6.9 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:M/Au:N/C:C/I:C/A:C
0.001 Low
EPSS
Percentile
31.0%
The remote OracleVM system is missing necessary patches to address critical security updates :
xen: fix error handling of guest_physmap_mark_populate_on_demand The only user of the βoutβ label bypasses a necessary unlock, thus enabling the caller to lock up Xen. Also, the function was never meant to be called by a guest for itself, so rather than inspecting the code paths in depth for potential other problems this might cause, and adjusting e.g. the non-guest printk in the above error path, just disallow the guest access to it. Finally, the printk (considering its potential of spamming the log, the more that itβs not using XENLOG_GUEST), is being converted to P2M_DEBUG, as debugging is what it apparently was added for in the first place. This is XSA-30 / CVE-2012-5514.
(CVE-2012-5514)
Revert version 2 of XSA-30 / CVE-2012-5514 (CVE-2012-5514)
memop: limit guest specified extent order Allowing unbounded order values here causes almost unbounded loops and/or partially incomplete requests, particularly in PoD code. The added range checks in populate_physmap, decrease_reservation, and the βinβ one in memory_exchange architecturally all could use PADDR_BITS
xen: fix error path of guest_physmap_mark_populate_on_demand The only user of the βoutβ label bypasses a necessary unlock, thus enabling the caller to lock up Xen. This is XSA-30 / CVE-2012-5514. (CVE-2012-5514)
xen: add missing guest address range checks to XENMEM_exchange handlers Ever since its existence (3.0.3 iirc) the handler for this has been using non address range checking guest memory accessors (i.e. the ones prefixed with two underscores) without first range checking the accessed space (via guest_handle_okay), allowing a guest to access and overwrite hypervisor memory. This is XSA-29 / CVE-2012-5513.
hvm: Limit the size of large HVM op batches Doing large p2m updates for HVMOP_track_dirty_vram without preemption ties up the physical processor. Integrating preemption into the p2m updates is hard so simply limit to 1GB which is sufficient for a 15000 * 15000 * 32bpp framebuffer. For HVMOP_modified_memory and HVMOP_set_mem_type preemptible add the necessary machinery to handle preemption. This is CVE-2012-5511 / XSA-27.
x86/paging: Donβt allocate user-controlled amounts of stack memory. This is XSA-27 / CVE-2012-5511.
v2: Provide definition of GB to fix x86-32 compile.
xen/common/grant_table.c gnttab: fix releasing of memory upon switches between versions gnttab_unpopulate_status_frames incompletely freed the pages previously used as status frame in that they did not get removed from the domainβs xenpage_list, thus causing subsequent list corruption when those pages did get allocated again for the same or another purpose.
Similarly, grant_table_create and gnttab_grow_table both improperly clean up in the event of an error - pages already shared with the guest canβt be freed by just passing them to free_xenheap_page. Fix this by sharing the pages only after all allocations succeeded. This is CVE-2012-5510 / XSA-26. (CVE-2012-5510)
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The package checks in this plugin were extracted from OracleVM
# Security Advisory OVMSA-2012-0056.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(79490);
script_version("1.4");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/04");
script_cve_id("CVE-2012-5510", "CVE-2012-5511", "CVE-2012-5513", "CVE-2012-5514", "CVE-2012-5515");
script_bugtraq_id(56794, 56796, 56797, 56798, 56803);
script_name(english:"OracleVM 3.0 : xen (OVMSA-2012-0056)");
script_summary(english:"Checks the RPM output for the updated packages.");
script_set_attribute(
attribute:"synopsis",
value:"The remote OracleVM host is missing one or more security updates."
);
script_set_attribute(
attribute:"description",
value:
"The remote OracleVM system is missing necessary patches to address
critical security updates :
- xen: fix error handling of
guest_physmap_mark_populate_on_demand The only user of
the 'out' label bypasses a necessary unlock, thus
enabling the caller to lock up Xen. Also, the function
was never meant to be called by a guest for itself, so
rather than inspecting the code paths in depth for
potential other problems this might cause, and adjusting
e.g. the non-guest printk in the above error path, just
disallow the guest access to it. Finally, the printk
(considering its potential of spamming the log, the more
that it's not using XENLOG_GUEST), is being converted to
P2M_DEBUG, as debugging is what it apparently was added
for in the first place. This is XSA-30 / CVE-2012-5514.
(CVE-2012-5514)
- Revert version 2 of XSA-30 / CVE-2012-5514
(CVE-2012-5514)
- memop: limit guest specified extent order Allowing
unbounded order values here causes almost unbounded
loops and/or partially incomplete requests, particularly
in PoD code. The added range checks in populate_physmap,
decrease_reservation, and the 'in' one in
memory_exchange architecturally all could use PADDR_BITS
- PAGE_SHIFT, and are being artificially constrained to
MAX_ORDER. This is XSA-31 / CVE-2012-5515.
(CVE-2012-5515)
- xen: fix error path of
guest_physmap_mark_populate_on_demand The only user of
the 'out' label bypasses a necessary unlock, thus
enabling the caller to lock up Xen. This is XSA-30 /
CVE-2012-5514. (CVE-2012-5514)
- xen: add missing guest address range checks to
XENMEM_exchange handlers Ever since its existence (3.0.3
iirc) the handler for this has been using non address
range checking guest memory accessors (i.e. the ones
prefixed with two underscores) without first range
checking the accessed space (via guest_handle_okay),
allowing a guest to access and overwrite hypervisor
memory. This is XSA-29 / CVE-2012-5513.
- hvm: Limit the size of large HVM op batches Doing large
p2m updates for HVMOP_track_dirty_vram without
preemption ties up the physical processor. Integrating
preemption into the p2m updates is hard so simply limit
to 1GB which is sufficient for a 15000 * 15000 * 32bpp
framebuffer. For HVMOP_modified_memory and
HVMOP_set_mem_type preemptible add the necessary
machinery to handle preemption. This is CVE-2012-5511 /
XSA-27.
x86/paging: Don't allocate user-controlled amounts of
stack memory. This is XSA-27 / CVE-2012-5511.
v2: Provide definition of GB to fix x86-32 compile.
- xen/common/grant_table.c gnttab: fix releasing of memory
upon switches between versions
gnttab_unpopulate_status_frames incompletely freed the
pages previously used as status frame in that they did
not get removed from the domain's xenpage_list, thus
causing subsequent list corruption when those pages did
get allocated again for the same or another purpose.
Similarly, grant_table_create and gnttab_grow_table both
improperly clean up in the event of an error - pages
already shared with the guest can't be freed by just
passing them to free_xenheap_page. Fix this by sharing
the pages only after all allocations succeeded. This is
CVE-2012-5510 / XSA-26. (CVE-2012-5510)"
);
# https://oss.oracle.com/pipermail/oraclevm-errata/2012-December/000113.html
script_set_attribute(
attribute:"see_also",
value:"http://www.nessus.org/u?7261a1be"
);
script_set_attribute(
attribute:"solution",
value:"Update the affected xen / xen-devel / xen-tools packages."
);
script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen-tools");
script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:3.0");
script_set_attribute(attribute:"vuln_publication_date", value:"2012/12/13");
script_set_attribute(attribute:"patch_publication_date", value:"2012/12/05");
script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/26");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"OracleVM Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/OracleVM/release");
if (isnull(release) || "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM");
if (! preg(pattern:"^OVS" + "3\.0" + "(\.[0-9]|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 3.0", "OracleVM " + release);
if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu);
if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
flag = 0;
if (rpm_check(release:"OVS3.0", reference:"xen-4.0.0-81.el5.25")) flag++;
if (rpm_check(release:"OVS3.0", reference:"xen-devel-4.0.0-81.el5.25")) flag++;
if (rpm_check(release:"OVS3.0", reference:"xen-tools-4.0.0-81.el5.25")) flag++;
if (flag)
{
if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
else security_warning(0);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen / xen-devel / xen-tools");
}