ID OPENVAS:1361412562310882613 Type openvas Reporter Copyright (C) 2016 Greenbone Networks GmbH Modified 2019-03-08T00:00:00
Description
Check the version of xen
###############################################################################
# OpenVAS Vulnerability Test
#
# CentOS Update for xen CESA-2016:2963 centos5
#
# Authors:
# System Generated Check
#
# Copyright:
# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
if(description)
{
  # --- Identity and revision bookkeeping -------------------------------------
  script_oid("1.3.6.1.4.1.25623.1.0.882613");
  script_name("CentOS Update for xen CESA-2016:2963 centos5");
  script_version("$Revision: 14058 $");
  script_tag(name:"creation_date", value:"2016-12-21 05:44:51 +0100 (Wed, 21 Dec 2016)");
  script_tag(name:"last_modification", value:"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $");
  script_copyright("Copyright (C) 2016 Greenbone Networks GmbH");

  # --- What is being checked, and how severe it is ---------------------------
  script_cve_id("CVE-2016-9637");
  # The score and vector registered here are CVSS v2. The NVD entry for
  # CVE-2016-9637 additionally lists a CVSS v3.0 base score of 7.5 with
  # changed scope (guest -> qemu process on the host), so triage should not
  # rest on the 3.7 alone.
  script_tag(name:"cvss_base_vector", value:"AV:L/AC:H/Au:N/C:P/I:P/A:P");
  script_tag(name:"cvss_base", value:"3.7");
  # "package": the verdict comes from comparing installed package versions,
  # not from probing the hypervisor or its device model.
  script_tag(name:"qod_type", value:"package");
  script_tag(name:"solution_type", value:"VendorFix");

  # --- Text shown with the result --------------------------------------------
  script_tag(name:"summary", value:"Check the version of xen");
  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");
  script_tag(name:"affected", value:"xen on CentOS 5");
  script_tag(name:"solution", value:"Please install the updated packages.");
  # Advisory text; the continuation lines belong to the string literal and are
  # therefore kept at column 0.
  script_tag(name:"insight", value:"Xen is a virtual machine monitor
Security Fix(es):
* An out of bounds array access issue was found in the Xen virtual machine
monitor, built with the QEMU ioport support. It could occur while doing
ioport read/write operations, if guest was to supply a 32bit address
parameter. A privileged guest user/process could use this flaw to
potentially escalate their privileges on a host. (CVE-2016-9637)
Red Hat would like to thank the Xen project for reporting this issue.");

  # --- References ------------------------------------------------------------
  script_xref(name:"CESA", value:"2016:2963");
  script_xref(name:"URL", value:"http://lists.centos.org/pipermail/centos-announce/2016-December/022181.html");

  # --- Scheduling ------------------------------------------------------------
  script_family("CentOS Local Security Checks");
  script_category(ACT_GATHER_INFO);
  # gather-package-list.nasl is the declared dependency; presumably it is what
  # fills the ssh/login/* keys required below (confirm). Without those keys,
  # or on a release other than CentOS5, the check is not run.
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/centos", "ssh/login/rpms", re:"ssh/login/release=CentOS5");

  # The description pass stops here; the package comparison further down is
  # not reached while `description` is set.
  exit(0);
}
include("revisions-lib.inc");
include("pkg-lib-rpm.inc");
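# Compare the installed xen RPMs of a CentOS 5 host with the fixed builds from
# CESA-2016:2963 (CVE-2016-9637) and report every package that is still behind.
#
# rpm_get_ssh_release(), isrpmvuln() and __pkg_match are not defined in this
# file; presumably they come from the pkg-lib-rpm.inc include above (confirm).
release = rpm_get_ssh_release();
if(!release)
  exit(0);

res = "";
report = "";

if(release == "CentOS5")
{
  # Collect the findings instead of exiting on the first hit: a host can carry
  # several outdated xen packages, and whoever remediates needs the full list
  # in one result rather than discovering the next package on a re-scan.
  if(!isnull(res = isrpmvuln(pkg:"xen", rpm:"xen~3.0.3~148.el5_11", rls:"CentOS5")))
    report += res;

  if(!isnull(res = isrpmvuln(pkg:"xen-devel", rpm:"xen-devel~3.0.3~148.el5_11", rls:"CentOS5")))
    report += res;

  if(!isnull(res = isrpmvuln(pkg:"xen-libs", rpm:"xen-libs~3.0.3~148.el5_11", rls:"CentOS5")))
    report += res;

  if(report != "")
  {
    security_message(data:report);
    exit(0);
  }

  # Nothing to report. NOTE(review): exit(99) with __pkg_match set looks like
  # the "package installed and not vulnerable" outcome; confirm against the
  # include. Either way the verdict covers RPM versions only: this script does
  # not check whether the running hypervisor or device model was restarted
  # after the update was installed.
  if(__pkg_match) exit(99);
  exit(0);
}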
{"id": "OPENVAS:1361412562310882613", "type": "openvas", "bulletinFamily": "scanner", "title": "CentOS Update for xen CESA-2016:2963 centos5", "description": "Check the version of xen", "published": "2016-12-21T00:00:00", "modified": "2019-03-08T00:00:00", "cvss": {"score": 3.7, "vector": "AV:L/AC:H/Au:N/C:P/I:P/A:P"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882613", "reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "references": ["2016:2963", "http://lists.centos.org/pipermail/centos-announce/2016-December/022181.html"], "cvelist": ["CVE-2016-9637"], "lastseen": "2019-05-29T18:35:13", "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2016-9637", "CVE-2016-2963"]}, {"type": "citrix", "idList": ["CTX219136"]}, {"type": "nessus", "idList": ["FEDORA_2016-CC2916DCF4.NASL", "CENTOS_RHSA-2016-2963.NASL", "CITRIX_XENSERVER_CTX219136.NASL", "ORACLEVM_OVMSA-2016-0171.NASL", "DEBIAN_DLA-1270.NASL", "SL_20161220_XEN_ON_SL5_X.NASL", "ORACLEVM_OVMSA-2016-0172.NASL", "FEDORA_2016-BCBAE0781F.NASL", "ORACLELINUX_ELSA-2016-2963.NASL", "REDHAT-RHSA-2016-2963.NASL"]}, {"type": "oraclelinux", "idList": ["ELSA-2016-2963"]}, {"type": "xen", "idList": ["XSA-199"]}, {"type": "redhat", "idList": ["RHSA-2016:2963"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310871729", "OPENVAS:1361412562310851495", "OPENVAS:1361412562310872184", "OPENVAS:1361412562310851463", "OPENVAS:1361412562310872166", "OPENVAS:1361412562310851466", "OPENVAS:1361412562310891270"]}, {"type": "centos", "idList": ["CESA-2016:2963"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1270-1:33BEE"]}, {"type": "fedora", "idList": ["FEDORA:B93A9606730B", "FEDORA:3D25F60BA90D"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2017:0008-1", "SUSE-SU-2016:3174-1", "OPENSUSE-SU-2016:3134-1", "SUSE-SU-2016:3273-1", "OPENSUSE-SU-2017:0007-1", "SUSE-SU-2016:3044-1", "SUSE-SU-2016:3067-1", "SUSE-SU-2016:3083-1", "SUSE-SU-2016:3156-1"]}, {"type": "gentoo", 
"idList": ["GLSA-201612-56"]}], "modified": "2019-05-29T18:35:13", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2019-05-29T18:35:13", "rev": 2}, "vulnersScore": 7.2}, "pluginID": "1361412562310882613", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for xen CESA-2016:2963 centos5\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882613\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-21 05:44:51 +0100 (Wed, 21 Dec 2016)\");\n script_cve_id(\"CVE-2016-9637\");\n script_tag(name:\"cvss_base\", value:\"3.7\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:H/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for xen CESA-2016:2963 centos5\");\n script_tag(name:\"summary\", value:\"Check the version of xen\");\n script_tag(name:\"vuldetect\", value:\"Checks if a 
vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Xen is a virtual machine monitor\n\nSecurity Fix(es):\n\n * An out of bounds array access issue was found in the Xen virtual machine\nmonitor, built with the QEMU ioport support. It could occur while doing\nioport read/write operations, if guest was to supply a 32bit address\nparameter. A privileged guest user/process could use this flaw to\npotentially escalate their privileges on a host. (CVE-2016-9637)\n\nRed Hat would like to thank the Xen project for reporting this issue.\");\n script_tag(name:\"affected\", value:\"xen on CentOS 5\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"CESA\", value:\"2016:2963\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2016-December/022181.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS5\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"xen\", rpm:\"xen~3.0.3~148.el5_11\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"xen-devel\", rpm:\"xen-devel~3.0.3~148.el5_11\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"xen-libs\", rpm:\"xen-libs~3.0.3~148.el5_11\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "naslFamily": "CentOS Local Security Checks"}
{"cve": [{"lastseen": "2021-02-02T06:28:14", "description": "The (1) ioport_read and (2) ioport_write functions in Xen, when qemu is used as a device model within Xen, might allow local x86 HVM guest OS administrators to gain qemu process privileges via vectors involving an out-of-range ioport access.", "edition": 4, "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.5, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-02-17T02:59:00", "title": "CVE-2016-9637", "type": "cve", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 1.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 3.7, "vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9637"], "modified": "2018-02-08T02:29:00", "cpe": ["cpe:/a:citrix:xenserver:6.0.2", "cpe:/a:citrix:xenserver:7.0", "cpe:/a:citrix:xenserver:6.5", "cpe:/a:citrix:xenserver:6.2.0"], "id": "CVE-2016-9637", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9637", "cvss": {"score": 3.7, "vector": "AV:L/AC:H/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:citrix:xenserver:6.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:citrix:xenserver:6.5:sp1:*:*:*:*:*:*", "cpe:2.3:a:citrix:xenserver:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:citrix:xenserver:6.2.0:sp1:*:*:*:*:*:*"]}], "citrix": [{"lastseen": "2020-12-24T11:42:49", "bulletinFamily": "software", "cvelist": 
["CVE-2016-9637"], "description": "<section class=\"article-content\" data-swapid=\"ArticleContent\">\n<div class=\"content-block\" data-swapid=\"ContentBlock\"><div>\n<div>\n<!--googleoff: all-->\n<h2 id=\"DescriptionofProblem\"> Description of Problem</h2>\n<!--googleon: all-->\n<div>\n<div>\n<div>\n<p>A security vulnerability has been identified in Citrix XenServer that may allow malicious privileged-mode code running within an HVM guest VM to compromise the host.</p>\n<p>This vulnerability affects all currently supported versions of Citrix XenServer up to and including Citrix XenServer 7.0.</p>\n<p>The following vulnerability has been addressed:</p>\n<ul>\n<li>CVE-2016-9637: QEMU ioport array overflow</li>\n</ul>\n</div>\n</div>\n</div>\n<!--googleoff: all-->\n<hr/>\n</div>\n<div>\n<!--googleoff: all-->\n<h2 id=\"MitigatingFactors\"> Mitigating Factors</h2>\n<!--googleon: all-->\n<div>\n<div>\n<div>\n<p>Customers with only PV guests are unaffected by this issue.<br/> <br/> Customers with HVM guests where the guest operating system and administrators are trusted are significantly less at risk from this issue.<br/> <br/> </p>\n</div>\n</div>\n</div>\n<!--googleoff: all-->\n<hr/>\n</div>\n<div>\n<!--googleoff: all-->\n<h2 id=\"WhatCustomersShouldDo\"> What Customers Should Do</h2>\n<!--googleon: all-->\n<div>\n<div>\n<div>\n<p>Hotfixes have been released to address these issues. 
Citrix strongly recommends that affected customers install these hotfixes, which can be downloaded from the following locations:</p>\n<ul>\n<li>Citrix XenServer 7.0: CTX219203 \u2013 <a href=\"https://support.citrix.com/article/CTX219203\">https://support.citrix.com/article/CTX219203</a></li>\n<li>Citrix XenServer 6.5 SP1: CTX219202 \u2013 <a href=\"https://support.citrix.com/article/CTX219202\">https://support.citrix.com/article/CTX219202</a></li>\n<li>Citrix XenServer 6.2 SP1: CTX219201 \u2013 <a href=\"https://support.citrix.com/article/CTX219201\">https://support.citrix.com/article/CTX219201</a></li>\n<li>Citrix XenServer 6.0.2 Common Criteria: CTX219200 \u2013 <a href=\"https://support.citrix.com/article/CTX219200\">https://support.citrix.com/article/CTX219200</a><br/> </li>\n</ul>\n</div>\n</div>\n</div>\n<!--googleoff: all-->\n<hr/>\n</div>\n<div>\n<!--googleoff: all-->\n<h2 id=\"WhatCitrixIsDoing\"> What Citrix Is Doing</h2>\n<!--googleon: all-->\n<div>\n<div>\n<div>\n<div>\n<div>\n<p>Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at <u> <a href=\"http://support.citrix.com/\">http://support.citrix.com/</a></u>.</p>\n</div>\n</div>\n</div>\n</div>\n</div>\n<!--googleoff: all-->\n<hr/>\n</div>\n<div>\n<!--googleoff: all-->\n<h2 id=\"ObtainingSupportonThisIssue\"> Obtaining Support on This Issue</h2>\n<!--googleon: all-->\n<div>\n<div>\n<div>\n<div>\n<div>\n<p>If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at <u> <a href=\"https://www.citrix.com/support/open-a-support-case.html\">https://www.citrix.com/support/open-a-support-case.html</a></u>. 
</p>\n</div>\n</div>\n</div>\n</div>\n</div>\n<!--googleoff: all-->\n<hr/>\n</div>\n<div>\n<!--googleoff: all-->\n<h2 id=\"ReportingSecurityVulnerabilities\"> Reporting Security Vulnerabilities</h2>\n<!--googleon: all-->\n<div>\n<div>\n<div>\n<div>\n<div>\n<p>Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 \u2013 <a href=\"http://support.citrix.com/article/CTX081743\">Reporting Security Issues to Citrix</a></p>\n</div>\n</div>\n</div>\n</div>\n</div>\n<!--googleoff: all-->\n<hr/>\n</div>\n<div>\n<!--googleoff: all-->\n<h2 id=\"Changelog\"> Changelog</h2>\n<!--googleon: all-->\n<div>\n<div>\n<div>\n<table border=\"1\" cellpadding=\"1\" cellspacing=\"0\" width=\"100%\">\n<tbody>\n<tr>\n<td>Date </td>\n<td>Change</td>\n</tr>\n<tr>\n<td> </td>\n<td> </td>\n</tr>\n</tbody>\n</table>\n</div>\n</div>\n</div>\n<!--googleoff: all-->\n<hr/>\n</div>\n</div></div>\n</section>", "modified": "2019-08-15T04:00:00", "published": "2016-12-06T05:00:00", "id": "CTX219136", "href": "https://support.citrix.com/article/CTX219136", "type": "citrix", "title": "CVE-2016-9637 - Citrix XenServer Security Update", "cvss": {"score": 3.7, "vector": "AV:L/AC:H/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:35:32", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9637"], "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2016-12-21T00:00:00", "id": "OPENVAS:1361412562310871729", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871729", "type": "openvas", "title": "RedHat Update for xen RHSA-2016:2963-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for xen RHSA-2016:2963-01\n#\n# Authors:\n# System Generated Check\n#\n# 
Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871729\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-21 05:44:22 +0100 (Wed, 21 Dec 2016)\");\n script_cve_id(\"CVE-2016-9637\");\n script_tag(name:\"cvss_base\", value:\"3.7\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:H/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for xen RHSA-2016:2963-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'xen'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Xen is a virtual machine monitor\n\nSecurity Fix(es):\n\n * An out of bounds array access issue was found in the Xen virtual machine\nmonitor, built with the QEMU ioport support. 
It could occur while doing\nioport read/write operations, if guest was to supply a 32bit address\nparameter. A privileged guest user/process could use this flaw to\npotentially escalate their privileges on a host. (CVE-2016-9637)\n\nRed Hat would like to thank the Xen project for reporting this issue.\");\n script_tag(name:\"affected\", value:\"xen on Red Hat Enterprise Linux (v. 5 server)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2016:2963-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2016-December/msg00023.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_5\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"xen-debuginfo\", rpm:\"xen-debuginfo~3.0.3~148.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"xen-libs\", rpm:\"xen-libs~3.0.3~148.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 3.7, "vector": "AV:L/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-29T20:11:03", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9637", "CVE-2017-15590", "CVE-2017-2620", "CVE-2016-9603"], "description": "Multiple vulnerabilities have been discovered in the Xen hypervisor, which\ncould result in privilege escalation..", "modified": "2020-01-29T00:00:00", "published": "2018-02-21T00:00:00", "id": 
"OPENVAS:1361412562310891270", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891270", "type": "openvas", "title": "Debian LTS: Security Advisory for xen (DLA-1270-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891270\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2016-9603\", \"CVE-2016-9637\", \"CVE-2017-15590\", \"CVE-2017-2620\");\n script_name(\"Debian LTS: Security Advisory for xen (DLA-1270-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-02-21 00:00:00 +0100 (Wed, 21 Feb 2018)\");\n script_tag(name:\"cvss_base\", value:\"9.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2018/02/msg00005.html\");\n\n script_category(ACT_GATHER_INFO);\n\n 
script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n\n script_tag(name:\"affected\", value:\"xen on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 7 'Wheezy', these problems have been fixed in version\n4.1.6.lts1-12.\n\nWe recommend that you upgrade your xen packages..\");\n\n script_tag(name:\"summary\", value:\"Multiple vulnerabilities have been discovered in the Xen hypervisor, which\ncould result in privilege escalation..\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"libxen-4.1\", ver:\"4.1.6.lts1-12\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libxen-dev\", ver:\"4.1.6.lts1-12\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libxen-ocaml\", ver:\"4.1.6.lts1-12\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libxen-ocaml-dev\", ver:\"4.1.6.lts1-12\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libxenstore3.0\", ver:\"4.1.6.lts1-12\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"xen-docs-4.1\", ver:\"4.1.6.lts1-12\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"xen-hypervisor-4.1-amd64\", ver:\"4.1.6.lts1-12\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"xen-hypervisor-4.1-i386\", ver:\"4.1.6.lts1-12\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"xen-system-amd64\", ver:\"4.1.6.lts1-12\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = 
isdpkgvuln(pkg:\"xen-system-i386\", ver:\"4.1.6.lts1-12\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"xen-utils-4.1\", ver:\"4.1.6.lts1-12\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"xen-utils-common\", ver:\"4.1.6.lts1-12\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"xenstore-utils\", ver:\"4.1.6.lts1-12\", rls:\"DEB7\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:13", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9637", "CVE-2016-9818", "CVE-2016-9915", "CVE-2016-9922", "CVE-2016-9916", "CVE-2016-9815", "CVE-2016-9914", "CVE-2016-9816", "CVE-2016-9921", "CVE-2016-9913", "CVE-2016-9817"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-12-19T00:00:00", "id": "OPENVAS:1361412562310872166", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872166", "type": "openvas", "title": "Fedora Update for xen FEDORA-2016-cc2916dcf4", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for xen FEDORA-2016-cc2916dcf4\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872166\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-19 06:13:39 +0100 (Mon, 19 Dec 2016)\");\n script_cve_id(\"CVE-2016-9815\", \"CVE-2016-9816\", \"CVE-2016-9817\", \"CVE-2016-9818\", \"CVE-2016-9921\", \"CVE-2016-9922\", \"CVE-2016-9637\", \"CVE-2016-9913\", \"CVE-2016-9914\", \"CVE-2016-9915\", \"CVE-2016-9916\");\n script_tag(name:\"cvss_base\", value:\"4.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for xen FEDORA-2016-cc2916dcf4\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'xen'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"xen on Fedora 23\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-cc2916dcf4\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KBJRH37EFT37GXFTPXFFF6VA2QUNBKPB\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n 
script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC23\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC23\")\n{\n\n if ((res = isrpmvuln(pkg:\"xen\", rpm:\"xen~4.5.5~5.fc23\", rls:\"FC23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:35:50", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9637", "CVE-2016-9818", "CVE-2016-9915", "CVE-2016-9922", "CVE-2016-9932", "CVE-2016-9916", "CVE-2016-9815", "CVE-2016-9914", "CVE-2016-9816", "CVE-2016-9921", "CVE-2016-9913", "CVE-2016-9817"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-12-26T00:00:00", "id": "OPENVAS:1361412562310872184", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872184", "type": "openvas", "title": "Fedora Update for xen FEDORA-2016-bcbae0781f", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for xen FEDORA-2016-bcbae0781f\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872184\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-26 06:03:41 +0100 (Mon, 26 Dec 2016)\");\n script_cve_id(\"CVE-2016-9932\", \"CVE-2016-9815\", \"CVE-2016-9816\", \"CVE-2016-9817\",\n \"CVE-2016-9818\", \"CVE-2016-9921\", \"CVE-2016-9922\", \"CVE-2016-9637\",\n \"CVE-2016-9913\", \"CVE-2016-9914\", \"CVE-2016-9915\", \"CVE-2016-9916\");\n script_tag(name:\"cvss_base\", value:\"4.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for xen FEDORA-2016-bcbae0781f\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'xen'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"xen on Fedora 24\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-bcbae0781f\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTUTHSETSKEL5RS2HA3FWRYANKYMNOXJ\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n 
script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC24\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"xen\", rpm:\"xen~4.6.4~4.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-06-11T17:32:18", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9637", "CVE-2016-9378", "CVE-2016-7777", "CVE-2016-9384", "CVE-2016-9383", "CVE-2016-8669", "CVE-2016-9380", "CVE-2016-8910", "CVE-2016-8667", "CVE-2016-9381", "CVE-2016-9382", "CVE-2016-9379", "CVE-2016-9386", "CVE-2016-9385", "CVE-2016-7909", "CVE-2016-9377", "CVE-2016-7908"], "description": "The remote host is missing an update for the ", "modified": "2020-06-09T00:00:00", "published": "2017-02-22T00:00:00", "id": "OPENVAS:1361412562310851495", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851495", "type": "openvas", "title": "openSUSE: Security Advisory for xen (openSUSE-SU-2016:3134-1)", "sourceData": "# Copyright (C) 2017 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851495\");\n script_version(\"2020-06-09T14:44:58+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-09 14:44:58 +0000 (Tue, 09 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-02-22 15:15:10 +0100 (Wed, 22 Feb 2017)\");\n script_cve_id(\"CVE-2016-7777\", \"CVE-2016-7908\", \"CVE-2016-7909\", \"CVE-2016-8667\",\n \"CVE-2016-8669\", \"CVE-2016-8910\", \"CVE-2016-9377\", \"CVE-2016-9378\",\n \"CVE-2016-9379\", \"CVE-2016-9380\", \"CVE-2016-9381\", \"CVE-2016-9382\",\n \"CVE-2016-9383\", \"CVE-2016-9384\", \"CVE-2016-9385\", \"CVE-2016-9386\",\n \"CVE-2016-9637\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for xen (openSUSE-SU-2016:3134-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'xen'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"xen was updated to version 4.7.1 to fix 17 security issues.\n\n These security issues were fixed:\n\n - CVE-2016-9637: ioport array overflow allowing a malicious guest\n administrator can escalate their privilege to that of the host\n (bsc#1011652).\n\n - CVE-2016-9386: x86 null segments were not always treated as unusable\n allowing an unprivileged guest user program to elevate its privilege to\n that of the guest operating system. 
Exploit of this vulnerability is\n easy on Intel and more complicated on AMD (bsc#1009100).\n\n - CVE-2016-9382: x86 task switch to VM86 mode was mis-handled, allowing a\n unprivileged guest process to escalate its privilege to that of the\n guest operating system on AMD hardware. On Intel hardware a malicious\n unprivileged guest process can crash the guest (bsc#1009103).\n\n - CVE-2016-9385: x86 segment base write emulation lacked canonical address\n checks, allowing a malicious guest administrator to crash the host\n (bsc#1009104).\n\n - CVE-2016-9384: Guest 32-bit ELF symbol table load leaking host data to\n unprivileged guest users (bsc#1009105).\n\n - CVE-2016-9383: The x86 64-bit bit test instruction emulation was broken,\n allowing a guest to modify arbitrary memory leading to arbitrary code\n execution (bsc#1009107).\n\n - CVE-2016-9377: x86 software interrupt injection was mis-handled,\n allowing an unprivileged guest user to crash the guest (bsc#1009108).\n\n - CVE-2016-9378: x86 software interrupt injection was mis-handled,\n allowing an unprivileged guest user to crash the guest (bsc#1009108)\n\n - CVE-2016-9381: Improper processing of shared rings allowing guest\n administrators take over the qemu process, elevating their privilege to\n that of the qemu process (bsc#1009109).\n\n - CVE-2016-9379: Delimiter injection vulnerabilities in pygrub allowed\n guest administrators to obtain the contents of sensitive host files or\n delete the files (bsc#1009111).\n\n - CVE-2016-9380: Delimiter injection vulnerabilities in pygrub allowed\n guest administrators to obtain the contents of sensitive host files or\n delete the files (bsc#1009111).\n\n - CVE-2016-7777: Xen did not properly honor CR0.TS and CR0.EM, which\n allowed local x86 HVM guest OS users to read or modify FPU, MMX, or XMM\n register state information belonging to arbitrary tasks on the guest by\n modifying an instruction while the hypervisor is preparing to emulate it\n (bsc#1000106).\n\n - 
CVE-2016-8910: The rtl8139_cplus_transmit function in hw/net/rtl8139.c\n allowed local guest OS administrators to cause a denial of service\n (infinite loop and CPU consumption) by leveraging failure to limit the\n ring description ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n\n script_tag(name:\"affected\", value:\"xen on openSUSE Leap 42.2\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2016:3134-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.2\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.2\") {\n if(!isnull(res = isrpmvuln(pkg:\"xen-debugsource\", rpm:\"xen-debugsource~4.7.1_02~3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-devel\", rpm:\"xen-devel~4.7.1_02~3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-libs\", rpm:\"xen-libs~4.7.1_02~3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-libs-debuginfo\", rpm:\"xen-libs-debuginfo~4.7.1_02~3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-tools-domU\", rpm:\"xen-tools-domU~4.7.1_02~3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-tools-domU-debuginfo\", rpm:\"xen-tools-domU-debuginfo~4.7.1_02~3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n 
if(!isnull(res = isrpmvuln(pkg:\"xen\", rpm:\"xen~4.7.1_02~3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-doc-html\", rpm:\"xen-doc-html~4.7.1_02~3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-libs-32bit\", rpm:\"xen-libs-32bit~4.7.1_02~3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-libs-debuginfo-32bit\", rpm:\"xen-libs-debuginfo-32bit~4.7.1_02~3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-tools\", rpm:\"xen-tools~4.7.1_02~3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-tools-debuginfo\", rpm:\"xen-tools-debuginfo~4.7.1_02~3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-31T18:27:08", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9637", "CVE-2016-7777", "CVE-2016-9932", "CVE-2016-10013", "CVE-2016-9383", "CVE-2016-8669", "CVE-2016-9380", "CVE-2016-8910", "CVE-2016-8667", "CVE-2016-9381", "CVE-2016-9382", "CVE-2016-10024", "CVE-2016-8909", "CVE-2016-8576", "CVE-2016-9379", "CVE-2016-9386", "CVE-2016-9385", "CVE-2016-7909", "CVE-2016-7908"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2017-01-04T00:00:00", "id": "OPENVAS:1361412562310851463", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851463", "type": "openvas", "title": "openSUSE: Security Advisory for xen (openSUSE-SU-2017:0008-1)", "sourceData": "# Copyright (C) 2017 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# 
SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851463\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-01-04 09:00:24 +0100 (Wed, 04 Jan 2017)\");\n script_cve_id(\"CVE-2016-10013\", \"CVE-2016-10024\", \"CVE-2016-7777\", \"CVE-2016-7908\",\n \"CVE-2016-7909\", \"CVE-2016-8576\", \"CVE-2016-8667\", \"CVE-2016-8669\",\n \"CVE-2016-8909\", \"CVE-2016-8910\", \"CVE-2016-9379\", \"CVE-2016-9380\",\n \"CVE-2016-9381\", \"CVE-2016-9382\", \"CVE-2016-9383\", \"CVE-2016-9385\",\n \"CVE-2016-9386\", \"CVE-2016-9637\", \"CVE-2016-9932\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for xen (openSUSE-SU-2017:0008-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'xen'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n 
script_tag(name:\"insight\", value:\"This updates xen to version 4.4.4_06 to fix the following issues:\n\n - An unprivileged user in a guest could gain guest could escalate\n privilege to that of the guest kernel, if it had could invoke the\n instruction emulator. Only 64-bit x86 HVM guest were affected. Linux\n guest have not been vulnerable. (boo#1016340, CVE-2016-10013)\n\n - An unprivileged user in a 64 bit x86 guest could gain information from\n the host, crash the host or gain privilege of the host (boo#1009107,\n CVE-2016-9383)\n\n - An unprivileged guest process could (unintentionally or maliciously)\n obtain\n or ocorrupt sensitive information of other programs in the same guest.\n Only x86 HVM guests have been affected. The attacker needs to be able\n to trigger the Xen instruction emulator. (boo#1000106, CVE-2016-7777)\n\n - A guest on x86 systems could read small parts of hypervisor stack data\n (boo#1012651, CVE-2016-9932)\n\n - A malicious guest kernel could hang or crash the host system\n (boo#1014298, CVE-2016-10024)\n\n - A malicious guest administrator could escalate their privilege to that\n of the host. Only affects x86 HVM guests using qemu older version 1.6.0\n or using the qemu-xen-traditional. (boo#1011652, CVE-2016-9637)\n\n - An unprivileged guest user could escalate privilege to that of the guest\n administrator on x86 HVM guests, especially on Intel CPUs (boo#1009100,\n CVE-2016-9386)\n\n - An unprivileged guest user could escalate privilege to that of the guest\n administrator (on AMD CPUs) or crash the system (on Intel CPUs) on\n 32-bit x86 HVM guests. Only guest operating systems that allowed a new\n task to start in VM86 mode were affected. (boo#1009103, CVE-2016-9382)\n\n - A malicious guest administrator could crash the host on x86 PV guests\n only (boo#1009104, CVE-2016-9385)\n\n - A malicious guest administrator could get privilege of the host emulator\n process on x86 HVM guests. 
(boo#1009109, CVE-2016-9381)\n\n - A vulnerability in pygrub allowed a malicious guest administrator to\n obtain the contents of sensitive host files, or even delete those files\n (boo#1009111, CVE-2016-9379, CVE-2016-9380)\n\n - A privileged guest user could cause an infinite loop in the RTL8139\n ethernet emulation to consume CPU cycles on the host, causing a DoS\n situation (boo#1007157, CVE-2016-8910)\n\n - A privileged guest user could cause an infinite loop in the intel-hda\n sound emulation to consume CPU cycles on the host, causing a DoS\n situation (boo#1007160, CVE-2016-8909)\n\n - A privileged guest user could cause a crash of the emulator process on\n the host by exploiting a divide by zero vulnerability of the JAZZ RC4030\n chipse ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n\n script_tag(name:\"affected\", value:\"xen on openSUSE 13.2\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2017:0008-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSE13\\.2\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSE13.2\")\n{\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-debugsource\", rpm:\"xen-debugsource~4.4.4_06~58.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-devel\", rpm:\"xen-devel~4.4.4_06~58.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-libs\", rpm:\"xen-libs~4.4.4_06~58.1\", 
rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-libs-debuginfo\", rpm:\"xen-libs-debuginfo~4.4.4_06~58.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-tools-domU\", rpm:\"xen-tools-domU~4.4.4_06~58.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-tools-domU-debuginfo\", rpm:\"xen-tools-domU-debuginfo~4.4.4_06~58.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen\", rpm:\"xen~4.4.4_06~58.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-doc-html\", rpm:\"xen-doc-html~4.4.4_06~58.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-kmp-default\", rpm:\"xen-kmp-default~4.4.4_06_k3.16.7_53~58.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-kmp-default-debuginfo\", rpm:\"xen-kmp-default-debuginfo~4.4.4_06_k3.16.7_53~58.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-kmp-desktop\", rpm:\"xen-kmp-desktop~4.4.4_06_k3.16.7_53~58.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-kmp-desktop-debuginfo\", rpm:\"xen-kmp-desktop-debuginfo~4.4.4_06_k3.16.7_53~58.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-libs-32bit\", rpm:\"xen-libs-32bit~4.4.4_06~58.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-libs-debuginfo-32bit\", rpm:\"xen-libs-debuginfo-32bit~4.4.4_06~58.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-tools\", rpm:\"xen-tools~4.4.4_06~58.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-tools-debuginfo\", rpm:\"xen-tools-debuginfo~4.4.4_06~58.1\", rls:\"openSUSE13.2\"))) {\n report += res;\n }\n\n if(report != 
\"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-31T18:27:46", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9637", "CVE-2016-9101", "CVE-2016-9776", "CVE-2016-9378", "CVE-2016-7777", "CVE-2016-7995", "CVE-2016-9932", "CVE-2016-10013", "CVE-2016-9383", "CVE-2016-8669", "CVE-2016-9380", "CVE-2016-8910", "CVE-2016-8667", "CVE-2016-9381", "CVE-2016-9382", "CVE-2016-10024", "CVE-2016-8909", "CVE-2016-8576", "CVE-2016-9379", "CVE-2016-9386", "CVE-2016-9385", "CVE-2016-7909", "CVE-2016-9377", "CVE-2016-7908"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2017-01-04T00:00:00", "id": "OPENVAS:1361412562310851466", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851466", "type": "openvas", "title": "openSUSE: Security Advisory for xen (openSUSE-SU-2017:0007-1)", "sourceData": "# Copyright (C) 2017 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851466\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-01-04 09:00:45 +0100 (Wed, 04 Jan 2017)\");\n script_cve_id(\"CVE-2016-10013\", \"CVE-2016-10024\", \"CVE-2016-7777\", \"CVE-2016-7908\",\n \"CVE-2016-7909\", \"CVE-2016-7995\", \"CVE-2016-8576\", \"CVE-2016-8667\",\n \"CVE-2016-8669\", \"CVE-2016-8909\", \"CVE-2016-8910\", \"CVE-2016-9101\",\n \"CVE-2016-9377\", \"CVE-2016-9378\", \"CVE-2016-9379\", \"CVE-2016-9380\",\n \"CVE-2016-9381\", \"CVE-2016-9382\", \"CVE-2016-9383\", \"CVE-2016-9385\",\n \"CVE-2016-9386\", \"CVE-2016-9637\", \"CVE-2016-9776\", \"CVE-2016-9932\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for xen (openSUSE-SU-2017:0007-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'xen'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This updates xen to version 4.5.5 to fix the following issues:\n\n - An unprivileged user in a guest could gain guest could escalate\n privilege to that of the guest kernel, if it had could invoke the\n instruction emulator. Only 64-bit x86 HVM guest were affected. Linux\n guest have not been vulnerable. 
(boo#1016340, CVE-2016-10013)\n\n - An unprivileged user in a 64 bit x86 guest could gain information from\n the host, crash the host or gain privilege of the host (boo#1009107,\n CVE-2016-9383)\n\n - An unprivileged guest process could (unintentionally or maliciously)\n obtain\n or ocorrupt sensitive information of other programs in the same guest.\n Only x86 HVM guests have been affected. The attacker needs to be able\n to trigger the Xen instruction emulator. (boo#1000106, CVE-2016-7777)\n\n - A guest on x86 systems could read small parts of hypervisor stack data\n (boo#1012651, CVE-2016-9932)\n\n - A malicious guest kernel could hang or crash the host system\n (boo#1014298, CVE-2016-10024)\n\n - The epro100 emulated network device caused a memory leak in the host\n when unplugged in the guest. A privileged user in the guest could use\n this to cause a DoS on the host or potentially crash the guest process\n on the host (boo#1013668, CVE-2016-9101)\n\n - The ColdFire Fast Ethernet Controller was vulnerable to an infinite loop\n that could be triggered by a privileged user in the guest, leading to DoS\n (boo#1013657, CVE-2016-9776)\n\n - A malicious guest administrator could escalate their privilege to that\n of the host. Only affects x86 HVM guests using qemu older version 1.6.0\n or using the qemu-xen-traditional. (boo#1011652, CVE-2016-9637)\n\n - An unprivileged guest user could escalate privilege to that of the guest\n administrator on x86 HVM guests, especially on Intel CPUs (boo#1009100,\n CVE-2016-9386)\n\n - An unprivileged guest user could escalate privilege to that of the guest\n administrator (on AMD CPUs) or crash the system (on Intel CPUs) on\n 32-bit x86 HVM guests. Only guest operating systems that allowed a new\n task to start in VM86 mode were affected. 
(boo#1009103, CVE-2016-9382)\n\n - A malicious guest administrator could crash the host on x86 PV guests\n only (boo#1009104, CVE-2016-9385)\n\n - An unprivileged guest user was able to crash the guest. (boo#1009108,\n CVE-2016-9377, CVE-2016-9378)\n\n - A malicious guest administrator could get privilege of the host emulator\n process on x86 HVM guests. (boo#1009109, CVE-2016-9381)\n\n - A vulnerability in pygrub allowed a malicious guest administrator to\n obtain the contents of sensitive host files, or even delete those files\n (boo#1009111, CV ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n\n script_tag(name:\"affected\", value:\"xen on openSUSE Leap 42.1\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2017:0007-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.1\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.1\") {\n if(!isnull(res = isrpmvuln(pkg:\"xen-debugsource\", rpm:\"xen-debugsource~4.5.5_06~18.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-devel\", rpm:\"xen-devel~4.5.5_06~18.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-libs\", rpm:\"xen-libs~4.5.5_06~18.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-libs-debuginfo\", rpm:\"xen-libs-debuginfo~4.5.5_06~18.1\", rls:\"openSUSELeap42.1\"))) {\n 
report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-tools-domU\", rpm:\"xen-tools-domU~4.5.5_06~18.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-tools-domU-debuginfo\", rpm:\"xen-tools-domU-debuginfo~4.5.5_06~18.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen\", rpm:\"xen~4.5.5_06~18.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-doc-html\", rpm:\"xen-doc-html~4.5.5_06~18.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-kmp-default\", rpm:\"xen-kmp-default~4.5.5_06_k4.1.36_41~18.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-kmp-default-debuginfo\", rpm:\"xen-kmp-default-debuginfo~4.5.5_06_k4.1.36_41~18.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-libs-32bit\", rpm:\"xen-libs-32bit~4.5.5_06~18.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-libs-debuginfo-32bit\", rpm:\"xen-libs-debuginfo-32bit~4.5.5_06~18.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-tools\", rpm:\"xen-tools~4.5.5_06~18.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"xen-tools-debuginfo\", rpm:\"xen-tools-debuginfo~4.5.5_06~18.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "centos": [{"lastseen": "2020-12-08T03:39:21", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9637"], "description": "**CentOS Errata and Security Advisory** CESA-2016:2963\n\n\nXen is a virtual machine monitor\n\nSecurity Fix(es):\n\n* An out of bounds array access issue was found 
in the Xen virtual machine\nmonitor, built with the QEMU ioport support. It could occur while doing ioport\nread/write operations, if guest was to supply a 32bit address parameter. A\nprivileged guest user/process could use this flaw to potentially escalate their\nprivileges on a host. (CVE-2016-9637)\n\nRed Hat would like to thank the Xen project for reporting this issue.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2016-December/034219.html\n\n**Affected packages:**\nxen\nxen-devel\nxen-libs\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-2963.html", "edition": 4, "modified": "2016-12-20T16:58:37", "published": "2016-12-20T16:58:37", "href": "http://lists.centos.org/pipermail/centos-announce/2016-December/034219.html", "id": "CESA-2016:2963", "title": "xen security update", "type": "centos", "cvss": {"score": 3.7, "vector": "AV:L/AC:H/Au:N/C:P/I:P/A:P"}}], "redhat": [{"lastseen": "2019-08-13T18:44:47", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9637"], "description": "Xen is a virtual machine monitor\n\nSecurity Fix(es):\n\n* An out of bounds array access issue was found in the Xen virtual machine\nmonitor, built with the QEMU ioport support. It could occur while doing ioport\nread/write operations, if guest was to supply a 32bit address parameter. A\nprivileged guest user/process could use this flaw to potentially escalate their\nprivileges on a host. 
(CVE-2016-9637)\n\nRed Hat would like to thank the Xen project for reporting this issue.\n", "modified": "2017-09-08T12:18:10", "published": "2016-12-20T05:00:00", "id": "RHSA-2016:2963", "href": "https://access.redhat.com/errata/RHSA-2016:2963", "type": "redhat", "title": "(RHSA-2016:2963) Important: xen security update", "cvss": {"score": 3.7, "vector": "AV:L/AC:H/Au:N/C:P/I:P/A:P"}}], "xen": [{"lastseen": "2016-12-06T13:30:14", "bulletinFamily": "software", "cvelist": ["CVE-2016-9637"], "edition": 1, "description": "#### ISSUE DESCRIPTION\nThe code in qemu which implements ioport read/write looks up the specified ioport address in a dispatch table. The argument to the dispatch function is a uint32_t, and is used without a range check, even though the table has entries for only 2^16 ioports.\nWhen qemu is used as a standalone emulator, ioport accesses are generated only from cpu instructions emulated by qemu, and are therefore necessarily 16-bit, so there is no vulnerability.\nWhen qemu is used as a device model within Xen, io requests are generated by the hypervisor and read by qemu from a shared ring. The entries in this ring use a common structure, including a 64-bit address field, for various accesses, including ioport addresses.\nXen will write only 16-bit address ioport accesses. However, depending on the Xen and qemu version, the ring may be writeable by the guest. If so, the guest can generate out-of-range ioport accesses, resulting in wild pointer accesses within qemu.\n #### IMPACT\nA malicious guest administrator can escalate their privilege to that of the qemu process.\n #### VULNERABLE SYSTEMS\nPV guests cannot exploit the vulnerability.\nARM systems are not vulnerable.\nHVM domains run with QEMU stub domains cannot exploit the vulnerability. 
(A QEMU stub domain is used if xl's domain configuration file contains "device_model_stubdomain_override=1".)\nGuests using the modern "qemu-xen" device model, with a qemu version of at least 1.6.0 (for example, as provided by the Xen Project in its Xen 4.4.0 and later releases), cannot exploit the vulnerability.\nx86 HVM guests, not configured with qemu stub domains, using a version of qemu older than qemu upstream 1.6.0, can exploit the vulnerability.\nx86 HVM guests using the traditional "qemu-xen-traditional", not configured with qemu stub domains, can therefore exploit the vulnerability.\nIn tabular form:\n Guest type | Xen version | QEMU stub | QEMU "traditional" and/or qemu version | Status\n ARM | any | n/a | n/a any | OK\n x86 PV | any | n/a | n/a any | OK\n x86 HVM | any | yes | qemu-xen-traditional | OK\n x86 HVM | any | no | qemu-xen* >= 1.6.0 | OK\n x86 HVM | >= 4.4 | no | qemu-xen* Xen supplied | OK\n x86 HVM | any | no | qemu-xen* < 1.6.0 | Vulnerable\n x86 HVM | <= 4.3 | no | qemu-xen* Xen supplied | Vulnerable\n x86 HVM | any | no | qemu-xen-traditional | Vulnerable\n[*] qemu-xen is the default when qemu stub domains are not in use, since Xen 4.3.\n ", "modified": "2016-12-06T12:11:00", "published": "2016-12-06T12:00:00", "href": "http://xenbits.xen.org/xsa/advisory-199.html", "id": "XSA-199", "type": "xen", "title": "qemu ioport array overflow", "cvss": {"score": 0.0, "vector": "NONE"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:37:30", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9637"], "description": "[3.0.3-148.el5_11]\n- xen-qemu-ioport-array-overflow.patch [bz#1401521]\n- Resolves: bz#1401521\n (CVE-2016-9637 xsa199 xen: qemu ioport array overflow (XSA-199) [rhel-5.11.z])", "edition": 4, "modified": "2016-12-20T00:00:00", "published": "2016-12-20T00:00:00", "id": "ELSA-2016-2963", "href": "http://linux.oracle.com/errata/ELSA-2016-2963.html", "title": "xen security update", "type": "oraclelinux", "cvss": {"score": 3.7, "vector": "AV:L/AC:H/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-02-01T01:38:16", 
"description": "The version of Citrix XenServer running on the remote host is missing\na security hotfix. It is, therefore, affected by a privilege\nescalation vulnerability in the QEMU ioport component due to an array\noverflow that is triggered during the handling of addresses in ioport\nread and write look-ups. A local administrative user on the guest\nsystem can exploit this issue to gain elevated privileges on the host\nsystem.", "edition": 31, "cvss3": {"score": 7.5, "vector": "AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"}, "published": "2016-12-09T00:00:00", "title": "Citrix XenServer QEMU ioport Array Overflow Guest-to-Host Privilege Escalation (CTX219136)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9637"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/a:citrix:xenserver"], "id": "CITRIX_XENSERVER_CTX219136.NASL", "href": "https://www.tenable.com/plugins/nessus/95659", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(95659);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\"CVE-2016-9637\");\n script_bugtraq_id(93970);\n\n script_name(english:\"Citrix XenServer QEMU ioport Array Overflow Guest-to-Host Privilege Escalation (CTX219136)\");\n script_summary(english:\"Checks for patches.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by a privilege escalation vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Citrix XenServer running on the remote host is missing\na security hotfix. It is, therefore, affected by a privilege\nescalation vulnerability in the QEMU ioport component due to an array\noverflow that is triggered during the handling of addresses in ioport\nread and write look-ups. 
A local administrative user on the guest\nsystem can exploit this issue to gain elevated privileges on the host\nsystem.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.citrix.com/article/CTX219136\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate hotfix according to the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-9637\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/12/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:citrix:xenserver\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"citrix_xenserver_version.nbin\");\n script_require_keys(\"Host/XenServer/version\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\napp_name = \"Citrix XenServer\";\nversion = get_kb_item_or_exit(\"Host/XenServer/version\");\nget_kb_item_or_exit(\"Host/local_checks_enabled\");\npatches = get_kb_item(\"Host/XenServer/patches\");\nvuln = FALSE;\nfix = '';\n\nif (version == \"6.0.2\")\n{\n fix = \"XS602ECC038\"; # CTX219200\n if (fix >!< patches) vuln = TRUE;\n}\nelse if (version =~ \"^6\\.2\\.\")\n{\n fix = \"XS62ESP1053\"; # CTX219201\n if (fix >!< patches) vuln = TRUE;\n}\nelse if (version =~ \"^6\\.5\\.\")\n{\n fix = \"XS65ESP1044\"; # CTX219202\n if (fix >!< patches) vuln = TRUE;\n}\nelse if (version =~ \"^7\\.0\")\n{\n fix = \"XS70E022\"; # CTX219203\n if (fix >!< patches) vuln = TRUE;\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, app_name, version);\n\nif (vuln)\n{\n port = 0;\n report = report_items_str(\n report_items:make_array(\n \"Installed version\", version,\n \"Missing hotfix\", fix\n ),\n ordered_fields:make_list(\"Installed version\", \"Missing hotfix\")\n );\n security_report_v4(port:port, severity:SECURITY_NOTE, extra:report);\n}\nelse audit(AUDIT_PATCH_INSTALLED, fix);\n", "cvss": {"score": 3.7, "vector": "AV:L/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-01T05:33:49", "description": "An update for xen is now available for Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nXen is a virtual machine monitor\n\nSecurity Fix(es) :\n\n* An out of bounds array access issue was found in the Xen virtual\nmachine monitor, built with the QEMU ioport support. 
It could occur\nwhile doing ioport read/write operations, if guest was to supply a\n32bit address parameter. A privileged guest user/process could use\nthis flaw to potentially escalate their privileges on a host.\n(CVE-2016-9637)\n\nRed Hat would like to thank the Xen project for reporting this issue.", "edition": 31, "cvss3": {"score": 7.5, "vector": "AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"}, "published": "2016-12-21T00:00:00", "title": "RHEL 5 : xen (RHSA-2016:2963)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9637"], "modified": "2021-02-02T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:xen-debuginfo", "cpe:/o:redhat:enterprise_linux:5", "p-cpe:/a:redhat:enterprise_linux:xen-devel", "p-cpe:/a:redhat:enterprise_linux:xen", "p-cpe:/a:redhat:enterprise_linux:xen-libs"], "id": "REDHAT-RHSA-2016-2963.NASL", "href": "https://www.tenable.com/plugins/nessus/95982", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:2963. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(95982);\n script_version(\"3.11\");\n script_cvs_date(\"Date: 2019/10/24 15:35:42\");\n\n script_cve_id(\"CVE-2016-9637\");\n script_xref(name:\"RHSA\", value:\"2016:2963\");\n\n script_name(english:\"RHEL 5 : xen (RHSA-2016:2963)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for xen is now available for Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nXen is a virtual machine monitor\n\nSecurity Fix(es) :\n\n* An out of bounds array access issue was found in the Xen virtual\nmachine monitor, built with the QEMU ioport support. It could occur\nwhile doing ioport read/write operations, if guest was to supply a\n32bit address parameter. A privileged guest user/process could use\nthis flaw to potentially escalate their privileges on a host.\n(CVE-2016-9637)\n\nRed Hat would like to thank the Xen project for reporting this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2016:2963\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9637\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xen-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xen-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xen-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2016:2963\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"xen-3.0.3-148.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"xen-3.0.3-148.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"xen-debuginfo-3.0.3-148.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"xen-debuginfo-3.0.3-148.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"xen-devel-3.0.3-148.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"xen-devel-3.0.3-148.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"xen-libs-3.0.3-148.el5_11\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"xen-libs-3.0.3-148.el5_11\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"xen / 
xen-debuginfo / xen-devel / xen-libs\");\n }\n}\n", "cvss": {"score": 3.7, "vector": "AV:L/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-06T09:30:55", "description": "An update for xen is now available for Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nXen is a virtual machine monitor\n\nSecurity Fix(es) :\n\n* An out of bounds array access issue was found in the Xen virtual\nmachine monitor, built with the QEMU ioport support. It could occur\nwhile doing ioport read/write operations, if guest was to supply a\n32bit address parameter. A privileged guest user/process could use\nthis flaw to potentially escalate their privileges on a host.\n(CVE-2016-9637)\n\nRed Hat would like to thank the Xen project for reporting this issue.", "edition": 32, "cvss3": {"score": 7.5, "vector": "AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"}, "published": "2016-12-21T00:00:00", "title": "CentOS 5 : xen (CESA-2016:2963)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9637"], "modified": "2016-12-21T00:00:00", "cpe": ["p-cpe:/a:centos:centos:xen", "p-cpe:/a:centos:centos:xen-libs", "cpe:/o:centos:centos:5", "p-cpe:/a:centos:centos:xen-devel"], "id": "CENTOS_RHSA-2016-2963.NASL", "href": "https://www.tenable.com/plugins/nessus/95953", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:2963 and \n# CentOS Errata and Security Advisory 2016:2963 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(95953);\n script_version(\"3.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", 
value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2016-9637\");\n script_xref(name:\"RHSA\", value:\"2016:2963\");\n\n script_name(english:\"CentOS 5 : xen (CESA-2016:2963)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for xen is now available for Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nXen is a virtual machine monitor\n\nSecurity Fix(es) :\n\n* An out of bounds array access issue was found in the Xen virtual\nmachine monitor, built with the QEMU ioport support. It could occur\nwhile doing ioport read/write operations, if guest was to supply a\n32bit address parameter. 
A privileged guest user/process could use\nthis flaw to potentially escalate their privileges on a host.\n(CVE-2016-9637)\n\nRed Hat would like to thank the Xen project for reporting this issue.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2016-December/022181.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1cfeb266\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected xen packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-9637\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:xen-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:xen-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/02/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 5.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-5\", reference:\"xen-3.0.3-148.el5_11\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"xen-devel-3.0.3-148.el5_11\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"xen-libs-3.0.3-148.el5_11\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"xen / xen-devel / xen-libs\");\n}\n", "cvss": {"score": 3.7, "vector": "AV:L/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-06T13:24:04", "description": "The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - qemu: ioport_read, ioport_write: be defensive about\n 32-bit addresses On x86, 
ioport addresses are 16-bit.\n That these functions take 32-bit arguments is a mistake.\n Changing the argument type to 16-bit will discard the\n top bits of any erroneous values from elsewhere in qemu.\n Also, check just before use that the value is in range.\n (This turns an ill-advised change to MAX_IOPORTS into a\n possible guest crash rather than a privilege escalation\n vulnerability.) And, in the Xen ioreq processor, clamp\n incoming ioport addresses to 16-bit values. Xen will\n never write >16-bit values but the guest may have access\n to the ioreq ring. We want to defend the rest of the\n qemu code from wrong values. This is XSA-199.\n (CVE-2016-9637)", "edition": 36, "cvss3": {"score": 7.5, "vector": "AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"}, "published": "2016-12-08T00:00:00", "title": "OracleVM 3.2 : xen (OVMSA-2016-0172)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9637"], "modified": "2016-12-08T00:00:00", "cpe": ["p-cpe:/a:oracle:vm:xen-devel", "cpe:/o:oracle:vm_server:3.2", "p-cpe:/a:oracle:vm:xen", "p-cpe:/a:oracle:vm:xen-tools"], "id": "ORACLEVM_OVMSA-2016-0172.NASL", "href": "https://www.tenable.com/plugins/nessus/95619", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from OracleVM\n# Security Advisory OVMSA-2016-0172.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(95619);\n script_version(\"3.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2016-9637\");\n\n script_name(english:\"OracleVM 3.2 : xen (OVMSA-2016-0172)\");\n script_summary(english:\"Checks the RPM output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote OracleVM host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote OracleVM 
system is missing necessary patches to address\ncritical security updates :\n\n - qemu: ioport_read, ioport_write: be defensive about\n 32-bit addresses On x86, ioport addresses are 16-bit.\n That these functions take 32-bit arguments is a mistake.\n Changing the argument type to 16-bit will discard the\n top bits of any erroneous values from elsewhere in qemu.\n Also, check just before use that the value is in range.\n (This turns an ill-advised change to MAX_IOPORTS into a\n possible guest crash rather than a privilege escalation\n vulnerability.) And, in the Xen ioreq processor, clamp\n incoming ioport addresses to 16-bit values. Xen will\n never write >16-bit values but the guest may have access\n to the ioreq ring. We want to defend the rest of the\n qemu code from wrong values. This is XSA-199.\n (CVE-2016-9637)\"\n );\n # https://oss.oracle.com/pipermail/oraclevm-errata/2016-December/000599.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?559639b9\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected xen / xen-devel / xen-tools packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:xen-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:xen-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:3.2\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/02/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/08\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"OracleVM Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleVM/release\", \"Host/OracleVM/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/OracleVM/release\");\nif (isnull(release) || \"OVS\" >!< release) audit(AUDIT_OS_NOT, \"OracleVM\");\nif (! 
preg(pattern:\"^OVS\" + \"3\\.2\" + \"(\\.[0-9]|$)\", string:release)) audit(AUDIT_OS_NOT, \"OracleVM 3.2\", \"OracleVM \" + release);\nif (!get_kb_item(\"Host/OracleVM/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"OracleVM\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"OVS3.2\", reference:\"xen-4.1.3-25.el5.223.45\")) flag++;\nif (rpm_check(release:\"OVS3.2\", reference:\"xen-devel-4.1.3-25.el5.223.45\")) flag++;\nif (rpm_check(release:\"OVS3.2\", reference:\"xen-tools-4.1.3-25.el5.223.45\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());\n else security_note(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"xen / xen-devel / xen-tools\");\n}\n", "cvss": {"score": 3.7, "vector": "AV:L/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-17T13:49:30", "description": "Security Fix(es) :\n\n - An out of bounds array access issue was found in the Xen\n virtual machine monitor, built with the QEMU ioport\n support. It could occur while doing ioport read/write\n operations, if guest was to supply a 32bit address\n parameter. A privileged guest user/process could use\n this flaw to potentially escalate their privileges on a\n host. 
(CVE-2016-9637)", "edition": 17, "cvss3": {"score": 7.5, "vector": "AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"}, "published": "2016-12-21T00:00:00", "title": "Scientific Linux Security Update : xen on SL5.x i386/x86_64 (20161220)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9637"], "modified": "2016-12-21T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:xen-libs", "x-cpe:/o:fermilab:scientific_linux", "p-cpe:/a:fermilab:scientific_linux:xen-debuginfo", "p-cpe:/a:fermilab:scientific_linux:xen-devel", "p-cpe:/a:fermilab:scientific_linux:xen"], "id": "SL_20161220_XEN_ON_SL5_X.NASL", "href": "https://www.tenable.com/plugins/nessus/95985", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(95985);\n script_version(\"3.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2016-9637\");\n\n script_name(english:\"Scientific Linux Security Update : xen on SL5.x i386/x86_64 (20161220)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security Fix(es) :\n\n - An out of bounds array access issue was found in the Xen\n virtual machine monitor, built with the QEMU ioport\n support. It could occur while doing ioport read/write\n operations, if guest was to supply a 32bit address\n parameter. A privileged guest user/process could use\n this flaw to potentially escalate their privileges on a\n host. 
(CVE-2016-9637)\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1612&L=scientific-linux-errata&F=&S=&P=17477\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?332d0cde\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:xen-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:xen-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:xen-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/02/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 5.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL5\", reference:\"xen-3.0.3-148.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"xen-debuginfo-3.0.3-148.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"xen-devel-3.0.3-148.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"xen-libs-3.0.3-148.el5_11\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"xen / xen-debuginfo / xen-devel / xen-libs\");\n}\n", "cvss": {"score": 3.7, "vector": "AV:L/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": 
"2021-01-06T13:24:04", "description": "The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - qemu_up: ioport_read, ioport_write: be defensive about\n 32-bit addresses On x86, ioport addresses are 16-bit.\n That these functions take 32-bit arguments is a mistake.\n Changing the argument type to 16-bit will discard the\n top bits of any erroneous values from elsewhere in qemu.\n Also, check just before use that the value is in range.\n (This turns an ill-advised change to MAX_IOPORTS into a\n possible guest crash rather than a privilege escalation\n vulnerability.) And, in the Xen ioreq processor, clamp\n incoming ioport addresses to 16-bit values. Xen will\n never write >16-bit values but the guest may have access\n to the ioreq ring. We want to defend the rest of the\n qemu code from wrong values. This is XSA-199.\n (CVE-2016-9637)\n\n - qemu: ioport_read, ioport_write: be defensive about\n 32-bit addresses On x86, ioport addresses are 16-bit.\n That these functions take 32-bit arguments is a mistake.\n Changing the argument type to 16-bit will discard the\n top bits of any erroneous values from elsewhere in qemu.\n Also, check just before use that the value is in range.\n (This turns an ill-advised change to MAX_IOPORTS into a\n possible guest crash rather than a privilege escalation\n vulnerability.) And, in the Xen ioreq processor, clamp\n incoming ioport addresses to 16-bit values. Xen will\n never write >16-bit values but the guest may have access\n to the ioreq ring. We want to defend the rest of the\n qemu code from wrong values. 
This is XSA-199.\n (CVE-2016-9637)", "edition": 36, "cvss3": {"score": 7.5, "vector": "AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"}, "published": "2016-12-08T00:00:00", "title": "OracleVM 3.3 : xen (OVMSA-2016-0171)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9637"], "modified": "2016-12-08T00:00:00", "cpe": ["cpe:/o:oracle:vm_server:3.3", "p-cpe:/a:oracle:vm:xen", "p-cpe:/a:oracle:vm:xen-tools"], "id": "ORACLEVM_OVMSA-2016-0171.NASL", "href": "https://www.tenable.com/plugins/nessus/95618", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from OracleVM\n# Security Advisory OVMSA-2016-0171.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(95618);\n script_version(\"3.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2016-9637\");\n\n script_name(english:\"OracleVM 3.3 : xen (OVMSA-2016-0171)\");\n script_summary(english:\"Checks the RPM output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote OracleVM host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - qemu_up: ioport_read, ioport_write: be defensive about\n 32-bit addresses On x86, ioport addresses are 16-bit.\n That these functions take 32-bit arguments is a mistake.\n Changing the argument type to 16-bit will discard the\n top bits of any erroneous values from elsewhere in qemu.\n Also, check just before use that the value is in range.\n (This turns an ill-advised change to MAX_IOPORTS into a\n possible guest crash rather than a privilege escalation\n vulnerability.) And, in the Xen ioreq processor, clamp\n incoming ioport addresses to 16-bit values. 
Xen will\n never write >16-bit values but the guest may have access\n to the ioreq ring. We want to defend the rest of the\n qemu code from wrong values. This is XSA-199.\n (CVE-2016-9637)\n\n - qemu: ioport_read, ioport_write: be defensive about\n 32-bit addresses On x86, ioport addresses are 16-bit.\n That these functions take 32-bit arguments is a mistake.\n Changing the argument type to 16-bit will discard the\n top bits of any erroneous values from elsewhere in qemu.\n Also, check just before use that the value is in range.\n (This turns an ill-advised change to MAX_IOPORTS into a\n possible guest crash rather than a privilege escalation\n vulnerability.) And, in the Xen ioreq processor, clamp\n incoming ioport addresses to 16-bit values. Xen will\n never write >16-bit values but the guest may have access\n to the ioreq ring. We want to defend the rest of the\n qemu code from wrong values. This is XSA-199.\n (CVE-2016-9637)\"\n );\n # https://oss.oracle.com/pipermail/oraclevm-errata/2016-December/000598.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f42439e2\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected xen / xen-tools packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:xen-tools\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:oracle:vm_server:3.3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/02/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/08\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"OracleVM Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleVM/release\", \"Host/OracleVM/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/OracleVM/release\");\nif (isnull(release) || \"OVS\" >!< release) audit(AUDIT_OS_NOT, \"OracleVM\");\nif (! 
preg(pattern:\"^OVS\" + \"3\\.3\" + \"(\\.[0-9]|$)\", string:release)) audit(AUDIT_OS_NOT, \"OracleVM 3.3\", \"OracleVM \" + release);\nif (!get_kb_item(\"Host/OracleVM/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"OracleVM\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"OVS3.3\", reference:\"xen-4.3.0-55.el6.119.62\")) flag++;\nif (rpm_check(release:\"OVS3.3\", reference:\"xen-tools-4.3.0-55.el6.119.62\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());\n else security_note(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"xen / xen-tools\");\n}\n", "cvss": {"score": 3.7, "vector": "AV:L/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-17T12:50:55", "description": "From Red Hat Security Advisory 2016:2963 :\n\nAn update for xen is now available for Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nXen is a virtual machine monitor\n\nSecurity Fix(es) :\n\n* An out of bounds array access issue was found in the Xen virtual\nmachine monitor, built with the QEMU ioport support. It could occur\nwhile doing ioport read/write operations, if guest was to supply a\n32bit address parameter. 
A privileged guest user/process could use\nthis flaw to potentially escalate their privileges on a host.\n(CVE-2016-9637)\n\nRed Hat would like to thank the Xen project for reporting this issue.", "edition": 28, "cvss3": {"score": 7.5, "vector": "AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"}, "published": "2016-12-21T00:00:00", "title": "Oracle Linux 5 : xen (ELSA-2016-2963)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9637"], "modified": "2016-12-21T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:xen-devel", "cpe:/o:oracle:linux:5", "p-cpe:/a:oracle:linux:xen", "p-cpe:/a:oracle:linux:xen-libs"], "id": "ORACLELINUX_ELSA-2016-2963.NASL", "href": "https://www.tenable.com/plugins/nessus/95979", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2016:2963 and \n# Oracle Linux Security Advisory ELSA-2016-2963 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(95979);\n script_version(\"3.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2016-9637\");\n script_xref(name:\"RHSA\", value:\"2016:2963\");\n\n script_name(english:\"Oracle Linux 5 : xen (ELSA-2016-2963)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2016:2963 :\n\nAn update for xen is now available for Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nXen is a virtual machine monitor\n\nSecurity Fix(es) :\n\n* An out of bounds array access issue was found in the Xen virtual\nmachine monitor, built with the QEMU ioport support. It could occur\nwhile doing ioport read/write operations, if guest was to supply a\n32bit address parameter. A privileged guest user/process could use\nthis flaw to potentially escalate their privileges on a host.\n(CVE-2016-9637)\n\nRed Hat would like to thank the Xen project for reporting this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2016-December/006589.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected xen packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:xen-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:xen-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/02/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2016/12/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL5\", reference:\"xen-3.0.3-148.el5_11\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"xen-devel-3.0.3-148.el5_11\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"xen-libs-3.0.3-148.el5_11\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());\n else security_note(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"xen / xen-devel / xen-libs\");\n}\n", "cvss": {"score": 3.7, "vector": "AV:L/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T09:39:02", "description": "Multiple vulnerabilities have been discovered in the Xen hypervisor,\nwhich could result in privilege escalation.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n4.1.6.lts1-12.\n\nWe recommend that you upgrade your xen packages.\n\nPlease note that CVE-2017-15590 (XSA-237) will *not* be fixed in\nwheezy as the patches are too intrusive to backport. The vulnerability\ncan be mitigated by not passing through physical devices to untrusted\nguests. More information can be found on\nhttps://xenbits.xen.org/xsa/advisory-237.html\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 19, "cvss3": {"score": 9.9, "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2018-02-07T00:00:00", "title": "Debian DLA-1270-1 : xen security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9637", "CVE-2017-15590", "CVE-2017-2620", "CVE-2016-9603"], "modified": "2018-02-07T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:xen-hypervisor-4.1-amd64", "p-cpe:/a:debian:debian_linux:xen-system-i386", "p-cpe:/a:debian:debian_linux:xen-utils-4.1", "p-cpe:/a:debian:debian_linux:xen-system-amd64", "p-cpe:/a:debian:debian_linux:xenstore-utils", "p-cpe:/a:debian:debian_linux:xen-docs-4.1", "p-cpe:/a:debian:debian_linux:libxen-ocaml", "p-cpe:/a:debian:debian_linux:libxen-ocaml-dev", "p-cpe:/a:debian:debian_linux:libxenstore3.0", "cpe:/o:debian:debian_linux:7.0", "p-cpe:/a:debian:debian_linux:xen-hypervisor-4.1-i386", "p-cpe:/a:debian:debian_linux:xen-utils-common", "p-cpe:/a:debian:debian_linux:libxen-dev", "p-cpe:/a:debian:debian_linux:libxen-4.1"], "id": "DEBIAN_DLA-1270.NASL", "href": "https://www.tenable.com/plugins/nessus/106633", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1270-1. 
The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(106633);\n script_version(\"3.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-9603\", \"CVE-2016-9637\", \"CVE-2017-2620\");\n script_xref(name:\"IAVB\", value:\"2017-B-0024\");\n\n script_name(english:\"Debian DLA-1270-1 : xen security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple vulnerabilities have been discovered in the Xen hypervisor,\nwhich could result in privilege escalation.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n4.1.6.lts1-12.\n\nWe recommend that you upgrade your xen packages.\n\nPlease note that CVE-2017-15590 (XSA-237) will *not* be fixed in\nwheezy as the patches are too intrusive to backport. The vulnerability\ncan be mitigated by not passing through physical devices to untrusted\nguests. More information can be found on\nhttps://xenbits.xen.org/xsa/advisory-237.html\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2018/02/msg00005.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/xen\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://xenbits.xen.org/xsa/advisory-237.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libxen-4.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libxen-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libxen-ocaml\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libxen-ocaml-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libxenstore3.0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:xen-docs-4.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:xen-hypervisor-4.1-amd64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:xen-hypervisor-4.1-i386\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:xen-system-amd64\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:xen-system-i386\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:xen-utils-4.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:xen-utils-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:xenstore-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/02/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/02/07\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"libxen-4.1\", reference:\"4.1.6.lts1-12\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libxen-dev\", reference:\"4.1.6.lts1-12\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libxen-ocaml\", reference:\"4.1.6.lts1-12\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libxen-ocaml-dev\", reference:\"4.1.6.lts1-12\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libxenstore3.0\", reference:\"4.1.6.lts1-12\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"xen-docs-4.1\", 
reference:\"4.1.6.lts1-12\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"xen-hypervisor-4.1-amd64\", reference:\"4.1.6.lts1-12\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"xen-hypervisor-4.1-i386\", reference:\"4.1.6.lts1-12\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"xen-system-amd64\", reference:\"4.1.6.lts1-12\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"xen-system-i386\", reference:\"4.1.6.lts1-12\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"xen-utils-4.1\", reference:\"4.1.6.lts1-12\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"xen-utils-common\", reference:\"4.1.6.lts1-12\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"xenstore-utils\", reference:\"4.1.6.lts1-12\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T10:14:49", "description": "ARM guests may induce host asynchronous abort [XSA-201, CVE-2016-9815,\nCVE-2016-9816, CVE-2016-9817, CVE-2016-9818] (#1399747) qemu: Divide\nby zero vulnerability in cirrus_do_copy (#1399055) [CVE-2016-9921,\nCVE-2016-9922] Qemu: 9pfs: memory leakage via proxy/handle callbacks\n(#1402278) qemu ioport array overflow [XSA-199, CVE-2016-9637]\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 23, "cvss3": {"score": 7.5, "vector": "AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"}, "published": "2016-12-20T00:00:00", "title": "Fedora 23 : xen (2016-cc2916dcf4)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9637", "CVE-2016-9818", "CVE-2016-9922", "CVE-2016-9815", "CVE-2016-9816", "CVE-2016-9921", "CVE-2016-9913", "CVE-2016-9817"], 
"modified": "2016-12-20T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:xen", "cpe:/o:fedoraproject:fedora:23"], "id": "FEDORA_2016-CC2916DCF4.NASL", "href": "https://www.tenable.com/plugins/nessus/96025", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-cc2916dcf4.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(96025);\n script_version(\"3.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-9637\", \"CVE-2016-9815\", \"CVE-2016-9816\", \"CVE-2016-9817\", \"CVE-2016-9818\", \"CVE-2016-9913\", \"CVE-2016-9921\", \"CVE-2016-9922\");\n script_xref(name:\"FEDORA\", value:\"2016-cc2916dcf4\");\n\n script_name(english:\"Fedora 23 : xen (2016-cc2916dcf4)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"ARM guests may induce host asynchronous abort [XSA-201, CVE-2016-9815,\nCVE-2016-9816, CVE-2016-9817, CVE-2016-9818] (#1399747) qemu: Divide\nby zero vulnerability in cirrus_do_copy (#1399055) [CVE-2016-9921,\nCVE-2016-9922] Qemu: 9pfs: memory leakage via proxy/handle callbacks\n(#1402278) qemu ioport array overflow [XSA-199, CVE-2016-9637]\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-cc2916dcf4\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update 
the affected xen package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:xen\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:23\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/12/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/20\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^23([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 23\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC23\", reference:\"xen-4.5.5-5.fc23\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"xen\");\n}\n", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-01-12T10:14:44", "description": "x86 CMPXCHG8B emulation fails to ignore operand size override\n[XSA-200, CVE-2016-9932] (#1404262)\n\n----\n\nARM guests may induce host asynchronous abort [XSA-201, CVE-2016-9815,\nCVE-2016-9816, CVE-2016-9817, CVE-2016-9818] (#1399747) qemu: Divide\nby zero vulnerability in cirrus_do_copy (#1399055) [CVE-2016-9921,\nCVE-2016-9922] Qemu: 9pfs: memory leakage via proxy/handle callbacks\n(#1402278) qemu ioport array overflow [XSA-199, CVE-2016-9637]\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 24, "cvss3": {"score": 7.5, "vector": "AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"}, "published": "2016-12-27T00:00:00", "title": "Fedora 24 : xen (2016-bcbae0781f)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9637", "CVE-2016-9818", "CVE-2016-9922", "CVE-2016-9932", "CVE-2016-9815", "CVE-2016-9816", "CVE-2016-9921", "CVE-2016-9913", "CVE-2016-9817"], "modified": "2016-12-27T00:00:00", 
"cpe": ["p-cpe:/a:fedoraproject:fedora:xen", "cpe:/o:fedoraproject:fedora:24"], "id": "FEDORA_2016-BCBAE0781F.NASL", "href": "https://www.tenable.com/plugins/nessus/96113", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-bcbae0781f.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(96113);\n script_version(\"3.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-9637\", \"CVE-2016-9815\", \"CVE-2016-9816\", \"CVE-2016-9817\", \"CVE-2016-9818\", \"CVE-2016-9913\", \"CVE-2016-9921\", \"CVE-2016-9922\", \"CVE-2016-9932\");\n script_xref(name:\"FEDORA\", value:\"2016-bcbae0781f\");\n\n script_name(english:\"Fedora 24 : xen (2016-bcbae0781f)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"x86 CMPXCHG8B emulation fails to ignore operand size override\n[XSA-200, CVE-2016-9932] (#1404262)\n\n----\n\nARM guests may induce host asynchronous abort [XSA-201, CVE-2016-9815,\nCVE-2016-9816, CVE-2016-9817, CVE-2016-9818] (#1399747) qemu: Divide\nby zero vulnerability in cirrus_do_copy (#1399055) [CVE-2016-9921,\nCVE-2016-9922] Qemu: 9pfs: memory leakage via proxy/handle callbacks\n(#1402278) qemu ioport array overflow [XSA-199, CVE-2016-9637]\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-bcbae0781f\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected xen package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:xen\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:24\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/12/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/27\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^24([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 24\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC24\", reference:\"xen-4.6.4-4.fc24\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"xen\");\n}\n", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}], "debian": [{"lastseen": "2019-05-30T02:21:41", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9637", "CVE-2017-15590", "CVE-2017-2620", "CVE-2016-9603"], "description": "Package : xen\nVersion : 4.1.6.lts1-12\nCVE ID : CVE-2016-9603 CVE-2016-9637 CVE-2017-2620\n\nMultiple vulnerabilities have been discovered in the Xen hypervisor, which\ncould result in privilege escalation.\n\nFor Debian 7 "Wheezy", these problems have been fixed in version\n4.1.6.lts1-12.\n\nWe recommend that you upgrade your xen packages.\n\nPlease note that CVE-2017-15590 (XSA-237) will *not* be fixed in wheezy as\nthe patches are too intrusive to backport.\nThe vulnerability can be mitigated by not passing through physical devices\nto untrusted guests.\nMore information can be found on https://xenbits.xen.org/xsa/advisory-237.html\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 3, "modified": "2018-02-06T12:35:37", "published": "2018-02-06T12:35:37", "id": "DEBIAN:DLA-1270-1:33BEE", "href": 
"https://lists.debian.org/debian-lts-announce/2018/debian-lts-announce-201802/msg00005.html", "title": "[SECURITY] [DLA 1270-1] xen security update", "type": "debian", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "fedora": [{"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9637", "CVE-2016-9815", "CVE-2016-9816", "CVE-2016-9817", "CVE-2016-9818", "CVE-2016-9913", "CVE-2016-9914", "CVE-2016-9915", "CVE-2016-9921", "CVE-2016-9922"], "description": "This package contains the XenD daemon and xm command line tools, needed to manage virtual machines running under the Xen hypervisor ", "modified": "2016-12-19T01:27:21", "published": "2016-12-19T01:27:21", "id": "FEDORA:3D25F60BA90D", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 23 Update: xen-4.5.5-5.fc23", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9637", "CVE-2016-9815", "CVE-2016-9816", "CVE-2016-9817", "CVE-2016-9818", "CVE-2016-9913", "CVE-2016-9914", "CVE-2016-9915", "CVE-2016-9921", "CVE-2016-9922", "CVE-2016-9932"], "description": "This package contains the XenD daemon and xm command line tools, needed to manage virtual machines running under the Xen hypervisor ", "modified": "2016-12-23T13:51:19", "published": "2016-12-23T13:51:19", "id": "FEDORA:B93A9606730B", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: xen-4.6.4-4.fc24", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}], "suse": [{"lastseen": "2016-12-07T22:19:51", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9637", "CVE-2016-7777", "CVE-2016-6351", "CVE-2016-9383", "CVE-2016-8669", "CVE-2016-9380", "CVE-2016-8910", "CVE-2016-8667", "CVE-2016-9381", "CVE-2016-9382", "CVE-2016-9379", "CVE-2016-9386", "CVE-2016-7909", "CVE-2016-7908"], "edition": 1, "description": "xen was updated to fix several security issues.\n\n These security issues were 
fixed:\n\n - CVE-2016-9637: ioport array overflow allowing a malicious guest\n administrator can escalate their privilege to that of the host\n (bsc#1011652).\n - CVE-2016-9386: x86 null segments were not always treated as unusable\n allowing an unprivileged guest user program to elevate its privilege to\n that of the guest operating system. Exploit of this vulnerability is\n easy on Intel and more complicated on AMD (bsc#1009100)\n - CVE-2016-9382: x86 task switch to VM86 mode was mis-handled, allowing a\n unprivileged guest process to escalate its privilege to that of the\n guest operating system on AMD hardware. On Intel hardware a malicious\n unprivileged guest process can crash the guest (bsc#1009103)\n - CVE-2016-9383: The x86 64-bit bit test instruction emulation was broken,\n allowing a guest to modify arbitrary memory leading to arbitray code\n execution (bsc#1009107)\n - CVE-2016-9381: Improper processing of shared rings allowing guest\n administrators take over the qemu process, elevating their privilege to\n that of the qemu process (bsc#1009109)\n - CVE-2016-9380: Delimiter injection vulnerabilities in pygrub allowed\n guest administrators to obtain the contents of sensitive host files or\n delete the files (bsc#1009111)\n - CVE-2016-9379: Delimiter injection vulnerabilities in pygrub allowed\n guest administrators to obtain the contents of sensitive host files or\n delete the files (bsc#1009111)\n - CVE-2016-7777: Xen did not properly honor CR0.TS and CR0.EM, which\n allowed local x86 HVM guest OS users to read or modify FPU, MMX, or XMM\n register state information belonging to arbitrary tasks on the guest by\n modifying an instruction while the hypervisor is preparing to emulate it\n (bsc#1000106)\n - CVE-2016-8910: The rtl8139_cplus_transmit function in hw/net/rtl8139.c\n allowed local guest OS administrators to cause a denial of service\n (infinite loop and CPU consumption) by leveraging failure to limit the\n ring descriptor count (bsc#1007157)\n 
- CVE-2016-8667: The rc4030_write function in hw/dma/rc4030.c in allowed\n local guest OS administrators to cause a denial of service\n (divide-by-zero error and QEMU process crash) via a large interval timer\n reload value (bsc#1005004)\n - CVE-2016-8669: The serial_update_parameters function in hw/char/serial.c\n allowed local guest OS administrators to cause a denial of service\n (divide-by-zero error and QEMU process crash) via vectors involving a\n value of divider greater than baud base (bsc#1005005)\n - CVE-2016-7908: The mcf_fec_do_tx function in hw/net/mcf_fec.c did not\n properly limit the buffer descriptor count when transmitting packets,\n which allowed local guest OS administrators to cause a denial of service\n (infinite loop and QEMU process crash) via vectors involving a buffer\n descriptor with a length of 0 and crafted values in bd.flags\n (bsc#1003030)\n - CVE-2016-7909: The pcnet_rdra_addr function in hw/net/pcnet.c allowed\n local guest OS administrators to cause a denial of service (infinite\n loop and QEMU process crash) by setting the (1) receive or (2) transmit\n descriptor ring length to 0 (bsc#1003032)\n - CVE-2016-6351: The esp_do_dma function in hw/scsi/esp.c, when built with\n ESP/NCR53C9x controller emulation support, allowed local guest OS\n administrators to cause a denial of service (out-of-bounds write and\n QEMU process crash) or execute arbitrary code on the host via vectors\n involving DMA read into ESP command buffer (bsc#990843)\n\n This non-security issue was fixed:\n\n - bsc#1000893: virsh setmem didn't allow to set current guest memory to\n max limit\n\n", "modified": "2016-12-07T20:07:43", "published": "2016-12-07T20:07:43", "id": "SUSE-SU-2016:3044-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00023.html", "title": "Security update for xen (important)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": 
"2016-12-27T18:05:30", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9637", "CVE-2016-7777", "CVE-2016-9383", "CVE-2016-8669", "CVE-2016-9380", "CVE-2016-8910", "CVE-2016-8667", "CVE-2016-9381", "CVE-2016-9382", "CVE-2016-8909", "CVE-2016-9379", "CVE-2016-9386", "CVE-2016-7909", "CVE-2016-7908"], "edition": 1, "description": "This update for xen fixes several issues.\n\n These security issues were fixed:\n\n - CVE-2016-9637: ioport array overflow allowing a malicious guest\n administrator can escalate their privilege to that of the host\n (bsc#1011652)\n - CVE-2016-9386: x86 null segments were not always treated as unusable\n allowing an unprivileged guest user program to elevate its privilege to\n that of the guest operating system. Exploit of this vulnerability is\n easy on Intel and more complicated on AMD (bsc#1009100)\n - CVE-2016-9382: x86 task switch to VM86 mode was mis-handled, allowing a\n unprivileged guest process to escalate its privilege to that of the\n guest operating system on AMD hardware. 
On Intel hardware a malicious\n unprivileged guest process can crash the guest (bsc#1009103)\n - CVE-2016-9383: The x86 64-bit bit test instruction emulation was broken,\n allowing a guest to modify arbitrary memory leading to arbitray code\n execution (bsc#1009107)\n - CVE-2016-9381: Improper processing of shared rings allowing guest\n administrators take over the qemu process, elevating their privilege to\n that of the qemu process (bsc#1009109)\n - CVE-2016-9380: Delimiter injection vulnerabilities in pygrub allowed\n guest administrators to obtain the contents of sensitive host files or\n delete the files (bsc#1009111)\n - CVE-2016-9379: Delimiter injection vulnerabilities in pygrub allowed\n guest administrators to obtain the contents of sensitive host files or\n delete the files (bsc#1009111)\n - CVE-2016-7777: Xen did not properly honor CR0.TS and CR0.EM, which\n allowed local x86 HVM guest OS users to read or modify FPU, MMX, or XMM\n register state information belonging to arbitrary tasks on the guest by\n modifying an instruction while the hypervisor is preparing to emulate it\n (bsc#1000106)\n - CVE-2016-8910: The rtl8139_cplus_transmit function in hw/net/rtl8139.c\n allowed local guest OS administrators to cause a denial of service\n (infinite loop and CPU consumption) by leveraging failure to limit the\n ring descriptor count (bsc#1007157)\n - CVE-2016-8909: The intel_hda_xfer function in hw/audio/intel-hda.c\n allowed local guest OS administrators to cause a denial of service\n (infinite loop and CPU consumption) via an entry with the same value for\n buffer length and pointer position (bsc#1007160)\n - CVE-2016-8667: The rc4030_write function in hw/dma/rc4030.c in allowed\n local guest OS administrators to cause a denial of service\n (divide-by-zero error and QEMU process crash) via a large interval timer\n reload value (bsc#1005004)\n - CVE-2016-8669: The serial_update_parameters function in hw/char/serial.c\n allowed local guest OS administrators 
to cause a denial of service\n (divide-by-zero error and QEMU process crash) via vectors involving a\n value of divider greater than baud base (bsc#1005005)\n - CVE-2016-7908: The mcf_fec_do_tx function in hw/net/mcf_fec.c did not\n properly limit the buffer descriptor count when transmitting packets,\n which allowed local guest OS administrators to cause a denial of service\n (infinite loop and QEMU process crash) via vectors involving a buffer\n descriptor with a length of 0 and crafted values in bd.flags\n (bsc#1003030)\n - CVE-2016-7909: The pcnet_rdra_addr function in hw/net/pcnet.c allowed\n local guest OS administrators to cause a denial of service (infinite\n loop and QEMU process crash) by setting the (1) receive or (2) transmit\n descriptor ring length to 0 (bsc#1003032)\n\n This non-security issue was fixed:\n\n - bsc#1000893: virsh setmem didn't allow to set current guest memory to\n max limit\n\n", "modified": "2016-12-27T17:11:00", "published": "2016-12-27T17:11:00", "id": "SUSE-SU-2016:3273-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00096.html", "type": "suse", "title": "Security update for xen (important)", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2016-12-14T18:02:42", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9637", "CVE-2016-7777", "CVE-2016-9383", "CVE-2016-8669", "CVE-2016-9380", "CVE-2016-8910", "CVE-2016-8667", "CVE-2016-9381", "CVE-2016-9382", "CVE-2016-8909", "CVE-2016-8576", "CVE-2016-9379", "CVE-2016-9386", "CVE-2016-9385", "CVE-2016-7909", "CVE-2016-7908"], "edition": 1, "description": "This update for xen fixes several issues.\n\n These security issues were fixed:\n\n - CVE-2016-9637: ioport array overflow allowing a malicious guest\n administrator can escalate their privilege to that of the host\n (bsc#1011652)\n - CVE-2016-9386: x86 null segments were not always treated as unusable\n allowing an unprivileged guest user program to 
elevate its privilege to\n that of the guest operating system. Exploit of this vulnerability is\n easy on Intel and more complicated on AMD (bsc#1009100)\n - CVE-2016-9382: x86 task switch to VM86 mode was mis-handled, allowing a\n unprivileged guest process to escalate its privilege to that of the\n guest operating system on AMD hardware. On Intel hardware a malicious\n unprivileged guest process can crash the guest (bsc#1009103)\n - CVE-2016-9385: x86 segment base write emulation lacked canonical address\n checks, allowing a malicious guest administrator to crash the host\n (bsc#1009104)\n - CVE-2016-9383: The x86 64-bit bit test instruction emulation was broken,\n allowing a guest to modify arbitrary memory leading to arbitray code\n execution (bsc#1009107)\n - CVE-2016-9381: Improper processing of shared rings allowing guest\n administrators take over the qemu process, elevating their privilege to\n that of the qemu process (bsc#1009109)\n - CVE-2016-9380: Delimiter injection vulnerabilities in pygrub allowed\n guest administrators to obtain the contents of sensitive host files or\n delete the files (bsc#1009111)\n - CVE-2016-9379: Delimiter injection vulnerabilities in pygrub allowed\n guest administrators to obtain the contents of sensitive host files or\n delete the files (bsc#1009111)\n - CVE-2016-7777: Xen did not properly honor CR0.TS and CR0.EM, which\n allowed local x86 HVM guest OS users to read or modify FPU, MMX, or XMM\n register state information belonging to arbitrary tasks on the guest by\n modifying an instruction while the hypervisor is preparing to emulate it\n (bsc#1000106)\n - CVE-2016-8910: The rtl8139_cplus_transmit function in hw/net/rtl8139.c\n allowed local guest OS administrators to cause a denial of service\n (infinite loop and CPU consumption) by leveraging failure to limit the\n ring descriptor count (bsc#1007157)\n - CVE-2016-8909: The intel_hda_xfer function in hw/audio/intel-hda.c\n allowed local guest OS administrators to cause 
a denial of service\n (infinite loop and CPU consumption) via an entry with the same value for\n buffer length and pointer position (bsc#1007160)\n - CVE-2016-8667: The rc4030_write function in hw/dma/rc4030.c in allowed\n local guest OS administrators to cause a denial of service\n (divide-by-zero error and QEMU process crash) via a large interval timer\n reload value (bsc#1005004)\n - CVE-2016-8669: The serial_update_parameters function in hw/char/serial.c\n allowed local guest OS administrators to cause a denial of service\n (divide-by-zero error and QEMU process crash) via vectors involving a\n value of divider greater than baud base (bsc#1005005)\n - CVE-2016-8576: The xhci_ring_fetch function in hw/usb/hcd-xhci.c allowed\n local guest OS administrators to cause a denial of service (infinite\n loop and QEMU process crash) by leveraging failure to limit the number\n of link Transfer Request Blocks (TRB) to process (bsc#1004016)\n - CVE-2016-7908: The mcf_fec_do_tx function in hw/net/mcf_fec.c did not\n properly limit the buffer descriptor count when transmitting packets,\n which allowed local guest OS administrators to cause a denial of service\n (infinite loop and QEMU process crash) via vectors involving a buffer\n descriptor with a length of 0 and crafted values in bd.flags\n (bsc#1003030)\n - CVE-2016-7909: The pcnet_rdra_addr function in hw/net/pcnet.c allowed\n local guest OS administrators to cause a denial of service (infinite\n loop and QEMU process crash) by setting the (1) receive or (2) transmit\n descriptor ring length to 0 (bsc#1003032)\n\n These non-security issues were fixed:\n\n - bsc#953518: Unplug also SCSI disks in qemu-xen-traditional for upstream\n unplug protocol\n - bsc#953518: Unplug also SCSI disks in qemu-xen\n\n", "modified": "2016-12-14T18:07:56", "published": "2016-12-14T18:07:56", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00065.html", "id": "SUSE-SU-2016:3156-1", "type": "suse", "title": "Security 
update for xen (important)", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2016-12-16T18:05:34", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9637", "CVE-2016-7777", "CVE-2016-9383", "CVE-2016-8669", "CVE-2016-9380", "CVE-2016-8910", "CVE-2016-8667", "CVE-2016-9381", "CVE-2016-9382", "CVE-2016-8909", "CVE-2016-8576", "CVE-2016-9379", "CVE-2016-9386", "CVE-2016-9385", "CVE-2016-7909", "CVE-2016-7908"], "edition": 1, "description": "This update for xen fixes several issues.\n\n These security issues were fixed:\n\n - CVE-2016-9637: ioport array overflow allowing a malicious guest\n administrator to escalate their privilege to that of the host\n (bsc#1011652)\n - CVE-2016-9386: x86 null segments were not always treated as unusable\n allowing an unprivileged guest user program to elevate its privilege to\n that of the guest operating system. Exploit of this vulnerability is\n easy on Intel and more complicated on AMD (bsc#1009100)\n - CVE-2016-9382: x86 task switch to VM86 mode was mis-handled, allowing an\n unprivileged guest process to escalate its privilege to that of the\n guest operating system on AMD hardware. 
On Intel hardware a malicious\n unprivileged guest process can crash the guest (bsc#1009103)\n - CVE-2016-9385: x86 segment base write emulation lacked canonical address\n checks, allowing a malicious guest administrator to crash the host\n (bsc#1009104)\n - CVE-2016-9383: The x86 64-bit bit test instruction emulation was broken,\n allowing a guest to modify arbitrary memory leading to arbitray code\n execution (bsc#1009107)\n - CVE-2016-9381: Improper processing of shared rings allowing guest\n administrators take over the qemu process, elevating their privilege to\n that of the qemu process (bsc#1009109)\n - CVE-2016-9380: Delimiter injection vulnerabilities in pygrub allowed\n guest administrators to obtain the contents of sensitive host files or\n delete the files (bsc#1009111)\n - CVE-2016-9379: Delimiter injection vulnerabilities in pygrub allowed\n guest administrators to obtain the contents of sensitive host files or\n delete the files (bsc#1009111)\n - CVE-2016-7777: Xen did not properly honor CR0.TS and CR0.EM, which\n allowed local x86 HVM guest OS users to read or modify FPU, MMX, or XMM\n register state information belonging to arbitrary tasks on the guest by\n modifying an instruction while the hypervisor is preparing to emulate it\n (bsc#1000106)\n - CVE-2016-8910: The rtl8139_cplus_transmit function in hw/net/rtl8139.c\n allowed local guest OS administrators to cause a denial of service\n (infinite loop and CPU consumption) by leveraging failure to limit the\n ring descriptor count (bsc#1007157)\n - CVE-2016-8909: The intel_hda_xfer function in hw/audio/intel-hda.c\n allowed local guest OS administrators to cause a denial of service\n (infinite loop and CPU consumption) via an entry with the same value for\n buffer length and pointer position (bsc#1007160)\n - CVE-2016-8667: The rc4030_write function in hw/dma/rc4030.c in allowed\n local guest OS administrators to cause a denial of service\n (divide-by-zero error and QEMU process crash) via a large 
interval timer\n reload value (bsc#1005004)\n - CVE-2016-8669: The serial_update_parameters function in hw/char/serial.c\n allowed local guest OS administrators to cause a denial of service\n (divide-by-zero error and QEMU process crash) via vectors involving a\n value of divider greater than baud base (bsc#1005005)\n - CVE-2016-8576: The xhci_ring_fetch function in hw/usb/hcd-xhci.c allowed\n local guest OS administrators to cause a denial of service (infinite\n loop and QEMU process crash) by leveraging failure to limit the number\n of link Transfer Request Blocks (TRB) to process (bsc#1004016)\n - CVE-2016-7908: The mcf_fec_do_tx function in hw/net/mcf_fec.c did not\n properly limit the buffer descriptor count when transmitting packets,\n which allowed local guest OS administrators to cause a denial of service\n (infinite loop and QEMU process crash) via vectors involving a buffer\n descriptor with a length of 0 and crafted values in bd.flags\n (bsc#1003030)\n - CVE-2016-7909: The pcnet_rdra_addr function in hw/net/pcnet.c allowed\n local guest OS administrators to cause a denial of service (infinite\n loop and QEMU process crash) by setting the (1) receive or (2) transmit\n descriptor ring length to 0 (bsc#1003032)\n\n This non-security issue was fixed:\n - bsc#1000893: virsh setmem didn't allow to set current guest memory to\n max limit\n\n This update also delivers man-pages-supplement since some of the man-pages\n in there are now contained in the xen package itself.\n\n", "modified": "2016-12-16T16:07:44", "published": "2016-12-16T16:07:44", "id": "SUSE-SU-2016:3174-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00068.html", "type": "suse", "title": "Security update for xen (important)", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2016-12-14T02:02:38", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9637", "CVE-2016-9378", "CVE-2016-7777", "CVE-2016-9384", 
"CVE-2016-9383", "CVE-2016-8669", "CVE-2016-9380", "CVE-2016-8910", "CVE-2016-8667", "CVE-2016-9381", "CVE-2016-9382", "CVE-2016-9379", "CVE-2016-9386", "CVE-2016-9385", "CVE-2016-7909", "CVE-2016-9377", "CVE-2016-7908"], "edition": 1, "description": "xen was updated to version 4.7.1 to fix 17 security issues.\n\n These security issues were fixed:\n\n - CVE-2016-9637: ioport array overflow allowing a malicious guest\n administrator can escalate their privilege to that of the host\n (bsc#1011652).\n - CVE-2016-9386: x86 null segments were not always treated as unusable\n allowing an unprivileged guest user program to elevate its privilege to\n that of the guest operating system. Exploit of this vulnerability is\n easy on Intel and more complicated on AMD (bsc#1009100).\n - CVE-2016-9382: x86 task switch to VM86 mode was mis-handled, allowing a\n unprivileged guest process to escalate its privilege to that of the\n guest operating system on AMD hardware. On Intel hardware a malicious\n unprivileged guest process can crash the guest (bsc#1009103).\n - CVE-2016-9385: x86 segment base write emulation lacked canonical address\n checks, allowing a malicious guest administrator to crash the host\n (bsc#1009104).\n - CVE-2016-9384: Guest 32-bit ELF symbol table load leaking host data to\n unprivileged guest users (bsc#1009105).\n - CVE-2016-9383: The x86 64-bit bit test instruction emulation was broken,\n allowing a guest to modify arbitrary memory leading to arbitray code\n execution (bsc#1009107).\n - CVE-2016-9377: x86 software interrupt injection was mis-handled,\n allowing an unprivileged guest user to crash the guest (bsc#1009108).\n - CVE-2016-9378: x86 software interrupt injection was mis-handled,\n allowing an unprivileged guest user to crash the guest (bsc#1009108)\n - CVE-2016-9381: Improper processing of shared rings allowing guest\n administrators take over the qemu process, elevating their privilege to\n that of the qemu process (bsc#1009109).\n - 
CVE-2016-9379: Delimiter injection vulnerabilities in pygrub allowed\n guest administrators to obtain the contents of sensitive host files or\n delete the files (bsc#1009111).\n - CVE-2016-9380: Delimiter injection vulnerabilities in pygrub allowed\n guest administrators to obtain the contents of sensitive host files or\n delete the files (bsc#1009111).\n - CVE-2016-7777: Xen did not properly honor CR0.TS and CR0.EM, which\n allowed local x86 HVM guest OS users to read or modify FPU, MMX, or XMM\n register state information belonging to arbitrary tasks on the guest by\n modifying an instruction while the hypervisor is preparing to emulate it\n (bsc#1000106).\n - CVE-2016-8910: The rtl8139_cplus_transmit function in hw/net/rtl8139.c\n allowed local guest OS administrators to cause a denial of service\n (infinite loop and CPU consumption) by leveraging failure to limit the\n ring descriptor count (bsc#1007157).\n - CVE-2016-8667: The rc4030_write function in hw/dma/rc4030.c in allowed\n local guest OS administrators to cause a denial of service\n (divide-by-zero error and QEMU process crash) via a large interval timer\n reload value (bsc#1005004).\n - CVE-2016-8669: The serial_update_parameters function in hw/char/serial.c\n allowed local guest OS administrators to cause a denial of service\n (divide-by-zero error and QEMU process crash) via vectors involving a\n value of divider greater than baud base (bsc#1005005).\n - CVE-2016-7908: The mcf_fec_do_tx function in hw/net/mcf_fec.c did not\n properly limit the buffer descriptor count when transmitting packets,\n which allowed local guest OS administrators to cause a denial of service\n (infinite loop and QEMU process crash) via vectors involving a buffer\n descriptor with a length of 0 and crafted values in bd.flags\n (bsc#1003030).\n - CVE-2016-7909: The pcnet_rdra_addr function in hw/net/pcnet.c allowed\n local guest OS administrators to cause a denial of service (infinite\n loop and QEMU process crash) by setting 
the (1) receive or (2) transmit\n descriptor ring length to 0 (bsc#1003032).\n\n These non-security issues were fixed:\n\n - bsc#1004981: Xen RPM didn't contain debug hypervisor for EFI systems\n - bsc#1007941: Xen tools limited the number of vcpus to 256\n\n This update was imported from the SUSE:SLE-12-SP2:Update update project.\n\n", "modified": "2016-12-14T01:18:52", "published": "2016-12-14T01:18:52", "id": "OPENSUSE-SU-2016:3134-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00060.html", "type": "suse", "title": "Security update for xen (important)", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2016-12-09T17:30:02", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9637", "CVE-2016-9378", "CVE-2016-7777", "CVE-2016-9384", "CVE-2016-9383", "CVE-2016-8669", "CVE-2016-9380", "CVE-2016-8910", "CVE-2016-8667", "CVE-2016-9381", "CVE-2016-9382", "CVE-2016-9379", "CVE-2016-9386", "CVE-2016-9385", "CVE-2016-7909", "CVE-2016-9377", "CVE-2016-7908"], "edition": 1, "description": "xen was updated to version 4.7.1 to fix 17 security issues.\n\n These security issues were fixed:\n\n - CVE-2016-9637: ioport array overflow allowing a malicious guest\n administrator can escalate their privilege to that of the host\n (bsc#1011652).\n - CVE-2016-9386: x86 null segments were not always treated as unusable\n allowing an unprivileged guest user program to elevate its privilege to\n that of the guest operating system. Exploit of this vulnerability is\n easy on Intel and more complicated on AMD (bsc#1009100).\n - CVE-2016-9382: x86 task switch to VM86 mode was mis-handled, allowing a\n unprivileged guest process to escalate its privilege to that of the\n guest operating system on AMD hardware. 
On Intel hardware a malicious\n unprivileged guest process can crash the guest (bsc#1009103).\n - CVE-2016-9385: x86 segment base write emulation lacked canonical address\n checks, allowing a malicious guest administrator to crash the host\n (bsc#1009104).\n - CVE-2016-9384: Guest 32-bit ELF symbol table load leaking host data to\n unprivileged guest users (bsc#1009105).\n - CVE-2016-9383: The x86 64-bit bit test instruction emulation was broken,\n allowing a guest to modify arbitrary memory leading to arbitray code\n execution (bsc#1009107).\n - CVE-2016-9377: x86 software interrupt injection was mis-handled,\n allowing an unprivileged guest user to crash the guest (bsc#1009108).\n - CVE-2016-9378: x86 software interrupt injection was mis-handled,\n allowing an unprivileged guest user to crash the guest (bsc#1009108)\n - CVE-2016-9381: Improper processing of shared rings allowing guest\n administrators take over the qemu process, elevating their privilege to\n that of the qemu process (bsc#1009109).\n - CVE-2016-9379: Delimiter injection vulnerabilities in pygrub allowed\n guest administrators to obtain the contents of sensitive host files or\n delete the files (bsc#1009111).\n - CVE-2016-9380: Delimiter injection vulnerabilities in pygrub allowed\n guest administrators to obtain the contents of sensitive host files or\n delete the files (bsc#1009111).\n - CVE-2016-7777: Xen did not properly honor CR0.TS and CR0.EM, which\n allowed local x86 HVM guest OS users to read or modify FPU, MMX, or XMM\n register state information belonging to arbitrary tasks on the guest by\n modifying an instruction while the hypervisor is preparing to emulate it\n (bsc#1000106).\n - CVE-2016-8910: The rtl8139_cplus_transmit function in hw/net/rtl8139.c\n allowed local guest OS administrators to cause a denial of service\n (infinite loop and CPU consumption) by leveraging failure to limit the\n ring descriptor count (bsc#1007157).\n - CVE-2016-8667: The rc4030_write function in 
hw/dma/rc4030.c in allowed\n local guest OS administrators to cause a denial of service\n (divide-by-zero error and QEMU process crash) via a large interval timer\n reload value (bsc#1005004).\n - CVE-2016-8669: The serial_update_parameters function in hw/char/serial.c\n allowed local guest OS administrators to cause a denial of service\n (divide-by-zero error and QEMU process crash) via vectors involving a\n value of divider greater than baud base (bsc#1005005).\n - CVE-2016-7908: The mcf_fec_do_tx function in hw/net/mcf_fec.c did not\n properly limit the buffer descriptor count when transmitting packets,\n which allowed local guest OS administrators to cause a denial of service\n (infinite loop and QEMU process crash) via vectors involving a buffer\n descriptor with a length of 0 and crafted values in bd.flags\n (bsc#1003030).\n - CVE-2016-7909: The pcnet_rdra_addr function in hw/net/pcnet.c allowed\n local guest OS administrators to cause a denial of service (infinite\n loop and QEMU process crash) by setting the (1) receive or (2) transmit\n descriptor ring length to 0 (bsc#1003032).\n\n These non-security issues were fixed:\n\n - bsc#1004981: Xen RPM didn't contain debug hypervisor for EFI systems\n - bsc#1007941: Xen tools limited the number of vcpus to 256\n\n", "modified": "2016-12-09T18:07:27", "published": "2016-12-09T18:07:27", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00031.html", "id": "SUSE-SU-2016:3067-1", "title": "Security update for xen (important)", "type": "suse", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2016-12-12T14:02:38", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9637", "CVE-2016-9378", "CVE-2016-7777", "CVE-2016-7995", "CVE-2016-9383", "CVE-2016-8669", "CVE-2016-9380", "CVE-2016-8910", "CVE-2016-8667", "CVE-2016-9381", "CVE-2016-9382", "CVE-2016-8909", "CVE-2016-8576", "CVE-2016-9379", "CVE-2016-9386", "CVE-2016-9385", "CVE-2016-7909", 
"CVE-2016-9377", "CVE-2016-7908"], "edition": 1, "description": "This update for xen to version 4.5.5 fixes several issues.\n\n These security issues were fixed:\n\n - CVE-2016-9637: ioport array overflow allowing a malicious guest\n administrator can escalate their privilege to that of the host\n (bsc#1011652)\n - CVE-2016-9386: x86 null segments were not always treated as unusable\n allowing an unprivileged guest user program to elevate its privilege to\n that of the guest operating system. Exploit of this vulnerability is\n easy on Intel and more complicated on AMD (bsc#1009100)\n - CVE-2016-9382: x86 task switch to VM86 mode was mis-handled, allowing a\n unprivileged guest process to escalate its privilege to that of the\n guest operating system on AMD hardware. On Intel hardware a malicious\n unprivileged guest process can crash the guest (bsc#1009103)\n - CVE-2016-9385: x86 segment base write emulation lacked canonical address\n checks, allowing a malicious guest administrator to crash the host\n (bsc#1009104)\n - CVE-2016-9383: The x86 64-bit bit test instruction emulation was broken,\n allowing a guest to modify arbitrary memory leading to arbitray code\n execution (bsc#1009107)\n - CVE-2016-9378: x86 software interrupt injection was mis-handled,\n allowing an unprivileged guest user to crash the guest (bsc#1009108)\n - CVE-2016-9377: x86 software interrupt injection was mis-handled,\n allowing an unprivileged guest user to crash the guest (bsc#1009108)\n - CVE-2016-9381: Improper processing of shared rings allowing guest\n administrators take over the qemu process, elevating their privilege to\n that of the qemu process (bsc#1009109)\n - CVE-2016-9380: Delimiter injection vulnerabilities in pygrub allowed\n guest administrators to obtain the contents of sensitive host files or\n delete the files (bsc#1009111)\n - CVE-2016-9379: Delimiter injection vulnerabilities in pygrub allowed\n guest administrators to obtain the contents of sensitive host files or\n 
delete the files (bsc#1009111)\n - CVE-2016-7777: Xen did not properly honor CR0.TS and CR0.EM, which\n allowed local x86 HVM guest OS users to read or modify FPU, MMX, or XMM\n register state information belonging to arbitrary tasks on the guest by\n modifying an instruction while the hypervisor is preparing to emulate it\n (bsc#1000106)\n - CVE-2016-8910: The rtl8139_cplus_transmit function in hw/net/rtl8139.c\n allowed local guest OS administrators to cause a denial of service\n (infinite loop and CPU consumption) by leveraging failure to limit the\n ring descriptor count (bsc#1007157)\n - CVE-2016-8909: The intel_hda_xfer function in hw/audio/intel-hda.c\n allowed local guest OS administrators to cause a denial of service\n (infinite loop and CPU consumption) via an entry with the same value for\n buffer length and pointer position (bsc#1007160).\n - CVE-2016-8667: The rc4030_write function in hw/dma/rc4030.c in allowed\n local guest OS administrators to cause a denial of service\n (divide-by-zero error and QEMU process crash) via a large interval timer\n reload value (bsc#1005004)\n - CVE-2016-8669: The serial_update_parameters function in hw/char/serial.c\n allowed local guest OS administrators to cause a denial of service\n (divide-by-zero error and QEMU process crash) via vectors involving a\n value of divider greater than baud base (bsc#1005005)\n - CVE-2016-7995: A memory leak in ehci_process_itd allowed a privileged\n user inside guest to DoS the host (bsc#1003870).\n - CVE-2016-8576: The xhci_ring_fetch function in hw/usb/hcd-xhci.c allowed\n local guest OS administrators to cause a denial of service (infinite\n loop and QEMU process crash) by leveraging failure to limit the number\n of link Transfer Request Blocks (TRB) to process (bsc#1004016).\n - CVE-2016-7908: The mcf_fec_do_tx function in hw/net/mcf_fec.c did not\n properly limit the buffer descriptor count when transmitting packets,\n which allowed local guest OS administrators to cause a denial 
of service\n (infinite loop and QEMU process crash) via vectors involving a buffer\n descriptor with a length of 0 and crafted values in bd.flags\n (bsc#1003030)\n - CVE-2016-7909: The pcnet_rdra_addr function in hw/net/pcnet.c allowed\n local guest OS administrators to cause a denial of service (infinite\n loop and QEMU process crash) by setting the (1) receive or (2) transmit\n descriptor ring length to 0 (bsc#1003032)\n\n", "modified": "2016-12-12T13:07:59", "published": "2016-12-12T13:07:59", "id": "SUSE-SU-2016:3083-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00039.html", "type": "suse", "title": "Security update for xen (important)", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2017-01-02T18:05:42", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9637", "CVE-2016-7777", "CVE-2016-9932", "CVE-2016-10013", "CVE-2016-9383", "CVE-2016-8669", "CVE-2016-9380", "CVE-2016-8910", "CVE-2016-8667", "CVE-2016-9381", "CVE-2016-9382", "CVE-2016-10024", "CVE-2016-8909", "CVE-2016-8576", "CVE-2016-9379", "CVE-2016-9386", "CVE-2016-9385", "CVE-2016-7909", "CVE-2016-7908"], "edition": 1, "description": "This updates xen to version 4.4.4_06 to fix the following issues:\n\n - An unprivileged user in a guest could escalate\n privilege to that of the guest kernel, if it could invoke the\n instruction emulator. Only 64-bit x86 HVM guests were affected. Linux\n guests have not been vulnerable. (boo#1016340, CVE-2016-10013)\n - An unprivileged user in a 64 bit x86 guest could gain information from\n the host, crash the host or gain privilege of the host (boo#1009107,\n CVE-2016-9383)\n - An unprivileged guest process could (unintentionally or maliciously)\n obtain\n or corrupt sensitive information of other programs in the same guest.\n Only x86 HVM guests have been affected. The attacker needs to be able\n to trigger the Xen instruction emulator. 
(boo#1000106, CVE-2016-7777)\n - A guest on x86 systems could read small parts of hypervisor stack data\n (boo#1012651, CVE-2016-9932)\n - A malicious guest kernel could hang or crash the host system\n (boo#1014298, CVE-2016-10024)\n - A malicious guest administrator could escalate their privilege to that\n of the host. Only affects x86 HVM guests using qemu older version 1.6.0\n or using the qemu-xen-traditional. (boo#1011652, CVE-2016-9637)\n - An unprivileged guest user could escalate privilege to that of the guest\n administrator on x86 HVM guests, especially on Intel CPUs (boo#1009100,\n CVE-2016-9386)\n - An unprivileged guest user could escalate privilege to that of the guest\n administrator (on AMD CPUs) or crash the system (on Intel CPUs) on\n 32-bit x86 HVM guests. Only guest operating systems that allowed a new\n task to start in VM86 mode were affected. (boo#1009103, CVE-2016-9382)\n - A malicious guest administrator could crash the host on x86 PV guests\n only (boo#1009104, CVE-2016-9385)\n - A malicious guest administrator could get privilege of the host emulator\n process on x86 HVM guests. 
(boo#1009109, CVE-2016-9381)\n - A vulnerability in pygrub allowed a malicious guest administrator to\n obtain the contents of sensitive host files, or even delete those files\n (boo#1009111, CVE-2016-9379, CVE-2016-9380)\n - A privileged guest user could cause an infinite loop in the RTL8139\n ethernet emulation to consume CPU cycles on the host, causing a DoS\n situation (boo#1007157, CVE-2016-8910)\n - A privileged guest user could cause an infinite loop in the intel-hda\n sound emulation to consume CPU cycles on the host, causing a DoS\n situation (boo#1007160, CVE-2016-8909)\n - A privileged guest user could cause a crash of the emulator process on\n the host by exploiting a divide by zero vulnerability of the JAZZ RC4030\n chipset emulation (boo#1005004 CVE-2016-8667)\n - A privileged guest user could cause a crash of the emulator process on\n the host by exploiting a divide by zero issue of the 16550A UART\n emulation (boo#1005005, CVE-2016-8669)\n - A privileged guest user could cause an infinite loop in the USB xHCI\n emulation, causing a DoS situation on the host (boo#1004016,\n CVE-2016-8576)\n - A privileged guest user could cause an infinite loop in the ColdFire\n Fast Ethernet Controller emulation, causing a DoS situation on the host\n (boo#1003030, CVE-2016-7908)\n - A privileged guest user could cause an infinite loop in the AMD PC-Net\n II emulation, causing a DoS situation on the host (boo#1003032,\n CVE-2016-7909)\n - Cause a reload of clvm in the block-dmmd script to avoid a blocking\n lvchange call (boo#1002496)\n - Also unplug SCSI disks in qemu-xen-traditional for upstream unplug\n protocol. Before, a single SCSI storage device added to HVM guests could\n appear multiple times in the guest. 
(boo#953518)\n - Fix a kernel panic / black screen when trying to boot a XEN kernel on\n some UEFI firmwares (boo#1000195)\n\n", "modified": "2017-01-02T13:12:23", "published": "2017-01-02T13:12:23", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00003.html", "id": "OPENSUSE-SU-2017:0008-1", "type": "suse", "title": "Security update for xen (important)", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2017-01-02T18:05:42", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9637", "CVE-2016-9101", "CVE-2016-9776", "CVE-2016-9378", "CVE-2016-7777", "CVE-2016-7995", "CVE-2016-9932", "CVE-2016-10013", "CVE-2016-9383", "CVE-2016-8669", "CVE-2016-9380", "CVE-2016-8910", "CVE-2016-8667", "CVE-2016-9381", "CVE-2016-9382", "CVE-2016-10024", "CVE-2016-8909", "CVE-2016-8576", "CVE-2016-9379", "CVE-2016-9386", "CVE-2016-9385", "CVE-2016-7909", "CVE-2016-9377", "CVE-2016-7908"], "edition": 1, "description": "This updates xen to version 4.5.5 to fix the following issues:\n\n - An unprivileged user in a guest could escalate\n privilege to that of the guest kernel, if it could invoke the\n instruction emulator. Only 64-bit x86 HVM guests were affected. Linux\n guests have not been vulnerable. (boo#1016340, CVE-2016-10013)\n - An unprivileged user in a 64 bit x86 guest could gain information from\n the host, crash the host or gain privilege of the host (boo#1009107,\n CVE-2016-9383)\n - An unprivileged guest process could (unintentionally or maliciously)\n obtain\n or corrupt sensitive information of other programs in the same guest.\n Only x86 HVM guests have been affected. The attacker needs to be able\n to trigger the Xen instruction emulator. 
(boo#1000106, CVE-2016-7777)\n - A guest on x86 systems could read small parts of hypervisor stack data\n (boo#1012651, CVE-2016-9932)\n - A malicious guest kernel could hang or crash the host system\n (boo#1014298, CVE-2016-10024)\n - The epro100 emulated network device caused a memory leak in the host\n when unplugged in the guest. A privileged user in the guest could use\n this to cause a DoS on the host or potentially crash the guest process\n on the host (boo#1013668, CVE-2016-9101)\n - The ColdFire Fast Ethernet Controller was vulnerable to an infinite loop\n that could be triggered by a privileged user in the guest, leading to DoS\n (boo#1013657, CVE-2016-9776)\n - A malicious guest administrator could escalate their privilege to that\n of the host. Only affects x86 HVM guests using qemu older version 1.6.0\n or using the qemu-xen-traditional. (boo#1011652, CVE-2016-9637)\n - An unprivileged guest user could escalate privilege to that of the guest\n administrator on x86 HVM guests, especially on Intel CPUs (boo#1009100,\n CVE-2016-9386)\n - An unprivileged guest user could escalate privilege to that of the guest\n administrator (on AMD CPUs) or crash the system (on Intel CPUs) on\n 32-bit x86 HVM guests. Only guest operating systems that allowed a new\n task to start in VM86 mode were affected. (boo#1009103, CVE-2016-9382)\n - A malicious guest administrator could crash the host on x86 PV guests\n only (boo#1009104, CVE-2016-9385)\n - An unprivileged guest user was able to crash the guest. (boo#1009108,\n CVE-2016-9377, CVE-2016-9378)\n - A malicious guest administrator could get privilege of the host emulator\n process on x86 HVM guests. 
(boo#1009109, CVE-2016-9381)\n - A vulnerability in pygrub allowed a malicious guest administrator to\n obtain the contents of sensitive host files, or even delete those files\n (boo#1009111, CVE-2016-9379, CVE-2016-9380)\n - A privileged guest user could cause an infinite loop in the RTL8139\n ethernet emulation to consume CPU cycles on the host, causing a DoS\n situation (boo#1007157, CVE-2016-8910)\n - A privileged guest user could cause an infinite loop in the intel-hda\n sound emulation to consume CPU cycles on the host, causing a DoS\n situation (boo#1007160, CVE-2016-8909)\n - A privileged guest user could cause a crash of the emulator process on\n the host by exploiting a divide by zero vulnerability of the JAZZ RC4030\n chipset emulation (boo#1005004 CVE-2016-8667)\n - A privileged guest user could cause a crash of the emulator process on\n the host by exploiting a divide by zero issue of the 16550A UART\n emulation (boo#1005005, CVE-2016-8669)\n - A privileged guest user could cause a memory leak in the USB EHCI\n emulation, causing a DoS situation on the host (boo#1003870,\n CVE-2016-7995)\n - A privileged guest user could cause an infinite loop in the USB xHCI\n emulation, causing a DoS situation on the host (boo#1004016,\n CVE-2016-8576)\n - A privileged guest user could cause an infinite loop in the ColdFire\n Fast Ethernet Controller emulation, causing a DoS situation on the host\n (boo#1003030, CVE-2016-7908)\n - A privileged guest user could cause an infinite loop in the AMD PC-Net\n II emulation, causing a DoS situation on the host (boo#1003032,\n CVE-2016-7909)\n - Cause a reload of clvm in the block-dmmd script to avoid a blocking\n lvchange call (boo#1002496)\n\n", "modified": "2017-01-02T13:08:06", "published": "2017-01-02T13:08:06", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00002.html", "id": "OPENSUSE-SU-2017:0007-1", "type": "suse", "title": "Security update for xen (important)", "cvss": {"score": 4.9, 
"vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "gentoo": [{"lastseen": "2017-01-01T02:13:30", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9637", "CVE-2016-9818", "CVE-2016-9378", "CVE-2016-9384", "CVE-2016-9932", "CVE-2016-9383", "CVE-2016-9815", "CVE-2016-9380", "CVE-2016-9816", "CVE-2016-9381", "CVE-2016-9382", "CVE-2016-10024", "CVE-2016-9379", "CVE-2016-9386", "CVE-2016-9385", "CVE-2016-9817", "CVE-2016-9377"], "edition": 1, "description": "### Background\n\nXen is a bare-metal hypervisor.\n\n### Description\n\nMultiple vulnerabilities have been discovered in Xen. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA local attacker could possibly execute arbitrary code with the privileges of the process, could gain privileges on the host system, cause a Denial of Service condition, or obtain sensitive information. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Xen users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-emulation/xen-4.7.1-r4\"\n \n\nAll Xen Tools users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=app-emulation/xen-tools-4.7.1-r4\"\n \n\nAll Xen PvGrub users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=app-emulation/xen-pvgrub-4.7.1-r1\"", "modified": "2016-12-31T00:00:00", "published": "2016-12-31T00:00:00", "href": "https://security.gentoo.org/glsa/201612-56", "id": "GLSA-201612-56", "type": "gentoo", "title": "Xen: Multiple vulnerabilities", "cvss": {"score": 0.0, "vector": "NONE"}}]}