Date: Tue, 01 Nov 2022 12:00:47 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security-team-members@....org> Subject: Xen Security Advisory 419 v2 (CVE-2022-42322,CVE-2022-42323) - Xenstore: Cooperating guests can create arbitrary numbers of nodes -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2022-42322,CVE-2022-42323 / XSA-419 version 2 Xenstore: Cooperating guests can create arbitrary numbers of nodes UPDATES IN VERSION 2 ==================== Public release. ISSUE DESCRIPTION ================= Since the fix of XSA-322 any Xenstore node owned by a removed domain will be modified to be owned by Dom0. This will allow two malicious guests working together to create an arbitrary number of Xenstore nodes. This is possible by domain A letting domain B write into domain A's local Xenstore tree. Domain B can then create many nodes and reboot. The nodes created by domain B will now be owned by Dom0. By repeating this process over and over again an arbitrary number of nodes can be created, as Dom0's number of nodes isn't limited by Xenstore quota. IMPACT ====== Two malicious guests working together can drive xenstored into an out of memory situation, resulting in a Denial of Service (DoS) of xenstored. This inhibits creation of new guests and changing the configuration of already running guests. VULNERABLE SYSTEMS ================== All versions of Xen with the fix for XSA-322 are in principle vulnerable. Both Xenstore implementations (C and Ocaml) are vulnerable. MITIGATION ========== There is no mitigation available. CREDITS ======= This issue was discovered by Jürgen Groß of SUSE. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa419/xsa419-oxenstored.patch xen-unstable xsa419/xsa419-xenstored-??.patch xen-unstable, Xen 4.16.x xsa419/xsa419-4.15-oxenstored.patch Xen 4.15.x xsa419/xsa419-4.15-xenstored-??.patch Xen 4.15.x xsa419/xsa419-4.14-oxenstored.patch Xen 4.14.x xsa419/xsa419-4.14-xenstored-??.patch Xen 4.14.x xsa419/xsa419-4.13-oxenstored.patch Xen 4.13.x xsa419/xsa419-4.13-xenstored-??.patch Xen 4.13.x $ sha256sum xsa419* xsa419*/* eaeb2a67accac70743cd9bed055b31bee2402600b7452f79da4bb969d7b5607f xsa419.meta 34abd947ceaf1251afc81356a3ff374bc06c046651f5f9d0894d90c93295d1ca xsa419/xsa419-4.13-oxenstored.patch 713eea1d9be7a5bef7a681a10648d2ea7db36c961cc8a9c55e147db14f59fbc2 xsa419/xsa419-4.13-xenstored-01.patch d7b0369ee1c87a08783c0484ae5f62f1c61be9c405e6568085052867bb520b2a xsa419/xsa419-4.13-xenstored-02.patch f6e0cd7491d602db3a7ac9b9e94afb59c30bf8690cd116850d8eafc481f022a9 xsa419/xsa419-4.13-xenstored-03.patch 18daa2d6b9d243bfd81e221af9ae1d74cbc621614b78dc751bb6ccdba3d66451 xsa419/xsa419-4.14-oxenstored.patch d631f12da2a8fcf674aeed33d0037bfff4b11587d6d52e4709739a8d1e90f33a xsa419/xsa419-4.14-xenstored-01.patch dc3834b30ac15d31ad1a13a8b4925229f13ce7955f2cc2223651764c55d41e64 xsa419/xsa419-4.14-xenstored-02.patch f15d02bfc9ee5119347708fd2e4d26c6b4aa18827afab1a10b9139344ca88861 xsa419/xsa419-4.14-xenstored-03.patch 95c35f32cf64229df2768109acc360a6f6ec4ddfdcbde4f0d8165f67432d3eef xsa419/xsa419-4.15-oxenstored.patch 773e98ee9ddb37e4a743d4435340066aabdc5fb41b6ff12e6b91c709484204ab xsa419/xsa419-4.15-xenstored-01.patch 4d1f9135be43e121576909787a6403aa1c1e5fa72ead8764326e21beb48d83d4 xsa419/xsa419-4.15-xenstored-02.patch 484bdddae7a750cbddeddb93be5840e3cfdda5799f667c6b5d66c3c9b7217d55 xsa419/xsa419-4.15-xenstored-03.patch 1c790ddc8cbabb32012c7636c46e017b0cbdd1cc23c56baabda4d5dca9531454 xsa419/xsa419-oxenstored.patch 3c53e103f7927ae28ab5c7a3954c7d0a6fbbdce0340816936adb5938cd48c776 xsa419/xsa419-xenstored-01.patch 978e3100b20e0126ee238d3e1c2036b25582b1c3333a028e120d700bac8d2a13 xsa419/xsa419-xenstored-02.patch 57f7015289a940e7f2dc66aedb1c04d37d0aef687a7b91453582e960b7f93076 xsa419/xsa419-xenstored-03.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of patches or mitigations is NOT permitted (except where all the affected systems and VMs are administered and used only by organisations which are members of the Xen Project Security Issues Predisclosure List). Specifically, deployment on public cloud systems is NOT permitted. This is because the patches will result in a guest visible change of behavior of Xenstore. Deployment is permitted only AFTER the embargo ends. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmNg+64MHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZR4gIAI+TcWgMKtaJ6G6MeakBbgxliMCO7+C01+94H6ZH 7dC57n3Qm12t3q6WGnPG1YYzKGWT2hsSU8/JtIkuZFe2qyvuG5cVhVcrdOGGkhsZ 4ui517R76Ldb/cBtraX6QRJni+T58ZdQGAChr6KuD8cyMgXAl1gtto9+/rQtsDzr 7XxKcR/+CcNWAOpZTNJ6DtS8V1RuRNtMSuoTCpC3Ph+Edir05bPlz6BF8EnV0cqU +Jk9nYHGg5H11L0K+yx4cIAWfaP/n/Z2AoND23tV3T4o3U3zQR9xNBvcY1zuvioG rEfzGNQx9ECQLHYPTzHNNWs+9Fb8eHyiRvkS6SKGolxpj9A= =nNvr -----END PGP SIGNATURE----- Download attachment "xsa419.meta" of type "application/octet-stream" (2255 bytes) Download attachment "xsa419/xsa419-4.13-oxenstored.patch" of type "application/octet-stream" (3357 bytes) Download attachment "xsa419/xsa419-4.13-xenstored-01.patch" of type "application/octet-stream" (10040 bytes) Download attachment "xsa419/xsa419-4.13-xenstored-02.patch" of type "application/octet-stream" (3845 bytes) Download attachment "xsa419/xsa419-4.13-xenstored-03.patch" of type "application/octet-stream" (1885 bytes) Download attachment "xsa419/xsa419-4.14-oxenstored.patch" of type "application/octet-stream" (3357 bytes) Download attachment "xsa419/xsa419-4.14-xenstored-01.patch" of type "application/octet-stream" (10040 bytes) Download attachment "xsa419/xsa419-4.14-xenstored-02.patch" of type "application/octet-stream" (3819 bytes) Download attachment "xsa419/xsa419-4.14-xenstored-03.patch" of type "application/octet-stream" (1885 bytes) Download attachment "xsa419/xsa419-4.15-oxenstored.patch" of type "application/octet-stream" (3356 bytes) Download attachment "xsa419/xsa419-4.15-xenstored-01.patch" of type "application/octet-stream" (10075 bytes) Download attachment "xsa419/xsa419-4.15-xenstored-02.patch" of type "application/octet-stream" (3842 bytes) Download attachment "xsa419/xsa419-4.15-xenstored-03.patch" of type "application/octet-stream" (1885 bytes) Download attachment "xsa419/xsa419-oxenstored.patch" of type "application/octet-stream" (3356 bytes) Download attachment "xsa419/xsa419-xenstored-01.patch" of type "application/octet-stream" (10085 bytes) Download attachment "xsa419/xsa419-xenstored-02.patch" of type "application/octet-stream" (3839 bytes) Download attachment "xsa419/xsa419-xenstored-03.patch" of type "application/octet-stream" (1885 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.