Bug 1168140 (CVE-2020-11740)

Summary: VUL-0: CVE-2020-11740,CVE-2020-11741 xen: XSA-313 v1 - multiple xenoprof issues
Product: [Novell Products] SUSE Security Incidents Reporter: Wolfgang Frisch <wolfgang.frisch>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: atoptsoglou, carnold, gabriele.sonnu, jbeulich
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/256122
Whiteboard: CVSSv2:NVD:CVE-2020-11740:2.1:(AV:L/AC:L/Au:N/C:P/I:N/A:N) CVSSv2:NVD:CVE-2020-11741:6.9:(AV:L/AC:M/Au:N/C:C/I:C/A:C) CVSSv3.1:NVD:CVE-2020-11740:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) CVSSv3.1:NVD:CVE-2020-11741:8.8:(AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) CVSSv3.1:RedHat:CVE-2020-11740:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) CVSSv3.1:RedHat:CVE-2020-11741:8.1:(AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Comment 11 Alexandros Toptsoglou 2020-04-14 12:23:32 UTC 
now public through oss 
 
Xen Security Advisory CVE-2020-11740,CVE-2020-11741 / XSA-313
                              version 3

                       multiple xenoprof issues

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

Unprivileged guests can request to map xenoprof buffers, even if
profiling has not been enabled for those guests.  These buffers were
not scrubbed.  This is CVE-2020-11740.

Furthermore, for guests for which "active" profiling was enabled by
the administrator, the xenoprof code uses the standard Xen shared ring
structure.  Unfortunately, this code did not treat the guest as a
potential adversary: it trusts the guest not to modify buffer size
information or modify head / tail pointers in unexpected ways.  This is
CVE-2020-11741.

IMPACT
======

A malicious guest may be able to access sensitive information
pertaining to other guests.  Guests with "active profiling" enabled
can crash the host (DoS).  Privilege escalation cannot be ruled out.

VULNERABLE SYSTEMS
==================

Only x86 PV guests can leverage the vulnerabilities.  Arm guests and
x86 HVM and PVH guests cannot leverage the vulnerabilities.

All Xen versions back to at least 3.2 are vulnerable.

Any x86 PV guest can leverage the information leak.  Only x86 PV guests
whose host administrator has explicitly enabled "active profiling" for an
untrusted guest can exploit the DoS / potential privilege escalation.

Only builds of Xen with the Xenoprof functionality enabled at build
time are vulnerable.  The option to disable the functionality at build
time was been introduced in Xen 4.7.

MITIGATION
==========

Never making any untrusted guests "active" will avoid all but the info
leak part of the vulnerabilities.  There's no known mitigation for the
information leak (lack of scrubbing).

CREDITS
=======

This issue was discovered by Ilja Van Sprundel of IOActive.

RESOLUTION
==========

Applying the attached set of patches resolves these issues.

The first patch fixes the information leak issue, and should be
applied to all x86 systems running untrusted PV guests.

The second patch fixes the "active profiling" issue.  Systems which do
not enable active profiling can safely skip patch 2.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa313-?.patch         xen-unstable, Xen 4.9.x - 4.13.x

$ sha256sum xsa313*
63a11c5470a6c24f19d3a8a45042306256e7422d6556e3d76badaa515deb76d6  xsa313.meta
f186ad88b492b730aeae3bd01083dd6c13813ce08bcd4ffc608d7af500633a62  xsa313-1.patch
9fbcb5f11e5029e7d371ddb3520443c2780f240edc3d24436872935e34a85c37  xsa313-2.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
Comment 13 Swamp Workflow Management 2020-04-28 10:21:01 UTC 
SUSE-SU-2020:1124-1: An update that solves 5 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1027519,1134506,1155200,1157490,1160932,1165206,1167007,1167152,1168140,1168142,1168143,1169392
CVE References: CVE-2020-11739,CVE-2020-11740,CVE-2020-11741,CVE-2020-11742,CVE-2020-11743
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    xen-4.12.2_04-3.15.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    xen-4.12.2_04-3.15.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    xen-4.12.2_04-3.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2020-04-29 16:28:43 UTC 
SUSE-SU-2020:1138-1: An update that solves 6 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1027519,1155200,1160932,1161181,1167152,1168140,1168142,1168143,1169392
CVE References: CVE-2020-11739,CVE-2020-11740,CVE-2020-11741,CVE-2020-11742,CVE-2020-11743,CVE-2020-7211
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    xen-4.11.3_04-2.23.1
SUSE Linux Enterprise Server 12-SP4 (src):    xen-4.11.3_04-2.23.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2020-04-29 17:05:38 UTC 
SUSE-SU-2020:1139-1: An update that solves 6 vulnerabilities and has 8 fixes is now available.

Category: security (important)
Bug References: 1027519,1134506,1155200,1157490,1160932,1161181,1162040,1165206,1167007,1167152,1168140,1168142,1168143,1169392
CVE References: CVE-2020-11739,CVE-2020-11740,CVE-2020-11741,CVE-2020-11742,CVE-2020-11743,CVE-2020-7211
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    xen-4.12.2_04-3.11.1
SUSE Linux Enterprise Server 12-SP5 (src):    xen-4.12.2_04-3.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Swamp Workflow Management 2020-05-01 22:41:06 UTC 
openSUSE-SU-2020:0599-1: An update that solves 5 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1027519,1134506,1155200,1157490,1160932,1165206,1167007,1167152,1168140,1168142,1168143,1169392
CVE References: CVE-2020-11739,CVE-2020-11740,CVE-2020-11741,CVE-2020-11742,CVE-2020-11743
Sources used:
openSUSE Leap 15.1 (src):    xen-4.12.2_04-lp151.2.15.1
Comment 18 Swamp Workflow Management 2020-06-16 19:13:19 UTC 
SUSE-SU-2020:1630-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 1157888,1158003,1158004,1158005,1158006,1158007,1161181,1167152,1168140,1168142,1169392,1172205
CVE References: CVE-2019-19577,CVE-2019-19578,CVE-2019-19579,CVE-2019-19580,CVE-2019-19581,CVE-2019-19583,CVE-2020-0543,CVE-2020-11739,CVE-2020-11740,CVE-2020-11741,CVE-2020-11742,CVE-2020-7211
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    xen-4.9.4_06-3.62.1
SUSE OpenStack Cloud 8 (src):    xen-4.9.4_06-3.62.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    xen-4.9.4_06-3.62.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    xen-4.9.4_06-3.62.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    xen-4.9.4_06-3.62.1
SUSE Enterprise Storage 5 (src):    xen-4.9.4_06-3.62.1
HPE Helion Openstack 8 (src):    xen-4.9.4_06-3.62.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Swamp Workflow Management 2020-06-17 13:13:05 UTC 
SUSE-SU-2020:1634-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1167152,1168140,1168142,1168143,1169392,1172205
CVE References: CVE-2020-0543,CVE-2020-11739,CVE-2020-11740,CVE-2020-11741,CVE-2020-11742,CVE-2020-11743
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    xen-4.10.4_10-3.31.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    xen-4.10.4_10-3.31.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    xen-4.10.4_10-3.31.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 22 Swamp Workflow Management 2020-08-04 19:40:50 UTC 
SUSE-SU-2020:14444-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1152497,1154448,1154456,1154458,1154461,1155945,1157888,1158004,1158005,1158006,1158007,1161181,1163019,1168140,1169392,1174543
CVE References: CVE-2018-12207,CVE-2019-11135,CVE-2019-18420,CVE-2019-18421,CVE-2019-18424,CVE-2019-18425,CVE-2019-19577,CVE-2019-19578,CVE-2019-19579,CVE-2019-19580,CVE-2019-19583,CVE-2020-11740,CVE-2020-11741,CVE-2020-11742,CVE-2020-7211,CVE-2020-8608
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    xen-4.4.4_42-61.52.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_42-61.52.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 23 Swamp Workflow Management 2020-08-11 16:18:43 UTC 
SUSE-SU-2020:14448-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1154456,1154458,1161181,1163019,1168140,1169392,1174543
CVE References: CVE-2019-18421,CVE-2019-18425,CVE-2020-11740,CVE-2020-11741,CVE-2020-11742,CVE-2020-7211,CVE-2020-8608
JIRA References: 
Sources used:
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xen-4.2.5_22-45.36.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xen-4.2.5_22-45.36.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 24 Swamp Workflow Management 2020-08-13 13:18:36 UTC 
SUSE-SU-2020:2234-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1163019,1168140,1168142,1169392,1174543
CVE References: CVE-2020-11739,CVE-2020-11740,CVE-2020-11741,CVE-2020-11742,CVE-2020-8608
JIRA References: 
Sources used:
SUSE OpenStack Cloud 7 (src):    xen-4.7.6_08-43.64.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    xen-4.7.6_08-43.64.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    xen-4.7.6_08-43.64.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    xen-4.7.6_08-43.64.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 27 Charles Arnold 2021-01-22 20:11:16 UTC 
Backported and released to 11-SP1.
Comment 28 Gabriele Sonnu 2022-04-14 15:26:42 UTC 
Done.