '89ae1b1', '7398a44', '59b8366', 
  '1f9f1cb', 'f728b2d', '71a12a9', '0c96e42', '29b48aa', 'd131310', 
  '7d2b21f', 'f61c5d0', 'fc8fab1', '898864c', '9f954ae', '5784d1e', 
  '10bb63c', '941f69a', '7b1e587', 'ee47e8e', '4ba3fb0', 'd2ba323', 
  'b081a5f', 'e936515', '9c1cc64', '829dbe2', '8d14800', '0521dc9', 
  '64c3951', '0974e00', 'a279fcb', 'f7ab0c1', '7339975', '94c157f', 
  '79f1701', '9e757fc', '809a70b', 'b427109', 'c93b520', 'f37a1cf', 
  '5478934', '43eceee', '03019c2', '66cdf34', 'ecc6428', '2ee270e', 
  '9b9fc8e', 'b8c2efb', 'f546906', 'eb4a543', 'e417504', '0bc4177', 
  '5ad3152', 'fc8200a', '5eab5f0', 'b04d673', '28855eb', '174be04', 
  '158c3bd', '3535f23', 'de7e543', '483b43c', '431d52a', 'ceafff7', 
  '369e7a3', '98aa6ea', '80dec06', '5482c28', 'edf5b86', 'eca6d5e', 
  'c3a0fc2', '864d570', 'afed8e4', 'a5dab0a', 'b8c3e33', 'f836759');

vcf::xen_hypervisor::check_version_and_report(app_info:app_info, fixes:fixes, severity:SECURITY_WARNING);
VendorProductVersionCPE
xenxencpe:/o:xen:xen

CVSS2

6.9

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:M/Au:N/C:C/I:C/A:C

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS

0

Percentile

14.2%