CVE-2020-11741: 313 - Xen Security Advisories

An issue was discovered in xenoprof in Xen through 4.13.x, allowing guest OS users (with active profiling) to obtain sensitive information about other guests, cause a denial of service, or possibly gain privileges. For guests for which “active” profiling was enabled by the administrator, the xenoprof code uses the standard Xen shared ring structure. Unfortunately, this code did not treat the guest as a potential adversary: it trusts the guest not to modify buffer size information or modify head / tail pointers in unexpected ways. This can crash the host (DoS). Privilege escalation cannot be ruled out.


Information

Advisory: XSA-313
Public release: 2020-04-14 12:00
Updated: 2020-04-14 12:00
Version: 3
CVE(s): CVE-2020-11740 CVE-2020-11741
Title: multiple xenoprof issues
Files: advisory-313.txt (signed advisory file), xsa313.meta, xsa313-1.patch, xsa313-2.patch

Advisory

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Xen Security Advisory CVE-2020-11740,CVE-2020-11741 / XSA-313
                          version 3

                   multiple xenoprof issues

UPDATES IN VERSION 3

Public release.

ISSUE DESCRIPTION

Unprivileged guests can request to map xenoprof buffers, even if profiling has not been enabled for those guests. These buffers were not scrubbed. This is CVE-2020-11740.

Furthermore, for guests for which “active” profiling was enabled by the administrator, the xenoprof code uses the standard Xen shared ring structure. Unfortunately, this code did not treat the guest as a potential adversary: it trusts the guest not to modify buffer size information or modify head / tail pointers in unexpected ways. This is CVE-2020-11741.

IMPACT

A malicious guest may be able to access sensitive information pertaining to other guests. Guests with “active profiling” enabled can crash the host (DoS). Privilege escalation cannot be ruled out.

VULNERABLE SYSTEMS

Only x86 PV guests can leverage the vulnerabilities. Arm guests and x86 HVM and PVH guests cannot leverage the vulnerabilities.

All Xen versions back to at least 3.2 are vulnerable.

Any x86 PV guest can leverage the information leak. Only x86 PV guests whose host administrator has explicitly enabled “active profiling” for an untrusted guest can exploit the DoS / potential privilege escalation.

Only builds of Xen with the Xenoprof functionality enabled at build time are vulnerable. The option to disable the functionality at build time was introduced in Xen 4.7.

MITIGATION

Never making any untrusted guests “active” will avoid all but the info leak part of the vulnerabilities. There’s no known mitigation for the information leak (lack of scrubbing).

CREDITS

This issue was discovered by Ilja Van Sprundel of IOActive.

RESOLUTION

Applying the attached set of patches resolves these issues.

The first patch fixes the information leak issue, and should be applied to all x86 systems running untrusted PV guests.

The second patch fixes the “active profiling” issue. Systems which do not enable active profiling can safely skip patch 2.

Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches.

xsa313-?.patch xen-unstable, Xen 4.9.x - 4.13.x

$ sha256sum xsa313*
63a11c5470a6c24f19d3a8a45042306256e7422d6556e3d76badaa515deb76d6  xsa313.meta
f186ad88b492b730aeae3bd01083dd6c13813ce08bcd4ffc608d7af500633a62  xsa313-1.patch
9fbcb5f11e5029e7d371ddb3520443c2780f240edc3d24436872935e34a85c37  xsa313-2.patch
$

DEPLOYMENT DURING EMBARGO

Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators.

But: Distribution of updated software is prohibited (except to other members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team.

(Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team’s decisionmaking.)

For more information about permissible uses of embargoed information, consult the Xen Project community’s agreed Security Policy: http://www.xenproject.org/security-policy.html

-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl6VpdkMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZYZcH/0UHo2zmXGMDvZn1EF20ccKXNoZjvAE5TxSr/A/M
qkeASj4IMKlrPOrvs7aQSp97vECTz71Fxz2z7wpGwgIdiOYcRVg/t3b/+E1QSx5N
T7xYxxD9ULOLBQyPjYnXYwDC9+9yy+PZuWt3oPeXHrdtLI/5VY/gCzU+k+7bDABh
uljJ5KqxeQ5W8DOCR+XscQSZ9wiSkyh8MANjuJJ7uhtVDBo+ul94lrInJYEaBVpI
At5cU53B5nVGQ3RkNyWKjSW3VbL1TLgTdWAJNQOo+Z0OZJiKm6xQ6OYph2L4C4j4
e5A5c8UZAXLxVFWIMuiRW2GekOQEkGXtu+uJP00GuXm3+cQ=
=1C0J
-----END PGP SIGNATURE-----

Xenproject.org Security Team
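To make the two bug classes in the advisory's ISSUE DESCRIPTION concrete, here is an added illustration in C. It is not Xen's xenoprof code: the structure layout and every function name (`shared_ring`, `private_ring`, `ring_setup`, `ring_put_trusting`, `ring_put_hardened`) are constructed for this example. `ring_put_trusting` shows the pattern the advisory describes, reading size/head/tail straight from a guest-writable page and indexing with them. `ring_put_hardened` keeps size and head in hypervisor-private state, reads the guest-controlled tail exactly once and bounds-checks that snapshot, and `ring_setup` scrubs the page before it is handed to a guest, which is the missing step behind the information leak.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a sample ring whose control block is mapped into the
 * guest. Layout and field names are constructed for this example. */
#define RING_SLOTS 8u

struct shared_ring {
    uint32_t size;                 /* slot count, as seen (and writable) by the guest */
    uint32_t head;                 /* producer index published to the guest */
    uint32_t tail;                 /* consumer index, advanced by the guest */
    uint64_t samples[RING_SLOTS];
};

/* Bug class from the advisory: every field is read from guest-writable memory
 * and used unchecked. A size of 0 or a head past the array would turn into a
 * divide-by-zero or an out-of-bounds write in hypervisor context. */
static bool ring_put_trusting(struct shared_ring *r, uint64_t sample)
{
    if ((r->head + 1) % r->size == r->tail)
        return false;              /* ring full */
    r->samples[r->head] = sample;
    r->head = (r->head + 1) % r->size;
    return true;
}

/* Hardened form: the hypervisor owns size and head; only tail is taken from
 * the shared page, and only as a single validated snapshot. */
struct private_ring {
    struct shared_ring *shared;    /* the guest-mapped page */
    uint32_t size;                 /* fixed at setup, never re-read from the page */
    uint32_t head;                 /* authoritative producer index */
    unsigned int bad_tail_events;  /* rejected guest values, worth logging */
};

static void ring_setup(struct private_ring *p, struct shared_ring *page)
{
    /* Scrub before mapping: stale contents from a previous user would
     * otherwise be readable by the new guest. */
    memset(page, 0, sizeof(*page));
    page->size = RING_SLOTS;
    p->shared = page;
    p->size = RING_SLOTS;
    p->head = 0;
    p->bad_tail_events = 0;
}

static bool ring_put_hardened(struct private_ring *p, uint64_t sample)
{
    /* One volatile read: validate this snapshot, never the live field. */
    uint32_t tail = *(volatile uint32_t *)&p->shared->tail;

    if (tail >= p->size) {
        p->bad_tail_events++;      /* guest corrupted the index: drop the sample */
        return false;
    }
    if ((p->head + 1) % p->size == tail)
        return false;              /* ring full */

    p->shared->samples[p->head] = sample;
    p->head = (p->head + 1) % p->size;
    p->shared->head = p->head;     /* published for the guest; never read back */
    return true;
}

/* True if every sample slot is zero (checks that the scrub happened). */
static bool ring_samples_scrubbed(const struct shared_ring *page)
{
    for (size_t i = 0; i < RING_SLOTS; i++)
        if (page->samples[i] != 0)
            return false;
    return true;
}

int main(void)
{
    struct shared_ring page;
    struct private_ring ring;

    memset(&page, 0xab, sizeof(page));          /* constructed stale data */
    ring_setup(&ring, &page);
    printf("scrubbed: %d\n", ring_samples_scrubbed(&page));
    printf("put ok: %d\n", ring_put_hardened(&ring, 0x1234));

    page.tail = 0xffffffffu;                    /* guest writes an out-of-range tail */
    page.size = 0;                              /* and zeroes the size field */
    printf("put with corrupted page: %d (head stays %u, rejected=%u)\n",
           ring_put_hardened(&ring, 0x5678), ring.head, ring.bad_tail_events);
    return 0;
}
```

The design point is that the hardened producer never computes with a value the guest can change between check and use: the guest-owned `tail` is copied once, compared against a private `size`, and the private `head` is the only index used to write into the array.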
