Bug 1176345 - (CVE-2020-25596) VUL-0: CVE-2020-25596: xen: x86 pv guest kernel DoS via SYSENTER (XSA-339 v3)
(CVE-2020-25596)
VUL-0: CVE-2020-25596: xen: x86 pv guest kernel DoS via SYSENTER (XSA-339 v3)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/266942/
CVSSv3.1:SUSE:CVE-2020-25596:5.5:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2020-09-09 15:03 UTC by Marcus Meissner
Modified: 2021-02-14 07:55 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
xsa339.patch (2.81 KB, patch)
2020-09-09 15:03 UTC, Marcus Meissner
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Marcus Meissner 2020-09-09 15:03:46 UTC
Created attachment 841526 [details]
xsa339.patch

xsa339.patch
Comment 4 Wolfgang Frisch 2020-09-22 13:47:23 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2020-25596 / XSA-339
                               version 3

                 x86 pv guest kernel DoS via SYSENTER

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The SYSENTER instruction leaves various state sanitization activities
to software.  One of Xen's sanitization paths injects a #GP fault, and
incorrectly delivers it twice to the guest.

This causes the guest kernel to observe a kernel-privilege #GP fault
(typically fatal) rather than a user-privilege #GP fault (usually
converted into SIGSEGV/etc).

IMPACT
======

Malicious or buggy userspace can crash the guest kernel, resulting in
a VM Denial of Service.

VULNERABLE SYSTEMS
==================

All versions of Xen from 3.2 onwards are vulnerable.

Only x86 systems are vulnerable.  ARM platforms are not vulnerable.

Only x86 systems which support the SYSENTER instruction in 64bit mode
are vulnerable.  This is believed to be Intel, Centaur and Shanghai
CPUs.  AMD and Hygon CPUs are not believed to be vulnerable.

Only x86 PV guests can exploit the vulnerability.  x86 PVH / HVM
guests cannot exploit the vulnerability.

MITIGATION
==========

Running only x86 PVH / HVM guests avoids the vulnerability.

CREDITS
=======

This issue was discovered by Andrew Cooper of Citrix.

RESOLUTION
==========

Applying the attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa339.patch           Xen 4.10 - xen-unstable

$ sha256sum xsa339*
5cece13878cc40b32bc5753c0ef64f989f9b1c7f9549d62ea4fcd06e9620de9e  xsa339.meta
b6ffa7671d905aa12498ad64915be3b7cba74ce1c5bf6bce18b1f106ebf6d715  xsa339.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl9p/ecMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZgEUH/1/5DUgXRKzwvYuERdBintUdCUaezYpjY0VEJ/v5
nPXEZDDkBFZZxtWmLg6gqMsJg4O6npTcZ6Z3ZpP8xTiRexr0fHHRY5FHqOCW0aS+
c0WYQzSvfDW1L/m9fjwsbFKKRCmrwE24L/Jc7GZJlpps22f1mZpn3cwsjidlofHi
WxqpdAPNDLsPDF3+iwt5a8gL3onyeo03MaBhO29UAJIKCo4hxiKu5/e3upXFBdN2
Z4Pyr79E51SiCGxZ/A1NTil9+FyYkP1DgBQdJ6pVrxMnZUhdcjbGLEbrUNaTfgox
yORU8rE3XS2ZajRpW3D2CIGnKJj3zGWaQqx+FufX1m6Y8qE=
=tkQp
-----END PGP SIGNATURE-----
Comment 5 Swamp Workflow Management 2020-09-29 16:15:33 UTC
SUSE-SU-2020:2789-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350
CVE References: CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25603,CVE-2020-25604
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    xen-4.10.4_16-3.41.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    xen-4.10.4_16-3.41.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    xen-4.10.4_16-3.41.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2020-09-29 16:18:18 UTC
SUSE-SU-2020:2786-1: An update that solves 10 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027519,1175534,1176339,1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350
CVE References: CVE-2020-14364,CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25602,CVE-2020-25603,CVE-2020-25604
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    xen-4.11.4_08-2.36.1
SUSE OpenStack Cloud 9 (src):    xen-4.11.4_08-2.36.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    xen-4.11.4_08-2.36.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    xen-4.11.4_08-2.36.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2020-09-29 16:22:00 UTC
SUSE-SU-2020:2791-1: An update that solves 10 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027519,1176339,1176341,1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350
CVE References: CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25598,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25602,CVE-2020-25603,CVE-2020-25604
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    xen-4.13.1_08-3.10.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    xen-4.13.1_08-3.10.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2020-09-29 16:25:16 UTC
SUSE-SU-2020:2787-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1175534,1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350
CVE References: CVE-2020-14364,CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25603,CVE-2020-25604
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    xen-4.9.4_12-3.74.1
SUSE OpenStack Cloud 8 (src):    xen-4.9.4_12-3.74.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    xen-4.9.4_12-3.74.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    xen-4.9.4_12-3.74.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    xen-4.9.4_12-3.74.1
SUSE Enterprise Storage 5 (src):    xen-4.9.4_12-3.74.1
HPE Helion Openstack 8 (src):    xen-4.9.4_12-3.74.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2020-09-29 16:28:02 UTC
SUSE-SU-2020:2790-1: An update that solves 10 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027519,1176339,1176341,1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350
CVE References: CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25598,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25602,CVE-2020-25603,CVE-2020-25604
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    xen-4.12.3_08-3.28.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    xen-4.12.3_08-3.28.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2020-09-29 16:31:52 UTC
SUSE-SU-2020:2788-1: An update that solves 11 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027519,1175534,1176339,1176341,1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350
CVE References: CVE-2020-14364,CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25598,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25602,CVE-2020-25603,CVE-2020-25604
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    xen-4.12.3_08-3.24.1
SUSE Linux Enterprise Server 12-SP5 (src):    xen-4.12.3_08-3.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2020-10-01 16:15:37 UTC
SUSE-SU-2020:2822-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 1172205,1173378,1173380,1175534,1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350
CVE References: CVE-2020-0543,CVE-2020-14364,CVE-2020-15565,CVE-2020-15567,CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25603,CVE-2020-25604
JIRA References: 
Sources used:
SUSE OpenStack Cloud 7 (src):    xen-4.7.6_10-43.67.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    xen-4.7.6_10-43.67.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    xen-4.7.6_10-43.67.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    xen-4.7.6_10-43.67.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2020-10-04 10:17:38 UTC
openSUSE-SU-2020:1608-1: An update that solves 10 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027519,1176339,1176341,1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350
CVE References: CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25598,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25602,CVE-2020-25603,CVE-2020-25604
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    xen-4.13.1_08-lp152.2.9.1
Comment 14 Swamp Workflow Management 2020-10-22 16:17:18 UTC
SUSE-SU-2020:14521-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 1172205,1173378,1173380,1175534,1176343,1176344,1176345,1176346,1176347,1176348,1176350
CVE References: CVE-2020-0543,CVE-2020-14364,CVE-2020-15565,CVE-2020-15567,CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25600,CVE-2020-25601,CVE-2020-25603,CVE-2020-25604
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    xen-4.4.4_44-61.55.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_44-61.55.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Charles Arnold 2021-01-22 20:25:50 UTC
Backported and released to 11-SP1.
Comment 19 Marcus Meissner 2021-02-14 07:55:00 UTC
done