Message-Id: <E1kp9Hc-0005BK-Ic@xenbits.xenproject.org>
Date: Tue, 15 Dec 2020 12:18:24 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security-team-members@....org>
Subject: Xen Security Advisory 115 v4 (CVE-2020-29480) - xenstore watch
 notifications lacking permission checks

            Xen Security Advisory CVE-2020-29480 / XSA-115
                               version 4

         xenstore watch notifications lacking permission checks

UPDATES IN VERSION 4
====================

Public release.

ISSUE DESCRIPTION
=================

Neither xenstore implementation does any permissions checks when
reporting a xenstore watch event.

A guest administrator can watch the root xenstored node, which will
cause notifications for every created, modified and deleted key.

A guest administrator can also use the special watches, which will
cause a notification every time a domain is created and destroyed.

Data may include:
 - number, type and domids of other VMs
 - existence and domids of driver domains
 - numbers of virtual interfaces, block devices, vcpus
 - existence of virtual framebuffers and their backend style (eg,
   existence of VNC service)
 - Xen VM UUIDs for other domains
 - timing information about domain creation and device setup
 - some hints at the backend provisioning of VMs and their devices

The watch events do not contain values stored in xenstore, only key
names.
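As an added illustration (not part of this advisory and not code from the Xen tree), the C model below contrasts the watch-delivery decision described above, which fires for every key under the watched node, with one that also consults the xenstore permissions of the domain that registered the watch. The sample store, its permission entries, and the handling of a deleted node via its nearest existing ancestor are constructed assumptions of the model.

```c
#include <stdio.h>
#include <string.h>
/* xenstore permission entry: domid plus the access letter xenstore-ls -p
 * prints ('n' none, 'r' read, 'w' write, 'b' both). Entry 0 of a node's
 * list is the owner, whose letter is the default for every other domain;
 * later entries are per-domain overrides. dom0 is always allowed. */
struct perm { unsigned domid; char access; };
struct node { const char *path; struct perm perms[3]; int nperms; };

/* Constructed sample store, not a dump of any real host. */
static const struct node store[] = {
    { "/",                          { {0, 'n'} },           1 },
    { "/local/domain/5",            { {0, 'n'}, {5, 'r'} }, 2 },
    { "/local/domain/5/device/vbd", { {0, 'n'}, {5, 'r'} }, 2 },
    { "/local/domain/7",            { {0, 'n'}, {7, 'r'} }, 2 },
    { "/local/domain/7/device/vif", { {0, 'n'}, {7, 'r'} }, 2 },
};

static const struct node *lookup(const char *path) {
    for (size_t i = 0; i < sizeof store / sizeof store[0]; i++)
        if (strcmp(store[i].path, path) == 0) return &store[i];
    return NULL;
}

static int can_read(unsigned domid, const struct node *n) {
    char access = n->perms[0].access;          /* owner's default letter */
    if (domid == 0 || domid == n->perms[0].domid) return 1;
    for (int i = 1; i < n->nperms; i++)
        if (n->perms[i].domid == domid)
            access = n->perms[i].access;       /* per-domain override */
    return access == 'r' || access == 'b';
}

/* Pre-XSA-115 decision: fire whenever the event path is the watched node
 * or lies below it, regardless of which domain registered the watch. */
static int fires_unchecked(const char *watch, const char *event) {
    size_t len = strlen(watch);
    return strncmp(event, watch, len) == 0 &&
           (watch[len - 1] == '/' || event[len] == '\0' || event[len] == '/');
}

/* Post-XSA-115 model: additionally require read access to the event node.
 * A path missing from the store (a deleted node) is judged by its nearest
 * existing ancestor; that fallback is this model's assumption. */
static int fires_checked(unsigned domid, const char *watch, const char *event) {
    char buf[128], *slash;
    if (!fires_unchecked(watch, event)) return 0;
    snprintf(buf, sizeof buf, "%s", event);
    while (!lookup(buf) && (slash = strrchr(buf, '/')) != buf)
        *slash = '\0';                         /* strip last path component */
    return can_read(domid, lookup(lookup(buf) ? buf : "/"));
}

int main(void) {
    const char *ev = "/local/domain/7/device/vif/0/state"; /* another guest's key */
    printf("dom5 root watch fires: before fix %d, after fix %d\n",
           fires_unchecked("/", ev), fires_checked(5, "/", ev));
    return 0;
}
```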

IMPACT
======

A guest administrator can observe non-sensitive domain and device
lifecycle events relating to other guests.  This information allows
some insight into overall system configuration (including number and
general nature of other guests), and configuration of other guests
(including number and general nature of other guests' devices).  This
information might be commercially interesting or might make other
attacks easier.

There is not believed to be exposure of sensitive data.  Specifically,
there is no exposure of: VNC passwords; port numbers; pathnames in host
and guest filesystems; cryptographic keys; or within-guest data.

VULNERABLE SYSTEMS
==================

All Xen systems are vulnerable.

Both Xenstore implementations (C and Ocaml) are vulnerable.

MITIGATION
==========

There is no mitigation available.

CREDITS
=======

This issue was discovered by Andrew Reimers and Alex Sharp from
OrionVM.

RESOLUTION
==========

Applying the appropriate attached patches resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

Note that the Ocaml patches depend on XSA-353.

xsa115-c/*.patch           xen-unstable        [C xenstored]
xsa115-4.14-c/*.patch      Xen 4.14            [C xenstored]
xsa115-4.13-c/*.patch      Xen 4.13 - 4.10     [C xenstored]

xsa115-o/*.patch           xen-unstable - 4.12 [Ocaml xenstored, needs 353]
xsa115-4.11-o/*.patch      Xen 4.11            [Ocaml xenstored, needs 353]
xsa115-4.10-o/*.patch      Xen 4.10            [Ocaml xenstored, needs 353]

$ sha256sum xsa115* xsa115*/*

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html