CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
17.1%
Xenstore: Two malicious guests working together can create an arbitrary number of Xenstore nodes and drive xenstored into an out of memory situation. This is possible by domain A letting domain B write into domain A local Xenstore tree. Domain B can then create many nodes and reboot. The nodes created by domain B will now be owned by Dom0. By repeating this process over and over again an arbitrary number of nodes can be created, as Dom0 number of nodes isn’t limited by Xenstore quota.
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable Inc.
##
include('compat.inc');
if (description)
{
script_id(168053);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/25");
script_cve_id("CVE-2022-42322", "CVE-2022-42323");
script_name(english:"Xenstore: Cooperating guests can create arbitrary numbers of nodes (XSA-419)");
script_set_attribute(attribute:"synopsis", value:
"The remote Xen hypervisor installation is missing a security update.");
script_set_attribute(attribute:"description", value:
"Xenstore: Two malicious guests working together can create an arbitrary number of Xenstore nodes and drive
xenstored into an out of memory situation. This is possible by domain A letting domain B write into domain A
local Xenstore tree. Domain B can then create many nodes and reboot. The nodes created by domain B will now
be owned by Dom0. By repeating this process over and over again an arbitrary number of nodes can be created,
as Dom0 number of nodes isn't limited by Xenstore quota.
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://xenbits.xenproject.org/xsa/advisory-417.txt");
script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the vendor advisory.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-42323");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2022/11/01");
script_set_attribute(attribute:"patch_publication_date", value:"2022/11/01");
script_set_attribute(attribute:"plugin_publication_date", value:"2022/11/22");
script_set_attribute(attribute:"potential_vulnerability", value:"true");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:xen:xen");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("xen_server_detect.nbin");
script_require_keys("installed_sw/Xen Hypervisor", "Settings/ParanoidReport");
exit(0);
}
include('vcf.inc');
include('vcf_extras.inc');
var fixes;
var app = 'Xen Hypervisor';
var app_info = vcf::xen_hypervisor::get_app_info(app:app);
if (report_paranoia < 2) audit(AUDIT_PARANOID);
fixes['4.13']['fixed_ver'] = '4.13.4';
fixes['4.13']['fixed_ver_display'] = '4.13.4 (changeset 94b2f97)';
fixes['4.13']['affected_ver_regex'] = "^4\.13([^0-9]|$)";
fixes['4.13']['affected_changesets'] = make_list('3545d0f', '1458716',
'a8922c6', '8c8a5b3', '1cfbd25', 'ba1cff4', 'd816b47', 'e2b7fa7',
'b97e59f', 'e6655e8', '2fdf874', 'e30f7c6', '0252d04', '723e248',
'c3c5f0a', '0135300', 'bc93157', 'c084ee8', 'd71e4ec', '63dc2a1',
'146b954', '7dc06ed', 'c17d491', '115156c', 'b917d57', '8cd25ae',
'f859218', '5fa4f2c', 'e84ef3b', '2963ee5', '538b61b', 'cde36e0',
'1761828', '6f31127', '95fe444', 'fcba6c7', '149ebf0', '5b66863',
'3954468', '0be63c2', '042de08', '867fcf6', 'e6b1e38', '2ae9bbe',
'9992c08', 'eed4ef4', '3e7aa35', '6e537d3', '08eec20', '181ff7a',
'aa78910', '0021c26', '763f965', '4e38cc1', '5475195', 'bde3b13',
'd8a6930', 'c946524', 'f8614c7', '3feba68', '3c71016', 'ebe3f5d',
'5994b73', 'fbf19ba', 'ba33672', '196b4f4', '10d8c56', '4b42462',
'a7e7287', '159e223', 'b8d573a', '074e388', 'bf5f5e8', '8974821',
'55e4c72', 'd43b47e', '4eddf13', 'f614e3c', '8a2cc1e', '14c5e0c',
'87ff113', '413b083', 'a84bc5b', '1575075', 'f9ae12f', 'e8c04e4',
'8d9f361', 'fce392f', 'c7da430', '7669737', '3826ba5', 'fe97133',
'd64d466', 'a6902a6', '169a283', '454d535', 'e6d6b5b', '7cfe357',
'ab37463', '92acf6b', '73e25ec', '235aa15', '33c1365', '81918ce',
'650b888', '920e93d', '2ce2aec', '8ed46cc', '7b9814b', 'fbabb62',
'47125f5', 'd99df7d', '03db213', '9a8804a', 'ce49a1d', 'e48c787',
'2d601a5', 'd0e2c27', 'd3c2319', 'd3cfb4b', 'd94d006', '0b28069',
'b4bb02d', '6e2fc12');
fixes['4.14']['fixed_ver'] = '4.14.5';
fixes['4.14']['fixed_ver_display'] = '4.14.5 (changeset 0cd209a)';
fixes['4.14']['affected_ver_regex'] = "^4\.14([^0-9]|$)";
fixes['4.14']['affected_changesets'] = make_list('7036cb9', '3925487',
'e5bdcec', 'baa5f58', '7f969f3', '1de79dc', '4e19742', '7d4c2de',
'4d2fe1d', '2761f00', '55e23bf', '2cf1372', '8db5e6f', 'b8b3734',
'7f5d36d', '3a67865', '276908c', 'f6a5a1d', '0bc44ec', '7c5316d',
'0cc9d66', '36812ae', '3a7c46a', 'cc28906', '03889b6', '0406917',
'93a9c3a', '82dfb67', '9ad9fde', '83b9da9', '3dafa5a', '36ed7fe',
'a03e2a3', '3530aa6', '00240cf', 'bd50953', 'd0dd461', '96220ae',
'f25c377', '016de62', '6e5608d', '7d64fb5', '4220eac', 'fd688b0',
'e3b66e5', '804f83b', 'f90615c', 'fc10984', '9b5a7fd', 'b8f4a5d',
'0bab3ab', '3163e34', '54b6eab', '9c975e6', '7a7406b', '4ed063a',
'261b882', 'ef571a5', '87d90d5', '5bccfbb', '318d7bc', '0a6561b',
'd2f0cf7', '51e812a', '73465a7', 'b60c995', 'e5fd508', '2d31666',
'f178689', 'a556377', '104dd46', 'c5f774e', '9f07848', '878e684',
'd7ebe3d', '82ba97e', '25c7ade', '204d4f1', '07fbed8', 'a72146d',
'758f40d', 'c70071e', '17848df');
fixes['4.15']['fixed_ver'] = '4.15.4';
fixes['4.15']['fixed_ver_display'] = '4.15.4-pre (changeset b9ede09)';
fixes['4.15']['affected_ver_regex'] = "^4\.15([^0-9]|$)";
fixes['4.15']['affected_changesets'] = make_list('bc39211', '4269999',
'da87661', '84674f2', '9ead584', 'a95277e', '4096512', '83b6c51',
'b9a005b', '62755d0', '8012324', '607e186', '26faa6b', '64048b4',
'9e5290d', 'fccdca8', 'bbb4cea', '9f89883', '4581622', '8fabb96',
'4d30175', '1fc3ecc', '32efe29', '9c2e71f', '0113aac', 'aa29eb6',
'ccef72b', '1035371', '8ee7ed7', '3e51699', '97c251f', '56300e8',
'53a77b8', '8999db8', 'b322923', '0d8bea4', '579e733', 'ee03d9b',
'ddab5b1', 'b68e3fd', 'a46f01f', '317894f', '9b8b65c', 'bff4c44',
'6b035f4', '08bc78b', '9c51146', '1f679f0', 'b833014', '916668b',
'3885fa4', 'f8915cd', '6f948fd', '816580a', '0d23392', '9690bb2',
'62e534d', '3ac64b3', '182f8bb', '19cf28b', 'd176808', 'd638c20',
'735b108', '7923ea4', 'd65ebac', 'bb43a10', '7ad38a3', 'c521504',
'45336d8', '0c0680d', 'b03074b', '686c920', '7f055b0', '4f9b535',
'1e26afa', '95f6d55', 'd24a10a', '0f3eab9', '0d805f9', '09fc590',
'9acedc3', 'a075900', '104a54a', 'fba0c22', 'c373ad3', '1e31848',
'5efcae1', '8ae0b4d', 'df3395f', '1b9845d', 'b64f1c9', '30d3de4',
'4799a20', 'a095c6c', '5f1d017', 'c370994', 'a2684d9', '2173d9c',
'3859f3e', '35bf91d', '409976b', '2b29ac4', 'f0d78e0', 'd7f5fb1',
'c707015', '2cfbca3', '156ab77', '505771b');
fixes['4.16']['fixed_ver'] = '4.16.3';
fixes['4.16']['fixed_ver_display'] = '4.16.3-pre (changeset 5b0919f)';
fixes['4.16']['affected_ver_regex'] = "^4\.16([^0-9]|$)";
fixes['4.16']['affected_changesets'] = make_list('1f5b394', '8b81fc1',
'825332d', '7682de6', '1514de3', 'f5a4c26', 'c5a76df', '01ab491',
'32ff913', '074b32e', '036fa87', 'c758765', 'a026fdd', 'cec3c52',
'ea15678', '59981b0', '8b60ad4', 'a63bbcf', 'ab21bb1', 'b0e95b4',
'b584b9b', '0a67b4e', '578d422', 'bce9857', '30c8e75', '2e406cf',
'2d39cf7', '7017cfe', '717460e', '787241f', 'b270ad4', '49344fb',
'd08cdf0', 'e26d6f4', 'f8af1a2', 'ce6aea7', '427e86b', '28ea39a',
'62e7fb7', 'c229b16', '2f75e36', '08f6c88', '426a834', 'aac1085',
'8f3f8f2', '96d26f1', '9fdb4f1', '88f2bf5', '481465f', '54f8ed8',
'd4a11d6', '02ab5e9', '5dae065', 'e5a5bde', '86cb374', '1bce7fb',
'3f4da85', 'b956076', '4951007', '2b694dd', '4f3204c', 'c377cea',
'd4e971a', 'e8882bc', 'e85e2a3', '32cb815', '44e9dcc', '3a16da8',
'914fc8e', '755a9b5', 'a603386', 'f5959ed', '943635d', '745e0b3',
'28d3f67', '40e9daf', '3422c19', '8fc19c1', '937fdba', '8d9531a', '4aa3291');
vcf::xen_hypervisor::check_version_and_report(app_info:app_info, fixes:fixes, severity:SECURITY_WARNING);