Description
Security update for xen
This update for xen fixes the following issues:
- bsc#1174543 - secure boot related fixes
- bsc#1163019 - CVE-2020-8608: potential OOB access due to unsafe snprintf() usages
- bsc#1169392 - CVE-2020-11742: Bad continuation handling in GNTTABOP_copy
- bsc#1168140 - CVE-2020-11740, CVE-2020-11741: multiple xenoprof issues
- bsc#1161181 - CVE-2020-7211: potential directory traversal using relative paths via tftp server on Windows host
- bsc#1154456 - CVE-2019-18425: missing descriptor table limit checking in x86 PV emulation
- bsc#1154458 - CVE-2019-18421: Issues with restartable PV type change operations
Package list
SUSE Linux Enterprise Point of Sale 11 SP3
References
- Link for SUSE-SU-2020:14448-1
- E-Mail link for SUSE-SU-2020:14448-1
- SUSE Security Ratings
- SUSE Bug 1154456
- SUSE Bug 1154458
- SUSE Bug 1161181
- SUSE Bug 1163019
- SUSE Bug 1168140
- SUSE Bug 1169392
- SUSE Bug 1174543
- SUSE CVE CVE-2019-18421 page
- SUSE CVE CVE-2019-18425 page
- SUSE CVE CVE-2020-11740 page
- SUSE CVE CVE-2020-11741 page
- SUSE CVE CVE-2020-11742 page
- SUSE CVE CVE-2020-7211 page
- SUSE CVE CVE-2020-8608 page
Description
An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to gain host OS privileges by leveraging race conditions in pagetable promotion and demotion operations. There are issues with restartable PV type change operations. To avoid using shadow pagetables for PV guests, Xen exposes the actual hardware pagetables to the guest. In order to prevent the guest from modifying these page tables directly, Xen keeps track of how pages are used using a type system; pages must be "promoted" before being used as a pagetable, and "demoted" before being used for any other type. Xen also allows for "recursive" promotions: i.e., an operating system promoting a page to an L4 pagetable may end up causing pages to be promoted to L3s, which may in turn cause pages to be promoted to L2s, and so on. These operations may take an arbitrarily large amount of time, and so must be re-startable. Unfortunately, making recursive pagetable promotion and demotion operations restartable is incredibly complicated, and the code contains several races which, if triggered, can cause Xen to drop or retain extra type counts, potentially allowing guests to get write access to in-use pagetables. A malicious PV guest administrator may be able to escalate their privilege to that of the host. All x86 systems with untrusted PV guests are vulnerable. HVM and PVH guests cannot exercise this vulnerability.
Affected products
References
- CVE-2019-18421
- SUSE Bug 1154458
- SUSE Bug 1178658
Description
An issue was discovered in Xen through 4.12.x allowing 32-bit PV guest OS users to gain guest OS privileges by installing and using descriptors. There is missing descriptor table limit checking in x86 PV emulation. When emulating certain PV guest operations, descriptor table accesses are performed by the emulating code. Such accesses should respect the guest specified limits, unless otherwise guaranteed to fail in such a case. Without this, emulation of 32-bit guest user mode calls through call gates would allow guest user mode to install and then use descriptors of their choice, as long as the guest kernel did not itself install an LDT. (Most OSes don't install any LDT by default). 32-bit PV guest user mode can elevate its privileges to that of the guest kernel. Xen versions from at least 3.2 onwards are affected. Only 32-bit PV guest user mode can leverage this vulnerability. HVM, PVH, as well as 64-bit PV guests cannot leverage this vulnerability. Arm systems are unaffected.
Affected products
References
- CVE-2019-18425
- SUSE Bug 1154456
- SUSE Bug 1178658
Description
An issue was discovered in xenoprof in Xen through 4.13.x, allowing guest OS users (without active profiling) to obtain sensitive information about other guests. Unprivileged guests can request to map xenoprof buffers, even if profiling has not been enabled for those guests. These buffers were not scrubbed.
Affected products
References
- CVE-2020-11740
- SUSE Bug 1168140
- SUSE Bug 1178658
Description
An issue was discovered in xenoprof in Xen through 4.13.x, allowing guest OS users (with active profiling) to obtain sensitive information about other guests, cause a denial of service, or possibly gain privileges. For guests for which "active" profiling was enabled by the administrator, the xenoprof code uses the standard Xen shared ring structure. Unfortunately, this code did not treat the guest as a potential adversary: it trusts the guest not to modify buffer size information or modify head / tail pointers in unexpected ways. This can crash the host (DoS). Privilege escalation cannot be ruled out.
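The rule this advisory states, that ring metadata living in guest-writable memory must be treated as adversarial input, is shown below in an added example that is not Xen's xenoprof code. It assumes a constructed header (`struct ring_hdr` with `size`, `head` and `tail`) and a constructed mapped capacity `RING_CAP`; the producer copies the guest-written fields out exactly once, validates the copy against what this side actually mapped, and bounds every index by that capacity rather than by the guest's own size field.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed layout: the number of slots this side actually mapped, and a
 * header that lives in memory the guest can write at any time. */
#define RING_CAP 8u

struct ring_hdr { uint32_t size; uint32_t head; uint32_t tail; };
struct ring     { struct ring_hdr hdr; uint32_t slots[RING_CAP]; };

enum ring_status { RING_OK = 0, RING_FULL = 1, RING_BAD_SIZE = -1, RING_BAD_INDEX = -2 };

/* Producer side (the role the host plays when it writes samples into a
 * guest-shared ring). Every guest-writable field is copied out once and the
 * copy is validated against the mapped capacity, so the guest can neither
 * steer the write with a wild index nor change the values between the
 * check and the use. */
int ring_push(struct ring *r, uint32_t value) {
    struct ring_hdr h;
    memcpy(&h, &r->hdr, sizeof h);             /* snapshot of untrusted fields */
    if (h.size == 0 || h.size > RING_CAP)      /* guest-declared size vs. reality */
        return RING_BAD_SIZE;
    if (h.head >= h.size || h.tail >= h.size)  /* indices must lie inside the ring */
        return RING_BAD_INDEX;
    uint32_t next = (h.head + 1) % h.size;
    if (next == h.tail)                        /* one slot kept free: full vs. empty */
        return RING_FULL;
    r->slots[h.head] = value;                  /* h.head < h.size <= RING_CAP */
    r->hdr.head = next;                        /* publish from the validated copy */
    return RING_OK;
}

/* Guest claims a ring larger than what was mapped. */
int demo_oversized_header(void) {
    struct ring r;
    memset(&r, 0, sizeof r);
    r.hdr.size = 1024;
    return ring_push(&r, 1);
}

/* Guest points head past the end of the buffer. */
int demo_wild_head(void) {
    struct ring r;
    memset(&r, 0, sizeof r);
    r.hdr.size = RING_CAP;
    r.hdr.head = 0xFFFFFFF0u;
    return ring_push(&r, 1);
}

/* Well-formed header: counts pushes accepted before the ring reports full. */
int demo_accepted_pushes(void) {
    struct ring r;
    memset(&r, 0, sizeof r);
    r.hdr.size = RING_CAP;
    int n = 0;
    while (ring_push(&r, (uint32_t)n) == RING_OK)
        n++;
    return n;
}

int main(void) {
    printf("oversized size field: status %d\n", demo_oversized_header());
    printf("head out of range:    status %d\n", demo_wild_head());
    printf("valid header:         %d of %u slots accepted\n", demo_accepted_pushes(), RING_CAP);
    return 0;
}
```

The snapshot in `ring_push` matters as much as the range checks: re-reading `r->hdr.size` after the check would reopen the time-of-check/time-of-use window the advisory describes, since the guest can rewrite the field at any moment.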
Affected products
References
- CVE-2020-11741
- SUSE Bug 1168140
- SUSE Bug 1178658
Description
An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a denial of service because of bad continuation handling in GNTTABOP_copy. Grant table operations are expected to return 0 for success, and a negative number for errors. The fix for CVE-2017-12135 introduced a path through grant copy handling where success may be returned to the caller without any action taken. In particular, the status fields of individual operations are left uninitialised, and may result in errant behaviour in the caller of GNTTABOP_copy. A buggy or malicious guest can construct its grant table in such a way that, when a backend domain tries to copy a grant, it hits the incorrect exit path. This returns success to the caller without doing anything, which may cause crashes or other incorrect behaviour.
Affected products
References
- CVE-2020-11742
- SUSE Bug 1169392
- SUSE Bug 1178658
Description
tftp.c in libslirp 4.1.0, as used in QEMU 4.2.0, does not prevent ..\ directory traversal on Windows.
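As an added example, not libslirp's tftp.c, the check below treats both `/` and `\` as path separators on every host, which is exactly what a `/`-only check misses on Windows. The function names `tftp_name_is_safe` and `tftp_resolve` and the `/srv/tftp` root are assumptions for the example; the test of each path component being literally `..` is the property that rejects `../x`, `..\x` and `a\..\b` alike.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Both characters are treated as separators on every host; a check that
 * only knows '/' is what lets ".." followed by a backslash through on Windows. */
static bool is_sep(char c) { return c == '/' || c == '\\'; }

/* Returns true only for a relative name with no ".." component and no
 * drive prefix, splitting on '/' and '\' alike. Constructed example, not
 * libslirp's code. */
bool tftp_name_is_safe(const char *name) {
    if (name == NULL || name[0] == '\0')
        return false;
    if (is_sep(name[0]))                                   /* absolute or UNC-style path */
        return false;
    if (isalpha((unsigned char)name[0]) && name[1] == ':') /* drive letter prefix */
        return false;
    for (const char *p = name; *p; ) {
        const char *start = p;
        while (*p && !is_sep(*p))
            p++;
        /* a component that is exactly ".." climbs out of the root */
        if (p - start == 2 && start[0] == '.' && start[1] == '.')
            return false;
        if (*p)
            p++;                                           /* skip the separator */
    }
    return true;
}

/* Joins root and name only when name passed the check; out is left empty
 * otherwise. The snprintf() result is compared against outsz, never used
 * blindly as a byte count. */
bool tftp_resolve(const char *root, const char *name, char *out, size_t outsz) {
    if (outsz == 0)
        return false;
    out[0] = '\0';
    if (!tftp_name_is_safe(name))
        return false;
    int n = snprintf(out, outsz, "%s/%s", root, name);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return false;
    }
    return true;
}

int main(void) {
    /* constructed request names, the kind a TFTP client would send */
    static const char *names[] = { "boot/pxelinux.0", "../etc/passwd",
                                   "..\\..\\Windows\\win.ini", "boot\\..\\secret", "C:\\x" };
    char path[128];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-28s -> %s\n", names[i],
               tftp_resolve("/srv/tftp", names[i], path, sizeof path) ? path : "rejected");
    return 0;
}
```

Note that the check is per component, not a substring search: a file honestly named `..hidden` is accepted, while `..` standing alone between any two separators is not.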
Affected products
References
- CVE-2020-7211
- SUSE Bug 1161180
- SUSE Bug 1161181
- SUSE Bug 1178658
Description
In libslirp 4.1.0, as used in QEMU 4.2.0, tcp_subr.c misuses snprintf return values, leading to a buffer overflow in later code.
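The bug class named here rests on one property of `snprintf()`: it returns the length the complete output would have had, not the number of bytes it stored. The added example below (constructed for this page, not libslirp's tcp_subr.c) shows an appender that trusts that return value as a byte count beside one that compares it against the space that was actually available; `struct msg`, `MSG_MAX` and the sample field names are assumptions of the example.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a fixed-size text buffer filled by repeated formatted
 * appends. snprintf() returns the length the complete output would have had,
 * not the number of bytes it stored, so on truncation the return value is
 * larger than the space that was available. */
#define MSG_MAX 32

struct msg {
    char   buf[MSG_MAX];
    size_t off;         /* bytes used, excluding the terminating NUL */
    bool   truncated;
};

void msg_init(struct msg *m) { memset(m, 0, sizeof *m); }

/* Unsafe pattern (hypothetical, modelled on the bug class, not libslirp's
 * code): treats the return value as "bytes written". After one oversized
 * append, off points past the end of buf; the next call would compute a
 * wrapped-around remaining size and write out of bounds. The function is
 * only ever called once here, so the overrun itself is never executed. */
size_t append_unsafe(struct msg *m, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(m->buf + m->off, MSG_MAX - m->off, fmt, ap);
    va_end(ap);
    m->off += (size_t)n;        /* BUG: n can exceed the space that was left */
    return m->off;
}

/* Hardened pattern: compares the return value with the space that was
 * available, records truncation and pins off to the last valid position,
 * so every later append sees a well-defined budget of zero. */
bool append_safe(struct msg *m, const char *fmt, ...) {
    size_t room = MSG_MAX - m->off;     /* off <= MSG_MAX-1 is an invariant */
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(m->buf + m->off, room, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= room) {
        m->truncated = true;
        m->off = MSG_MAX - 1;           /* buf[MSG_MAX-1] holds the NUL */
        return false;
    }
    m->off += (size_t)n;
    return true;
}

/* Offset the unsafe appender reaches after a single oversized write;
 * anything above MSG_MAX means the next write would start out of bounds. */
size_t unsafe_demo(void) {
    struct msg m;
    msg_init(&m);
    return append_unsafe(&m, "%s", "this string is longer than the thirty-two byte buffer");
}

struct safe_result { int fitted; bool truncated; size_t len; };

/* Appends constructed fields until the buffer is full; the buffer is never
 * overrun, and the result reports exactly how much survived. */
struct safe_result safe_demo(void) {
    static const char *parts[] = { "alpha", "beta", "gamma", "delta", "epsilon", "zeta", "eta" };
    struct msg m;
    struct safe_result r = { 0, false, 0 };
    msg_init(&m);
    for (size_t i = 0; i < sizeof parts / sizeof parts[0]; i++) {
        if (!append_safe(&m, "%s;", parts[i]))
            break;
        r.fitted++;
    }
    r.truncated = m.truncated;
    r.len = strlen(m.buf);
    return r;
}

int main(void) {
    struct safe_result r = safe_demo();
    printf("unsafe offset after one write: %zu (buffer is %d bytes)\n", unsafe_demo(), MSG_MAX);
    printf("safe: %d fields fitted, truncated=%d, %zu bytes used\n", r.fitted, r.truncated, r.len);
    return 0;
}
```

The first write in `append_unsafe` is itself bounded by `vsnprintf`; the damage comes from the offset it leaves behind, which is why auditing this bug class means following where each return value flows, not only the call site.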
Affected products
References
- CVE-2020-8608
- SUSE Bug 1163018
- SUSE Bug 1163019