2.1 Low
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:N/I:N/A:P
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
5.8 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
32.6%
According to its self-reported version number, the Xen hypervisor installed on the remote host is affected by a denial of service vulnerability. Grant table operations are expected to return 0 for success, and a negative number for errors. Some misplaced brackets cause one error path to return 1 instead of a negative value. The grant table code in Linux treats this condition as success, and proceeds with incorrectly initialised state. A buggy or malicious guest can construct its grant table in such a way that, when a backend domain tries to map a grant, it hits the incorrect error path. This will crash a Linux based dom0 or backend domain.
Note only systems with the XSA-295 patch applied are affected. All other hosts are not vulnerable.
#
# (C) Tenable Network Security, Inc.
#
include('compat.inc');
if (description)
{
script_id(135928);
script_version("1.6");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/14");
script_cve_id("CVE-2020-11743");
script_xref(name:"IAVB", value:"2020-B-0019-S");
script_name(english:"Xen Bad error path in GNTTABOP_map_grant DoS (XSA-316)");
script_set_attribute(attribute:"synopsis", value:
"The remote Xen hypervisor installation is missing a security update.");
script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the Xen hypervisor installed on
the remote host is affected by a denial of service vulnerability. Grant table
operations are expected to return 0 for success, and a negative number for
errors. Some misplaced brackets cause one error path to return 1 instead of a
negative value. The grant table code in Linux treats this condition as success,
and proceeds with incorrectly initialised state. A buggy or malicious guest can
construct its grant table in such a way that, when a backend domain tries to
map a grant, it hits the incorrect error path. This will crash a Linux based
dom0 or backend domain.
Note only systems with the XSA-295 patch applied are affected. All other hosts
are not vulnerable.");
script_set_attribute(attribute:"see_also", value:"https://xenbits.xen.org/xsa/advisory-316.html");
script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch or workaround according to the vendor advisory.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-11743");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/14");
script_set_attribute(attribute:"patch_publication_date", value:"2020/04/14");
script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/24");
script_set_attribute(attribute:"potential_vulnerability", value:"true");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:xen:xen");
script_set_attribute(attribute:"stig_severity", value:"II");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("xen_server_detect.nbin");
script_require_keys("installed_sw/Xen Hypervisor", "Settings/ParanoidReport");
exit(0);
}
include('audit.inc');
include('global_settings.inc');
include('install_func.inc');
include('misc_func.inc');
app_name = 'Xen Hypervisor';
install = get_single_install(app_name:app_name);
if (report_paranoia < 2) audit(AUDIT_PARANOID);
version = install['version'];
display_version = install['display_version'];
path = install['path'];
managed_status = install['Managed status'];
changeset = install['Changeset'];
if (!empty_or_null(changeset))
display_version += ' (changeset ' + changeset + ')';
# Installations that are vendor-managed are handled by OS-specific local package checks
if (managed_status == 'managed')
audit(AUDIT_INST_PATH_NOT_VULN, app_name, display_version, path);
fixes['4.9']['fixed_ver'] = '4.9.4';
fixes['4.9']['fixed_ver_display'] = '4.9.4 (changeset 773686b)';
fixes['4.9']['affected_ver_regex'] = '^4\\.9\\.';
fixes['4.9']['affected_changesets'] = make_list("4e79375", "8d26adc",
"b3718b7", "cf2e9cc", "43ab30b", "55bd90d", "173e805", "248f22e",
"ec229c2", "e879bfe", "ce126c9", "4b69427", "8d1ee9f", "e60b3a9",
"25f5530", "49db55f", "fa34ed5", "704f7ec", "a930a74", "8c52ee2",
"2e15a19", "70639ac", "c3b479d", "e349eae", "632fb4e", "4608c6d",
"7daacca", "859e48e", "5be2dd0", "b0147bd", "cadd66a", "d3c4b60",
"d59f5c4", "44303c6", "79538ba", "80c3157", "73f1a55", "bc20fb1",
"754a531", "7b032c2", "ff4fdf0", "8d2a688", "b9013d7", "bc8e5ec",
"34907f5", "e70bf7e", "fa0b891", "3a8177c", "04ec835", "8d63ec4",
"1ff6b4d", "f092d86", "e4b534f", "87c49fe", "19becb8", "43775c0",
"f6b0f33", "a17e75c", "67530e7", "f804549", "84f81a8", "56aa239",
"105db42", "d9da3ea", "ac90240", "3db28b0", "9b6f1c0", "0c4bbad",
"917d8d3", "3384ea4", "352421f", "04e9dcb", "1612f15", "f952b1d",
"63d9330", "f72414a", "ac3a5f8", "1ae6b8e", "1dd3dcc", "7390fa1",
"7e78dc4", "8fdfb1e", "55d36e2", "045f37c", "dd7e637", "7a40b5b", "f5acf97");
fixes['4.10']['fixed_ver'] = '4.10.4';
fixes['4.10']['fixed_ver_display'] = '4.10.4 (changeset cbedabf)';
fixes['4.10']['affected_ver_regex'] = '^4\\.10\\.';
fixes['4.10']['affected_changesets'] = make_list("38e589d", "a91b8fc",
"3e0c316", "49a5d6e", "6cb1cb9", "ba2776a", "9d143e8", "fe8dab3",
"07e546e", "fefa5f9", "c9f9ff7", "406d40d", "e489955", "37139f1",
"fde09cb", "804ba02", "e8c3971", "a8c4293", "aa40452", "1da3dab",
"e5632c4", "902e72d", "6a14610", "ea815b2", "13ad331", "61b75d9",
"e70e7bf", "e966e2e", "dfa16a1", "a71e199", "c98be9e", "a548e10",
"d3c0e84", "53b1572", "7203f9a", "6d1659d", "a782173", "24e90db",
"0824bc6", "e6f3135", "3131bf9");
fixes['4.11']['fixed_ver'] = '4.11.4';
fixes['4.11']['fixed_ver_display'] = '4.11.4-pre (changeset 52da389)';
fixes['4.11']['affected_ver_regex'] = '^4\\.11\\.';
fixes['4.11']['affected_changesets'] = make_list("d430e15", "7900cb7",
"06a5a27", "affb032", "5adb81a", "4b4ec47", "8f51dad", "09508fd",
"ac3b39c", "480d9b4", "dfcd120", "696d142", "6bc54c0", "f9e2a60",
"98cf186", "a12c52d", "21fc266", "7224587", "2ffed5c", "8348cc7",
"a4f502e", "5abd261", "b187c14", "8fa2976", "9e48faf", "888a7da",
"06adda7", "346eae8", "0e126cc", "ddffc4d", "14b62ab", "6561994",
"f562c6b", "d35cbee", "85e047d", "d9dd863", "0e5be46", "146d5bd",
"81bd09f", "b9527ec", "d627249", "d397a5a", "6a40067", "a700446",
"0d91d9d", "005c9b8", "1432cd5", "608be81", "d81c711", "3d2cc67",
"d4a67be", "b8a8278", "06555fd");
fixes['4.12']['fixed_ver'] = '4.12.3';
fixes['4.12']['fixed_ver_display'] = '4.12.3-pre (changeset 46bde05)';
fixes['4.12']['affected_ver_regex'] = '^4\\.12\\.';
fixes['4.12']['affected_changesets'] = make_list("1541b26", "45624a7",
"dc3fb83", "e8c8071", "a46cd06", "524e739", "36f810b", "752558e",
"c1a1c4e", "4c69d1c", "9a082e1", "e282e87", "f326440", "736c67b",
"94f0bb7", "4c18745", "3c37292", "813757c", "824bdb4", "30acb65",
"2d86de4", "c03afae", "3d89e04", "95d956d", "b165d13", "8663b6a",
"636b40d", "16803a6", "d32c575", "e4f4127", "b9063ce", "58d3a68",
"a12589f", "5454111", "7ee6e17", "71382e9");
fixes['4.13']['fixed_ver'] = '4.13.1';
fixes['4.13']['fixed_ver_display'] = '4.13.1-pre (changeset d91d4fe)';
fixes['4.13']['affected_ver_regex'] = '^4\\.13\\.';
fixes['4.13']['affected_changesets'] = make_list("b6a2c42", "ef922bd",
"65b16f3", "736da59", "460003e", "2e05b8a", "c0dad81", "436c54e",
"181614a", "04497b3", "ad5e611", "b3e08a6", "71b7ead", "d5be080",
"c7a1e58", "18d9129", "16670ad", "69c8307", "e519573", "680356e",
"6a5ebbb", "e9fdf6a", "ac75ea8", "a99de9d", "e1e24c5", "0d16bb7",
"07ac8a9", "431ddeb", "5e10699", "655897c", "a8fbb0f", "d3f3e44",
"1bfc29f", "86f0b73", "994ff51", "c7409f8", "fbb17c4", "80dd503",
"e6854fe", "9e779d1", "0518c16", "ef5961d", "1482807", "8a717bd",
"c0d0b4e", "c080e5b", "7f11b1c", "95d43cd", "328dd23", "e312149",
"659efd4", "721f2c3", "3baeeed", "01acc25", "fe0496e", "55ca8ab",
"cb071e4", "efb9c68", "6a10d04", "492be8e", "c1264bf");
fix = NULL;
foreach ver_branch (keys(fixes))
{
if (version =~ fixes[ver_branch]['affected_ver_regex'])
{
ret = ver_compare(ver:version, fix:fixes[ver_branch]['fixed_ver']);
if (ret < 0)
fix = fixes[ver_branch]['fixed_ver_display'];
else if (ret == 0)
{
if (empty_or_null(changeset))
fix = fixes[ver_branch]['fixed_ver_display'];
else
foreach affected_changeset (fixes[ver_branch]['affected_changesets'])
if (changeset == affected_changeset)
fix = fixes[ver_branch]['fixed_ver_display'];
}
}
}
if (empty_or_null(fix))
audit(AUDIT_INST_PATH_NOT_VULN, app_name, display_version, path);
items = make_array(
'Installed version', display_version,
'Fixed version', fix,
'Path', path
);
order = make_list('Path', 'Installed version', 'Fixed version');
report = report_items_str(report_items:items, ordered_fields:order) + '\n';
security_report_v4(port:0, extra:report, severity:SECURITY_NOTE);
2.1 Low
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:N/I:N/A:P
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
5.8 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
32.6%