ID CVE-2016-10025
Summary VMFUNC emulation in Xen 4.6.x through 4.8.x on x86 systems using AMD virtualization extensions (aka SVM) allows local HVM guest OS users to cause a denial of service (hypervisor crash) by leveraging a missing NULL pointer check.
References
Vulnerable Configurations
  • Xen 4.8.0
    cpe:2.3:o:xen:xen:4.8.0
  • Xen 4.6.0
    cpe:2.3:o:xen:xen:4.6.0
  • Xen 4.6.1
    cpe:2.3:o:xen:xen:4.6.1
  • Xen 4.6.3
    cpe:2.3:o:xen:xen:4.6.3
  • Xen 4.6.4
    cpe:2.3:o:xen:xen:4.6.4
  • Xen 4.7.0
    cpe:2.3:o:xen:xen:4.7.0
  • Xen 4.7.1
    cpe:2.3:o:xen:xen:4.7.1
  • Citrix XenServer 7.0
    cpe:2.3:a:citrix:xenserver:7.0
  • Citrix XenServer 6.5
    cpe:2.3:a:citrix:xenserver:6.5
  • Citrix XenServer 6.2.0
    cpe:2.3:a:citrix:xenserver:6.2.0
  • Citrix XenServer 6.0.2
    cpe:2.3:a:citrix:xenserver:6.0.2
CVSS
Base: 2.1 (as of 27-01-2017 - 08:36)
CWE CWE-476
CAPEC
Access
  Vector: LOCAL
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: NONE
  Integrity: NONE
  Availability: PARTIAL
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-2.NASL
    description This update for xen fixes the following issues:
      - A mishandling of SYSCALL singlestep during emulation which could have led to privilege escalation. (XSA-204, bsc#1016340, CVE-2016-10013)
      - CMPXCHG8B emulation failed to ignore operand size override which could have led to information disclosure. (XSA-200, bsc#1012651, CVE-2016-9932)
      - PV guests may have been able to mask interrupts causing a Denial of Service. (XSA-202, bsc#1014298, CVE-2016-10024)
      - A missing NULL pointer check in VMFUNC emulation could lead to a hypervisor crash leading to a Denial of Service. (XSA-203, bsc#1014300, CVE-2016-10025)
      This update was imported from the SUSE:SLE-12-SP2:Update update project.
    last seen 2019-02-21
    modified 2017-01-31
    plugin id 96250
    published 2017-01-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96250
    title openSUSE Security Update : xen (openSUSE-2017-2)
  • NASL family Misc.
    NASL id XEN_SERVER_XSA-203.NASL
    description According to its self-reported version number, the Xen hypervisor installed on the remote host is missing a security update. It is, therefore, affected by a NULL pointer dereference flaw due to a failure to utilize necessary NULL checks before doing indirect function calls through the hvmemul_vmfunc() function pointer. A guest attacker can exploit this issue to cause the hypervisor to crash, resulting in a denial of service condition. Please note the following items:
      - Only HVM guests can exploit the vulnerability. PV guests cannot exploit the vulnerability.
      - Only x86 systems are vulnerable that use SVM (AMD virtualization extensions) rather than VMX (Intel virtualization extensions). This applies to HVM guests on AMD x86 CPUs. Therefore, AMD x86 hardware is vulnerable whereas Intel hardware is not.
      - ARM systems are not affected by the vulnerability.
      Note that Nessus has not tested for this vulnerability but has instead relied only on the changeset versions based on the xen.git change log. Nessus did not check guest hardware configurations or if patches were applied manually to the source code before a recompile and reinstall.
    last seen 2019-02-21
    modified 2018-08-08
    plugin id 96959
    published 2017-02-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96959
    title Xen Intel VMX hvmemul_vmfunc() NULL Pointer Dereference DoS (XSA-203)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-3208-1.NASL
    description This update for xen fixes the following issues:
      - A mishandling of SYSCALL singlestep during emulation which could have led to privilege escalation. (XSA-204, bsc#1016340, CVE-2016-10013)
      - CMPXCHG8B emulation failed to ignore operand size override which could have led to information disclosure. (XSA-200, bsc#1012651, CVE-2016-9932)
      - PV guests may have been able to mask interrupts causing a Denial of Service. (XSA-202, bsc#1014298, CVE-2016-10024)
      - A missing NULL pointer check in VMFUNC emulation could lead to a hypervisor crash leading to a Denial of Service. (XSA-203, bsc#1014300, CVE-2016-10025)
      Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 96076
    published 2016-12-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96076
    title SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2016:3208-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-92E3EA2D1B.NASL
    description two security flaws (#1406840)
      - x86 PV guests may be able to mask interrupts [XSA-202, CVE-2016-10024]
      - x86: missing NULL pointer check in VMFUNC emulation [XSA-203, CVE-2016-10025]
      - x86: Mishandling of SYSCALL singlestep during emulation [XSA-204, CVE-2016-10013] (#1406260)
      Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2017-01-31
    plugin id 96158
    published 2016-12-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96158
    title Fedora 25 : xen (2016-92e3ea2d1b)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-BC02BFF7F5.NASL
    description two security flaws (#1406840)
      - x86 PV guests may be able to mask interrupts [XSA-202, CVE-2016-10024]
      - x86: missing NULL pointer check in VMFUNC emulation [XSA-203, CVE-2016-10025]
      - x86: Mishandling of SYSCALL singlestep during emulation [XSA-204, CVE-2016-10013] (#1406260)
      Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2017-01-31
    plugin id 96216
    published 2017-01-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96216
    title Fedora 24 : xen (2016-bc02bff7f5)
  • NASL family Misc.
    NASL id CITRIX_XENSERVER_CTX219378.NASL
    description The version of Citrix XenServer installed on the remote host is missing a security hotfix. It is, therefore, affected by multiple vulnerabilities:
      - A flaw exists in x86 instruction CMPXCHG8B due to legacy operand size overrides not being properly ignored when handling prefixes. A guest attacker can exploit this to disclose potentially sensitive information on the host system. Note that the ability to read a small amount of hypervisor memory is restricted to privileged-mode code in all guests except on Citrix XenServer 6.2 SP1 and 6.0.2CC, where the attack may also be performed from non-privileged-mode code in HVM guest VMs. (CVE-2016-9932)
      - A denial of service vulnerability exists when a guest asynchronously modifies its instruction stream to effect the clearing of EFLAGS.IF. A guest attacker can exploit this to cause the host to hang or crash. (CVE-2016-10024)
      - A denial of service vulnerability exists due to a NULL pointer dereference flaw that is triggered when the hvmemul_vmfunc() function pointer uses inappropriate NULL checks before indirect function calls. A guest attacker can exploit this to cause the hypervisor to crash. Note that the ability of privileged-mode code in HVM guest VMs to crash the host is restricted to AMD systems running Citrix XenServer 7.0. (CVE-2016-10025)
    last seen 2019-02-21
    modified 2018-07-06
    plugin id 96778
    published 2017-01-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96778
    title Citrix XenServer Multiple Vulnerabilities (CTX219378)
refmap via4
bid 95026
confirm
sectrack 1037518
Last major update 27-01-2017 - 09:22
Published 26-01-2017 - 10:59