Bug 1173377 - (CVE-2020-15563) VUL-0: CVE-2020-15563: xen: XSA-319 - inverted code paths in x86 dirty VRAM tracking
(CVE-2020-15563)
VUL-0: CVE-2020-15563: xen: XSA-319 - inverted code paths in x86 dirty VRAM ...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Charles Arnold
Security Team bot
https://smash.suse.de/issue/262306/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2020-06-25 16:19 UTC by Wolfgang Frisch
Modified: 2020-09-23 06:47 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 6 Alexandros Toptsoglou 2020-07-07 13:16:31 UTC
now public through https://xenbits.xen.org/xsa/advisory-319.html


            Xen Security Advisory CVE-2020-15563 / XSA-319
                               version 3

            inverted code paths in x86 dirty VRAM tracking

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

An inverted conditional in x86 HVM guests' dirty video RAM tracking
code allows such guests to make Xen de-reference a pointer guaranteed
to point at unmapped space.

IMPACT
======

A malicious or buggy HVM guest may cause the hypervisor to crash,
resulting in Denial of Service (DoS) affecting the entire host.

VULNERABLE SYSTEMS
==================

Xen versions from 4.8 onwards are affected.  Xen versions 4.7 and
earlier are not affected.

Only x86 systems are affected.  Arm systems are not affected.

Only x86 HVM guests using shadow paging can leverage the vulnerability.
In addition there needs to be an entity actively monitoring a guest's
video frame buffer (typically for display purposes) in order for such a
guest to be able to leverage the vulnerability.  x86 PV guests as well
as x86 HVM guest using hardware assisted paging (HAP) cannot leverage
the vulnerability.

MITIGATION
==========

Running only PV guests will avoid the vulnerability.

For HVM guest explicitly configured to use shadow paging (e.g. via the
`hap=0' xl domain configuration file parameter), changing to HAP (e.g.
by setting `hap=1') will avoid exposing the vulnerability to those
guests.  HAP is the default (in upstream Xen), where the hardware
supports it; so this mitigation is only applicable if HAP has been
disabled by configuration.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa319.patch           xen-unstable, 4.13 - 4.9

$ sha256sum xsa319*
1fe0dc2e274776b8e1275f85129280f280f94ca4eabe6a8166113283dad93ed8  xsa319.meta
c145f394f8ac7d8838c376a97e1850c4125c12e478fc66ebe025ae397b27e6ea  xsa319.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patch described above (or others which are
substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.

HOWEVER deployment of the "use HAP mode" mitigation described above is
NOT permitted (except where all the affected systems and VMs are
administered and used only by organisations which are members of the Xen
Project Security Issues Predisclosure List).  Specifically, deployment
on public cloud systems is NOT permitted.

This is because in that case the configuration change can be observed
by guests, which could lead to the rediscovery of the vulnerability.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
Comment 7 Swamp Workflow Management 2020-07-10 19:12:52 UTC
SUSE-SU-2020:1887-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027519,1172205,1173376,1173377,1173378,1173380
CVE References: CVE-2020-0543,CVE-2020-15563,CVE-2020-15565,CVE-2020-15566,CVE-2020-15567
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    xen-4.12.3_04-3.18.1
SUSE Linux Enterprise Server 12-SP5 (src):    xen-4.12.3_04-3.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2020-07-10 19:13:42 UTC
SUSE-SU-2020:1886-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1173377,1173378,1173380
CVE References: CVE-2020-15563,CVE-2020-15565,CVE-2020-15567
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    xen-4.9.4_08-3.66.1
SUSE OpenStack Cloud 8 (src):    xen-4.9.4_08-3.66.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    xen-4.9.4_08-3.66.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    xen-4.9.4_08-3.66.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    xen-4.9.4_08-3.66.1
SUSE Enterprise Storage 5 (src):    xen-4.9.4_08-3.66.1
HPE Helion Openstack 8 (src):    xen-4.9.4_08-3.66.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2020-07-10 19:14:41 UTC
SUSE-SU-2020:1888-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1173376,1173377,1173378,1173380
CVE References: CVE-2020-15563,CVE-2020-15565,CVE-2020-15566,CVE-2020-15567
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    xen-4.10.4_12-3.35.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    xen-4.10.4_12-3.35.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    xen-4.10.4_12-3.35.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2020-07-10 19:15:54 UTC
SUSE-SU-2020:1889-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027519,1172205,1173376,1173377,1173378,1173380
CVE References: CVE-2020-0543,CVE-2020-15563,CVE-2020-15565,CVE-2020-15566,CVE-2020-15567
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    xen-4.12.3_04-3.22.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    xen-4.12.3_04-3.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2020-07-13 13:17:34 UTC
SUSE-SU-2020:1891-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1173376,1173377,1173378,1173380
CVE References: CVE-2020-15563,CVE-2020-15565,CVE-2020-15566,CVE-2020-15567
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    xen-4.11.4_04-2.30.1
SUSE OpenStack Cloud 9 (src):    xen-4.11.4_04-2.30.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    xen-4.11.4_04-2.30.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    xen-4.11.4_04-2.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2020-07-14 16:22:00 UTC
SUSE-SU-2020:1902-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027519,1172205,1173376,1173377,1173378,1173380
CVE References: CVE-2020-0543,CVE-2020-15563,CVE-2020-15565,CVE-2020-15566,CVE-2020-15567
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    xen-4.13.1_04-3.4.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    xen-4.13.1_04-3.4.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2020-07-15 16:23:54 UTC
openSUSE-SU-2020:0965-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027519,1172205,1173376,1173377,1173378,1173380
CVE References: CVE-2020-0543,CVE-2020-15563,CVE-2020-15565,CVE-2020-15566,CVE-2020-15567
Sources used:
openSUSE Leap 15.1 (src):    xen-4.12.3_04-lp151.2.21.1
Comment 14 Swamp Workflow Management 2020-07-18 04:16:05 UTC
openSUSE-SU-2020:0985-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027519,1172205,1173376,1173377,1173378,1173380
CVE References: CVE-2020-0543,CVE-2020-15563,CVE-2020-15565,CVE-2020-15566,CVE-2020-15567
Sources used:
openSUSE Leap 15.2 (src):    xen-4.13.1_04-lp152.2.3.1
Comment 15 Marcus Meissner 2020-09-23 06:47:07 UTC
released