Message-Id: <E1kp9Hc-0005BK-Ic@xenbits.xenproject.org>
Date: Tue, 15 Dec 2020 12:18:24 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security-team-members@....org>
Subject: Xen Security Advisory 115 v4 (CVE-2020-29480) - xenstore watch notifications lacking permission checks

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2020-29480 / XSA-115
                              version 4

      xenstore watch notifications lacking permission checks

UPDATES IN VERSION 4
====================

Public release.

ISSUE DESCRIPTION
=================

Neither xenstore implementation does any permissions checks when
reporting a xenstore watch event.

A guest administrator can watch the root xenstored node, which will
cause notifications for every created, modified and deleted key.

A guest administrator can also use the special watches, which will
cause a notification every time a domain is created and destroyed.

Data may include:
 - number, type and domids of other VMs
 - existence and domids of driver domains
 - numbers of virtual interfaces, block devices, vcpus
 - existence of virtual framebuffers and their backend style
   (eg, existence of VNC service)
 - Xen VM UUIDs for other domains
 - timing information about domain creation and device setup
 - some hints at the backend provisioning of VMs and their devices

The watch events do not contain values stored in xenstore, only key
names.

IMPACT
======

A guest administrator can observe non-sensitive domain and device
lifecycle events relating to other guests.  This information allows
some insight into overall system configuration (including number and
general nature of other guests), and configuration of other guests
(including number and general nature of other guests' devices).  This
information might be commercially interesting or might make other
attacks easier.

There is not believed to be exposure of sensitive data.  Specifically,
there is no exposure of: VNC passwords; port numbers; pathnames in host
and guest filesystems; cryptographic keys; or within-guest data.

VULNERABLE SYSTEMS
==================

All Xen systems are vulnerable.

Both Xenstore implementations (C and Ocaml) are vulnerable.

MITIGATION
==========

There is no mitigation available.

CREDITS
=======

This issue was discovered by Andrew Reimers and Alex Sharp from OrionVM.

RESOLUTION
==========

Applying the appropriate attached patches resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

Note that the Ocaml patches depend on XSA-353.

xsa115-c/*.patch           xen-unstable                 [C xenstored]
xsa115-4.14-c/*.patch      Xen 4.14                     [C xenstored]
xsa115-4.13-c/*.patch      Xen 4.13 - 4.10              [C xenstored]
xsa115-o/*.patch           xen-unstable - 4.12          [Ocaml xenstored, needs 353]
xsa115-4.11-o/*.patch      Xen 4.11                     [Ocaml xenstored, needs 353]
xsa115-4.10-o/*.patch      Xen 4.10                     [Ocaml xenstored, needs 353]

$ sha256sum xsa115* xsa115*/*
b2cc3bfbfb48b60e8623b276d823599bc6a33065a340fbc79804bad7ffee48be  xsa115.meta
ced68edb7da44f3e7233120c34a343ee392a4bf094a61775d54d3ea7dc920837  xsa115-4.10-o/0001-tools-ocaml-xenstored-ignore-transaction-id-for-un-w.patch
21d0e3aff4c696875b9db02d6ba3fc683ba05b768d4716e1a197f4c5475ed324  xsa115-4.10-o/0002-tools-ocaml-xenstored-check-privilege-for-XS_IS_DOMA.patch
28249e3f48c255bbc1e87f6e4b70f5b832b50fa8028f44924c6308a9492a1cf2  xsa115-4.10-o/0003-tools-ocaml-xenstored-unify-watch-firing.patch
219f111181cc8ddcdbca73823688b33f86a2e4bddeb06dcc7dc84c63fc9e9053  xsa115-4.10-o/0004-tools-ocaml-xenstored-introduce-permissions-for-spec.patch
0cb14326baedd44650ce59a3da5ab6daa4a7f18f1e1440b6eda5d1a5d414233b  xsa115-4.10-o/0005-tools-ocaml-xenstored-avoid-watch-events-for-nodes-w.patch
b84be5a85c1dadbf77fa1ea1157a293408052d9628fc9cb1f343cd3a1dcd687c  xsa115-4.10-o/0006-tools-ocaml-xenstored-add-xenstored.conf-flag-to-tur.patch
ced68edb7da44f3e7233120c34a343ee392a4bf094a61775d54d3ea7dc920837  xsa115-4.11-o/0001-tools-ocaml-xenstored-ignore-transaction-id-for-un-w.patch
21d0e3aff4c696875b9db02d6ba3fc683ba05b768d4716e1a197f4c5475ed324  xsa115-4.11-o/0002-tools-ocaml-xenstored-check-privilege-for-XS_IS_DOMA.patch
28249e3f48c255bbc1e87f6e4b70f5b832b50fa8028f44924c6308a9492a1cf2  xsa115-4.11-o/0003-tools-ocaml-xenstored-unify-watch-firing.patch
046d6d9044c41481071760c54e0ad2f66db70ea720c8d39056cedfd51fda56b8  xsa115-4.11-o/0004-tools-ocaml-xenstored-introduce-permissions-for-spec.patch
a0042d3524f83ac2514d4040cc049108c3db1fe398f26d86b309dda1c1444472  xsa115-4.11-o/0005-tools-ocaml-xenstored-avoid-watch-events-for-nodes-w.patch
b84be5a85c1dadbf77fa1ea1157a293408052d9628fc9cb1f343cd3a1dcd687c  xsa115-4.11-o/0006-tools-ocaml-xenstored-add-xenstored.conf-flag-to-tur.patch
383b1f8ae592f5330832962e98c02cf18b566ed090f9e96338536619ab1bd889  xsa115-4.13-c/0001-tools-xenstore-allow-removing-child-of-a-node-exceed.patch
0c96d9c27bc0031f2e72170c453aca5677d8f7469b15468dc797aef4bd1d67d6  xsa115-4.13-c/0002-tools-xenstore-ignore-transaction-id-for-un-watch.patch
11ec359a426abaa71b7eda4a5bf319d73b14b3cbfeac483206c134b0e3ad5391  xsa115-4.13-c/0003-tools-xenstore-fix-node-accounting-after-failed-node.patch
5fd6461cc96fd787a81a625b9b7e230a5c9092201a54976de088703305e86dd6  xsa115-4.13-c/0004-tools-xenstore-simplify-and-rename-check_event_node.patch
55bfaa3674fb355a2ed5830e0a7197ede0a5b9168f93889d7fa08044b312ab52  xsa115-4.13-c/0005-tools-xenstore-check-privilege-for-XS_IS_DOMAIN_INTR.patch
0013ad062ee5f2dd79f500e2c829a9534677282ed4a2d596cf16e6b362fd29af  xsa115-4.13-c/0006-tools-xenstore-rework-node-removal.patch
e5ed745da88dd195b03f788f255d0d752eb9e801c39c6905707c0b5fa60e8ddf  xsa115-4.13-c/0007-tools-xenstore-fire-watches-only-when-removing-a-spe.patch
83e6b4312be4b7fe651f680e5428d47e71a0fd7fdbff5d39433f48b0f4484ad4  xsa115-4.13-c/0008-tools-xenstore-introduce-node_perms-structure.patch
8fa565f136b1fab33f6a06eebad5da9bed571dcac030dcd0b85078817b5adc75  xsa115-4.13-c/0009-tools-xenstore-allow-special-watches-for-privileged-.patch
4038e76a3a8748b748811e06b91d87d01c3d3d3ae5fead4b123065cfe35eb81a  xsa115-4.13-c/0010-tools-xenstore-avoid-watch-events-for-nodes-without-.patch
797772d456b194a7cdad1eedbcf61499d2c5c2a71a6ba9a11e4789ac7eda602f  xsa115-4.14-c/0001-tools-xenstore-allow-removing-child-of-a-node-exceed.patch
2f37019e0d0ca3e425da0ab272a9afae749de963bf89c6a65696b0f134257011  xsa115-4.14-c/0002-tools-xenstore-ignore-transaction-id-for-un-watch.patch
7a7b63884dfbea232a14b7ff49f14d1bf89edd638bf738643676504aab6ef5f2  xsa115-4.14-c/0003-tools-xenstore-fix-node-accounting-after-failed-node.patch
52f2c03e318720b7ccf55c9cb11f5d33a46feb922dfed656c7c6db1e5f813d91  xsa115-4.14-c/0004-tools-xenstore-simplify-and-rename-check_event_node.patch
1db253543e2387abed872c6d94ac8915ce55f38e95d59f24cd0d19d173b8eadb  xsa115-4.14-c/0005-tools-xenstore-check-privilege-for-XS_IS_DOMAIN_INTR.patch
4bd75552186793cbc8bc1567b5952990e41651c1ccbdc2c55b14bbe62b707ac0  xsa115-4.14-c/0006-tools-xenstore-rework-node-removal.patch
22d0a1bc7b413ff9689b06ee7833baf970f54c678da47db3a941801c79339464  xsa115-4.14-c/0007-tools-xenstore-fire-watches-only-when-removing-a-spe.patch
8d4a53c74d0ce42f8134b073acadf0550552da5a827840517cbae55628e5b4a9  xsa115-4.14-c/0008-tools-xenstore-introduce-node_perms-structure.patch
10a066d28b14ae667d11a9fc3c9113569fa16df4e6039380b13907886551a970  xsa115-4.14-c/0009-tools-xenstore-allow-special-watches-for-privileged-.patch
9731273b7b096326e28caad8d75b2f87e391131fe40f0952dbb8f974e6b3b298  xsa115-4.14-c/0010-tools-xenstore-avoid-watch-events-for-nodes-without-.patch
db1b0b44aad333cc8331a3b34199b052fad3897db5386d1f1b9e02247ff72106  xsa115-c/0001-tools-xenstore-allow-removing-child-of-a-node-exceed.patch
d052bff6d7971500bbed047f914b45fa95cc29b914a024f1d3da9bb151239432  xsa115-c/0002-tools-xenstore-ignore-transaction-id-for-un-watch.patch
cb016c3669b0d650d33dbfd6246545a79e75f605bbfe42f8851702a4848f71db  xsa115-c/0003-tools-xenstore-fix-node-accounting-after-failed-node.patch
289beb0917e2554d3c3b6be90e2dd9215ac1aefd3e4fb0ed86e690abbd73b669  xsa115-c/0004-tools-xenstore-simplify-and-rename-check_event_node.patch
8a61a189987e88dbf4c7bdf4b247f1117c82cfe6ac308302753146b11802a670  xsa115-c/0005-tools-xenstore-check-privilege-for-XS_IS_DOMAIN_INTR.patch
6af64fa35e823fff2f47b11421409f2f21f8ecf853583ac70054907ad3ce83c7  xsa115-c/0006-tools-xenstore-rework-node-removal.patch
4fb7af8330e85f267235a05cce0758473326ddb5d39d47450a5492060209f0c0  xsa115-c/0007-tools-xenstore-fire-watches-only-when-removing-a-spe.patch
ff1af7e9d36dc8d3c423a3736e82c2e4ab2a595f3fc6622c57096c7a3a1dce59  xsa115-c/0008-tools-xenstore-introduce-node_perms-structure.patch
8895fbef5ab0b8bdf303becd809c848acd85249a53e0e414d1a9c4d917402ec3  xsa115-c/0009-tools-xenstore-allow-special-watches-for-privileged-.patch
a611598bc76874d69449c23aa43d8b6f1331595e64eb5746731f4ee64301441c  xsa115-c/0010-tools-xenstore-avoid-watch-events-for-nodes-without-.patch
46c317b0975fe975162dc4b4bd61f82bf9a6b102e7edcd3cd0dccaad84165ed6  xsa115-o/0001-tools-ocaml-xenstored-ignore-transaction-id-for-un-w.patch
5d0f8c8901196715ed60593bf239caf39b168814ea01ed18c2e3789fb7879790  xsa115-o/0002-tools-ocaml-xenstored-check-privilege-for-XS_IS_DOMA.patch
002cb251a1dcde811dd5998a53a37afe67653361320316eaff9df2d9c5369f8d  xsa115-o/0003-tools-ocaml-xenstored-unify-watch-firing.patch
f640ff6f2e86bc0c4074629a80d17328d7494da3f2fdc2c8d99d0018c36c28dc  xsa115-o/0004-tools-ocaml-xenstored-introduce-permissions-for-spec.patch
fcc0d36ab9e27a2ab3dd2de8b54495676a454298ca1203d3d424cd4498e03321  xsa115-o/0005-tools-ocaml-xenstored-avoid-watch-events-for-nodes-w.patch
62aeb42ae0a5a93de246aed259b4fe5850a33eb001f03b8d183a70c9c5617618  xsa115-o/0006-tools-ocaml-xenstored-add-xenstored.conf-flag-to-tur.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:

  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl/YqMsMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZRJUIAJ66U75O7Pf5tmu9s4vLrrG/n7rCo6qp+TZ1hcio
PNd2xYJaiVfr39m2JByoUyIgBbb3C7R03pXgM15Vbvk0/v6b3QySxzSBbqdIOn3H
yQtOJlNY4OnQh7n0Svs0HV1aCbd/81wIKZ5aCxn/X3ZBjBHOIQGMAdSZ/lkh8g0p
7CTkTZB//gbuR8QZV2KYqFYsKlwhhGCueOFYlnqIs/HWmAL2wnsacF/K7xffVw0S
Fu8pATp1jWXGYc3S1J9o+C77vF4Ai8x2OLw5TCSG8grmPAuojbmB5UuT+ez4VB5q
3KbpqkJSoyuOvWOPHxydb9Z/ExbpZUMgO0c1FmZ2opXRBoA=
=OtzN
-----END PGP SIGNATURE-----