ASA-2019-00655 – Xen: Device quarantine for alternate pci assignment methods


Allele Security Alert

ASA-2019-00655

Identifier(s)

ASA-2019-00655, CVE-2019-19579, XSA-306

Title

Device quarantine for alternate pci assignment methods

Vendor(s)

The Xen Project

Product(s)

Xen

Affected version(s)

Xen versions 4.12.x, 4.11.x, 4.10.x, 4.9.x and 4.8.x before XSA-306 patch

Only systems where guests are given direct access to physical devices capable of DMA (PCI pass-through) are vulnerable. Systems which do not use PCI pass-through are not vulnerable.

Only systems which use “alternate” methods to assign devices to pciback before assignment are vulnerable. These methods include:
– Assigning devices on the Linux command-line using `xen-pciback.hide`
– Assigning devices via xen-pciback module parameters
– Assigning devices manually via sysfs
– Assigning devices using libvirt

Systems which use `xl pci-assignable-add` or libxl_device_pci_assignable_add, or have the assignable state handled automatically via setting the `seize` parameter, are not affected.

Fixed version(s)

Xen version 4.12.x with the following patch:

xsa306-4.12.patch
https://xenbits.xen.org/xsa/xsa306-4.12.patch

Xen versions 4.10.x and 4.11.x with the following patch:

xsa306-4.11.patch
https://xenbits.xen.org/xsa/xsa306-4.11.patch

Xen versions 4.8.x and 4.9.x with the following patch:

xsa306-4.9.patch
https://xenbits.xen.org/xsa/xsa306-4.9.patch

Proof of concept

Unknown

Description

An untrusted domain with access to a physical device can DMA into host memory, leading to privilege escalation.

Technical details

ASA-2019-00627 / XSA-302 relies on the use of libxl’s “assignable-add” feature to prepare devices to be assigned to untrusted guests.

Unfortunately, this step is not strictly required for device assignment. The PCI passthrough documentation on the Xen wiki describes alternate ways of preparing devices for assignment, and libvirt uses its own mechanism as well. Hosts that use these “alternate” methods are still left in the vulnerable state described in ASA-2019-00627 / XSA-302 after a device is deassigned from a guest and comes back to the host.

Credits

Marek Marczykowski-Górecki (Invisible Things Lab)

Reference(s)

oss-security – Xen Security Advisory 306 v3 (CVE-2019-19579) – Device quarantine for alternate pci assignment methods
https://www.openwall.com/lists/oss-security/2019/12/05/7

XSA-306 – Xen Security Advisories
http://xenbits.xen.org/xsa/advisory-306.html

xsa306.meta
https://xenbits.xen.org/xsa/xsa306.meta

xsa306.patch
https://xenbits.xen.org/xsa/xsa306.patch

xsa306-4.9.patch
https://xenbits.xen.org/xsa/xsa306-4.9.patch

xsa306-4.11.patch
https://xenbits.xen.org/xsa/xsa306-4.11.patch

xsa306-4.12.patch
https://xenbits.xen.org/xsa/xsa306-4.12.patch

ASA-2019-00627 – Xen: Passed through PCI devices may corrupt host memory after deassignment
https://allelesecurity.com/asa-2019-00627/

CVE-2019-18424
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18424

CVE-2019-18424
https://nvd.nist.gov/vuln/detail/CVE-2019-18424

CVE-2019-19579 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2019-19579

CVE-2019-19579
https://security-tracker.debian.org/tracker/CVE-2019-19579

CVE-2019-19579 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19579.html

CVE-2019-19579 | SUSE
https://www.suse.com/security/cve/CVE-2019-19579

CVE-2019-19579
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19579

CVE-2019-19579
https://nvd.nist.gov/vuln/detail/CVE-2019-19579

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: February 11, 2020

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.