Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1oppwl-0005X2-BC@xenbits.xenproject.org>
Date: Tue, 01 Nov 2022 12:00:47 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security-team-members@....org>
Subject: Xen Security Advisory 419 v2 (CVE-2022-42322,CVE-2022-42323) -
 Xenstore: Cooperating guests can create arbitrary numbers of nodes

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

     Xen Security Advisory CVE-2022-42322,CVE-2022-42323 / XSA-419
                               version 2

   Xenstore: Cooperating guests can create arbitrary numbers of nodes

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

Since the fix of XSA-322 any Xenstore node owned by a removed domain
will be modified to be owned by Dom0.  This will allow two malicious
guests working together to create an arbitrary number of Xenstore
nodes.

This is possible by domain A letting domain B write into domain A's
local Xenstore tree.  Domain B can then create many nodes and reboot.
The nodes created by domain B will now be owned by Dom0.  By repeating
this process over and over again an arbitrary number of nodes can be
created, as Dom0's number of nodes isn't limited by Xenstore quota.

IMPACT
======

Two malicious guests working together can drive xenstored into an
out of memory situation, resulting in a Denial of Service (DoS) of
xenstored.

This inhibits creation of new guests and changing the configuration of
already running guests.

VULNERABLE SYSTEMS
==================

All versions of Xen with the fix for XSA-322 are in principle vulnerable.

Both Xenstore implementations (C and Ocaml) are vulnerable.

MITIGATION
==========

There is no mitigation available.

CREDITS
=======

This issue was discovered by Jürgen Groß of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa419/xsa419-oxenstored.patch             xen-unstable
xsa419/xsa419-xenstored-??.patch           xen-unstable, Xen 4.16.x
xsa419/xsa419-4.15-oxenstored.patch        Xen 4.15.x
xsa419/xsa419-4.15-xenstored-??.patch      Xen 4.15.x
xsa419/xsa419-4.14-oxenstored.patch        Xen 4.14.x
xsa419/xsa419-4.14-xenstored-??.patch      Xen 4.14.x
xsa419/xsa419-4.13-oxenstored.patch        Xen 4.13.x
xsa419/xsa419-4.13-xenstored-??.patch      Xen 4.13.x

$ sha256sum xsa419* xsa419*/*
eaeb2a67accac70743cd9bed055b31bee2402600b7452f79da4bb969d7b5607f  xsa419.meta
34abd947ceaf1251afc81356a3ff374bc06c046651f5f9d0894d90c93295d1ca  xsa419/xsa419-4.13-oxenstored.patch
713eea1d9be7a5bef7a681a10648d2ea7db36c961cc8a9c55e147db14f59fbc2  xsa419/xsa419-4.13-xenstored-01.patch
d7b0369ee1c87a08783c0484ae5f62f1c61be9c405e6568085052867bb520b2a  xsa419/xsa419-4.13-xenstored-02.patch
f6e0cd7491d602db3a7ac9b9e94afb59c30bf8690cd116850d8eafc481f022a9  xsa419/xsa419-4.13-xenstored-03.patch
18daa2d6b9d243bfd81e221af9ae1d74cbc621614b78dc751bb6ccdba3d66451  xsa419/xsa419-4.14-oxenstored.patch
d631f12da2a8fcf674aeed33d0037bfff4b11587d6d52e4709739a8d1e90f33a  xsa419/xsa419-4.14-xenstored-01.patch
dc3834b30ac15d31ad1a13a8b4925229f13ce7955f2cc2223651764c55d41e64  xsa419/xsa419-4.14-xenstored-02.patch
f15d02bfc9ee5119347708fd2e4d26c6b4aa18827afab1a10b9139344ca88861  xsa419/xsa419-4.14-xenstored-03.patch
95c35f32cf64229df2768109acc360a6f6ec4ddfdcbde4f0d8165f67432d3eef  xsa419/xsa419-4.15-oxenstored.patch
773e98ee9ddb37e4a743d4435340066aabdc5fb41b6ff12e6b91c709484204ab  xsa419/xsa419-4.15-xenstored-01.patch
4d1f9135be43e121576909787a6403aa1c1e5fa72ead8764326e21beb48d83d4  xsa419/xsa419-4.15-xenstored-02.patch
484bdddae7a750cbddeddb93be5840e3cfdda5799f667c6b5d66c3c9b7217d55  xsa419/xsa419-4.15-xenstored-03.patch
1c790ddc8cbabb32012c7636c46e017b0cbdd1cc23c56baabda4d5dca9531454  xsa419/xsa419-oxenstored.patch
3c53e103f7927ae28ab5c7a3954c7d0a6fbbdce0340816936adb5938cd48c776  xsa419/xsa419-xenstored-01.patch
978e3100b20e0126ee238d3e1c2036b25582b1c3333a028e120d700bac8d2a13  xsa419/xsa419-xenstored-02.patch
57f7015289a940e7f2dc66aedb1c04d37d0aef687a7b91453582e960b7f93076  xsa419/xsa419-xenstored-03.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of patches or mitigations is NOT permitted (except where
all the affected systems and VMs are administered and used only by
organisations which are members of the Xen Project Security Issues
Predisclosure List).  Specifically, deployment on public cloud systems
is NOT permitted.

This is because the patches will result in a guest visible change of
behavior of Xenstore.

Deployment is permitted only AFTER the embargo ends.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmNg+64MHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZR4gIAI+TcWgMKtaJ6G6MeakBbgxliMCO7+C01+94H6ZH
7dC57n3Qm12t3q6WGnPG1YYzKGWT2hsSU8/JtIkuZFe2qyvuG5cVhVcrdOGGkhsZ
4ui517R76Ldb/cBtraX6QRJni+T58ZdQGAChr6KuD8cyMgXAl1gtto9+/rQtsDzr
7XxKcR/+CcNWAOpZTNJ6DtS8V1RuRNtMSuoTCpC3Ph+Edir05bPlz6BF8EnV0cqU
+Jk9nYHGg5H11L0K+yx4cIAWfaP/n/Z2AoND23tV3T4o3U3zQR9xNBvcY1zuvioG
rEfzGNQx9ECQLHYPTzHNNWs+9Fb8eHyiRvkS6SKGolxpj9A=
=nNvr
-----END PGP SIGNATURE-----

Download attachment "xsa419.meta" of type "application/octet-stream" (2255 bytes)

Download attachment "xsa419/xsa419-4.13-oxenstored.patch" of type "application/octet-stream" (3357 bytes)

Download attachment "xsa419/xsa419-4.13-xenstored-01.patch" of type "application/octet-stream" (10040 bytes)

Download attachment "xsa419/xsa419-4.13-xenstored-02.patch" of type "application/octet-stream" (3845 bytes)

Download attachment "xsa419/xsa419-4.13-xenstored-03.patch" of type "application/octet-stream" (1885 bytes)

Download attachment "xsa419/xsa419-4.14-oxenstored.patch" of type "application/octet-stream" (3357 bytes)

Download attachment "xsa419/xsa419-4.14-xenstored-01.patch" of type "application/octet-stream" (10040 bytes)

Download attachment "xsa419/xsa419-4.14-xenstored-02.patch" of type "application/octet-stream" (3819 bytes)

Download attachment "xsa419/xsa419-4.14-xenstored-03.patch" of type "application/octet-stream" (1885 bytes)

Download attachment "xsa419/xsa419-4.15-oxenstored.patch" of type "application/octet-stream" (3356 bytes)

Download attachment "xsa419/xsa419-4.15-xenstored-01.patch" of type "application/octet-stream" (10075 bytes)

Download attachment "xsa419/xsa419-4.15-xenstored-02.patch" of type "application/octet-stream" (3842 bytes)

Download attachment "xsa419/xsa419-4.15-xenstored-03.patch" of type "application/octet-stream" (1885 bytes)

Download attachment "xsa419/xsa419-oxenstored.patch" of type "application/octet-stream" (3356 bytes)

Download attachment "xsa419/xsa419-xenstored-01.patch" of type "application/octet-stream" (10085 bytes)

Download attachment "xsa419/xsa419-xenstored-02.patch" of type "application/octet-stream" (3839 bytes)

Download attachment "xsa419/xsa419-xenstored-03.patch" of type "application/octet-stream" (1885 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.