4.7 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:L/AC:M/Au:N/C:N/I:N/A:C
0.001 Low
EPSS
Percentile
28.1%
The remote OracleVM system is missing necessary patches to address critical security updates :
defer event channel bucket pointer store until after XSM checks Otherwise a dangling pointer can be left, which would cause subsequent memory corruption as soon as the space got re-allocated for some other purpose. This is CVE-2013-1920 / XSA-47.
John Haxby
x86: fix various issues with handling guest IRQs
properly revoke IRQ access in map_domain_pirq error path
don’t permit replacing an in use IRQ
don’t accept inputs in the GSI range for MAP_PIRQ_TYPE_MSI
track IRQ access permission in host IRQ terms, not guest IRQ ones (and with that, also disallow Dom0 access to IRQ0) This is CVE-2013-1919 / XSA-46.
x86: clear EFLAGS.NT in SYSENTER entry path … as it causes problems if we happen to exit back via IRET: In the course of trying to handle the fault, the hypervisor creates a stack frame by hand, and uses PUSHFQ to set the respective EFLAGS field, but expects to be able to IRET through that stack frame to the second portion of the fixup code (which causes a #GP due to the stored EFLAGS having NT set). And even if this worked (e.g if we cleared NT in that path), it would then (through the fail safe callback) cause a #GP in the guest with the SYSENTER handler’s first instruction as the source, which in turn would allow guest user mode code to crash the guest kernel. Inject a #GP on the fake (NULL) address of the SYSENTER instruction instead, just like in the case where the guest kernel didn’t register a corresponding entry point. On 32-bit we also need to make sure we clear SYSENTER_CS for all CPUs (neither #RESET nor #INIT guarantee this). This is CVE-2013-1917 / XSA-44. (CVE-2013-1917)
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The package checks in this plugin were extracted from OracleVM
# Security Advisory OVMSA-2013-0031.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(79502);
script_version("1.4");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/04");
script_cve_id("CVE-2013-1917", "CVE-2013-1919", "CVE-2013-1920");
script_bugtraq_id(58880, 59291, 59292);
script_name(english:"OracleVM 3.2 : xen (OVMSA-2013-0031)");
script_summary(english:"Checks the RPM output for the updated packages.");
script_set_attribute(
attribute:"synopsis",
value:"The remote OracleVM host is missing one or more security updates."
);
script_set_attribute(
attribute:"description",
value:
"The remote OracleVM system is missing necessary patches to address
critical security updates :
- defer event channel bucket pointer store until after XSM
checks Otherwise a dangling pointer can be left, which
would cause subsequent memory corruption as soon as the
space got re-allocated for some other purpose. This is
CVE-2013-1920 / XSA-47.
John Haxby
- x86: fix various issues with handling guest IRQs
- properly revoke IRQ access in map_domain_pirq error path
- don't permit replacing an in use IRQ
- don't accept inputs in the GSI range for
MAP_PIRQ_TYPE_MSI
- track IRQ access permission in host IRQ terms, not guest
IRQ ones (and with that, also disallow Dom0 access to
IRQ0) This is CVE-2013-1919 / XSA-46.
- x86: clear EFLAGS.NT in SYSENTER entry path ... as it
causes problems if we happen to exit back via IRET: In
the course of trying to handle the fault, the hypervisor
creates a stack frame by hand, and uses PUSHFQ to set
the respective EFLAGS field, but expects to be able to
IRET through that stack frame to the second portion of
the fixup code (which causes a #GP due to the stored
EFLAGS having NT set). And even if this worked (e.g if
we cleared NT in that path), it would then (through the
fail safe callback) cause a #GP in the guest with the
SYSENTER handler's first instruction as the source,
which in turn would allow guest user mode code to crash
the guest kernel. Inject a #GP on the fake (NULL)
address of the SYSENTER instruction instead, just like
in the case where the guest kernel didn't register a
corresponding entry point. On 32-bit we also need to
make sure we clear SYSENTER_CS for all CPUs (neither
#RESET nor #INIT guarantee this). This is CVE-2013-1917
/ XSA-44. (CVE-2013-1917)"
);
# https://oss.oracle.com/pipermail/oraclevm-errata/2013-April/000131.html
script_set_attribute(
attribute:"see_also",
value:"http://www.nessus.org/u?83affd55"
);
script_set_attribute(
attribute:"solution",
value:"Update the affected xen / xen-devel / xen-tools packages."
);
script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:N/I:N/A:C");
script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen-tools");
script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:3.2");
script_set_attribute(attribute:"vuln_publication_date", value:"2013/04/12");
script_set_attribute(attribute:"patch_publication_date", value:"2013/04/19");
script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/26");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"OracleVM Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/OracleVM/release");
if (isnull(release) || "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM");
if (! preg(pattern:"^OVS" + "3\.2" + "(\.[0-9]|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 3.2", "OracleVM " + release);
if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu);
if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
flag = 0;
if (rpm_check(release:"OVS3.2", reference:"xen-4.1.3-25.el5.6")) flag++;
if (rpm_check(release:"OVS3.2", reference:"xen-devel-4.1.3-25.el5.6")) flag++;
if (rpm_check(release:"OVS3.2", reference:"xen-tools-4.1.3-25.el5.6")) flag++;
if (flag)
{
if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
else security_warning(0);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen / xen-devel / xen-tools");
}