Bug 1179498 - (CVE-2020-29481) VUL-0: CVE-2020-29481: xen: xenstore: new domains inheriting existing node permissions (XSA-322 v5)
Status: NEW
Product: SUSE Security Incidents
Component: Incidents
Assigned To: Security Team bot
CVSSv3.1:SUSE:CVE-2020-29481:6.5:(AV:...
Reported: 2020-12-02 09:13 UTC by Robert Frohl
Modified: 2021-01-22 20:54 UTC (History)
Comment 5 Wolfgang Frisch 2020-12-15 13:10:36 UTC
via oss-security:


            Xen Security Advisory CVE-2020-29481 / XSA-322
                               version 4

       Xenstore: new domains inheriting existing node permissions

UPDATES IN VERSION 4
====================

Public release.

ISSUE DESCRIPTION
=================

Access rights of Xenstore nodes are per domid.  Unfortunately,
existing granted access rights are not removed when a domain is
destroyed.  This means that a new domain created with the same domid
will inherit the access rights to Xenstore nodes from the previous
domain(s) with the same domid.

All Xenstore entries of a guest below /local/domain/<domid> are
deleted by Xen tools when a guest is destroyed.  Therefore only
entries belonging to other guests, referring to the deleted guests,
are potentially affected.

IMPACT
======

In some circumstances, it might be possible for a new guest domain to
access resources belonging to a previous domain.  The impact would
depend on the software in use and the configuration, but might include
any of denial of service, information leak, or privilege escalation.

VULNERABLE SYSTEMS
==================

All versions of Xen are in principle vulnerable.

Both Xenstore implementations (C and Ocaml) are vulnerable.

Vulnerable systems are only those running software where one domain is
granted access to another's xenstore nodes, without complete cleanup
of those nodes on domain destruction.  No such software is enabled in
default configurations of upstream Xen.

Therefore upstream Xen, without additional management software (in
host or guest(s)), is not vulnerable in the default (host and guest)
configuration.

MITIGATION
==========

There is no mitigation available.

CREDITS
=======

This issue was discovered by Jürgen Groß of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa322-c.patch             xen-unstable        [C xenstored]
xsa322-4.14-c.patch        Xen 4.14 - 4.13     [C xenstored]
xsa322-4.13-c.patch        Xen 4.12 - 4.10     [C xenstored]

xsa322-o.patch             xen-unstable - 4.12 [Ocaml xenstored]
xsa322-4.11-o.patch        Xen 4.11 - 4.10     [Ocaml xenstored]

$ sha256sum xsa322*

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
Comment 6 Wolfgang Frisch 2020-12-16 17:10:41 UTC

            Xen Security Advisory CVE-2020-29481 / XSA-322
                               version 5

       Xenstore: new domains inheriting existing node permissions

UPDATES IN VERSION 5
====================

Fix deployment info to refer to xsa322-4.12-c.patch not nonexistent
file xsa322-4.13-c.patch.

ISSUE DESCRIPTION
=================

Access rights of Xenstore nodes are per domid.  Unfortunately,
existing granted access rights are not removed when a domain is
destroyed.  This means that a new domain created with the same domid
will inherit the access rights to Xenstore nodes from the previous
domain(s) with the same domid.

All Xenstore entries of a guest below /local/domain/<domid> are
deleted by Xen tools when a guest is destroyed.  Therefore only
entries belonging to other guests, referring to the deleted guests,
are potentially affected.

IMPACT
======

In some circumstances, it might be possible for a new guest domain to
access resources belonging to a previous domain.  The impact would
depend on the software in use and the configuration, but might include
any of denial of service, information leak, or privilege escalation.

VULNERABLE SYSTEMS
==================

All versions of Xen are in principle vulnerable.

Both Xenstore implementations (C and Ocaml) are vulnerable.

Vulnerable systems are only those running software where one domain is
granted access to another's xenstore nodes, without complete cleanup
of those nodes on domain destruction.  No such software is enabled in
default configurations of upstream Xen.

Therefore upstream Xen, without additional management software (in
host or guest(s)), is not vulnerable in the default (host and guest)
configuration.

MITIGATION
==========

There is no mitigation available.

CREDITS
=======

This issue was discovered by Jürgen Groß of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa322-c.patch             xen-unstable        [C xenstored]
xsa322-4.14-c.patch        Xen 4.14 - 4.13     [C xenstored]
xsa322-4.12-c.patch        Xen 4.12 - 4.10     [C xenstored]

xsa322-o.patch             xen-unstable - 4.12 [Ocaml xenstored]
xsa322-4.11-o.patch        Xen 4.11 - 4.10     [Ocaml xenstored]

$ sha256sum xsa322*

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
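The ISSUE DESCRIPTION above can be modelled in a few lines: a Xenstore-like store whose ACL entries are keyed by domid keeps granting access after the domid is reused. The following is an added simulation written for this bug report, not xenstored code or the XSA-322 patch; the per-domain "generation" tag used to invalidate stale entries is one assumed fix design, chosen to illustrate the defect, not a claim about the upstream patch's exact mechanism. Paths and node names are constructed.

```python
"""Constructed model of CVE-2020-29481 / XSA-322: Xenstore node ACLs are
per domid, and a new domain reusing a destroyed domain's domid inherits
rights granted to the old domain on nodes outside /local/domain/<domid>."""
from dataclasses import dataclass


@dataclass
class Domain:
    domid: int
    generation: int  # assumed: unique for every domain ever created


class Xenstore:
    def __init__(self):
        self.nodes = {}  # path -> list of (domid, perms, generation)
        self.live = {}   # domid -> Domain
        self._gen = 0

    def create_domain(self, domid):
        self._gen += 1
        self.live[domid] = Domain(domid, self._gen)
        return self.live[domid]

    def destroy_domain(self, domid):
        del self.live[domid]
        # Tools delete the guest's own subtree, but nodes owned by other
        # domains that name this domid in their ACL are left untouched.
        self.nodes = {p: acl for p, acl in self.nodes.items()
                      if not p.startswith(f"/local/domain/{domid}/")}

    def grant(self, path, dom, perms):
        self.nodes.setdefault(path, []).append((dom.domid, perms, dom.generation))

    def can_read_vulnerable(self, path, dom):
        # Original behaviour: the ACL is matched on domid alone.
        return any(d == dom.domid and "r" in p for d, p, _ in self.nodes[path])

    def can_read_fixed(self, path, dom):
        # Assumed hardening: honour an entry only for the exact domain instance
        # it was granted to, so a reused domid gains nothing from stale entries.
        return any(d == dom.domid and g == dom.generation and "r" in p
                   for d, p, g in self.nodes[path])


def scenario():
    """Returns (vulnerable_result, fixed_result) for the reused-domid case."""
    xs = Xenstore()
    dom0 = xs.create_domain(0)
    guest = xs.create_domain(5)
    # Constructed backend node owned by dom0 with read access granted to guest 5.
    path = "/local/domain/0/backend/vbd/5/51712/params"
    xs.grant(path, dom0, "rw")
    xs.grant(path, guest, "r")
    xs.destroy_domain(5)
    newcomer = xs.create_domain(5)  # a different guest reusing domid 5
    return xs.can_read_vulnerable(path, newcomer), xs.can_read_fixed(path, newcomer)
```

The vulnerable check returns True for the new domain because the stale entry for domid 5 survived, while the generation-checked variant returns False; the complete upstream fix is the attached xsa322 patches, not this model.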
Comment 7 Swamp Workflow Management 2020-12-16 20:18:41 UTC
SUSE-SU-2020:14578-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1179477,1179496,1179498,1179501,1179502,1179506,1179514,1179516
CVE References: CVE-2020-29130,CVE-2020-29480,CVE-2020-29481,CVE-2020-29483,CVE-2020-29484,CVE-2020-29566,CVE-2020-29570,CVE-2020-29571
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    xen-4.4.4_48-61.61.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_48-61.61.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2020-12-18 20:21:26 UTC
SUSE-SU-2020:3881-1: An update that solves 7 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1027519,1176782,1179496,1179498,1179501,1179502,1179506,1179514,1179516
CVE References: CVE-2020-29480,CVE-2020-29481,CVE-2020-29483,CVE-2020-29484,CVE-2020-29566,CVE-2020-29570,CVE-2020-29571
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    xen-4.12.4_06-3.40.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    xen-4.12.4_06-3.40.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2020-12-18 20:23:17 UTC
SUSE-SU-2020:3880-1: An update that solves 9 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1027519,1163019,1176782,1179477,1179496,1179498,1179501,1179502,1179506,1179514,1179516
CVE References: CVE-2020-29130,CVE-2020-29480,CVE-2020-29481,CVE-2020-29483,CVE-2020-29484,CVE-2020-29566,CVE-2020-29570,CVE-2020-29571,CVE-2020-8608
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    xen-4.12.4_06-3.36.1
SUSE Linux Enterprise Server 12-SP5 (src):    xen-4.12.4_06-3.36.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2020-12-22 11:15:59 UTC
openSUSE-SU-2020:2313-1: An update that solves 7 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1027519,1176782,1179496,1179498,1179501,1179502,1179506,1179514,1179516
CVE References: CVE-2020-29480,CVE-2020-29481,CVE-2020-29483,CVE-2020-29484,CVE-2020-29566,CVE-2020-29570,CVE-2020-29571
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    xen-4.12.4_06-lp151.2.36.1
Comment 12 Swamp Workflow Management 2020-12-22 17:22:14 UTC
SUSE-SU-2020:3916-1: An update that solves 7 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1027519,1176782,1179496,1179498,1179501,1179502,1179506,1179514,1179516
CVE References: CVE-2020-29480,CVE-2020-29481,CVE-2020-29483,CVE-2020-29484,CVE-2020-29566,CVE-2020-29570,CVE-2020-29571
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    xen-4.10.4_24-3.53.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    xen-4.10.4_24-3.53.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    xen-4.10.4_24-3.53.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2020-12-22 17:24:00 UTC
SUSE-SU-2020:3913-1: An update that solves 8 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1027519,1176782,1179477,1179496,1179498,1179501,1179502,1179506,1179514,1179516
CVE References: CVE-2020-29130,CVE-2020-29480,CVE-2020-29481,CVE-2020-29483,CVE-2020-29484,CVE-2020-29566,CVE-2020-29570,CVE-2020-29571
JIRA References: 
Sources used:
SUSE OpenStack Cloud 7 (src):    xen-4.7.6_14-43.73.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    xen-4.7.6_14-43.73.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    xen-4.7.6_14-43.73.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    xen-4.7.6_14-43.73.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2020-12-22 17:25:44 UTC
SUSE-SU-2020:3914-1: An update that solves 8 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1027519,1176782,1179477,1179496,1179498,1179501,1179502,1179506,1179514,1179516
CVE References: CVE-2020-29130,CVE-2020-29480,CVE-2020-29481,CVE-2020-29483,CVE-2020-29484,CVE-2020-29566,CVE-2020-29570,CVE-2020-29571
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    xen-4.11.4_16-2.48.1
SUSE OpenStack Cloud 9 (src):    xen-4.11.4_16-2.48.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    xen-4.11.4_16-2.48.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    xen-4.11.4_16-2.48.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2020-12-22 17:29:04 UTC
SUSE-SU-2020:3915-1: An update that solves 7 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1027519,1176782,1179496,1179498,1179501,1179502,1179506,1179514,1179516
CVE References: CVE-2020-29480,CVE-2020-29481,CVE-2020-29483,CVE-2020-29484,CVE-2020-29566,CVE-2020-29570,CVE-2020-29571
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    xen-4.13.2_06-3.22.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    xen-4.13.2_06-3.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Swamp Workflow Management 2020-12-26 11:16:47 UTC
openSUSE-SU-2020:2331-1: An update that solves 7 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1027519,1176782,1179496,1179498,1179501,1179502,1179506,1179514,1179516
CVE References: CVE-2020-29480,CVE-2020-29481,CVE-2020-29483,CVE-2020-29484,CVE-2020-29566,CVE-2020-29570,CVE-2020-29571
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    xen-4.13.2_06-lp152.2.21.1
Comment 17 Swamp Workflow Management 2020-12-29 17:16:46 UTC
SUSE-SU-2020:3945-1: An update that solves 8 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1027519,1176782,1179477,1179496,1179498,1179501,1179502,1179506,1179514,1179516
CVE References: CVE-2020-29130,CVE-2020-29480,CVE-2020-29481,CVE-2020-29483,CVE-2020-29484,CVE-2020-29566,CVE-2020-29570,CVE-2020-29571
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    xen-4.9.4_16-3.80.1
SUSE OpenStack Cloud 8 (src):    xen-4.9.4_16-3.80.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    xen-4.9.4_16-3.80.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    xen-4.9.4_16-3.80.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    xen-4.9.4_16-3.80.1
SUSE Enterprise Storage 5 (src):    xen-4.9.4_16-3.80.1
HPE Helion Openstack 8 (src):    xen-4.9.4_16-3.80.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Charles Arnold 2021-01-22 20:54:21 UTC
Backported and released to 11-SP3.
Comment 22 Charles Arnold 2021-01-22 20:54:45 UTC
(In reply to Charles Arnold from comment #21)
> Backported and released to 11-SP3.

Backported and released to 11-SP1.