ASA-2019-00623 – Xen: VCPUOP_initialise Denial of Service (DoS)


Allele Security Alert

CVE-2019-18420

Identifier(s)

ASA-2019-00623, CVE-2019-18420, XSA-296

Title

VCPUOP_initialise Denial of Service (DoS)

Vendor(s)

The Xen Project

Product(s)

Xen

Affected version(s)

Xen version 4.6 and newer

Xen versions since the following commit:

hypercall: update vcpu_op to take an unsigned vcpuid
https://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=1d429034

Fixed version(s)

Xen 4.7 – 4.8 with the following patch applied:

xen/hypercall: Don’t use BUG() for parameter checking in hypercall_create_continuation()
https://xenbits.xen.org/xsa/xsa296-4.8.patch

Xen 4.9 – unstable with the following patch applied:

xen/hypercall: Don’t use BUG() for parameter checking in hypercall_create_continuation()
https://xenbits.xen.org/xsa/xsa296.patch

Proof of concept

Unknown

Description

A malicious guest can crash the hypervisor, resulting in a Denial of Service (DoS) for every guest on the host.

Technical details

hypercall_create_continuation() is a variadic function which uses a printf-like format string to interpret its parameters. Error handling for a format character it does not recognise was done with BUG(), which halts Xen outright rather than failing just the offending request.

One caller, the VCPUOP_initialise hypercall, passes a format string containing such an unrecognised character. Because the format string is only interpreted when a continuation is actually created, the BUG() is reached only if VCPUOP_initialise runs long enough to be preempted and need a continuation. A guest that can make VCPUOP_initialise take that long therefore triggers the crash.
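The following is an added illustration, written for this alert and not taken from Xen's source or from the XSA-296 patch. It models the shape of the bug in plain C: a variadic, printf-style continuation builder whose format string is only parsed on the preemption path, so a caller that passes an unsupported character ('u' here, standing in for the bad character the advisory refers to) behaves correctly for short requests and takes the host down for long ones. Beside it is a hardened builder that validates into a scratch copy and fails only the calling guest (Xen has domain_crash() for that purpose; the flag-based stand-in below is this example's own). All names (struct domain, struct cpu_regs, VCPU_OP, vcpu_initialise_work, the cost/slice parameters) are constructed for the example and are not Xen's identifiers; the real fix's exact changes are in the linked patches.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model, not Xen code: placeholder names and values throughout. */
#define ERESTART   85     /* sentinel: "preempted, restart this hypercall" */
#define VCPU_OP    24     /* hypothetical hypercall number */
#define MAX_ARGS   6      /* format characters beyond this are ignored (simplification) */

struct domain   { int crashed; };                     /* one guest */
struct cpu_regs { unsigned long op, arg[MAX_ARGS]; }; /* saved state for re-execution */

/* Stands in for the effect of BUG(): the whole host stops, not one guest. */
static int hypervisor_crashed;

/* Vulnerable shape: an unrecognised format character is fatal for the host.
 * On success returns the hypercall number, like a real continuation builder
 * would hand back for the guest to re-issue; -1 models the BUG() path. */
static int create_continuation_bug(struct cpu_regs *regs, unsigned long op,
                                   const char *fmt, ...)
{
    va_list ap;
    unsigned i;

    va_start(ap, fmt);
    regs->op = op;
    for ( i = 0; *fmt && i < MAX_ARGS; fmt++, i++ )
    {
        switch ( *fmt )
        {
        case 'i': regs->arg[i] = va_arg(ap, unsigned int); break;
        case 'l': regs->arg[i] = va_arg(ap, unsigned long); break;
        case 'h': regs->arg[i] = (unsigned long)va_arg(ap, void *); break;
        default:
            hypervisor_crashed = 1;     /* BUG(): guest-reachable host crash */
            va_end(ap);
            return -1;
        }
    }
    va_end(ap);
    return (int)op;
}

/* Hardened shape: parse into a scratch copy so a rejected request leaves the
 * guest's saved state untouched, and on a bad character fail only that guest. */
static int create_continuation_safe(struct domain *d, struct cpu_regs *regs,
                                    unsigned long op, const char *fmt, ...)
{
    struct cpu_regs tmp = *regs;
    va_list ap;
    unsigned i;

    va_start(ap, fmt);
    tmp.op = op;
    for ( i = 0; *fmt && i < MAX_ARGS; fmt++, i++ )
    {
        switch ( *fmt )
        {
        case 'i': tmp.arg[i] = va_arg(ap, unsigned int); break;
        case 'l': tmp.arg[i] = va_arg(ap, unsigned long); break;
        case 'h': tmp.arg[i] = (unsigned long)va_arg(ap, void *); break;
        default:
            va_end(ap);
            d->crashed = 1;             /* tear down the caller, keep the host */
            return -1;
        }
    }
    va_end(ap);
    *regs = tmp;
    return (int)op;
}

/* Models the long-running part of VCPUOP_initialise: `cost` units of work
 * against a scheduling budget of `slice`; over budget means "preempt me". */
static int vcpu_initialise_work(unsigned cost, unsigned slice)
{
    return cost > slice ? -ERESTART : 0;
}

/* Vulnerable handler: the 'u' in "iuh" is never looked at unless the work
 * is long enough to need a continuation, which is the advisory's point. */
static int do_vcpu_op_vuln(struct cpu_regs *regs, int cmd, unsigned vcpuid,
                           void *arg, unsigned cost, unsigned slice)
{
    int rc = vcpu_initialise_work(cost, slice);
    if ( rc == -ERESTART )
        rc = create_continuation_bug(regs, VCPU_OP, "iuh", cmd, vcpuid, arg);
    return rc;
}

/* Hardened handler: a builder that cannot crash the host, and a format string
 * it actually supports ('i' covers the unsigned vcpuid in this model). */
static int do_vcpu_op_fixed(struct domain *d, struct cpu_regs *regs, int cmd,
                            unsigned vcpuid, void *arg, unsigned cost, unsigned slice)
{
    int rc = vcpu_initialise_work(cost, slice);
    if ( rc == -ERESTART )
        rc = create_continuation_safe(d, regs, VCPU_OP, "iih", cmd, vcpuid, arg);
    return rc;
}

int main(void)
{
    struct cpu_regs regs = { 0 };
    struct domain dom = { 0 };

    printf("short run, vulnerable builder: rc=%d host_crashed=%d\n",
           do_vcpu_op_vuln(&regs, 0, 1, NULL, 1, 10), hypervisor_crashed);
    printf("long run, vulnerable builder:  rc=%d host_crashed=%d\n",
           do_vcpu_op_vuln(&regs, 0, 1, NULL, 100, 10), hypervisor_crashed);
    printf("long run, hardened builder:    rc=%d guest_crashed=%d\n",
           do_vcpu_op_fixed(&dom, &regs, 0, 1, NULL, 100, 10), dom.crashed);
    return 0;
}
```

The short run returns 0 without ever touching the format string, which is why the defect stayed latent until a guest made VCPUOP_initialise run long enough to be preempted. The hardened variant turns the same programming error into a rejected request for one guest instead of a host outage, which is the general lesson of the fix's title: parameter checks on guest-reachable paths must not be implemented with BUG().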

Credits

Andrew Cooper (Citrix)

Reference(s)

XSA-296 – Xen Security Advisories
https://xenbits.xen.org/xsa/advisory-296.html

oss-security – Xen Security Advisory 296 v4 (CVE-2019-18420) – VCPUOP_initialise DoS
https://www.openwall.com/lists/oss-security/2019/10/31/1

hypercall: update vcpu_op to take an unsigned vcpuid
https://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=1d429034

xen/hypercall: Don’t use BUG() for parameter checking in hypercall_create_continuation()
https://xenbits.xen.org/xsa/xsa296.patch

xen/hypercall: Don’t use BUG() for parameter checking in hypercall_create_continuation()
https://xenbits.xen.org/xsa/xsa296-4.8.patch

CVE-2019-18420
https://security-tracker.debian.org/tracker/CVE-2019-18420

CVE-2019-18420 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-18420.html

CVE-2019-18420
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18420

CVE-2019-18420
https://nvd.nist.gov/vuln/detail/CVE-2019-18420

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: November 12, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.