Allele Security Alert
ASA-2019-00655
Identifier(s)
ASA-2019-00655, CVE-2019-19579, XSA-306
Title
Device quarantine for alternate pci assignment methods
Vendor(s)
The Xen Project
Product(s)
Xen
Affected version(s)
Xen versions 4.12.x, 4.11.x, 4.10.x, 4.9.x and 4.8.x before XSA-306 patch
Only systems where guests are given direct access to physical devices capable of DMA (PCI pass-through) are vulnerable. Systems which do not use PCI pass-through are not vulnerable.
Only systems which use “alternate” methods to assign devices to pciback before assignment are vulnerable. These methods include:
– Assigning devices on the Linux command-line using `xen-pciback.hide`
– Assigning devices via xen-pciback module parameters
– Assigning devices manually via sysfs
– Assigning devices using libvirt
Systems which use `xl pci-assignable-add` or libxl_device_pci_assignable_add, or have the assignable state handled automatically via setting the `seize` parameter, are not affected.
Fixed version(s)
Xen version 4.12.x with the following patch:
xsa306-4.12.patch
https://xenbits.xen.org/xsa/xsa306-4.12.patch
Xen versions 4.10.x and 4.11.x with the following patch:
xsa306-4.11.patch
https://xenbits.xen.org/xsa/xsa306-4.11.patch
Xen versions 4.8.x and 4.9.x with the following patch:
xsa306-4.9.patch
https://xenbits.xen.org/xsa/xsa306-4.9.patch
Proof of concept
Unknown
Description
An untrusted domain with access to a physical device can DMA into host memory, leading to privilege escalation.
Technical details
ASA-2019-00627 / XSA-302 relies on the use of libxl’s “assignable-add” feature to prepare devices to be assigned to untrusted guests.
Unfortunately, this is not considered a strictly required step for device assignment. The PCI passthrough documentation on the wiki describes alternate ways of preparing devices for assignment, and libvirt uses its own ways as well. Hosts where these “alternate” methods are used will still leave the system in a vulnerable state after the device comes back from a guest.
Credits
Marek Marczykowski-Górecki (Invisible Things Lab)
Reference(s)
oss-security – Xen Security Advisory 306 v3 (CVE-2019-19579) – Device quarantine
for alternate pci assignment methods
https://www.openwall.com/lists/oss-security/2019/12/05/7
XSA-306 – Xen Security Advisories
http://xenbits.xen.org/xsa/advisory-306.html
xsa306.meta
https://xenbits.xen.org/xsa/xsa306.meta
xsa306.patch
https://xenbits.xen.org/xsa/xsa306.patch
xsa306-4.9.patch
https://xenbits.xen.org/xsa/xsa306-4.9.patch
xsa306-4.11.patch
https://xenbits.xen.org/xsa/xsa306-4.11.patch
xsa306-4.12.patch
https://xenbits.xen.org/xsa/xsa306-4.12.patch
ASA-2019-00627 – Xen: Passed through PCI devices may corrupt host memory after deassignment
https://allelesecurity.com/asa-2019-00627/
CVE-2019-18424
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18424
CVE-2019-18424
https://nvd.nist.gov/vuln/detail/CVE-2019-18424
CVE-2019-19579 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2019-19579
CVE-2019-19579
https://security-tracker.debian.org/tracker/CVE-2019-19579
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-19579.html
CVE-2019-19579 | SUSE
https://www.suse.com/security/cve/CVE-2019-19579
CVE-2019-19579
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19579
CVE-2019-19579
https://nvd.nist.gov/vuln/detail/CVE-2019-19579
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 11, 2020