Missing privilege level checks in x86 emulation of far branches
2014-11-18T12:00:00
ID XSA-110 Type xen Reporter Xen Project Modified 2014-11-18T12:23:00
Description
ISSUE DESCRIPTION
The emulation of far branch instructions (CALL, JMP, and RETF in Intel assembly syntax, LCALL, LJMP, and LRET in AT&T assembly syntax) incompletely performs privilege checks.
However these instructions are not usually handled by the emulator. Exceptions to this are
- when a memory operand lives in (emulated or passed through) memory mapped IO space,
- in the case of guests running in 32-bit PAE mode, when such an instruction is (in execution flow) within four instructions of one doing a page table update,
- when an Invalid Opcode exception gets raised by a guest instruction, and the guest then (likely maliciously) alters the instruction to become one of the affected ones,
- when the guest is in real mode (in which case there are no privilege checks anyway).
IMPACT
Malicious HVM guest user mode code may be able to elevate its privileges to guest supervisor mode, or to crash the guest.
VULNERABLE SYSTEMS
Xen 3.2.1 and onward are vulnerable on x86 systems.
ARM systems are not vulnerable.
Only user processes in x86 HVM guests can take advantage of this vulnerability.
{"enchantments": {"vulnersScore": 7.2}, "published": "2014-11-18T12:00:00", "id": "XSA-110", "modified": "2014-11-18T12:23:00", "edition": 1, "reporter": "Xen Project", "history": [], "description": "#### ISSUE DESCRIPTION\nThe emulation of far branch instructions (CALL, JMP, and RETF in Intel assembly syntax, LCALL, LJMP, and LRET in AT&T assembly syntax) incompletely performs privilege checks.\nHowever these instructions are not usually handled by the emulator. Exceptions to this are\n- when a memory operand lives in (emulated or passed through) memory mapped IO space,\n- in the case of guests running in 32-bit PAE mode, when such an instruction is (in execution flow) within four instructions of one doing a page table update,\n- when an Invalid Opcode exception gets raised by a guest instruction, and the guest then (likely maliciously) alters the instruction to become one of the affected ones,\n- when the guest is in real mode (in which case there are no privilege checks anyway).\n#### IMPACT\nMalicious HVM guest user mode code may be able to elevate its privileges to guest supervisor mode, or to crash the guest.\n#### VULNERABLE SYSTEMS\nXen 3.2.1 and onward are vulnerable on x86 systems.\nARM systems are not vulnerable.\nOnly user processes in x86 HVM guests can take advantage of this vulnerability.\n", "bulletinFamily": "software", "viewCount": 0, "cvelist": ["CVE-2014-8595"], "affectedSoftware": [{"version": "3.2.1", "name": "Xen", "operator": "ge"}], "type": "xen", "hash": "4fed16da291e312e8e5edd28b72dca9a95ecf31d19e96a3f50147a51398bd6e3", "references": [], "title": "Missing privilege level checks in x86 emulation of far branches", "href": "http://xenbits.xen.org/xsa/advisory-110.html", "lastseen": "2016-09-04T11:24:07", "objectVersion": "1.2", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}
{"result": {"cve": [{"id": "CVE-2014-8595", "type": "cve", "title": "CVE-2014-8595", "description": "arch/x86/x86_emulate/x86_emulate.c in Xen 3.2.1 through 4.4.x does not properly check privileges, which allows local HVM guest users to gain privileges or cause a denial of service (crash) via a crafted (1) CALL, (2) JMP, (3) RETF, (4) LCALL, (5) LJMP, or (6) LRET far branch instruction.", "published": "2014-11-19T13:59:11", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8595", "cvelist": ["CVE-2014-8595"], "lastseen": "2017-11-15T11:55:36"}], "nessus": [{"id": "ORACLEVM_OVMSA-2015-0096.NASL", "type": "nessus", "title": "OracleVM 3.2 : xen (OVMSA-2015-0096)", "description": "The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2015-0096 for details.", "published": "2015-07-28T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=85038", "cvelist": ["CVE-2014-8595", "CVE-2015-5154", "CVE-2015-2152"], "lastseen": "2017-10-29T13:37:33"}, {"id": "FEDORA_2014-15503.NASL", "type": "nessus", "title": "Fedora 19 : xen-4.2.5-5.fc19 (2014-15503)", "description": "Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling Insufficient restrictions on certain MMU update hypercalls, Missing privilege level checks in x86 emulation of far branches, Add fix for CVE-2014-0150 to qemu-dm, though it probably isn't exploitable from xen\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2014-12-02T00:00:00", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=79651", "cvelist": ["CVE-2014-8595", "CVE-2014-8594", "CVE-2014-0150", "CVE-2014-9030"], "lastseen": "2017-10-29T13:40:13"}, {"id": "FEDORA_2014-15951.NASL", "type": "nessus", "title": "Fedora 21 : xen-4.4.1-9.fc21 (2014-15951)", "description": "Excessive checking in compatibility mode hypercall argument translation, Insufficient bounding of 'REP MOVS' to MMIO emulated inside the hypervisor, fix segfaults and failures in xl migrate\n--debug Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling Insufficient restrictions on certain MMU update hypercalls, Missing privilege level checks in x86 emulation of far branches, Add fix for CVE-2014-0150 to qemu-dm, though it probably isn't exploitable from xen\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2014-12-15T00:00:00", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=79902", "cvelist": ["CVE-2014-8595", "CVE-2014-8594", "CVE-2014-0150", "CVE-2014-9030"], "lastseen": "2017-10-29T13:44:09"}, {"id": "SUSE_11_XEN-11SP3-2014-11-26-141127.NASL", "type": "nessus", "title": "SuSE 11.3 Security Update : Xen (SAT Patch Number 10018)", "description": "Xen has been updated to version 4.2.5 with additional patches to fix six security issues :\n\n - Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling. (CVE-2014-9030)\n\n - Insufficient bounding of 'REP MOVS' to MMIO emulated inside the hypervisor. (CVE-2014-8867)\n\n - Excessive checking in compatibility mode hypercall argument translation. (CVE-2014-8866)\n\n - Guest user mode triggerable VM exits not handled by hypervisor. (bnc#903850)\n\n - Missing privilege level checks in x86 emulation of far branches. (CVE-2014-8595)\n\n - Insufficient restrictions on certain MMU update hypercalls (CVE-2014-8594). These non-security issues have been fixed :\n\n - Xen save/restore of HVM guests cuts off disk and networking. (bnc#866902)\n\n - Windows 2012 R2 fails to boot up with greater than 60 vcpus. (bnc#882089)\n\n - Increase limit domUloader to 32MB. (bnc#901317)\n\n - Adjust xentop column layout. (bnc#896023)", "published": "2014-12-26T00:00:00", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=80254", "cvelist": ["CVE-2014-8866", "CVE-2014-8595", "CVE-2014-8867", "CVE-2014-8594", "CVE-2014-9030"], "lastseen": "2017-10-29T13:44:31"}, {"id": "FEDORA_2014-15521.NASL", "type": "nessus", "title": "Fedora 20 : xen-4.3.3-5.fc20 (2014-15521)", "description": "Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling Insufficient restrictions on certain MMU update hypercalls, Missing privilege level checks in x86 emulation of far branches, Add fix for CVE-2014-0150 to qemu-dm, though it probably isn't exploitable from xen\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2014-12-02T00:00:00", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=79652", "cvelist": ["CVE-2014-8595", "CVE-2014-8594", "CVE-2014-0150", "CVE-2014-9030"], "lastseen": "2017-10-29T13:41:29"}, {"id": "DEBIAN_DSA-3140.NASL", "type": "nessus", "title": "Debian DSA-3140-1 : xen - security update", "description": "Multiple security issues have been discovered in the Xen virtualisation solution which may result in denial of service, information disclosure or privilege escalation.\n\n - CVE-2014-8594 Roger Pau Monne and Jan Beulich discovered that incomplete restrictions on MMU update hypercalls may result in privilege escalation.\n\n - CVE-2014-8595 Jan Beulich discovered that missing privilege level checks in the x86 emulation of far branches may result in privilege escalation.\n\n - CVE-2014-8866 Jan Beulich discovered that an error in compatibility mode hypercall argument translation may result in denial of service.\n\n - CVE-2014-8867 Jan Beulich discovered that an insufficient restriction in acceleration support for the 'REP MOVS' instruction may result in denial of service.\n\n - CVE-2014-9030 Andrew Cooper discovered a page reference leak in MMU_MACHPHYS_UPDATE handling, resulting in denial of service.", "published": "2015-01-28T00:00:00", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=81027", "cvelist": ["CVE-2014-8866", "CVE-2014-8595", "CVE-2014-8867", "CVE-2014-8594", "CVE-2014-9030"], "lastseen": "2017-10-29T13:45:41"}, {"id": "CITRIX_XENSERVER_CTX200288.NASL", "type": "nessus", "title": "Citrix XenServer Multiple Vulnerabilities (CTX200288)", "description": "The remote host is running a version of Citrix XenServer that is affected by multiple vulnerabilities :\n\n - A local privilege escalation vulnerability exists due to improperly restricted access to 'PHYSDEVOP_{prepare,release}_msix' operations by unprivileged guests. An attacker with access to a guest operating system can exploit this issue to gain elevated privileges on affected computers. (CVE-2014-1666)\n\n - A local privilege escalation vulnerability exists due to missing privilege level checks in x86 emulation of far branches. This flaw exists in the CALL, JMP, and RETF instructions in the Intel assembly syntax, and the LCALL, LJMP, and LRET instructions in the AT&T syntax.\n An attacker with access to a guest operating system can exploit this issue to gain elevated privileges on affected computers. (CVE-2014-8595)\n\n - A denial of service vulnerability exists due to a failure to restrict access to the hypercall argument translation feature. An attacker with access to a guest operating system can crash the host with excessive checks on the final register state for 32-bit guests running on a 64-bit hypervisor. (CVE-2014-8866)\n\n - A denial of service vulnerability exists due to insufficient bounding of 'REP MOVS' to MMIO emulated inside of the hypervisor. This flaw affects the 'hvm_mmio_intercept()' function in 'intercept.c'. An attacker with access to a guest operating system can exploit this issue to crash the host.\n (CVE-2014-8867)", "published": "2014-12-05T00:00:00", "cvss": {"score": 8.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=79745", "cvelist": ["CVE-2014-8866", "CVE-2014-8595", "CVE-2014-8867", "CVE-2014-1666"], "lastseen": "2017-10-29T13:38:23"}, {"id": "SUSE_SU-2014-1732-1.NASL", "type": "nessus", "title": "SUSE SLES11 Security Update : xen (SUSE-SU-2014:1732-1)", "description": "xen was updated to fix 10 security issues :\n\n - Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling (CVE-2014-9030).\n\n - Insufficient bounding of 'REP MOVS' to MMIO emulated inside the hypervisor (CVE-2014-8867).\n\n - Missing privilege level checks in x86 emulation of far branches (CVE-2014-8595).\n\n - Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation (CVE-2014-7155).\n\n - Hypervisor heap contents leaked to guests (CVE-2014-4021).\n\n - Missing privilege level checks in x86 emulation of far branches (CVE-2014-8595).\n\n - Insufficient restrictions on certain MMU update hypercalls (CVE-2014-8594).\n\n - Intel VT-d Interrupt Remapping engines can be evaded by native NMI interrupts (CVE-2013-3495).\n\n - Missing privilege level checks in x86 emulation of software interrupts (CVE-2014-7156).\n\n - Race condition in HVMOP_track_dirty_vram (CVE-2014-7154).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2015-05-20T00:00:00", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=83659", "cvelist": ["CVE-2013-3495", "CVE-2014-4021", "CVE-2014-8595", "CVE-2014-8867", "CVE-2014-8594", "CVE-2014-7156", "CVE-2014-9030", "CVE-2014-7155", "CVE-2014-7154"], "lastseen": "2017-10-29T13:43:30"}, {"id": "SUSE_SU-2014-1691-1.NASL", "type": "nessus", "title": "SUSE SLES10 Security Update : Xen (SUSE-SU-2014:1691-1)", "description": "Xen has been updated to fix six security issues :\n\n - Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling (CVE-2014-9030).\n\n - Insufficient bounding of 'REP MOVS' to MMIO emulated inside the hypervisor (CVE-2014-8867).\n\n - Missing privilege level checks in x86 emulation of far branches (CVE-2014-8595).\n\n - Guest user mode triggerable VM exits not handled by hypervisor (bnc#903850).\n\n - Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation (CVE-2014-7155).\n\n - Hypervisor heap contents leaked to guests (CVE-2014-4021).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2015-05-20T00:00:00", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=83651", "cvelist": ["CVE-2014-8866", "CVE-2014-4021", "CVE-2014-8595", "CVE-2014-8867", "CVE-2014-8594", "CVE-2014-9030", "CVE-2014-7155"], "lastseen": "2017-10-29T13:42:18"}, {"id": "ORACLEVM_OVMSA-2015-0004.NASL", "type": "nessus", "title": "OracleVM 3.3 : xen (OVMSA-2015-0004)", "description": "The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2015-0004 for details.", "published": "2015-01-23T00:00:00", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=80928", "cvelist": ["CVE-2014-5146", "CVE-2014-9065", "CVE-2014-8866", "CVE-2014-4021", "CVE-2014-8595", "CVE-2014-8867", "CVE-2014-9066", "CVE-2014-5149"], "lastseen": "2017-10-29T13:35:25"}], "openvas": [{"id": "OPENVAS:1361412562310703140", "type": "openvas", "title": "Debian Security Advisory DSA 3140-1 (xen - security update)", "description": "Multiple security issues have\nbeen discovered in the Xen virtualisation solution which may result in\ndenial of service, information disclosure or privilege escalation.\n\nCVE-2014-8594\nRoger Pau Monne and Jan Beulich discovered that incomplete\nrestrictions on MMU update hypercalls may result in privilege\nescalation.\n\nCVE-2014-8595\nJan Beulich discovered that missing privilege level checks in the\nx86 emulation of far branches may result in privilege escalation.\n\nCVE-2014-8866\nJan Beulich discovered that an error in compatibility mode hypercall\nargument translation may result in denial of service.\n\nCVE-2014-8867Jan Beulich discovered that an insufficient restriction in\nacceleration support for the REP MOVS\ninstruction may result in\ndenial of service.\n\nCVE-2014-9030\nAndrew Cooper discovered a page reference leak in MMU_MACHPHYS_UPDATE\nhandling, resulting in denial of service.", "published": "2015-01-27T00:00:00", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703140", "cvelist": ["CVE-2014-8866", "CVE-2014-8595", "CVE-2014-8867", "CVE-2014-8594", "CVE-2014-9030"], "lastseen": "2018-04-06T11:29:48"}, {"id": "OPENVAS:1361412562310105147", "type": "openvas", "title": "Citrix XenServer Multiple Security Updates (CTX200288)", "description": "A number of security vulnerabilities have been identified in Citrix XenServer.\nThese vulnerabilities could, if exploited, allow unprivileged code in an HVM guest to gain privileged execution\nwithin that guest and also allow privileged code within a PV or HVM guest to crash the host or other guests.\n\nThe following vulnerabilities have been addressed:\n\n- CVE-2014-8595: Missing privilege level checks in x86 emulation of far branches\n- CVE-2014-8866: Excessive checking in compatibility mode hypercall argument translation\n- CVE-2014-8867: Insufficient bounding of `REP MOVS` to MMIO emulated inside the hypervisor\n- CVE-2014-1666: PHYSDEVOP_{prepare,release}_msix exposed to unprivileged guests", "published": "2014-12-18T00:00:00", "cvss": {"score": 8.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105147", "cvelist": ["CVE-2014-8866", "CVE-2014-8595", "CVE-2014-8867", "CVE-2014-1666"], "lastseen": "2017-08-31T16:16:00"}, {"id": "OPENVAS:703140", "type": "openvas", "title": "Debian Security Advisory DSA 3140-1 (xen - security update)", "description": "Multiple security issues have\nbeen discovered in the Xen virtualisation solution which may result in\ndenial of service, information disclosure or privilege escalation.\n\nCVE-2014-8594\nRoger Pau Monne and Jan Beulich discovered that incomplete\nrestrictions on MMU update hypercalls may result in privilege\nescalation.\n\nCVE-2014-8595\nJan Beulich discovered that missing privilege level checks in the\nx86 emulation of far branches may result in privilege escalation.\n\nCVE-2014-8866\nJan Beulich discovered that an error in compatibility mode hypercall\nargument translation may result in denial of service.\n\nCVE-2014-8867Jan Beulich discovered that an insufficient restriction in\nacceleration support for the REP MOVS\ninstruction may result in\ndenial of service.\n\nCVE-2014-9030\nAndrew Cooper discovered a page reference leak in MMU_MACHPHYS_UPDATE\nhandling, resulting in denial of service.", "published": "2015-01-27T00:00:00", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=703140", "cvelist": ["CVE-2014-8866", "CVE-2014-8595", "CVE-2014-8867", "CVE-2014-8594", "CVE-2014-9030"], "lastseen": "2017-07-24T12:53:55"}, {"id": "OPENVAS:1361412562310868797", "type": "openvas", "title": "Fedora Update for xen FEDORA-2014-15951", "description": "Check the version of xen", "published": "2015-01-05T00:00:00", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868797", "cvelist": ["CVE-2014-8866", "CVE-2014-8595", "CVE-2014-8867", "CVE-2014-8594", "CVE-2014-0150", "CVE-2014-9030"], "lastseen": "2017-07-25T10:52:54"}, {"id": "OPENVAS:1361412562310851016", "type": "openvas", "title": "SuSE Update for xen SUSE-SU-2015:0022-1 (xen)", "description": "Check the version of xen", "published": "2015-10-16T00:00:00", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851016", "cvelist": ["CVE-2014-5146", "CVE-2013-3495", "CVE-2014-8866", "CVE-2014-8595", "CVE-2014-8867", "CVE-2014-8594", "CVE-2014-5149", "CVE-2014-9030"], "lastseen": "2017-12-12T11:15:22"}, {"id": "OPENVAS:1361412562310868930", "type": "openvas", "title": "Fedora Update for xen FEDORA-2015-0331", "description": "Check the version of xen", "published": "2015-01-18T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868930", "cvelist": ["CVE-2014-9065", "CVE-2014-8866", "CVE-2014-8595", "CVE-2014-8867", "CVE-2015-0361", "CVE-2014-8594", "CVE-2014-0150", "CVE-2014-9030"], "lastseen": "2017-07-25T10:52:50"}, {"id": "OPENVAS:1361412562310850677", "type": "openvas", "title": "SuSE Update for xen openSUSE-SU-2015:0256-1 (xen)", "description": "Check the version of xen", "published": "2015-09-18T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850677", "cvelist": ["CVE-2014-5146", "CVE-2014-9065", "CVE-2013-3495", "CVE-2014-8866", "CVE-2014-8595", "CVE-2014-8867", "CVE-2015-0361", "CVE-2014-8594", "CVE-2014-9066", "CVE-2014-5149", "CVE-2014-9030"], "lastseen": "2017-12-12T11:16:08"}, {"id": "OPENVAS:1361412562310869121", "type": "openvas", "title": "Fedora Update for xen FEDORA-2015-3944", "description": "Check the version of xen", "published": "2015-03-24T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869121", "cvelist": ["CVE-2014-9065", "CVE-2015-2044", "CVE-2014-8866", "CVE-2014-8595", "CVE-2014-8867", "CVE-2015-0361", "CVE-2014-8594", "CVE-2015-2045", "CVE-2014-0150", "CVE-2015-2151", "CVE-2014-9030", "CVE-2015-1563", "CVE-2015-2152"], "lastseen": "2017-07-25T10:53:45"}, {"id": "OPENVAS:1361412562310850634", "type": "openvas", "title": "SuSE Update for xen openSUSE-SU-2015:0226-1 (xen)", "description": "Check the version of xen", "published": "2015-02-07T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850634", "cvelist": ["CVE-2014-5146", "CVE-2014-9065", "CVE-2013-3495", "CVE-2014-8866", "CVE-2014-8595", "CVE-2014-8867", "CVE-2015-0361", "CVE-2014-8594", "CVE-2014-9066", "CVE-2014-5149", "CVE-2014-9030"], "lastseen": "2017-12-12T11:15:52"}, {"id": "OPENVAS:1361412562310869402", "type": "openvas", "title": "Fedora Update for xen FEDORA-2015-8270", "description": "Check the version of xen", "published": "2015-06-09T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869402", "cvelist": ["CVE-2014-9065", "CVE-2015-2044", "CVE-2015-3340", "CVE-2014-8866", "CVE-2014-8595", "CVE-2014-8867", "CVE-2015-0361", "CVE-2014-8594", "CVE-2015-2045", "CVE-2014-0150", "CVE-2015-2752", "CVE-2015-3456", "CVE-2015-2151", "CVE-2015-2751", "CVE-2015-2756", "CVE-2014-9030", "CVE-2015-1563", "CVE-2015-2152"], "lastseen": "2017-07-25T10:53:13"}], "debian": [{"id": "DSA-3140", "type": "debian", "title": "xen -- security update", "description": "Multiple security issues have been discovered in the Xen virtualisation solution which may result in denial of service, information disclosure or privilege escalation.\n\n * [CVE-2014-8594](<https://security-tracker.debian.org/tracker/CVE-2014-8594>)\n\nRoger Pau Monne and Jan Beulich discovered that incomplete restrictions on MMU update hypercalls may result in privilege escalation.\n\n * [CVE-2014-8595](<https://security-tracker.debian.org/tracker/CVE-2014-8595>)\n\nJan Beulich discovered that missing privilege level checks in the x86 emulation of far branches may result in privilege escalation.\n\n * [CVE-2014-8866](<https://security-tracker.debian.org/tracker/CVE-2014-8866>)\n\nJan Beulich discovered that an error in compatibility mode hypercall argument translation may result in denial of service.\n\n * [CVE-2014-8867](<https://security-tracker.debian.org/tracker/CVE-2014-8867>)\n\nJan Beulich discovered that an insufficient restriction in acceleration support for the REP MOVS instruction may result in denial of service.\n\n * [CVE-2014-9030](<https://security-tracker.debian.org/tracker/CVE-2014-9030>)\n\nAndrew Cooper discovered a page reference leak in MMU_MACHPHYS_UPDATE handling, resulting in denial of service.\n\nFor the stable distribution (wheezy), these problems have been fixed in version 4.1.4-3+deb7u4.\n\nFor the upcoming stable distribution (jessie), these problems have been fixed in version 4.4.1-4.\n\nFor the unstable distribution (sid), these problems have been fixed in version 4.4.1-4.\n\nWe recommend that you upgrade your xen packages.", "published": "2015-01-27T00:00:00", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-3140", "cvelist": ["CVE-2014-8866", "CVE-2014-8595", "CVE-2014-8867", "CVE-2014-8594", "CVE-2014-9030"], "lastseen": "2016-09-02T18:37:20"}], "suse": [{"id": "SUSE-SU-2015:0022-1", "type": "suse", "title": "Security update for xen (important)", "description": "xen was updated to fix nine security issues.\n\n These security issues were fixed:\n - Guest affectable page reference leak in MMU_MACHPHYS_UPDATE handling\n (CVE-2014-9030).\n - Insufficient bounding of "REP MOVS" to MMIO emulated inside the\n hypervisor (CVE-2014-8867).\n - Excessive checking in compatibility mode hypercall argument translation\n (CVE-2014-8866).\n - Guest user mode triggerable VM exits not handled by hypervisor\n (bnc#9038500).\n - Missing privilege level checks in x86 emulation of far branches\n (CVE-2014-8595).\n - Insufficient restrictions on certain MMU update hypercalls\n (CVE-2014-8594).\n - Long latency virtual-mmu operations are not preemptible (CVE-2014-5146,\n CVE-2014-5149).\n - Intel VT-d Interrupt Remapping engines can be evaded by native NMI\n interrupts (CVE-2013-3495).\n\n These non-security issues were fixed:\n - Corrupted save/restore test leaves orphaned data in xenstore\n (bnc#903357).\n - Temporary migration name is not cleaned up after migration (bnc#903359).\n - Xen save/restore of HVM guests cuts off disk and networking\n (bnc#866902).\n - increase limit domUloader to 32MB (bnc#901317).\n - XEN Host crashes when assigning non-VF device (SR-IOV) to guest\n (bnc#898772).\n - Windows 2012 R2 fails to boot up with greater than 60 vcpus (bnc#882089).\n - Restrict requires on grub2-x86_64-xen to x86_64 hosts\n - Change default dump directory (bsc#900292).\n - Update xen2libvirt.py to better detect and handle file formats\n - libxc: check return values on mmap() and madvise() on\n xc_alloc_hypercall_buffer() (bnc#897906).\n - Bug `xen-tools` uninstallable; grub2-x86_64-xen dependency not available\n (bnc#897614).\n - Adjust xentop column layout (bnc#896023).\n\n", "published": "2015-01-09T12:04:44", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00003.html", "cvelist": ["CVE-2014-5146", "CVE-2013-3495", "CVE-2014-8866", "CVE-2014-8595", "CVE-2014-8867", "CVE-2014-8594", "CVE-2014-5149", "CVE-2014-9030"], "lastseen": "2016-09-04T12:09:51"}, {"id": "OPENSUSE-SU-2015:0256-1", "type": "suse", "title": "Security update for xen (important)", "description": "The XEN virtualization was updated to fix bugs and security issues:\n\n Security issues fixed: CVE-2015-0361: XSA-116: xen: xen crash due to use\n after free on hvm guest teardown\n\n CVE-2014-9065, CVE-2014-9066: XSA-114: xen: p2m lock starvation\n\n CVE-2014-9030: XSA-113: Guest effectable page reference leak in\n MMU_MACHPHYS_UPDATE handling\n\n CVE-2014-8867: XSA-112: xen: Insufficient bounding of "REP MOVS" to MMIO\n emulated inside the hypervisor\n\n CVE-2014-8866: XSA-111: xen: Excessive checking in compatibility mode\n hypercall argument translation\n\n CVE-2014-8595: XSA-110: xen: Missing privilege level checks in x86\n emulation of far branches\n\n CVE-2014-8594: XSA-109: xen: Insufficient restrictions on certain MMU\n update hypercalls\n\n CVE-2013-3495: XSA-59: xen: Intel VT-d Interrupt Remapping engines can be\n evaded by native NMI interrupts\n\n CVE-2014-5146, CVE-2014-5149: xen: XSA-97 Long latency virtual-mmu\n operations are not preemptible\n\n Bugs fixed:\n - Restore missing fixes from block-dmmd script\n\n - bnc#904255 - XEN boot hangs in early boot on UEFI system\n\n - Fix missing banner by restoring figlet program\n\n - bnc#903357 - Corrupted save/restore test leaves orphaned data in xenstore\n\n - bnc#903359 - Temporary migration name is not cleaned up after migration\n\n - bnc#903850 - Xen: guest user mode triggerable VM exits not handled by\n hypervisor\n\n - bnc#866902 - Xen save/restore of HVM guests cuts off disk and networking\n\n - bnc#901317 - increase limit domUloader to 32MB\n\n - bnc#898772 - SLES 12 RC3 - XEN Host crashes when assigning non-VF device\n (SR-IOV) to guest\n\n - bnc#882089 - Windows 2012 R2 fails to boot up with greater than 60 vcpus\n\n - bsc#900292 - xl: change default dump directory\n\n - Update xen2libvirt.py to better detect and handle file formats\n\n - bnc#882089 - Windows 2012 R2 fails to boot up with greater than 60 vcpus\n\n\n - bnc#897906 - libxc: check return values on mmap() and madvise()\n on xc_alloc_hypercall_buffer()\n\n - bnc#896023 - Adjust xentop column layout\n\n", "published": "2015-02-11T15:05:20", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00010.html", "cvelist": ["CVE-2014-5146", "CVE-2014-9065", "CVE-2013-3495", "CVE-2014-8866", "CVE-2014-8595", "CVE-2014-8867", "CVE-2015-0361", "CVE-2014-8594", "CVE-2014-9066", "CVE-2014-5149", "CVE-2014-9030"], "lastseen": "2016-09-04T12:09:51"}, {"id": "OPENSUSE-SU-2015:0226-1", "type": "suse", "title": "Security update for xen (important)", "description": "The virtualization software XEN was updated to version 4.3.3 and also to\n fix bugs and security issues.\n\n Security issues fixed: CVE-2015-0361: XSA-116: xen: xen crash due to use\n after free on hvm guest teardown\n\n CVE-2014-9065, CVE-2014-9066: XSA-114: xen: p2m lock starvation\n\n CVE-2014-9030: XSA-113: Guest effectable page reference leak in\n MMU_MACHPHYS_UPDATE handling\n\n CVE-2014-8867: XSA-112: xen: Insufficient bounding of "REP MOVS" to MMIO\n emulated inside the hypervisor\n\n CVE-2014-8866: XSA-111: xen: Excessive checking in compatibility mode\n hypercall argument translation\n\n CVE-2014-8595: XSA-110: xen: Missing privilege level checks in x86\n emulation of far branches\n\n CVE-2014-8594: XSA-109: xen: Insufficient restrictions on certain MMU\n update hypercalls\n\n CVE-2013-3495: XSA-59: xen: Intel VT-d Interrupt Remapping engines can be\n evaded by native NMI interrupts\n\n CVE-2014-5146, CVE-2014-5149: xen: XSA-97 Long latency virtual-mmu\n operations are not preemptible\n\n Bugs fixed:\n - bnc#903357 - Corrupted save/restore test leaves orphaned data in xenstore\n\n - bnc#903359 - Temporary migration name is not cleaned up after migration\n\n - bnc#903850 - VUL-0: Xen: guest user mode triggerable VM exits not\n handled by hypervisor\n\n - bnc#866902 - L3: Xen save/restore of HVM guests cuts off disk and\n networking\n\n - bnc#901317 - L3: increase limit domUloader to 32MB domUloader.py\n\n - bnc#882089 - Windows 2012 R2 fails to boot up with greater than 60 vcpus\n\n - bsc#900292 - xl: change default dump directory\n\n - Update to Xen 4.3.3\n\n", "published": "2015-02-06T11:05:09", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00005.html", "cvelist": ["CVE-2014-5146", "CVE-2014-9065", "CVE-2013-3495", "CVE-2014-8866", "CVE-2014-8595", "CVE-2014-8867", "CVE-2015-0361", "CVE-2014-8594", "CVE-2014-9066", "CVE-2014-5149", "CVE-2014-9030"], "lastseen": "2016-09-04T12:45:45"}], "gentoo": [{"id": "GLSA-201504-04", "type": "gentoo", "title": "Xen: Multiple vulnerabilities", "description": "### Background\n\nXen is a bare-metal hypervisor.\n\n### Description\n\nMultiple vulnerabilities have been discovered in Xen. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA local attacker could possibly cause a Denial of Service condition or obtain sensitive information. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Xen 4.4 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-emulation/xen-4.4.2-r1\"\n \n\nAll Xen 4.2 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-emulation/xen-4.2.5-r8\"", "published": "2015-04-11T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://security.gentoo.org/glsa/201504-04", "cvelist": ["CVE-2014-5146", "CVE-2014-9065", "CVE-2013-3495", "CVE-2015-2044", "CVE-2014-8866", "CVE-2014-3967", "CVE-2014-8595", "CVE-2014-8867", "CVE-2015-0361", "CVE-2014-8594", "CVE-2015-2045", "CVE-2015-2752", "CVE-2014-3968", "CVE-2015-2751", "CVE-2014-9066", "CVE-2015-2756", "CVE-2014-5149", "CVE-2014-9030", "CVE-2015-2152", "CVE-2013-2212"], "lastseen": "2016-09-06T19:46:07"}]}}
