Allele Security Alert
ASA-2019-00655, CVE-2019-19579, XSA-306
Device quarantine for alternate pci assignment methods
The Xen Project
Xen versions 4.12.x, 4.11.x, 4.10.x, 4.9.x and 4.8.x before XSA-306 patch
Only systems where guests are given direct access to physical devices capable of DMA (PCI pass-through) are vulnerable. Systems which do not use PCI pass-through are not vulnerable.
Only systems which use “alternate” methods to assign devices to pciback before assignment are vulnerable. These methods include:
– Assigning devices on the Linux command-line using `xen-pciback.hide`
– Assigning devices via xen-pciback module parameters
– Assigning devices manually via sysfs
– Assigning devices using libvirt
Systems which use `xl pci-assignable-add` or libxl_device_pci_assignable_add, or have the assignable state handled automatically via setting the `seize` parameter, are not affected.
Xen version 4.12.x with the following patch:
Xen versions 4.10.x and 4.11.x with the following patch:
Xen versions 4.8.x and 4.9.x with the following patch:
Proof of concept
An untrusted domain with access to a physical device can DMA into host memory, leading to privilege escalation.
ASA-2019-00627 / XSA-302 relies on the use of libxl’s “assignable-add” feature to prepare devices to be assigned to untrusted guests.
Unfortunately, this is not considered a strictly required step for device assignment. The PCI passthrough documentation on the wiki describes alternate ways of preparing devices for assignment, and libvirt uses its own ways as well. Hosts where these “alternate” methods are used will still leave the system in a vulnerable state after the device comes back from a guest.
Marek Marczykowski-Górecki (Invisible Things Lab)
oss-security – Xen Security Advisory 306 v3 (CVE-2019-19579) – Device quarantine
for alternate pci assignment methods
XSA-306 – Xen Security Advisories
ASA-2019-00627 – Xen: Passed through PCI devices may corrupt host memory after deassignment
CVE-2019-19579 - Red Hat Customer Portal
CVE-2019-19579 | SUSE
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 11, 2020