Lucene search
K

82 matches found

Tenable Nessus
Tenable Nessus
added 2016/12/05 12:0 a.m.57 views

FreeBSD : xen-kernel -- guest 32-bit ELF symbol table load leaking host data (5555120d-ba4d-11e6-ae1b-002590263bf5)

The Xen Project reports : Along with their main kernel binary, unprivileged guests may arrange to have their Xen environment load kernel symbol tables for their use. The ELF image metadata created for this purpose has a few unused bytes when the symbol table binary is in 32-bit ELF format. These...

6.5CVSS6.9AI score0.00386EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2016/12/05 12:0 a.m.59 views

FreeBSD : xen-kernel -- x86: Mishandling of instruction pointer truncation during emulation (49211361-ba4d-11e6-ae1b-002590263bf5)

The Xen Project reports : When emulating HVM instructions, Xen uses a small i-cache for fetches from guest memory. The code that handles cache misses does not check if the address from which it fetched lies within the cache before blindly writing to it. As such it is possible for the guest to...

8.2CVSS7.8AI score0.00425EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2016/12/05 12:0 a.m.32 views

FreeBSD : xen-kernel -- x86 64-bit bit test instruction emulation broken (56f0f11e-ba4d-11e6-ae1b-002590263bf5)

The Xen Project reports : The x86 instructions BT, BTC, BTR, and BTS, when used with a destination memory operand and a source register rather than an immediate operand, access a memory location offset from that specified by the memory operand as specified by the high bits of the register source....

8.8CVSS8.1AI score0.00509EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2016/12/05 12:0 a.m.34 views

FreeBSD : xen-kernel -- x86 segment base write emulation lacking canonical address checks (53dbd096-ba4d-11e6-ae1b-002590263bf5)

The Xen Project reports : Both writes to the FS and GS register base MSRs as well as the WRFSBASE and WRGSBASE instructions require their input values to be canonical, or a GP fault will be raised. When the use of those instructions by the hypervisor was enabled, the previous guard against GP...

6CVSS7.1AI score0.00432EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2016/12/05 12:0 a.m.46 views

FreeBSD : xen-kernel -- CR0.TS and CR0.EM not always honored for x86 HVM guests (4d7cf654-ba4d-11e6-ae1b-002590263bf5)

The Xen Project reports : Instructions touching FPU, MMX, or XMM registers are required to raise a Device Not Available Exception NM when either CR0.EM or CR0.TS are set. Their AVX or AVX-512 extensions would consider only CR0.TS. While during normal operation this is ensured by the hardware, if ...

6.3CVSS7.2AI score0.00303EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2016/12/05 12:0 a.m.53 views

FreeBSD : xen-kernel -- x86: Disallow L3 recursive pagetable for 32-bit PV guests (45ca25b5-ba4d-11e6-ae1b-002590263bf5)

The Xen Project reports : On real hardware, a 32-bit PAE guest must leave the USER and RW bit clear in L3 pagetable entries, but the pagetable walk behaves as if they were set. The L3 entries are cached in processor registers, and don't actually form part of the pagewalk. When running a 32-bit PV...

8.2CVSS7.6AI score0.00402EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2016/12/05 12:0 a.m.36 views

FreeBSD : xen-kernel -- x86 HVM: Overflow of sh_ctxt->seg_reg[] (4aae54be-ba4d-11e6-ae1b-002590263bf5)

The Xen Project reports : x86 HVM guests running with shadow paging use a subset of the x86 emulator to handle the guest writing to its own pagetables. There are situations a guest can provoke which result in exceeding the space allocated for internal state. A malicious HVM guest administrator ca...

4.1CVSS6.3AI score0.00392EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2016/12/05 12:0 a.m.48 views

FreeBSD : xen-kernel -- use after free in FIFO event channel code (4bf57137-ba4d-11e6-ae1b-002590263bf5)

The Xen Project reports : When the EVTCHNOPinitcontrol operation is called with a bad guest frame number, it takes an error path which frees a control structure without also clearing the corresponding pointer. Certain subsequent operations EVTCHNOPexpandarray or another EVTCHNOPinitcontrol, upon...

7.2CVSS7.6AI score0.00502EPSS
Exploits0References4
FreeBSD
FreeBSD
added 2016/11/22 12:0 a.m.27 views

xen-kernel -- x86 task switch to VM86 mode mis-handled

The Xen Project reports: LDTR, just like TR, is purely a protected mode facility. Hence even when switching to a VM86 mode task, LDTR loading needs to follow protected mode semantics. This was violated by the code. On SVM AMD hardware: a malicious unprivileged guest process can escalate its...

7.8CVSS1.2AI score0.00452EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2016/08/02 12:0 a.m.32 views

FreeBSD : xen-kernel -- x86: Privilege escalation in PV guests (032aa524-5854-11e6-b334-002590263bf5) (Bunker Buster)

The Xen Project reports : The PV pagetable code has fast-paths for making updates to pre-existing pagetable entries, to skip expensive re-validation in safe cases e.g. clearing only Access/Dirty bits. The bits considered safe were too broad, and not actually safe. A malicious PV guest administrat...

8.8CVSS7.4AI score0.004EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2016/08/02 12:0 a.m.29 views

FreeBSD : xen-kernel -- x86: Missing SMAP whitelisting in 32-bit exception / event delivery (04cf89e3-5854-11e6-b334-002590263bf5)

The Xen Project reports : Supervisor Mode Access Prevention is a hardware feature designed to make an Operating System more robust, by raising a pagefault rather than accidentally following a pointer into userspace. However, legitimate accesses into userspace require whitelisting, and the excepti...

6.2CVSS7AI score0.00639EPSS
Exploits0References4
FreeBSD
FreeBSD
added 2016/07/26 12:0 a.m.45 views

xen-kernel -- x86: Missing SMAP whitelisting in 32-bit exception / event delivery

The Xen Project reports: Supervisor Mode Access Prevention is a hardware feature designed to make an Operating System more robust, by raising a pagefault rather than accidentally following a pointer into userspace. However, legitimate accesses into userspace require whitelisting, and the exceptio...

6.2CVSS2.5AI score0.00639EPSS
Exploits0References1
BDU FSTEC
BDU FSTEC
added 2016/07/07 12:0 a.m.7 views

Vulnerabilities in the Debian GNU/Linux operating system that allow a remote attacker to compromise the confidentiality, integrity, and accessibility of protected information

The Linux-modules-2.6.26-1-xen-686 package from the Debian GNU/Linux operating system has multiple vulnerabilities. Exploitation of these vulnerabilities may lead to breaches of confidentiality, integrity, and accessibility of protected information. These vulnerabilities can be exploited remotely...

10CVSS5.8AI score0.1673EPSS
Exploits12References23Affected Software1
BDU FSTEC
BDU FSTEC
added 2016/07/06 12:0 a.m.4 views

Vulnerabilities of the Debian GNU/Linux operating system that allow a remote attacker to compromise the accessibility of protected information

The Linux-image-2.6.26-2-xen-686 package from the Debian GNU/Linux operating system has multiple vulnerabilities. Exploitation of these vulnerabilities may lead to a violation of the accessibility of protected information. These vulnerabilities can be exploited remotely...

7.8CVSS6.8AI score0.21402EPSS
Exploits19References27Affected Software1
BDU FSTEC
BDU FSTEC
added 2016/07/06 12:0 a.m.5 views

Vulnerabilities of the Debian GNU/Linux operating system that allow a remote attacker to compromise the accessibility of protected information

The Linux-modules-2.6.26-2-xen-686 package from the Debian GNU/Linux operating system has multiple vulnerabilities. Exploitation of these vulnerabilities may result in a violation of the accessibility of protected information. These vulnerabilities can be exploited remotely...

7.8CVSS6.8AI score0.21402EPSS
Exploits19References27Affected Software1
Tenable Nessus
Tenable Nessus
added 2016/07/05 12:0 a.m.32 views

FreeBSD : xen-kernel -- x86 software guest page walk PS bit handling flaw (e43b210a-4212-11e6-942d-bc5ff45d0f28)

The Xen Project reports : The Page Size PS page table entry bit exists at all page table levels other than L1. Its meaning is reserved in L4, and conditionally reserved in L3 and L2 depending on hardware capabilities. The software page table walker in the hypervisor, however, so far ignored that...

8.4CVSS8AI score0.00542EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2016/07/05 12:0 a.m.30 views

FreeBSD : xen-kernel -- x86 shadow pagetables: address width overflow (d51ced72-4212-11e6-942d-bc5ff45d0f28)

The Xen Project reports : In the x86 shadow pagetable code, the guest frame number of a superpage mapping is stored in a 32-bit field. If a shadowed guest can cause a superpage mapping of a guest-physical address at or above 2^44 to be shadowed, the top bits of the address will be lost, causing a...

8.8CVSS7.8AI score0.00455EPSS
Exploits0References3
FreeBSD
FreeBSD
added 2016/05/17 12:0 a.m.38 views

xen-kernel -- x86 software guest page walk PS bit handling flaw

The Xen Project reports: The Page Size PS page table entry bit exists at all page table levels other than L1. Its meaning is reserved in L4, and conditionally reserved in L3 and L2 depending on hardware capabilities. The software page table walker in the hypervisor, however, so far ignored that b...

8.4CVSS1.4AI score0.00542EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2016/02/29 12:0 a.m.35 views

FreeBSD : xen-kernel -- VMX: intercept issue with INVLPG on non-canonical address (80adc394-ddaf-11e5-b2bd-002590263bf5)

The Xen Project reports : While INVLPG does not cause a General Protection Fault when used on a non-canonical address, INVVPID in its 'individual address' variant, which is used to back the intercepted INVLPG in certain cases, fails in such cases. Failure of INVVPID results in a hypervisor bug...

6.3CVSS7.1AI score0.01277EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2016/02/29 12:0 a.m.43 views

FreeBSD : xen-kernel -- VMX: guest user mode may crash guest with non-canonical RIP (81f9d6a4-ddaf-11e5-b2bd-002590263bf5)

The Xen Project reports : VMX refuses attempts to enter a guest with an instruction pointer which doesn't satisfy certain requirements. In particular, the instruction pointer needs to be canonical when entering a guest currently in 64-bit mode. This is the case even if the VM entry information...

5.5CVSS6.9AI score0.00391EPSS
Exploits0References3
Rows per page
Query Builder