Bug 1115040 - (CVE-2018-19961) VUL-0: CVE-2018-19961 CVE-2018-19962: xen: insufficient TLB flushing / improper large page mappings with AMD IOMMUs (XSA-275)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Charles Arnold
Security Team bot
https://smash.suse.de/issue/218842/
CVSSv3:SUSE:CVE-2018-19961:7.8:(AV:L/...
Reported: 2018-11-07 15:13 UTC by Marcus Meissner
Modified: 2021-01-21 18:21 UTC

Attachments
xsa275-4.11-1.patch (4.07 KB, patch), 2018-11-07 15:15 UTC, Marcus Meissner
xsa275-4.11-2.patch (2.31 KB, patch), 2018-11-07 15:18 UTC, Marcus Meissner
xsa275-4.7-1.patch (4.06 KB, patch), 2018-11-07 15:18 UTC, Marcus Meissner
xsa275-4.7-2.patch (3.54 KB, patch), 2018-11-07 15:19 UTC, Marcus Meissner

Comment 3 Marcus Meissner 2018-11-07 15:15:52 UTC
Created attachment 788852
xsa275-4.11-1.patch
Comment 4 Marcus Meissner 2018-11-07 15:18:30 UTC
Created attachment 788853
xsa275-4.11-2.patch
Comment 5 Marcus Meissner 2018-11-07 15:18:50 UTC
Created attachment 788854
xsa275-4.7-1.patch
Comment 6 Marcus Meissner 2018-11-07 15:19:08 UTC
Created attachment 788855
xsa275-4.7-2.patch
Comment 7 Marcus Meissner 2018-11-20 13:32:54 UTC
                    Xen Security Advisory XSA-275
                              version 2

  insufficient TLB flushing / improper large page mappings with AMD IOMMUs

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

In order to be certain that no undue access to memory is possible
anymore after IOMMU mappings of this memory have been removed,
Translation Lookaside Buffers (TLBs) need to be flushed after most
changes to such mappings.  Xen bypassed certain IOMMU flushes on AMD
x86 hardware.

Furthermore logic exists in Xen to re-combine small page mappings
into larger ones.  Such re-combination could have occurred in cases
when it was not really safe/correct to do so.

IMPACT
======

A malicious or buggy guest may be able to escalate its privileges, may
cause a Denial of Service (DoS) affecting the entire host, or may be
able to access data it is not supposed to access (information leak).

VULNERABLE SYSTEMS
==================

Xen versions from at least 3.2 onwards are affected.  Note that the
situation is worse in 4.1 and earlier, in that there's no flushing of
the TLB at all.

Only systems with AMD x86 hardware with enabled IOMMU are affected.

ARM and Intel x86 systems, and AMD x86 systems without enabled IOMMU,
are not affected.

Only systems where physical PCI devices are assigned to untrusted guests
are vulnerable.

MITIGATION
==========

There is no known mitigation for affected system/guest combinations.

CREDITS
=======

This issue was discovered by Paul Durrant of Citrix.

RESOLUTION
==========

Applying the appropriate set of attached patches resolves this issue.

xsa275-?.patch           xen-unstable
xsa275-4.11-?.patch      Xen 4.11.x ... Xen 4.8.x
xsa275-4.7-?.patch       Xen 4.7.x

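The stale-translation hazard described in the advisory's issue description, as a toy C model added here for illustration. It is not Xen code and not part of the advisory; the structure, function names and frame numbers are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model, constructed for illustration (not Xen code): a flat I/O page
 * table plus an IOTLB that caches its entries per device frame number. */
#define NPAGES  8
#define INVALID UINT32_MAX              /* "no translation": DMA faults */

struct iommu {
    uint32_t pt[NPAGES];                /* dfn -> machine frame, or INVALID */
    uint32_t tlb[NPAGES];               /* cached pt[] entries, or INVALID */
};

/* Device access: the IOTLB is consulted first, the table only on a miss. */
static uint32_t dma_translate(struct iommu *io, uint32_t dfn)
{
    if (io->tlb[dfn] == INVALID)
        io->tlb[dfn] = io->pt[dfn];
    return io->tlb[dfn];
}

/* Remove a mapping; 'flush' says whether the cached entry is invalidated. */
static void iommu_unmap(struct iommu *io, uint32_t dfn, bool flush)
{
    io->pt[dfn] = INVALID;
    if (flush)
        io->tlb[dfn] = INVALID;
}

/* Frame the device still reaches after the page was taken from the guest. */
static uint32_t frame_after_unmap(bool flush)
{
    struct iommu io;
    memset(&io, 0xff, sizeof io);       /* every entry starts INVALID */
    io.pt[3] = 0x1234;                  /* map dfn 3 -> mfn 0x1234 */
    (void)dma_translate(&io, 3);        /* device uses the page: IOTLB warm */
    iommu_unmap(&io, 3, flush);
    return dma_translate(&io, 3);
}

int main(void)
{
    printf("no flush: %#x\n", (unsigned)frame_after_unmap(false));
    printf("flush:    %#x\n", (unsigned)frame_after_unmap(true));
    return 0;
}
```

Without the flush, the device keeps translating to the old machine frame even though the page table entry is gone, which is why the frame must not be reused until the IOTLB has been invalidated.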
Comment 9 Marcus Meissner 2018-12-08 09:33:21 UTC
Seems to have been assigned 2 CVEs: CVE-2018-19961 CVE-2018-19962.
Comment 10 Swamp Workflow Management 2018-12-12 08:10:33 UTC
SUSE-SU-2018:4070-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027519,1108940,1114405,1114423,1115040,1115045,1115047
CVE References: CVE-2018-18849,CVE-2018-18883,CVE-2018-19961,CVE-2018-19962,CVE-2018-19965,CVE-2018-19966
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    xen-4.9.3_03-3.47.1
SUSE Linux Enterprise Server 12-SP3 (src):    xen-4.9.3_03-3.47.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    xen-4.9.3_03-3.47.1
SUSE CaaS Platform ALL (src):    xen-4.9.3_03-3.47.1
SUSE CaaS Platform 3.0 (src):    xen-4.9.3_03-3.47.1
Comment 11 Swamp Workflow Management 2018-12-13 02:18:47 UTC
openSUSE-SU-2018:4111-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027519,1108940,1114405,1114423,1115040,1115045,1115047
CVE References: CVE-2018-18849,CVE-2018-18883,CVE-2018-19961,CVE-2018-19962,CVE-2018-19965,CVE-2018-19966
Sources used:
openSUSE Leap 42.3 (src):    xen-4.9.3_03-34.1
Comment 13 Swamp Workflow Management 2018-12-28 23:19:03 UTC
SUSE-SU-2018:4300-1: An update that solves 9 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1027519,1078292,1091107,1094508,1103275,1103276,1103279,1105528,1108940,1114405,1115040,1115045,1115047
CVE References: CVE-2018-15468,CVE-2018-15469,CVE-2018-15470,CVE-2018-18883,CVE-2018-19961,CVE-2018-19962,CVE-2018-19965,CVE-2018-19966,CVE-2018-3646
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src):    xen-4.10.2_04-3.9.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    xen-4.10.2_04-3.9.1
Comment 14 Swamp Workflow Management 2018-12-29 14:13:11 UTC
openSUSE-SU-2018:4304-1: An update that solves 9 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1027519,1078292,1091107,1094508,1103275,1103276,1103279,1105528,1108940,1114405,1115040,1115045,1115047
CVE References: CVE-2018-15468,CVE-2018-15469,CVE-2018-15470,CVE-2018-18883,CVE-2018-19961,CVE-2018-19962,CVE-2018-19965,CVE-2018-19966,CVE-2018-3646
Sources used:
openSUSE Leap 15.0 (src):    xen-4.10.2_04-lp150.2.12.1
Comment 15 Swamp Workflow Management 2019-01-02 19:09:34 UTC
SUSE-SU-2019:0003-1: An update that solves 11 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027519,1108940,1111014,1114405,1114423,1114988,1115040,1115043,1115044,1115045,1115047,1117756
CVE References: CVE-2018-17963,CVE-2018-18849,CVE-2018-18883,CVE-2018-19665,CVE-2018-19961,CVE-2018-19962,CVE-2018-19963,CVE-2018-19964,CVE-2018-19965,CVE-2018-19966,CVE-2018-19967
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    xen-4.11.1_02-2.3.1
SUSE Linux Enterprise Server 12-SP4 (src):    xen-4.11.1_02-2.3.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    xen-4.11.1_02-2.3.1
Comment 16 Swamp Workflow Management 2019-01-04 17:12:52 UTC
SUSE-SU-2019:0020-1: An update that solves 6 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1027519,1105528,1108940,1114423,1115040,1115045,1115047,1116380,1117756
CVE References: CVE-2018-18849,CVE-2018-19665,CVE-2018-19961,CVE-2018-19962,CVE-2018-19965,CVE-2018-19966
Sources used:
SUSE OpenStack Cloud 7 (src):    xen-4.7.6_05-43.45.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    xen-4.7.6_05-43.45.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    xen-4.7.6_05-43.45.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    xen-4.7.6_05-43.45.1
SUSE Enterprise Storage 4 (src):    xen-4.7.6_05-43.45.1
Comment 19 Swamp Workflow Management 2019-04-01 13:20:13 UTC
SUSE-SU-2019:0827-1: An update that solves 15 vulnerabilities and has 10 fixes is now available.

Category: security (important)
Bug References: 1027519,1056336,1105528,1108940,1110924,1111007,1111011,1111014,1112188,1114423,1114988,1115040,1115045,1115047,1117756,1123157,1126140,1126141,1126192,1126195,1126196,1126198,1126201,1127400,1129623
CVE References: CVE-2017-13672,CVE-2018-10839,CVE-2018-17958,CVE-2018-17962,CVE-2018-17963,CVE-2018-18438,CVE-2018-18849,CVE-2018-19665,CVE-2018-19961,CVE-2018-19962,CVE-2018-19965,CVE-2018-19966,CVE-2018-19967,CVE-2019-6778,CVE-2019-9824
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    xen-4.4.4_40-22.77.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 20 Swamp Workflow Management 2019-04-01 13:23:32 UTC
SUSE-SU-2019:0825-1: An update that solves 14 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1056336,1110924,1111007,1111011,1111014,1112188,1114423,1114988,1115040,1115047,1117756,1123157,1126140,1126141,1126192,1126195,1126196,1126201,1129623
CVE References: CVE-2017-13672,CVE-2018-10839,CVE-2018-17958,CVE-2018-17962,CVE-2018-17963,CVE-2018-18438,CVE-2018-18849,CVE-2018-19665,CVE-2018-19961,CVE-2018-19962,CVE-2018-19966,CVE-2018-19967,CVE-2019-6778,CVE-2019-9824
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    xen-4.5.5_28-22.58.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    xen-4.5.5_28-22.58.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 21 Swamp Workflow Management 2019-04-03 13:10:49 UTC
SUSE-SU-2019:14011-1: An update that solves 14 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1110924,1111007,1111011,1111014,1112188,1114423,1114988,1115040,1115045,1115047,1117756,1123157,1126140,1126141,1126192,1126195,1126196,1129623
CVE References: CVE-2018-10839,CVE-2018-17958,CVE-2018-17962,CVE-2018-17963,CVE-2018-18438,CVE-2018-18849,CVE-2018-19665,CVE-2018-19961,CVE-2018-19962,CVE-2018-19965,CVE-2018-19966,CVE-2018-19967,CVE-2019-6778,CVE-2019-9824
Sources used:
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xen-4.2.5_21-45.30.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xen-4.2.5_21-45.30.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 22 Swamp Workflow Management 2019-04-17 19:20:46 UTC
openSUSE-SU-2019:1226-1: An update that solves 8 vulnerabilities and has 15 fixes is now available.

Category: security (important)
Bug References: 1026236,1027519,1069468,1105528,1114988,1115040,1115045,1115047,1116380,1117756,1119161,1123157,1126140,1126141,1126192,1126195,1126196,1126197,1126198,1126201,1126325,1127400,1129623
CVE References: CVE-2018-19665,CVE-2018-19961,CVE-2018-19962,CVE-2018-19965,CVE-2018-19966,CVE-2018-19967,CVE-2019-6778,CVE-2019-9824
Sources used:
openSUSE Leap 42.3 (src):    xen-4.9.4_02-37.1
Comment 23 Marcus Meissner 2019-08-30 15:21:10 UTC
released