Information
Advisory:       XSA-115
Public release: 2020-12-15 12:00
Updated:        2020-12-15 12:15
Version:        4
CVE(s):         CVE-2020-29480
Title:          xenstore watch notifications lacking permission checks
Files
advisory-115.txt (signed advisory file)
xsa115.meta
xsa115-4.10-o/0001-tools-ocaml-xenstored-ignore-transaction-id-for-un-w.patch
xsa115-4.10-o/0002-tools-ocaml-xenstored-check-privilege-for-XS_IS_DOMA.patch
xsa115-4.10-o/0003-tools-ocaml-xenstored-unify-watch-firing.patch
xsa115-4.10-o/0004-tools-ocaml-xenstored-introduce-permissions-for-spec.patch
xsa115-4.10-o/0005-tools-ocaml-xenstored-avoid-watch-events-for-nodes-w.patch
xsa115-4.10-o/0006-tools-ocaml-xenstored-add-xenstored.conf-flag-to-tur.patch
xsa115-4.11-o/0001-tools-ocaml-xenstored-ignore-transaction-id-for-un-w.patch
xsa115-4.11-o/0002-tools-ocaml-xenstored-check-privilege-for-XS_IS_DOMA.patch
xsa115-4.11-o/0003-tools-ocaml-xenstored-unify-watch-firing.patch
xsa115-4.11-o/0004-tools-ocaml-xenstored-introduce-permissions-for-spec.patch
xsa115-4.11-o/0005-tools-ocaml-xenstored-avoid-watch-events-for-nodes-w.patch
xsa115-4.11-o/0006-tools-ocaml-xenstored-add-xenstored.conf-flag-to-tur.patch
xsa115-4.13-c/0001-tools-xenstore-allow-removing-child-of-a-node-exceed.patch
xsa115-4.13-c/0002-tools-xenstore-ignore-transaction-id-for-un-watch.patch
xsa115-4.13-c/0003-tools-xenstore-fix-node-accounting-after-failed-node.patch
xsa115-4.13-c/0004-tools-xenstore-simplify-and-rename-check_event_node.patch
xsa115-4.13-c/0005-tools-xenstore-check-privilege-for-XS_IS_DOMAIN_INTR.patch
xsa115-4.13-c/0006-tools-xenstore-rework-node-removal.patch
xsa115-4.13-c/0007-tools-xenstore-fire-watches-only-when-removing-a-spe.patch
xsa115-4.13-c/0008-tools-xenstore-introduce-node_perms-structure.patch
xsa115-4.13-c/0009-tools-xenstore-allow-special-watches-for-privileged-.patch
xsa115-4.13-c/0010-tools-xenstore-avoid-watch-events-for-nodes-without-.patch
xsa115-4.14-c/0001-tools-xenstore-allow-removing-child-of-a-node-exceed.patch
xsa115-4.14-c/0002-tools-xenstore-ignore-transaction-id-for-un-watch.patch
xsa115-4.14-c/0003-tools-xenstore-fix-node-accounting-after-failed-node.patch
xsa115-4.14-c/0004-tools-xenstore-simplify-and-rename-check_event_node.patch
xsa115-4.14-c/0005-tools-xenstore-check-privilege-for-XS_IS_DOMAIN_INTR.patch
xsa115-4.14-c/0006-tools-xenstore-rework-node-removal.patch
xsa115-4.14-c/0007-tools-xenstore-fire-watches-only-when-removing-a-spe.patch
xsa115-4.14-c/0008-tools-xenstore-introduce-node_perms-structure.patch
xsa115-4.14-c/0009-tools-xenstore-allow-special-watches-for-privileged-.patch
xsa115-4.14-c/0010-tools-xenstore-avoid-watch-events-for-nodes-without-.patch
xsa115-c/0001-tools-xenstore-allow-removing-child-of-a-node-exceed.patch
xsa115-c/0002-tools-xenstore-ignore-transaction-id-for-un-watch.patch
xsa115-c/0003-tools-xenstore-fix-node-accounting-after-failed-node.patch
xsa115-c/0004-tools-xenstore-simplify-and-rename-check_event_node.patch
xsa115-c/0005-tools-xenstore-check-privilege-for-XS_IS_DOMAIN_INTR.patch
xsa115-c/0006-tools-xenstore-rework-node-removal.patch
xsa115-c/0007-tools-xenstore-fire-watches-only-when-removing-a-spe.patch
xsa115-c/0008-tools-xenstore-introduce-node_perms-structure.patch
xsa115-c/0009-tools-xenstore-allow-special-watches-for-privileged-.patch
xsa115-c/0010-tools-xenstore-avoid-watch-events-for-nodes-without-.patch
xsa115-o/0001-tools-ocaml-xenstored-ignore-transaction-id-for-un-w.patch
xsa115-o/0002-tools-ocaml-xenstored-check-privilege-for-XS_IS_DOMA.patch
xsa115-o/0003-tools-ocaml-xenstored-unify-watch-firing.patch
xsa115-o/0004-tools-ocaml-xenstored-introduce-permissions-for-spec.patch
xsa115-o/0005-tools-ocaml-xenstored-avoid-watch-events-for-nodes-w.patch
xsa115-o/0006-tools-ocaml-xenstored-add-xenstored.conf-flag-to-tur.patch
Advisory
Xen Security Advisory CVE-2020-29480 / XSA-115
version 4
xenstore watch notifications lacking permission checks
UPDATES IN VERSION 4
====================
Public release.
ISSUE DESCRIPTION
=================
Neither xenstore implementation performs any permission checks when
reporting a xenstore watch event.
A guest administrator can watch the root xenstored node, which will
cause notifications for every created, modified and deleted key.
A guest administrator can also use the special watches, which will
cause a notification every time a domain is created and destroyed.
Data may include:
- number, type and domids of other VMs
- existence and domids of driver domains
- numbers of virtual interfaces, block devices, vcpus
- existence of virtual framebuffers and their backend style (e.g.,
existence of VNC service)
- Xen VM UUIDs for other domains
- timing information about domain creation and device setup
- some hints at the backend provisioning of VMs and their devices
The watch events do not contain values stored in xenstore, only key
names.
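The check the patches add, as an added model in Python that is not the advisory's or xenstored's own code: a watch event is delivered only if the watching domain could read the affected key (for a removed node, its nearest existing ancestor, an assumption of this model), and the special domain-lifecycle watches fire only for the privileged domain; `check_perms=False` reproduces the behaviour described above. Node and watch contents are constructed.

```python
# Model of the permission check the XSA-115 patches add to watch delivery.
# Added example, not xenstored's own code; store contents are constructed.
from dataclasses import dataclass, field

DOM0 = 0  # the privileged control domain
@dataclass
class Node:
    owner: int                                  # owning domid, full access
    readers: set = field(default_factory=set)   # other domids allowed to read
@dataclass
class Watch:
    domid: int  # domain that registered the watch
    path: str   # node path such as "/", or a special watch such as "@releaseDomain"

def can_read(store, path, domid):
    """dom0 reads anything; otherwise only the owner or a listed reader may.
    A removed node is judged by its nearest existing ancestor (assumed here)."""
    if domid == DOM0:
        return True
    while path not in store:
        if path == "/":
            return False
        path = path.rsplit("/", 1)[0] or "/"
    return domid == store[path].owner or domid in store[path].readers

def fire_watches(store, watches, event, check_perms=True):
    """Return [(domid, event)] to deliver; check_perms=False is the pre-fix behaviour."""
    out = []
    for w in watches:
        if w.path.startswith("@") or event.startswith("@"):
            # special watches pair only with their own event; fixed: privileged only
            if w.path == event and (not check_perms or w.domid == DOM0):
                out.append((w.domid, event))
            continue
        prefix = w.path.rstrip("/") + "/"  # "/" for a watch on the root
        if event != w.path and not event.startswith(prefix):
            continue  # event is outside the watched subtree
        if check_perms and not can_read(store, event, w.domid):
            continue  # the fix: watcher may not read this key, so stay silent
        out.append((w.domid, event))
    return out

STORE = {  # constructed: dom0 owns the hierarchy, each guest owns its subtree
    "/": Node(DOM0), "/local": Node(DOM0), "/local/domain": Node(DOM0),
    "/local/domain/2": Node(2), "/local/domain/3": Node(3),
    "/local/domain/3/device/vif/0": Node(3),
    "/local/domain/0/backend/vif/3/0": Node(DOM0, readers={3}),  # frontend may read
}
WATCHES = [
    Watch(DOM0, "/"), Watch(DOM0, "@releaseDomain"),  # toolstack
    Watch(2, "/"), Watch(2, "@releaseDomain"),        # guest 2: the XSA-115 scenario
    Watch(3, "/local/domain/3"),                      # guest 3 watching its own subtree
]
```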
IMPACT
======
A guest administrator can observe non-sensitive domain and device
lifecycle events relating to other guests. This information allows
some insight into the overall system configuration (including the
number and general nature of other guests) and into the configuration
of other guests (including the number and general nature of other
guests' devices). This information might be commercially interesting
or might make other attacks easier.
There is not believed to be exposure of sensitive data. Specifically,
there is no exposure of: VNC passwords; port numbers; pathnames in host
and guest filesystems; cryptographic keys; or within-guest data.
VULNERABLE SYSTEMS
==================
All Xen systems are vulnerable.
Both Xenstore implementations (C and Ocaml) are vulnerable.
MITIGATION
==========
There is no mitigation available.
CREDITS
=======
This issue was discovered by Andrew Reimers and Alex Sharp from
OrionVM.
RESOLUTION
==========
Applying the appropriate attached patches resolves this issue.
Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball. Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.
Note that the Ocaml patches depend on XSA-353.
xsa115-c/*.patch         xen-unstable          [C xenstored]
xsa115-4.14-c/*.patch    Xen 4.14              [C xenstored]
xsa115-4.13-c/*.patch    Xen 4.13 - 4.10       [C xenstored]
xsa115-o/*.patch         xen-unstable - 4.12   [Ocaml xenstored, needs 353]
xsa115-4.11-o/*.patch    Xen 4.11              [Ocaml xenstored, needs 353]
xsa115-4.10-o/*.patch    Xen 4.10              [Ocaml xenstored, needs 353]
$ sha256sum xsa115* xsa115*/*
DEPLOYMENT DURING EMBARGO
=========================
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
http://www.xenproject.org/security-policy.html
Xenproject.org Security Team