ORACLEVM_OVMSA-2013-0037.NASL (Nessus plugin)
This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
History: Nov 26, 2014 - 12:00 a.m.

OracleVM 3.1 : xen (OVMSA-2013-0037)

6.9 Medium

0.001 Low

The remote OracleVM system is missing necessary patches to address critical security updates:

  • VT-d: don’t permit SVT_NO_VERIFY entries for known device types. Only in cases where we don’t know what to do we should leave the IRTE blank (suppressing all validation), but we should always log a warning in those cases (as being insecure). This is CVE-2013-1952 / XSA-49.

  • x86: make page table handling error paths preemptible … as they may take significant amounts of time. This requires cloning the tweaked continuation logic from do_mmuext_op to do_mmu_update. Note that in mod_l[34]_entry a negative ‘preemptible’ value gets passed to put_page_from_l[34]e now, telling the callee to store the respective page in current->arch.old_guest_table (for a hypercall continuation to pick up), rather than carrying out the put right away. This is going to be made a little more explicit by a subsequent cleanup patch. This is part of CVE-2013-1918 / XSA-45. (CVE-2013-1918)

  • x86: make page table unpinning preemptible … as it may take significant amounts of time. Since we can’t re-invoke the operation in a second attempt, the continuation logic must be slightly tweaked so that we make sure do_mmuext_op gets run one more time even when the preempted unpin operation was the last one in a batch. This is part of CVE-2013-1918 / XSA-45.

  • x86: make arch_set_info_guest preemptible … as the root page table validation (and the dropping of an eventual old one) can require meaningful amounts of time. This is part of CVE-2013-1918 / XSA-45. (CVE-2013-1918)

  • x86: make vcpu_reset preemptible … as dropping the old page tables may take significant amounts of time. This is part of CVE-2013-1918 / XSA-45. (CVE-2013-1918)

  • x86: make MMUEXT_NEW_USER_BASEPTR preemptible … as it may take significant amounts of time. This is part of CVE-2013-1918 / XSA-45. (CVE-2013-1918)

  • x86: make new_guest_cr3 preemptible … as it may take significant amounts of time. This is part of CVE-2013-1918 / XSA-45. (CVE-2013-1918)

  • x86: make vcpu_destroy_pagetables preemptible … as it may take significant amounts of time. The function, being moved to mm.c as the better home for it anyway, and to avoid having to make a new helper function there non-static, is given a ‘preemptible’ parameter temporarily (until, in a subsequent patch, its other caller is also being made capable of dealing with preemption). This is part of CVE-2013-1918 / XSA-45.

  • Fix rcu domain locking for transitive grants. When acquiring a transitive grant for copy then the owning domain needs to be locked down as well as the granting domain. This was being done, but the unlocking was not.
    The acquire code now stores the struct domain * of the owning domain (rather than the domid) in the active entry in the granting domain. The release code then does the unlock on the owning domain. Note that I believe I also fixed a bug where, for non-transitive grants the active entry contained a reference to the acquiring domain rather than the granting domain. From my reading of the code this would stop the release code for transitive grants from terminating its recursion correctly.

    Also, for non-transitive grants we now avoid incorrectly recursing in __release_grant_for_copy. This is CVE-2013-1964 / XSA-50. (CVE-2013-1964)

# (C) Tenable Network Security, Inc.
# The package checks in this plugin were extracted from OracleVM
# Security Advisory OVMSA-2013-0037.

include("compat.inc");

if (description)
{
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/04");

  script_cve_id("CVE-2013-1918", "CVE-2013-1952", "CVE-2013-1964");
  script_bugtraq_id(59293, 59615, 59617);

  script_name(english:"OracleVM 3.1 : xen (OVMSA-2013-0037)");
  script_summary(english:"Checks the RPM output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote OracleVM host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote OracleVM system is missing necessary patches to address
critical security updates :

  - VT-d: don't permit SVT_NO_VERIFY entries for known
    device types Only in cases where we don't know what to
    do we should leave the IRTE blank (suppressing all
    validation), but we should always log a warning in those
    cases (as being insecure). This is CVE-2013-1952 /
    XSA-49.

  - x86: make page table handling error paths preemptible
    ... as they may take significant amounts of time. This
    requires cloning the tweaked continuation logic from
    do_mmuext_op to do_mmu_update. Note that in
    mod_l[34]_entry a negative 'preemptible' value gets
    passed to put_page_from_l[34]e now, telling the callee
    to store the respective page in
    current->arch.old_guest_table (for a hypercall
    continuation to pick up), rather than carrying out the
    put right away. This is going to be made a little more
    explicit by a subsequent cleanup patch. This is part of
    CVE-2013-1918 / XSA-45. (CVE-2013-1918)

  - x86: make page table unpinning preemptible ... as it may
    take significant amounts of time. Since we can't
    re-invoke the operation in a second attempt, the
    continuation logic must be slightly tweaked so that we
    make sure do_mmuext_op gets run one more time even when
    the preempted unpin operation was the last one in a
    batch. This is part of CVE-2013-1918 / XSA-45.

  - x86: make arch_set_info_guest preemptible ... as the root
    page table validation (and the dropping of an eventual
    old one) can require meaningful amounts of time. This is
    part of CVE-2013-1918 / XSA-45. (CVE-2013-1918)

  - x86: make vcpu_reset preemptible ... as dropping the old
    page tables may take significant amounts of time. This
    is part of CVE-2013-1918 / XSA-45. (CVE-2013-1918)

  - x86: make MMUEXT_NEW_USER_BASEPTR preemptible ... as it
    may take significant amounts of time. This is part of
    CVE-2013-1918 / XSA-45. (CVE-2013-1918)

  - x86: make new_guest_cr3 preemptible ... as it may take
    significant amounts of time. This is part of
    CVE-2013-1918 / XSA-45. (CVE-2013-1918)

  - x86: make vcpu_destroy_pagetables preemptible ... as it
    may take significant amounts of time. The function,
    being moved to mm.c as the better home for it anyway,
    and to avoid having to make a new helper function there
    non-static, is given a 'preemptible' parameter
    temporarily (until, in a subsequent patch, its other
    caller is also being made capable of dealing with
    preemption). This is part of CVE-2013-1918 / XSA-45.

  - Fix rcu domain locking for transitive grants When
    acquiring a transitive grant for copy then the owning
    domain needs to be locked down as well as the granting
    domain. This was being done, but the unlocking was not.
    The acquire code now stores the struct domain * of the
    owning domain (rather than the domid) in the active
    entry in the granting domain. The release code then does
    the unlock on the owning domain. Note that I believe I
    also fixed a bug where, for non-transitive grants the
    active entry contained a reference to the acquiring
    domain rather than the granting domain. From my reading
    of the code this would stop the release code for
    transitive grants from terminating its recursion
    correctly.

    Also, for non-transitive grants we now avoid incorrectly
    recursing in __release_grant_for_copy. This is
    CVE-2013-1964 / XSA-50. (CVE-2013-1964)"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected xen / xen-devel / xen-tools packages."
  );
  script_set_attribute(attribute:"risk_factor", value:"Medium");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen-tools");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:3.1");

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/05/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/05/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/26");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"OracleVM Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Only run when local (credentialed) checks succeeded and the target is OracleVM 3.1.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/OracleVM/release");
if (isnull(release) || "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM");
if (! preg(pattern:"^OVS" + "3\.1" + "(\.[0-9]|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 3.1", "OracleVM " + release);
if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# The fixed packages exist only for x86_64; any other architecture is out of scope.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu);
if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);

# rpm_check() flags a package when the installed version is older than the reference.
flag = 0;
if (rpm_check(release:"OVS3.1", reference:"xen-4.1.2-18.el5.50")) flag++;
if (rpm_check(release:"OVS3.1", reference:"xen-devel-4.1.2-18.el5.50")) flag++;
if (rpm_check(release:"OVS3.1", reference:"xen-tools-4.1.2-18.el5.50")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen / xen-devel / xen-tools");
}
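The plugin above relies on Nessus's rpm_check() to decide whether an installed xen package is older than the advisory's reference version, which in turn depends on rpm's segment-wise version ordering. The following is an added example, not Tenable's code and not part of the plugin: it re-implements that ordering (rpmvercmp) in Python, applies the same release and architecture gating as the plugin, and runs the three reference versions against a constructed rpm -qa listing. The names FIXED, rpmvercmp, evrcmp, parse_nvra and check_host, and the sample release string and package list, are this example's own.

```python
"""Offline equivalent of the package check in the OVMSA-2013-0037 plugin.

Added example, not Tenable's code: it re-implements rpm's version ordering
(rpmvercmp) in Python and applies the advisory's fixed versions to a
constructed `rpm -qa` listing, gating on release/arch the way the plugin does.
"""
import re

# Fixed package versions from the advisory (the plugin's rpm_check references).
FIXED = {
    "xen": "4.1.2-18.el5.50",
    "xen-devel": "4.1.2-18.el5.50",
    "xen-tools": "4.1.2-18.el5.50",
}
ARCHES = {"x86_64", "i386", "i586", "i686", "noarch"}
# Same release pattern the plugin uses ("OVS" + "3\.1" + "(\.[0-9]|$)").
OVS_RELEASE_RE = re.compile(r"^OVS3\.1(\.[0-9]|$)")


def _segments(s):
    """Split a version string into digit runs, alpha runs and '~' tokens;
    every other character is a separator and is dropped, as rpm does."""
    return re.findall(r"\d+|[A-Za-z]+|~", s)


def rpmvercmp(a, b):
    """Return -1, 0 or 1 following rpmvercmp(3): segments are compared in
    order, numeric segments as integers, alpha segments as strings, a numeric
    segment beats an alpha one, '~' sorts before anything (1.0~rc1 < 1.0),
    and when one side runs out the side with segments left is newer."""
    if a == b:
        return 0
    sa, sb = _segments(a), _segments(b)
    while sa or sb:
        ta, tb = bool(sa) and sa[0] == "~", bool(sb) and sb[0] == "~"
        if ta or tb:
            if ta and tb:
                sa.pop(0)
                sb.pop(0)
                continue
            return -1 if ta else 1
        if not sa or not sb:
            break
        x, y = sa.pop(0), sb.pop(0)
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:
            return 1 if xd else -1
        if xd:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    if not sa and not sb:
        return 0
    return 1 if sa else -1


def split_evr(evr):
    """'[epoch:]version-release' -> (epoch, version, release); epoch defaults to 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return epoch, version, release


def evrcmp(a, b):
    """Compare two EVR strings: epoch first, then version, then release."""
    for x, y in zip(split_evr(a), split_evr(b)):
        r = rpmvercmp(x, y)
        if r:
            return r
    return 0


def parse_nvra(line):
    """'xen-tools-4.1.2-18.el5.49.x86_64' -> ('xen-tools', '4.1.2-18.el5.49').
    Assumes rpm -qa's default name-version-release.arch format (no epoch)."""
    line = line.strip()
    base, _, arch = line.rpartition(".")
    if arch in ARCHES:
        line = base
    parts = line.rsplit("-", 2)
    if len(parts) != 3:
        return line, ""
    return parts[0], parts[1] + "-" + parts[2]


def check_host(release, cpu, rpm_lines):
    """Mirror the plugin: return None when the host is out of scope (not
    OracleVM 3.1 on x86_64), otherwise {name: (installed, fixed)} for every
    advisory package that is installed at a version older than the fix."""
    if not OVS_RELEASE_RE.search(release) or "x86_64" not in cpu:
        return None
    installed = dict(parse_nvra(l) for l in rpm_lines if l.strip())
    return {
        name: (installed[name], fixed)
        for name, fixed in FIXED.items()
        if name in installed and evrcmp(installed[name], fixed) < 0
    }


# Constructed sample host data (not captured from a real system).
SAMPLE_RELEASE = "OVS3.1.1"
SAMPLE_CPU = "x86_64"
SAMPLE_RPM_LIST = """\
xen-4.1.2-18.el5.49.x86_64
xen-tools-4.1.2-18.el5.50.x86_64
kernel-uek-2.6.39-300.17.1.el5uek.x86_64
glibc-2.5-107.el5_9.x86_64
""".splitlines()

if __name__ == "__main__":
    result = check_host(SAMPLE_RELEASE, SAMPLE_CPU, SAMPLE_RPM_LIST)
    if result is None:
        print("host out of scope: not OracleVM 3.1 on x86_64")
    elif not result:
        print("not affected: advisory packages absent or already fixed")
    for name, (have, want) in (result or {}).items():
        print(f"VULNERABLE {name}: installed {have} is older than fixed {want}")
```

On the sample data only xen is reported (release 18.el5.49 orders before 18.el5.50); xen-tools is already at the fixed version and xen-devel is not installed, which matches the plugin's behaviour of flagging only packages that are present and too old. Feed real output from `rpm -qa` and the contents of the host's release file in place of the constructed values to use it against an actual OracleVM host.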
