OracleVM 3.2 : xen (OVMSA-2013-0036)

medium Nessus Plugin ID 79505

Synopsis

The remote OracleVM host is missing one or more security updates.

Description

The remote OracleVM system is missing necessary patches to address critical security updates :

- VT-d: don't permit SVT_NO_VERIFY entries for known device types. Only in cases where we don't know what to do should we leave the IRTE blank (suppressing all validation), but we should always log a warning in those cases (as being insecure). This is CVE-2013-1952 / XSA-49. (CVE-2013-1952)

- x86: make page table handling error paths preemptible ... as they may take significant amounts of time. This requires cloning the tweaked continuation logic from do_mmuext_op to do_mmu_update. Note that in mod_l[34]_entry a negative 'preemptible' value gets passed to put_page_from_l[34]e now, telling the callee to store the respective page in current->arch.old_guest_table (for a hypercall continuation to pick up), rather than carrying out the put right away. This is going to be made a little more explicit by a subsequent cleanup patch. This is part of CVE-2013-1918 / XSA-45. (CVE-2013-1918)

- x86: make page table unpinning preemptible ... as it may take significant amounts of time. Since we can't re-invoke the operation in a second attempt, the continuation logic must be slightly tweaked so that we make sure do_mmuext_op gets run one more time even when the preempted unpin operation was the last one in a batch. This is part of CVE-2013-1918 / XSA-45. (CVE-2013-1918)

- x86: make vcpu_reset preemptible ... as dropping the old page tables may take significant amounts of time. This is part of CVE-2013-1918 / XSA-45. (CVE-2013-1918)

- x86: make MMUEXT_NEW_USER_BASEPTR preemptible ... as it may take significant amounts of time. This is part of CVE-2013-1918 / XSA-45. (CVE-2013-1918)

- x86: make new_guest_cr3 preemptible ... as it may take significant amounts of time. This is part of CVE-2013-1918 / XSA-45. (CVE-2013-1918)

- x86: make vcpu_destroy_pagetables preemptible ... as it may take significant amounts of time. The function, being moved to mm.c as the better home for it anyway, and to avoid having to make a new helper function there non-static, is given a 'preemptible' parameter temporarily (until, in a subsequent patch, its other caller is also being made capable of dealing with preemption). This is part of CVE-2013-1918 / XSA-45. (CVE-2013-1918)

- Fix rcu domain locking for transitive grants. When acquiring a transitive grant for copy then the owning domain needs to be locked down as well as the granting domain. This was being done, but the unlocking was not. The acquire code now stores the struct domain * of the owning domain (rather than the domid) in the active entry in the granting domain. The release code then does the unlock on the owning domain. Note that I believe I also fixed a bug where, for non-transitive grants, the active entry contained a reference to the acquiring domain rather than the granting domain. From my reading of the code this would stop the release code for transitive grants from terminating its recursion correctly. Also, for non-transitive grants we now avoid incorrectly recursing in __release_grant_for_copy. This is CVE-2013-1964 / XSA-50. (CVE-2013-1964)

Solution

Update the affected xen / xen-devel / xen-tools packages.
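The plugin is a local check: it reads the host's installed package list (the Host/OracleVM/rpm-list knowledge-base item) and flags xen, xen-devel and xen-tools if their version-release is older than the one shipped with OVMSA-2013-0036. The following is an added example of that comparison, written for this page and not taken from the plugin or from Tenable's code. It implements RPM's segment-wise version ordering (numeric segments compare as integers, a numeric segment outranks an alphabetic one, and a '~' segment sorts before everything, including the end of the string), splits NAME-VERSION-RELEASE.ARCH lines from the right so dashes in package names do not confuse the parse, and reports installed packages below a threshold. The fixed versions in the block are placeholders, not the versions from the errata, and the rpm-list excerpt is constructed for the example.

```python
import re

# Segments rpmvercmp() compares: runs of digits, runs of letters, and the
# '~' pre-release marker. Dots, dashes and other punctuation only separate
# segments. The '^' post-release marker of newer rpm is not handled here.
_SEG = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings the way rpm orders them.
    Numeric segments compare as integers (1.10 > 1.9), alphabetic segments as
    strings, numeric beats alphabetic, and '~' sorts before anything else,
    including the end of the string (1.0~rc1 < 1.0). Returns -1, 0 or 1."""
    ta, tb = _SEG.findall(a), _SEG.findall(b)
    for i in range(max(len(ta), len(tb))):
        x = ta[i] if i < len(ta) else None
        y = tb[i] if i < len(tb) else None
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x is None:            # a ran out of segments first: a is older
            return -1
        if y is None:            # b ran out first: a is newer (1.0a > 1.0)
            return 1
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            c = 1 if x.isdigit() else -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    return 0


def evr_cmp(a: tuple, b: tuple) -> int:
    """Compare (epoch, version, release) triples: epoch first (plain int),
    then version, then release, the last two with rpmvercmp semantics."""
    ea, va, ra = a
    eb, vb, rb = b
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def parse_nvra(line: str) -> tuple:
    """Split a 'NAME-VERSION-RELEASE.ARCH' line (default 'rpm -qa' output)
    from the right, because package names may themselves contain dashes."""
    nvr, _, arch = line.rpartition(".")
    nv, _, release = nvr.rpartition("-")
    name, _, version = nv.rpartition("-")
    return name, version, release, arch


def missing_updates(rpm_list: str, fixed: dict) -> list:
    """Return [(name, installed_vr, fixed_vr)] for each installed package in
    `fixed` whose version-release is older than the fixed one. Packages that
    are not installed are not reported. 'rpm -qa' output carries no epoch, so
    epoch 0 is assumed on both sides."""
    found = []
    for line in rpm_list.splitlines():
        line = line.strip()
        if not line:
            continue
        name, version, release, _arch = parse_nvra(line)
        if name not in fixed:
            continue
        fixed_ver, fixed_rel = fixed[name]
        if evr_cmp((0, version, release), (0, fixed_ver, fixed_rel)) < 0:
            found.append((name, f"{version}-{release}", f"{fixed_ver}-{fixed_rel}"))
    return found


# Placeholder thresholds for the example. These are NOT the package versions
# from OVMSA-2013-0036; take the real NVRs from the errata mail for a live check.
FIXED_PLACEHOLDER = {
    "xen":       ("4.1.3", "25.el5.99"),
    "xen-devel": ("4.1.3", "25.el5.99"),
    "xen-tools": ("4.1.3", "25.el5.99"),
}

# Constructed rpm-list excerpt for the example, not taken from a real host.
SAMPLE_RPM_LIST = """\
xen-4.1.3-25.el5.10.x86_64
xen-tools-4.1.3-25.el5.10.x86_64
xen-devel-4.1.3-25.el5.99.x86_64
kernel-uek-2.6.39-300.32.1.el5uek.x86_64
"""

if __name__ == "__main__":
    for name, have, want in missing_updates(SAMPLE_RPM_LIST, FIXED_PLACEHOLDER):
        print(f"{name}: installed {have}, fixed in {want}")
```

With the constructed input, xen and xen-tools are reported (release 25.el5.10 sorts below 25.el5.99) while xen-devel, already at the threshold, is not. Comparing with plain string or float comparison instead of segment-wise ordering is a common source of false negatives in home-grown patch checks; the 1.10-versus-1.9 case in the docstring is the usual trap.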

See Also

https://oss.oracle.com/pipermail/oraclevm-errata/2013-May/000149.html

Plugin Details

Severity: Medium

ID: 79505

File Name: oraclevm_OVMSA-2013-0036.nasl

Version: 1.6

Type: local

Published: 11/26/2014

Updated: 1/4/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.9

Temporal Score: 5.1

Vector: CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:xen, p-cpe:/a:oracle:vm:xen-devel, p-cpe:/a:oracle:vm:xen-tools, cpe:/o:oracle:vm_server:3.2

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 5/3/2013

Vulnerability Publication Date: 5/13/2013

Reference Information

CVE: CVE-2013-1918, CVE-2013-1952, CVE-2013-1964

BID: 59293, 59615, 59617