Headline
Ubuntu Security Notice USN-5617-1
Ubuntu Security Notice 5617-1 - It was discovered that memory contents previously stored in microarchitectural special registers after RDRAND, RDSEED, and SGX EGETKEY read operations on Intel client and Xeon E3 processors may be briefly exposed to processes on the same or different processor cores. A local attacker could use this to expose sensitive information. Julien Grall discovered that Xen incorrectly handled memory barriers on ARM-based systems. An attacker could possibly use this issue to cause a denial of service, obtain sensitive information or escalate privileges.
==========================================================================
Ubuntu Security Notice USN-5617-1
September 19, 2022
xen vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in Xen.
Software Description:
- xen: Public headers and libs for Xen
Details:
It was discovered that memory contents previously stored in
microarchitectural special registers after RDRAND, RDSEED, and SGX EGETKEY
read operations on Intel client and Xeon E3 processors may be briefly
exposed to processes on the same or different processor cores. A local
attacker could use this to expose sensitive information. (CVE-2020-0543)
Julien Grall discovered that Xen incorrectly handled memory barriers on
ARM-based systems. An attacker could possibly use this issue to cause a
denial of service, obtain sensitive information or escalate privileges.
(CVE-2020-11739)
Ilja Van Sprundel discovered that Xen incorrectly handled profiling of
guests. An unprivileged attacker could use this issue to obtain sensitive
information from other guests, cause a denial of service or possibly gain
privileges. (CVE-2020-11740, CVE-2020-11741)
It was discovered that Xen incorrectly handled grant tables. A malicious
guest could possibly use this issue to cause a denial of service.
(CVE-2020-11742, CVE-2020-11743)
Jan Beulich discovered that Xen incorrectly handled certain code paths. An
attacker could possibly use this issue to cause a denial of service.
(CVE-2020-15563)
Julien Grall discovered that Xen incorrectly verified memory addresses
provided by the guest on ARM-based systems. A malicious guest administrator
could possibly use this issue to cause a denial of service. (CVE-2020-15564)
Roger Pau Monné discovered that Xen incorrectly handled caching on x86 Intel
systems. An attacker could possibly use this issue to cause a denial of
service. (CVE-2020-15565)
It was discovered that Xen incorrectly handled error in event-channel port
allocation. A malicious guest could possibly use this issue to cause a
denial of service. (CVE-2020-15566)
Jan Beulich discovered that Xen incorrectly handled certain EPT (Extended
Page Tables). An attacker could possibly use this issue to cause a denial
of service, data corruption or privilege escalation. (CVE-2020-15567)
Andrew Cooper discovered that Xen incorrectly handled PCI passthrough.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2020-25595)
Andrew Cooper discovered that Xen incorrectly sanitized path injections.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2020-25596)
Jan Beulich discovered that Xen incorrectly handled validation of event
channels. An attacker could possibly use this issue to cause a denial
of service. (CVE-2020-25597)
Julien Grall and Jan Beulich discovered that Xen incorrectly handled
resetting event channels. An attacker could possibly use this issue to
cause a denial of service or obtain sensitive information. (CVE-2020-25599)
Julien Grall discovered that Xen incorrectly handled event channels
memory allocation on 32-bits domains. An attacker could possibly use this
issue to cause a denial of service. (CVE-2020-25600)
Jan Beulich discovered that Xen incorrectly handled resetting or cleaning
up event channels. An attacker could possibly use this issue to cause a
denial of service. (CVE-2020-25601)
Andrew Cooper discovered that Xen incorrectly handled certain Intel
specific MSR (Model Specific Registers). An attacker could possibly use
this issue to cause a denial of service. (CVE-2020-25602)
Julien Grall discovered that Xen incorrectly handled accessing/allocating
event channels. An attacker could possibly use this issue to cause a
denial of service, obtain sensitive information of privilege escalation.
(CVE-2020-25603)
Igor Druzhinin discovered that Xen incorrectly handled locks. An attacker
could possibly use this issue to cause a denial of service. (CVE-2020-25604)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS:
libxendevicemodel1 4.11.3+24-g14b62ab3e5-1ubuntu2.3
libxenevtchn1 4.11.3+24-g14b62ab3e5-1ubuntu2.3
libxengnttab1 4.11.3+24-g14b62ab3e5-1ubuntu2.3
libxenmisc4.11 4.11.3+24-g14b62ab3e5-1ubuntu2.3
xen-hypervisor-4.11-amd64 4.11.3+24-g14b62ab3e5-1ubuntu2.3
xen-hypervisor-4.11-arm64 4.11.3+24-g14b62ab3e5-1ubuntu2.3
xen-hypervisor-4.11-armhf 4.11.3+24-g14b62ab3e5-1ubuntu2.3
xen-utils-4.11 4.11.3+24-g14b62ab3e5-1ubuntu2.3
xen-utils-common 4.11.3+24-g14b62ab3e5-1ubuntu2.3
xenstore-utils 4.11.3+24-g14b62ab3e5-1ubuntu2.3
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5617-1
CVE-2020-0543, CVE-2020-11739, CVE-2020-11740, CVE-2020-11741,
CVE-2020-11742, CVE-2020-11743, CVE-2020-15563, CVE-2020-15564,
CVE-2020-15565, CVE-2020-15566, CVE-2020-15567, CVE-2020-25595,
CVE-2020-25596, CVE-2020-25597, CVE-2020-25599, CVE-2020-25600,
CVE-2020-25601, CVE-2020-25602, CVE-2020-25603, CVE-2020-25604
Package Information:
https://launchpad.net/ubuntu/+source/xen/4.11.3+24-g14b62ab3e5-1ubuntu2.3
Related news
Dell EMC Metro node, Version(s) prior to 7.1, contain a Code Injection Vulnerability. An authenticated nonprivileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application.
Pexip Infinity 27 before 28.0 allows remote attackers to trigger excessive resource consumption and termination because of registrar resource mishandling.
Pexip Infinity before 27.3 allows remote attackers to force a software abort via HTTP.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via One Touch Join.
Pexip Infinity before 27.3 allows remote attackers to trigger excessive resource consumption via H.264.
Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via single-sign-on if a random Universally Unique Identifier is guessed.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via the Session Initiation Protocol.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort, and possibly enumerate usernames, via One Touch Join.
Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via the Session Initiation Protocol.
Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via HTTP.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via One Touch Join.
An issue was discovered in Xen through 4.14.x. An x86 PV guest can trigger a host OS crash when handling guest access to MSR_MISC_ENABLE. When a guest accesses certain Model Specific Registers, Xen first reads the value from hardware to use as the basis for auditing the guest access. For the MISC_ENABLE MSR, which is an Intel specific MSR, this MSR read is performed without error handling for a #GP fault, which is the consequence of trying to read this MSR on non-Intel hardware. A buggy or malicious PV guest administrator can crash Xen, resulting in a host Denial of Service. Only x86 systems are vulnerable. ARM systems are not vulnerable. Only Xen versions 4.11 and onwards are vulnerable. 4.10 and earlier are not vulnerable. Only x86 systems that do not implement the MISC_ENABLE MSR (0x1a0) are vulnerable. AMD and Hygon systems do not implement this MSR and are vulnerable. Intel systems do implement this MSR and are not vulnerable. Other manufacturers have not been checked. Only x86 PV...
An issue was discovered in Xen through 4.14.x. x86 PV guest kernels can experience denial of service via SYSENTER. The SYSENTER instruction leaves various state sanitization activities to software. One of Xen's sanitization paths injects a #GP fault, and incorrectly delivers it twice to the guest. This causes the guest kernel to observe a kernel-privilege #GP fault (typically fatal) rather than a user-privilege #GP fault (usually converted into SIGSEGV/etc.). Malicious or buggy userspace can crash the guest kernel, resulting in a VM Denial of Service. All versions of Xen from 3.2 onwards are vulnerable. Only x86 systems are vulnerable. ARM platforms are not vulnerable. Only x86 systems that support the SYSENTER instruction in 64bit mode are vulnerable. This is believed to be Intel, Centaur, and Shanghai CPUs. AMD and Hygon CPUs are not believed to be vulnerable. Only x86 PV guests can exploit the vulnerability. x86 PVH / HVM guests cannot exploit the vulnerability.
An issue was discovered in Xen through 4.14.x. There is a race condition when migrating timers between x86 HVM vCPUs. When migrating timers of x86 HVM guests between its vCPUs, the locking model used allows for a second vCPU of the same guest (also operating on the timers) to release a lock that it didn't acquire. The most likely effect of the issue is a hang or crash of the hypervisor, i.e., a Denial of Service (DoS). All versions of Xen are affected. Only x86 systems are vulnerable. Arm systems are not vulnerable. Only x86 HVM guests can leverage the vulnerability. x86 PV and PVH cannot leverage the vulnerability. Only guests with more than one vCPU can exploit the vulnerability.
An issue was discovered in Xen through 4.14.x. There is mishandling of the constraint that once-valid event channels may not turn invalid. Logic in the handling of event channel operations in Xen assumes that an event channel, once valid, will not become invalid over the life time of a guest. However, operations like the resetting of all event channels may involve decreasing one of the bounds checked when determining validity. This may lead to bug checks triggering, crashing the host. An unprivileged guest may be able to crash Xen, leading to a Denial of Service (DoS) for the entire system. All Xen versions from 4.4 onwards are vulnerable. Xen versions 4.3 and earlier are not vulnerable. Only systems with untrusted guests permitted to create more than the default number of event channels are vulnerable. This number depends on the architecture and type of guest. For 32-bit x86 PV guests, this is 1023; for 64-bit x86 PV guests, and for all ARM guests, this number is 4095. Systems where u...
An issue was discovered in Xen through 4.14.x. The PCI passthrough code improperly uses register data. Code paths in Xen's MSI handling have been identified that act on unsanitized values read back from device hardware registers. While devices strictly compliant with PCI specifications shouldn't be able to affect these registers, experience shows that it's very common for devices to have out-of-spec "backdoor" operations that can affect the result of these reads. A not fully trusted guest may be able to crash Xen, leading to a Denial of Service (DoS) for the entire system. Privilege escalation and information leaks cannot be excluded. All versions of Xen supporting PCI passthrough are affected. Only x86 systems are vulnerable. Arm systems are not vulnerable. Only guests with passed through PCI devices may be able to leverage the vulnerability. Only systems passing through devices with out-of-spec ("backdoor") functionality can cause issues. Experience shows that such out-of-spec functi...