Bug 1176339 (CVE-2020-25602) - VUL-0: CVE-2020-25602: xen: x86 pv: Crash when handling guest access to MSR_MISC_ENABLE (XSA-333 v3)
Summary: VUL-0: CVE-2020-25602: xen: x86 pv: Crash when handling guest access to MSR_M...
Status: RESOLVED FIXED
Alias: CVE-2020-25602
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/266938/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-25602:6.2:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2020-09-09 14:42 UTC by Marcus Meissner
Modified: 2022-08-16 09:28 UTC (History)
5 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
xsa333.patch (1.27 KB, patch)
2020-09-09 14:42 UTC, Marcus Meissner
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Marcus Meissner 2020-09-09 14:42:49 UTC
Created attachment 841519 [details]
xsa333.patch

xsa333.patch
Comment 2 Marcus Meissner 2020-09-17 11:06:03 UTC
CVE-2020-25602
Comment 5 Wolfgang Frisch 2020-09-22 13:45:41 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2020-25602 / XSA-333
                               version 3

      x86 pv: Crash when handling guest access to MSR_MISC_ENABLE

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

When a guest accesses certain Model Specific Registers, Xen first reads
the value from hardware to use as the basis for auditing the guest
access.

For the MISC_ENABLE MSR, which is an Intel specific MSR, this MSR read
is performed without error handling for a #GP fault, which is the
consequence of trying to read this MSR on non-Intel hardware.

IMPACT
======

A buggy or malicious PV guest administrator can crash Xen, resulting in
a host Denial of Service.

VULNERABLE SYSTEMS
==================

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

Only Xen versions 4.11 and onwards are vulnerable.  4.10 and earlier are
not vulnerable.

Only x86 systems which do not implement the MISC_ENABLE MSR (0x1a0) are
vulnerable.  AMD and Hygon systems do not implement this MSR and are
vulnerable.  Intel systems do implement this MSR and are not vulnerable.
Other manufacturers have not been checked.

Only x86 PV guests can exploit the vulnerability.  x86 HVM/PVH guests
cannot exploit the vulnerability.

MITIGATION
==========

Running only HVM/PVH guests avoids the vulnerability.

CREDITS
=======

This issue was discovered by Andrew Cooper of Citrix.

RESOLUTION
==========

Applying the attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa333.patch           Xen 4.11 - xen-unstable

$ sha256sum xsa333*
3f3d974ede9fe80f4eb63640dce058cf9e2073cd79e4c085c944f3ca5e454e26  xsa333.meta
8edec914fbdf036fba8cb54a75d3a9b025fac936e0af35512954a2dc2b12a26f  xsa333.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl9p/eUMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZu5EH/RAaLJocX5UJfEZ4QT2osvnc1aaZjBXNz4JN1HDj
46pGxBOv1kEDxBu/lqbbXEY2aLeBLder2nj0OHCYgDkPCh4fqaciBqCEO97COqzo
dFvN17dZ0pjyBUoSXs8mVPWjMblBjf6/Mt+/gh8speJQ32V3lHz6xYc9Nu0CVoL5
+RiaRVPGYOVndF5A0XK6UIiiMAOcVgPHpg485QFT2EIVPlKVu/jDrrsYep/9OrmP
bamEjKcYoFBBsMlpUNAtUK0QZGnSAe2vVtbUNeHgY5T5BDuJzLZXdMDGmBDXK2vV
0PNMOoIeFev6Pq7yuvvTqI0PKEBmO825hkbZ5sEva/7pZ60=
=zf3E
-----END PGP SIGNATURE-----
Comment 6 Swamp Workflow Management 2020-09-29 16:18:00 UTC
SUSE-SU-2020:2786-1: An update that solves 10 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027519,1175534,1176339,1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350
CVE References: CVE-2020-14364,CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25602,CVE-2020-25603,CVE-2020-25604
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    xen-4.11.4_08-2.36.1
SUSE OpenStack Cloud 9 (src):    xen-4.11.4_08-2.36.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    xen-4.11.4_08-2.36.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    xen-4.11.4_08-2.36.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2020-09-29 16:21:34 UTC
SUSE-SU-2020:2791-1: An update that solves 10 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027519,1176339,1176341,1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350
CVE References: CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25598,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25602,CVE-2020-25603,CVE-2020-25604
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    xen-4.13.1_08-3.10.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    xen-4.13.1_08-3.10.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2020-09-29 16:27:36 UTC
SUSE-SU-2020:2790-1: An update that solves 10 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027519,1176339,1176341,1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350
CVE References: CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25598,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25602,CVE-2020-25603,CVE-2020-25604
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    xen-4.12.3_08-3.28.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    xen-4.12.3_08-3.28.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2020-09-29 16:31:27 UTC
SUSE-SU-2020:2788-1: An update that solves 11 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027519,1175534,1176339,1176341,1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350
CVE References: CVE-2020-14364,CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25598,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25602,CVE-2020-25603,CVE-2020-25604
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    xen-4.12.3_08-3.24.1
SUSE Linux Enterprise Server 12-SP5 (src):    xen-4.12.3_08-3.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2020-10-04 10:17:08 UTC
openSUSE-SU-2020:1608-1: An update that solves 10 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027519,1176339,1176341,1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350
CVE References: CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25598,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25602,CVE-2020-25603,CVE-2020-25604
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    xen-4.13.1_08-lp152.2.9.1
Comment 11 Charles Arnold 2021-01-22 20:21:15 UTC
Backported and released to 12-SP4.
Comment 14 Alexander Bergmann 2022-08-16 09:28:14 UTC
Closed as fixed.