Bug 1158006 - (CVE-2019-19580) VUL-0: CVE-2019-19580: xen: XSA-310 - Further issues with restartable PV type change operations
(CVE-2019-19580)
VUL-0: CVE-2019-19580: xen: XSA-310 - Further issues with restartable PV type...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Major
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/248101/
CVSSv3.1:NVD:CVE-2019-19580:6.6:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-11-28 13:51 UTC by Wolfgang Frisch
Modified: 2022-05-24 11:43 UTC (History)
5 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 10 Alexandros Toptsoglou 2019-12-11 12:14:27 UTC
now public through oss 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2019-19580 / XSA-310
                               version 3

      Further issues with restartable PV type change operations

UPDATES IN VERSION 3
====================

Public release.

Updated metadata to add 4.13, update StableRef's

ISSUE DESCRIPTION
=================

XSA-299 addressed several critical issues in restartable PV type
change operations.  Despite extensive testing and auditing, some
corner cases were missed.

IMPACT
======

A malicious PV guest administrator may be able to escalate their
privilege to that of the host.

VULNERABLE SYSTEMS
==================

All security-supported versions of Xen are vulnerable.

Only x86 systems are affected.  Arm systems are not affected.

Only x86 PV guests can leverage the vulnerability.  x86 HVM and PVH
guests cannot leverage the vulnerability.

Note that these attacks require very precise timing, which may
be difficult to exploit in practice.

MITIGATION
==========

Running only HVM or PVH guests will avoid this vulnerability.

Running PV guests in "shim" mode will also avoid this vulnerability.

CREDITS
=======

This issue was discovered by Sarah Newman at prgmr.com.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa310/*.patch           xen-unstable, Xen 4.13 - 4.10
xsa310-4.9/*.patch       Xen 4.9 - 4.8

$ sha256sum xsa310* xsa310*/*
2208e40c71aa521ae487782bd751963ce696be451d10a179fcecdff7a0065369  xsa310.meta
8e75f0fb5fe890a661c8d46ec622131bc650f1a95b170b99569b50dd2224616c  xsa310-4.9/0001-x86-mm-Set-old_guest_table-when-destroying-vcpu-page.patch
3da404a0c088936ed92377ccef1fa6fdeb23900358ca9284e3488e8e1dcb5dd2  xsa310-4.9/0002-x86-mm-alloc-free_lN_table-Retain-partial_flags-on-E.patch
cd1a77c2f767474dcfbd1e6282ad3219ce2abcac2021b040120d40b52fc76bc8  xsa310-4.9/0003-x86-mm-relinquish_memory-Grab-an-extra-type-ref-when.patch
44c670a1b1b8164202766d52fb741e62c104118525eb7a3e56f4b232bcb8be3f  xsa310/0001-x86-mm-Set-old_guest_table-when-destroying-vcpu-page.patch
173dc0ffb4c572c8493bd9d5f3309b113e51888bdc9e462c78933f5c85f69b7a  xsa310/0002-x86-mm-alloc-free_lN_table-Retain-partial_flags-on-E.patch
1833fbfc2cdea9b37f161b09df947dffdd8db5e60a2f3512913de0e0c0d4b3ef  xsa310/0003-x86-mm-relinquish_memory-Grab-an-extra-type-ref-when.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl3w3F0MHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZ1noH/i6Sb3F6ZiaSl460OvdCRKd9lZm3ONunOH4IHuc6
+Q/G0G4b48UYfK/8FSAAjldv8tPOA5+j3GAFr2JgVtTWjP7tZyzSs0tDvn37sZrZ
D3l0AeOHxLCuSRxnoRDtpKiuJv71DrnYEfCDdc6R4DTZuciOWYpYq6PQTac5bLZX
8G5nR+33SvzdIpncvONa0Xqm1+Cgy8yOOQQJHeQvN7GJfVvs6AHepU5zuP2Ez42W
ReNA6o13xwiI8LGKvf8cV7s74JklIxR9gzkv4bBtMKInUY2loSIbKpI8E9GsVa3n
VOJ2kwKgGgszewBoVyJdGYY1ZlXeIdPjOj7+575bsRnDlGo=
=f2/B
-----END PGP SIGNATURE-----
Comment 11 Swamp Workflow Management 2019-12-13 23:12:19 UTC
SUSE-SU-2019:3297-1: An update that fixes 15 vulnerabilities is now available.

Category: security (important)
Bug References: 1152497,1154448,1154456,1154458,1154460,1154461,1154464,1155945,1157888,1158003,1158004,1158005,1158006,1158007
CVE References: CVE-2018-12207,CVE-2019-11135,CVE-2019-18420,CVE-2019-18421,CVE-2019-18422,CVE-2019-18423,CVE-2019-18424,CVE-2019-18425,CVE-2019-19577,CVE-2019-19578,CVE-2019-19579,CVE-2019-19580,CVE-2019-19581,CVE-2019-19582,CVE-2019-19583
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    xen-4.9.4_06-3.59.1
SUSE OpenStack Cloud 8 (src):    xen-4.9.4_06-3.59.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    xen-4.9.4_06-3.59.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    xen-4.9.4_06-3.59.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    xen-4.9.4_06-3.59.1
SUSE Enterprise Storage 5 (src):    xen-4.9.4_06-3.59.1
SUSE CaaS Platform 3.0 (src):    xen-4.9.4_06-3.59.1
HPE Helion Openstack 8 (src):    xen-4.9.4_06-3.59.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2019-12-13 23:14:16 UTC
SUSE-SU-2019:3296-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1158003,1158004,1158005,1158006,1158007
CVE References: CVE-2019-19577,CVE-2019-19578,CVE-2019-19580,CVE-2019-19581,CVE-2019-19582,CVE-2019-19583
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    xen-4.12.1_10-3.8.1
SUSE Linux Enterprise Server 12-SP5 (src):    xen-4.12.1_10-3.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2019-12-16 17:14:15 UTC
SUSE-SU-2019:3310-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 1154460,1154461,1154464,1157888,1158003,1158004,1158005,1158006,1158007
CVE References: CVE-2019-18422,CVE-2019-18423,CVE-2019-18424,CVE-2019-19577,CVE-2019-19578,CVE-2019-19579,CVE-2019-19580,CVE-2019-19581,CVE-2019-19582,CVE-2019-19583
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    xen-4.11.3_02-2.20.1
SUSE Linux Enterprise Server 12-SP4 (src):    xen-4.11.3_02-2.20.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    xen-4.11.3_02-2.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2019-12-16 17:16:02 UTC
SUSE-SU-2019:3309-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1154460,1154464,1157888,1158003,1158004,1158005,1158006,1158007
CVE References: CVE-2019-18422,CVE-2019-18423,CVE-2019-19577,CVE-2019-19578,CVE-2019-19579,CVE-2019-19580,CVE-2019-19581,CVE-2019-19582,CVE-2019-19583
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src):    xen-4.10.4_08-3.28.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    xen-4.10.4_08-3.28.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2019-12-18 23:12:58 UTC
SUSE-SU-2019:3338-1: An update that solves 7 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1027519,1152497,1157047,1157888,1158003,1158004,1158005,1158006,1158007
CVE References: CVE-2019-19577,CVE-2019-19578,CVE-2019-19579,CVE-2019-19580,CVE-2019-19581,CVE-2019-19582,CVE-2019-19583
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    xen-4.12.1_06-3.9.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    xen-4.12.1_06-3.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    xen-4.12.1_06-3.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Swamp Workflow Management 2020-02-06 14:15:23 UTC
SUSE-SU-2020:0334-1: An update that fixes 13 vulnerabilities is now available.

Category: security (important)
Bug References: 1152497,1154448,1154456,1154458,1154461,1155945,1157888,1158003,1158004,1158005,1158006,1158007,1161181
CVE References: CVE-2018-12207,CVE-2019-11135,CVE-2019-18420,CVE-2019-18421,CVE-2019-18424,CVE-2019-18425,CVE-2019-19577,CVE-2019-19578,CVE-2019-19579,CVE-2019-19580,CVE-2019-19581,CVE-2019-19583,CVE-2020-7211
Sources used:
SUSE OpenStack Cloud 7 (src):    xen-4.7.6_06-43.59.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    xen-4.7.6_06-43.59.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    xen-4.7.6_06-43.59.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    xen-4.7.6_06-43.59.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Swamp Workflow Management 2020-02-17 17:14:01 UTC
SUSE-SU-2020:0388-1: An update that fixes 25 vulnerabilities is now available.

Category: security (important)
Bug References: 1115045,1126140,1126141,1126192,1126195,1126196,1126201,1135905,1143797,1145652,1146874,1149813,1152497,1154448,1154456,1154458,1154461,1155945,1157888,1158003,1158004,1158005,1158006,1158007,1161181
CVE References: CVE-2018-12207,CVE-2018-19965,CVE-2019-11135,CVE-2019-12067,CVE-2019-12068,CVE-2019-12155,CVE-2019-14378,CVE-2019-15890,CVE-2019-17340,CVE-2019-17341,CVE-2019-17342,CVE-2019-17343,CVE-2019-17344,CVE-2019-17347,CVE-2019-18420,CVE-2019-18421,CVE-2019-18424,CVE-2019-18425,CVE-2019-19577,CVE-2019-19578,CVE-2019-19579,CVE-2019-19580,CVE-2019-19581,CVE-2019-19583,CVE-2020-7211
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    xen-4.5.5_28-22.64.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    xen-4.5.5_28-22.64.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Swamp Workflow Management 2020-06-16 19:12:53 UTC
SUSE-SU-2020:1630-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 1157888,1158003,1158004,1158005,1158006,1158007,1161181,1167152,1168140,1168142,1169392,1172205
CVE References: CVE-2019-19577,CVE-2019-19578,CVE-2019-19579,CVE-2019-19580,CVE-2019-19581,CVE-2019-19583,CVE-2020-0543,CVE-2020-11739,CVE-2020-11740,CVE-2020-11741,CVE-2020-11742,CVE-2020-7211
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    xen-4.9.4_06-3.62.1
SUSE OpenStack Cloud 8 (src):    xen-4.9.4_06-3.62.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    xen-4.9.4_06-3.62.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    xen-4.9.4_06-3.62.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    xen-4.9.4_06-3.62.1
SUSE Enterprise Storage 5 (src):    xen-4.9.4_06-3.62.1
HPE Helion Openstack 8 (src):    xen-4.9.4_06-3.62.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 23 Swamp Workflow Management 2020-08-04 19:40:21 UTC
SUSE-SU-2020:14444-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1152497,1154448,1154456,1154458,1154461,1155945,1157888,1158004,1158005,1158006,1158007,1161181,1163019,1168140,1169392,1174543
CVE References: CVE-2018-12207,CVE-2019-11135,CVE-2019-18420,CVE-2019-18421,CVE-2019-18424,CVE-2019-18425,CVE-2019-19577,CVE-2019-19578,CVE-2019-19579,CVE-2019-19580,CVE-2019-19583,CVE-2020-11740,CVE-2020-11741,CVE-2020-11742,CVE-2020-7211,CVE-2020-8608
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    xen-4.4.4_42-61.52.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_42-61.52.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 27 Charles Arnold 2021-01-22 19:00:56 UTC
Backported and released to 11-SP1.
Comment 28 Gabriele Sonnu 2022-05-24 11:43:25 UTC
Done.