CVE-2020-29484

medium
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

An issue was discovered in Xen through 4.14.x. When a Xenstore watch fires, the xenstore client that registered the watch will receive a Xenstore message containing the path of the modified Xenstore entry that triggered the watch, and the tag that was specified when registering the watch. Any communication with xenstored is done via Xenstore messages, consisting of a message header and the payload. The payload length is limited to 4096 bytes. Any request to xenstored resulting in a response with a payload longer than 4096 bytes will result in an error. When registering a watch, the payload length limit applies to the combined length of the watched path and the specified tag. Because watches for a specific path are also triggered for all nodes below that path, the payload of a watch event message can be longer than the payload needed to register the watch. A malicious guest that registers a watch using a very large tag (i.e., with a registration operation payload length close to the 4096 byte limit) can cause the generation of watch events with a payload length larger than 4096 bytes, by writing to Xenstore entries below the watched path. This will result in an error condition in xenstored. This error can result in a NULL pointer dereference, leading to a crash of xenstored. A malicious guest administrator can cause xenstored to crash, leading to a denial of service. Following a xenstored crash, domains may continue to run, but management operations will be impossible. Only C xenstored is affected, oxenstored is not affected.

References

https://lists.fedoraproject.org/archives/list/[email protected]/message/2C6M6S3CIMEBACH6O7V4H2VDANMO6TVA/

https://lists.fedoraproject.org/archives/list/[email protected]/message/OBLV6L6Q24PPQ2CRFXDX4Q76KU776GKI/

https://www.debian.org/security/2020/dsa-4812

https://xenbits.xenproject.org/xsa/advisory-324.txt

Details

Source: MITRE

Published: 2020-12-15

Updated: 2021-03-16

Type: CWE-476

Risk Information

CVSS v2

Base Score: 4.9

Vector: AV:L/AC:L/Au:N/C:N/I:N/A:C

Impact Score: 6.9

Exploitability Score: 3.9

Severity: MEDIUM

CVSS v3

Base Score: 6

Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

Impact Score: 4

Exploitability Score: 1.5

Severity: MEDIUM

Tenable Plugins

View all (14 total)

IDNameProductFamilySeverity
150656SUSE SLES11 Security Update : xen (SUSE-SU-2020:14578-1)NessusSuSE Local Security Checks
high
150180OracleVM 3.4 : xen (OVMSA-2021-0014)NessusOracleVM Local Security Checks
high
145360openSUSE Security Update : xen (openSUSE-2020-2313)NessusSuSE Local Security Checks
high
145322openSUSE Security Update : xen (openSUSE-2020-2331)NessusSuSE Local Security Checks
high
144713Xen xenstored watch DoS (XSA-324)NessusMisc.
medium
144637SUSE SLES12 Security Update : xen (SUSE-SU-2020:3945-1)NessusSuSE Local Security Checks
high
144613Fedora 32 : xen (2020-df772b417b)NessusFedora Local Security Checks
high
144611Fedora 33 : xen (2020-64859a826b)NessusFedora Local Security Checks
high
144580SUSE SLED15 / SLES15 Security Update : xen (SUSE-SU-2020:3915-1)NessusSuSE Local Security Checks
high
144576SUSE SLES12 Security Update : xen (SUSE-SU-2020:3914-1)NessusSuSE Local Security Checks
high
144570SUSE SLES12 Security Update : xen (SUSE-SU-2020:3913-1)NessusSuSE Local Security Checks
high
144492SUSE SLES12 Security Update : xen (SUSE-SU-2020:3880-1)NessusSuSE Local Security Checks
medium
144476SUSE SLED15 / SLES15 Security Update : xen (SUSE-SU-2020:3881-1)NessusSuSE Local Security Checks
high
144322Debian DSA-4812-1 : xen - security updateNessusDebian Local Security Checks
high