SB2020092323 - Multiple vulnerabilities in Xen

Main Vulnerability Database SB2020092323

SB2020092323 - Multiple vulnerabilities in Xen

Published: September 23, 2020

Security Bulletin ID SB2020092323

Severity

High

Patch available

YES

Number of vulnerabilities 10

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 10 secuirty vulnerabilities.

1) Resource exhaustion (CVE-ID: CVE-2020-25601)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application, as the FIFO event channel model allows guests to have a large number of event channels active at a time. Closing all of these when resetting all event channels or when cleaning up after the guest may take extended periods of time. So far there was no arrangement for preemption at suitable intervals, allowing a CPU to spend an almost unbounded amount of time in the processing of these operations. A remote user can consume all available CPU resources and perform a denial of service (DoS) attack of the entire host system.

2) Race condition (CVE-ID: CVE-2020-25599)

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists due to a race condition caused by uses of EVTCHNOP_reset (potentially by a guest on itself) or XEN_DOMCTL_soft_reset (by itself covered by XSA-77). A remote user on the PV guest can exploit the race and gain unauthorized access to sensitive information and escalate privileges on the host system.

3) Resource management error (CVE-ID: CVE-2020-25600)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to the so called 2-level event channel model imposes different limits on the number of usable event channels for 32-bit x86 domains vs 64-bit or Arm (either bitness) ones. 32-bit x86 domains can use only 1023 channels, due to limited space in their shared (between guest and Xen) information structure, whereas all other domains can use up to 4095 in this model. The recording of the respective limit during domain initialization, however, has occurred at a time where domains are still deemed to be 64-bit ones, prior to actually honoring respective domain properties. At the point domains get recognized as 32-bit ones, the limit didn't get updated accordingly.

Due to this misbehavior in Xen, 32-bit domains (including Domain 0) servicing other domains may observe event channel allocations to succeed when they should really fail. Subsequent use of such event channels would then possibly lead to corruption of other parts of the shared info structure.

As a result, an unprivileged guest may cause another domain, in particular Domain 0, to misbehave, leading to denial of service of the host system.

4) Resource management error (CVE-ID: CVE-2020-25603)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to event channels control structures can be accessed lockless as long as the port is considered to be valid. Such sequence is missing appropriate memory barrier (e.g smp_*mb()) to prevent both the compiler and CPU to re-order access. A malicious guest may be able to cause a hypervisor crash.

5) Resource management error (CVE-ID: CVE-2020-25596)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within guest VM when processing state sanitization activities. A local user or application on the guest operating system can abuse SYSENTER to cause a crash of the guest VM.

6) Resource management error (CVE-ID: CVE-2020-25597)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due a login error in the handling of event channel operations in Xen, which assumes that an event channel, once valid, will not become invalid over the life time of a guest.An unprivileged guest may be able to crash Xen by resetting of all event channels.

7) Use of uninitialized resource (CVE-ID: CVE-2020-25595)

The vulnerability allows a remote user to escalate privileges on the host operating system.

The vulnerability exists due to PCI passthrough code reading back untrusted values fromhardware registers in Xen. A remote user on a guest operating system can run a specially crafted program to obtain potentially sensitive information from memory and crash Xen or escalate privileges on the hypervisor.

The vulnerability affects x86 systems with PCI passthrough support.

8) Race condition (CVE-ID: CVE-2020-25604)

The vulnerability allows a remote user to perform a denial of service (Dos) attack.

The vulnerability exists due to a race condition when migrating timers between x86 HVM vCPU-s in Xen. A remote user on a guest operating system can run a specially crafted program to crash the hypervisor.

9) Resource management error (CVE-ID: CVE-2020-25598)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to missing unlock in XENMEM_acquire_resource error path in Xen. A malicious HVM stubdomain can cause an RCU reference to be leaked. This causes subsequent administration operations, (e.g. CPU offline) to livelock, resulting in a host denial of service.

The vulnerability only affects VMs using HVM stubdomains.

10) Resource management error (CVE-ID: CVE-2020-25602)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application when processing guest requests to the "MISC_ENABLE MSR" register in Xen. A remote privileged PV guest can run a specially crafted program and crash Xen.

Only non-non-Intel x86 systems are affected.

Remediation

Install update from vendor's website.

References