CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
46.7%
The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:2158-1 advisory.
Racy interactions between dirty vram tracking and paging log dirty hypercalls: Activation of log dirty mode done by XEN_DMOP_track_dirty_vram (was named HVMOP_track_dirty_vram before Xen 4.9) is racy with ongoing log dirty hypercalls. A suitably timed call to XEN_DMOP_track_dirty_vram can enable log dirty while another CPU is still in the process of tearing down the structures related to a previously enabled log dirty mode (XEN_DOMCTL_SHADOW_OP_OFF). This is due to lack of mutually exclusive locking between both operations and can lead to entries being added in already freed slots, resulting in a memory leak. (CVE-2022-26356)

Race in VT-d domain ID cleanup: Xen domain IDs are up to 15 bits wide. VT-d hardware may allow for fewer than 15 bits to hold a domain ID associating a physical device with a particular domain. Therefore internally Xen domain IDs are mapped to the smaller value range. The cleaning up of the housekeeping structures has a race, allowing for VT-d domain IDs to be leaked and flushes to be bypassed. (CVE-2022-26357)

IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, RMRR) for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuously accessible by the device. This requirement has been violated. Subsequent DMA or interrupts from the device may have unpredictable behaviour, ranging from IOMMU faults to memory corruption. (CVE-2022-26358, CVE-2022-26359, CVE-2022-26360, CVE-2022-26361)

x86 pv: Race condition in typeref acquisition: Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, the logic for acquiring a type reference has a race condition, whereby a safety TLB flush is issued too early and creates a window where the guest can re-establish the read/write mapping before writeability is prohibited. (CVE-2022-26362)

x86 pv: Insufficient care with non-coherent mappings [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, Xen's safety logic doesn't account for CPU-induced cache non-coherency; cases where the CPU can cause the content of the cache to be different to the content in main memory. In such cases, Xen's safety logic can incorrectly conclude that the contents of a page are safe. (CVE-2022-26363, CVE-2022-26364)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# SUSE update advisory SUSE-SU-2022:2158-1. The text itself
# is copyright (C) SUSE.
##
include('compat.inc');
if (description)
{
  script_id(162521);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/07/13");

  script_cve_id(
    "CVE-2022-26356",
    "CVE-2022-26357",
    "CVE-2022-26358",
    "CVE-2022-26359",
    "CVE-2022-26360",
    "CVE-2022-26361",
    "CVE-2022-26362",
    "CVE-2022-26363",
    "CVE-2022-26364"
  );
  script_xref(name:"SuSE", value:"SUSE-SU-2022:2158-1");

  script_name(english:"SUSE SLES15 Security Update : xen (SUSE-SU-2022:2158-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote SUSE host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as
referenced in the SUSE-SU-2022:2158-1 advisory.

  - Racy interactions between dirty vram tracking and paging log dirty hypercalls Activation of log dirty mode
    done by XEN_DMOP_track_dirty_vram (was named HVMOP_track_dirty_vram before Xen 4.9) is racy with ongoing
    log dirty hypercalls. A suitably timed call to XEN_DMOP_track_dirty_vram can enable log dirty while
    another CPU is still in the process of tearing down the structures related to a previously enabled log
    dirty mode (XEN_DOMCTL_SHADOW_OP_OFF). This is due to lack of mutually exclusive locking between both
    operations and can lead to entries being added in already freed slots, resulting in a memory leak.
    (CVE-2022-26356)

  - race in VT-d domain ID cleanup Xen domain IDs are up to 15 bits wide. VT-d hardware may allow for fewer
    than 15 bits to hold a domain ID associating a physical device with a particular domain. Therefore
    internally Xen domain IDs are mapped to the smaller value range. The cleaning up of the housekeeping
    structures has a race, allowing for VT-d domain IDs to be leaked and flushes to be bypassed.
    (CVE-2022-26357)

  - IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues [This CNA information record relates to multiple
    CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Certain PCI devices in a
    system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, RMRR)
    for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as
    legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with
    such a region is active, the mappings of these regions need to remain continuously accessible by the
    device. This requirement has been violated. Subsequent DMA or interrupts from the device may have
    unpredictable behaviour, ranging from IOMMU faults to memory corruption. (CVE-2022-26358, CVE-2022-26359,
    CVE-2022-26360, CVE-2022-26361)

  - x86 pv: Race condition in typeref acquisition Xen maintains a type reference count for pages, in addition
    to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g.
    PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately,
    the logic for acquiring a type reference has a race condition, whereby a safety TLB flush is issued too
    early and creates a window where the guest can re-establish the read/write mapping before writeability is
    prohibited. (CVE-2022-26362)

  - x86 pv: Insufficient care with non-coherent mappings [This CNA information record relates to multiple
    CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen maintains a type
    reference count for pages, in addition to a regular reference count. This scheme is used to maintain
    invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables;
    updates need auditing by Xen. Unfortunately, Xen's safety logic doesn't account for CPU-induced cache
    non-coherency; cases where the CPU can cause the content of the cache to be different to the content in
    main memory. In such cases, Xen's safety logic can incorrectly conclude that the contents of a page are
    safe. (CVE-2022-26363, CVE-2022-26364)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1197423");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1197425");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1197426");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1199965");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1199966");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-26356");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-26357");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-26358");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-26359");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-26360");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-26361");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-26362");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-26363");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-26364");
  # https://lists.suse.com/pipermail/sle-security-updates/2022-June/011336.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4bbc1e6e");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-26364");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2022-26361");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/04/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/06/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/06/24");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools-domU");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:15");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"SuSE Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}
include('rpm.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item("Host/SuSE/release");
if (isnull(os_release) || os_release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
var os_ver = pregmatch(pattern: "^(SLE(S|D)(?:_SAP)?\d+)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');
os_ver = os_ver[1];
if (! preg(pattern:"^(SLES15|SLES_SAP15)$", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES15 / SLES_SAP15', 'SUSE (' + os_ver + ')');
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE (' + os_ver + ')', cpu);
var service_pack = get_kb_item("Host/SuSE/patchlevel");
if (isnull(service_pack)) service_pack = "0";
if (os_ver == "SLES15" && (! preg(pattern:"^(1)$", string:service_pack))) audit(AUDIT_OS_NOT, "SLES15 SP1", os_ver + " SP" + service_pack);
if (os_ver == "SLES_SAP15" && (! preg(pattern:"^(1)$", string:service_pack))) audit(AUDIT_OS_NOT, "SLES_SAP15 SP1", os_ver + " SP" + service_pack);
var pkgs = [
{'reference':'xen-4.12.4_24-150100.3.72.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.1']},
{'reference':'xen-devel-4.12.4_24-150100.3.72.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.1']},
{'reference':'xen-libs-4.12.4_24-150100.3.72.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.1']},
{'reference':'xen-tools-4.12.4_24-150100.3.72.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.1']},
{'reference':'xen-tools-domU-4.12.4_24-150100.3.72.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.1']},
{'reference':'xen-4.12.4_24-150100.3.72.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1', 'sles-release-15.1']},
{'reference':'xen-devel-4.12.4_24-150100.3.72.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1', 'sles-release-15.1']},
{'reference':'xen-libs-4.12.4_24-150100.3.72.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1', 'sles-release-15.1']},
{'reference':'xen-tools-4.12.4_24-150100.3.72.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1', 'sles-release-15.1']},
{'reference':'xen-tools-domU-4.12.4_24-150100.3.72.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1', 'sles-release-15.1']},
{'reference':'xen-4.12.4_24-150100.3.72.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1', 'sles-ltss-release-15.1']},
{'reference':'xen-devel-4.12.4_24-150100.3.72.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1', 'sles-ltss-release-15.1']},
{'reference':'xen-libs-4.12.4_24-150100.3.72.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1', 'sles-ltss-release-15.1']},
{'reference':'xen-tools-4.12.4_24-150100.3.72.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1', 'sles-ltss-release-15.1']},
{'reference':'xen-tools-domU-4.12.4_24-150100.3.72.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1', 'sles-ltss-release-15.1']}
];
var ltss_caveat_required = FALSE;
var flag = 0;

foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var exists_check = NULL;
  var rpm_spec_vers_cmp = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (reference && _release) {
    if (exists_check) {
      var check_flag = 0;
      foreach var check (exists_check) {
        if (!rpm_exists(release:_release, rpm:check)) continue;
        if ('ltss' >< tolower(check)) ltss_caveat_required = TRUE;
        check_flag++;
      }
      if (!check_flag) continue;
    }
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;
  }
}

if (flag)
{
  var ltss_plugin_caveat = NULL;
  if(ltss_caveat_required) ltss_plugin_caveat = '\n' +
    'NOTE: This vulnerability check contains fixes that apply to\n' +
    'packages only available in SUSE Enterprise Linux Server LTSS\n' +
    'repositories. Access to these package security updates require\n' +
    'a paid SUSE LTSS subscription.\n';
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get() + ltss_plugin_caveat
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'xen / xen-devel / xen-libs / xen-tools / xen-tools-domU');
}
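The plugin above never exercises the Xen bugs; it hands each reference in the pkgs table to rpm_check() with rpm_spec_vers_cmp:TRUE, so the whole finding rests on RPM version-string ordering. The following Python is an added illustration of that comparison, not Tenable's or SUSE's code: it ports rpm's rpmvercmp() segment algorithm, splits NAME-VERSION-RELEASE on the last two dashes (package names such as xen-tools-domU contain dashes themselves), and runs a constructed rpm -qa listing against the fixed references from the pkgs table. Epochs are assumed absent, as they are for these xen packages; the distribution and service-pack gating that the plugin does through rpm_exists() and the SP checks is not reproduced, so on a real host you would first confirm SLES15 SP1 / SLES_SAP15 SP1 on x86_64.

```python
import re

# Fixed references from the plugin's pkgs table (SLES15 SP1 / SLES_SAP15 SP1, x86_64).
FIXED_REFERENCES = [
    "xen-4.12.4_24-150100.3.72.1",
    "xen-devel-4.12.4_24-150100.3.72.1",
    "xen-libs-4.12.4_24-150100.3.72.1",
    "xen-tools-4.12.4_24-150100.3.72.1",
    "xen-tools-domU-4.12.4_24-150100.3.72.1",
]

# Constructed sample (not from a real host) of what
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'
# could return on a partially patched SLES15 SP1 system.
SAMPLE_RPM_LIST = """\
xen-libs-4.12.4_20-150100.3.66.1
xen-tools-4.12.4_24-150100.3.72.1
xen-4.12.4_24-150100.3.75.1
xen-tools-domU-4.12.4_20-150100.3.66.1
sles-release-15.1-1.1
"""

_SEPARATORS = re.compile(r"^[^A-Za-z0-9~^]+")
_DIGITS = re.compile(r"[0-9]+")
_ALPHA = re.compile(r"[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1, 0 or 1 for a <, ==, > b.
    Digit runs compare numerically (leading zeros ignored), letter runs as ASCII
    strings, a digit segment beats a letter segment, '~' sorts before everything
    (pre-releases), '^' after the bare version but before a longer one
    (post-releases); any other character (., _, -, +) is only a separator."""
    if a == b:
        return 0
    one, two = a, b
    while one or two:
        one = _SEPARATORS.sub("", one)
        two = _SEPARATORS.sub("", two)
        if one.startswith("~") or two.startswith("~"):
            if not one.startswith("~"):
                return 1
            if not two.startswith("~"):
                return -1
            one, two = one[1:], two[1:]
            continue
        if one.startswith("^") or two.startswith("^"):
            if not one:
                return -1
            if not two:
                return 1
            if not one.startswith("^"):
                return 1
            if not two.startswith("^"):
                return -1
            one, two = one[1:], two[1:]
            continue
        if not (one and two):
            break
        isnum = one[0].isdigit()
        segment = _DIGITS if isnum else _ALPHA
        m1, m2 = segment.match(one), segment.match(two)
        if m2 is None:                      # different kinds: numeric wins
            return 1 if isnum else -1
        seg1, seg2 = m1.group(0), m2.group(0)
        one, two = one[len(seg1):], two[len(seg2):]
        if isnum:
            seg1, seg2 = seg1.lstrip("0"), seg2.lstrip("0")
            if len(seg1) != len(seg2):      # longer number is bigger
                return 1 if len(seg1) > len(seg2) else -1
        if seg1 != seg2:                    # same length: plain strcmp
            return 1 if seg1 > seg2 else -1
    if not one and not two:
        return 0
    return -1 if not one else 1             # whatever has a remainder is newer


def parse_nvr(nvr: str):
    """Split NAME-VERSION-RELEASE on the last two dashes; names may contain dashes."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def vr_cmp(a, b) -> int:
    """Compare (version, release) pairs as rpm does: version first, then release.
    Epoch is assumed absent, which holds for the xen packages in this advisory."""
    c = rpmvercmp(a[0], b[0])
    return c if c else rpmvercmp(a[1], b[1])


def vulnerable_packages(rpm_list: str, fixed_refs):
    """Return [(name, installed_vr, fixed_vr)] for installed packages older than
    the fix, mirroring rpm_check(): packages that are not installed are skipped."""
    installed = {}
    for line in rpm_list.splitlines():
        if line.strip():
            name, ver, rel = parse_nvr(line.strip())
            installed[name] = (ver, rel)
    findings = []
    for ref in fixed_refs:
        name, ver, rel = parse_nvr(ref)
        if name in installed and vr_cmp(installed[name], (ver, rel)) < 0:
            findings.append((name, "-".join(installed[name]), f"{ver}-{rel}"))
    return findings


if __name__ == "__main__":
    for name, have, want in vulnerable_packages(SAMPLE_RPM_LIST, FIXED_REFERENCES):
        print(f"{name}: installed {have} < fixed {want}")
```

Against the constructed listing, xen-libs and xen-tools-domU are reported (4.12.4_20 sorts below 4.12.4_24 because the underscore is only a separator and 20 < 24 numerically), xen-tools is exactly at the fixed version, xen is newer in its release field, and xen-devel is not installed and therefore not reported, which is the same outcome rpm_check() would produce for that host.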
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26356
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26357
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26358
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26359
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26360
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26361
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26362
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26363
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26364
http://www.nessus.org/u?4bbc1e6e
https://bugzilla.suse.com/1197423
https://bugzilla.suse.com/1197425
https://bugzilla.suse.com/1197426
https://bugzilla.suse.com/1199965
https://bugzilla.suse.com/1199966
https://www.suse.com/security/cve/CVE-2022-26356
https://www.suse.com/security/cve/CVE-2022-26357
https://www.suse.com/security/cve/CVE-2022-26358
https://www.suse.com/security/cve/CVE-2022-26359
https://www.suse.com/security/cve/CVE-2022-26360
https://www.suse.com/security/cve/CVE-2022-26361
https://www.suse.com/security/cve/CVE-2022-26362
https://www.suse.com/security/cve/CVE-2022-26363
https://www.suse.com/security/cve/CVE-2022-26364