Alpine: multiple xen packages: security update to 4.14.0-r0 (deprecated)

Tenable Cloud Security Plugin ID 400363 (severity: high)

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- An issue was discovered in Xen through 4.14.x. There is mishandling of the constraint that once-valid
event channels may not turn invalid. Logic in the handling of event channel operations in Xen assumes that
an event channel, once valid, will not become invalid over the lifetime of a guest. However, operations
like the resetting of all event channels may involve decreasing one of the bounds checked when determining
validity. This may lead to bug checks triggering, crashing the host. An unprivileged guest may be able to
crash Xen, leading to a Denial of Service (DoS) for the entire system. All Xen versions from 4.4 onwards
are vulnerable. Xen versions 4.3 and earlier are not vulnerable. Only systems with untrusted guests
permitted to create more than the default number of event channels are vulnerable. This number depends on
the architecture and type of guest. For 32-bit x86 PV guests, this is 1023; for 64-bit x86 PV guests, and
for all ARM guests, this number is 4095. Systems where untrusted guests are limited to fewer than this
number are not vulnerable. Note that xl and libxl limit max_event_channels to 1023 by default, so systems
using exclusively xl, libvirt+libxl, or their own toolstack based on libxl, and not explicitly setting
max_event_channels, are not vulnerable. (CVE-2020-25597)

- An issue was discovered in Xen through 4.14.x. The PCI passthrough code improperly uses register data.
Code paths in Xen's MSI handling have been identified that act on unsanitized values read back from device
hardware registers. While devices strictly compliant with PCI specifications shouldn't be able to affect
these registers, experience shows that it's very common for devices to have out-of-spec "backdoor"
operations that can affect the result of these reads. A not fully trusted guest may be able to crash Xen,
leading to a Denial of Service (DoS) for the entire system. Privilege escalation and information leaks
cannot be excluded. All versions of Xen supporting PCI passthrough are affected. Only x86 systems are
vulnerable. Arm systems are not vulnerable. Only guests with passed through PCI devices may be able to
leverage the vulnerability. Only systems passing through devices with out-of-spec ("backdoor")
functionality can cause issues. Experience shows that such out-of-spec functionality is common; unless you
have reason to believe that your device does not have such functionality, it's better to assume that it
does. (CVE-2020-25595)

- An issue was discovered in Xen through 4.14.x. x86 PV guest kernels can experience denial of service via
SYSENTER. The SYSENTER instruction leaves various state sanitization activities to software. One of Xen's
sanitization paths injects a #GP fault, and incorrectly delivers it twice to the guest. This causes the
guest kernel to observe a kernel-privilege #GP fault (typically fatal) rather than a user-privilege #GP
fault (usually converted into SIGSEGV/etc.). Malicious or buggy userspace can crash the guest kernel,
resulting in a VM Denial of Service. All versions of Xen from 3.2 onwards are vulnerable. Only x86 systems
are vulnerable. ARM platforms are not vulnerable. Only x86 systems that support the SYSENTER instruction
in 64-bit mode are vulnerable. This is believed to be Intel, Centaur, and Shanghai CPUs. AMD and Hygon CPUs
are not believed to be vulnerable. Only x86 PV guests can exploit the vulnerability. x86 PVH / HVM guests
cannot exploit the vulnerability. (CVE-2020-25596)

- An issue was discovered in Xen 4.14.x. There is a missing unlock in the XENMEM_acquire_resource error
path. The RCU (Read-Copy-Update) mechanism is a synchronisation primitive. A buggy error path in
XENMEM_acquire_resource exits without releasing an RCU reference, which is conceptually similar to
forgetting to unlock a spinlock. A buggy or malicious HVM stubdomain can cause an RCU reference to be
leaked. This causes subsequent administration operations (e.g., CPU offline) to livelock, resulting in a
host Denial of Service. The buggy codepath has been present since Xen 4.12. Xen 4.14 and later are
vulnerable to the DoS. The side effects are believed to be benign on Xen 4.12 and 4.13, but patches are
provided nevertheless. The vulnerability can generally only be exploited by x86 HVM VMs, as these are
generally the only type of VM that have a Qemu stubdomain. x86 PV and PVH domains, as well as ARM VMs,
typically don't use a stubdomain. Only VMs using HVM stubdomains can exploit the vulnerability. VMs using
PV stubdomains, or with emulators running in dom0, cannot exploit the vulnerability. (CVE-2020-25598)
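For the CVE-2020-25597 item above, one defender-side check is to review xl guest configuration files for an explicitly raised max_event_channels, since the advisory states that guests left at the xl/libxl default of 1023 are not affected. The following is an added example, not part of this plugin page or of the Xen project: it parses the key = value lines of xl configs (sample configs constructed inline) and compares the effective limit with the bounds quoted in the advisory; the guest_is_32bit_pv flag is an assumption the caller must supply, because the config file does not record the bitness of a PV guest's kernel.

```python
import re

# Bounds quoted in the CVE-2020-25597 text: xl/libxl default max_event_channels
# to 1023; the architecture-dependent bound is 1023 for 32-bit x86 PV guests and
# 4095 for 64-bit x86 PV guests and all ARM guests.
XL_DEFAULT_LIMIT = 1023
BOUND_X86_PV32 = 1023
BOUND_OTHER = 4095

_ASSIGN = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)\s*$')


def parse_xl_config(text):
    """Parse the key = value lines of an xl guest config into a dict of strings."""
    cfg = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0]          # drop trailing comments
        m = _ASSIGN.match(line)
        if m:
            cfg[m.group(1)] = m.group(2).strip('"\'')
    return cfg


def check_event_channels(cfg, guest_is_32bit_pv=False):
    """Return (effective limit, affected) for one parsed guest config.

    guest_is_32bit_pv is an assumption supplied by the caller: the config
    file does not record whether a PV guest runs a 32-bit kernel.
    """
    raw = cfg.get('max_event_channels')
    limit = int(raw) if raw is not None else XL_DEFAULT_LIMIT
    bound = BOUND_X86_PV32 if guest_is_32bit_pv else BOUND_OTHER
    return limit, limit > bound


# Constructed sample configs standing in for files under /etc/xen.
SAMPLE_CONFIGS = {
    'default.cfg': 'name = "web01"\ntype = "pv"\n# limit left at the xl default\n',
    'raised.cfg': 'name = "db01"\ntype = "pv"\nmax_event_channels = 8192\n',
}


def scan_configs(configs, is_32bit_pv=None):
    """Report (name, limit, affected) per config; is_32bit_pv maps name -> bool."""
    is_32bit_pv = is_32bit_pv or {}
    return [(name, *check_event_channels(parse_xl_config(text),
                                          is_32bit_pv.get(name, False)))
            for name, text in configs.items()]


if __name__ == '__main__':
    for name, limit, affected in scan_configs(SAMPLE_CONFIGS):
        print(name, limit, 'affected' if affected else 'not affected')
```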

See Also

https://git.alpinelinux.org/aports/commit/?id=7827f2cdeff854d65e1c9f05d5a80fb7226f18f8

https://git.alpinelinux.org/aports/commit/?id=f48590ae54ca9e0c3bf6b3fae3e6b065f14223e3

Plugin Details

Severity: High

ID: 400363

Version: Revision 1.23

Type: Local

Published: 8/16/2023

Updated: 5/13/2024

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 97.35

CVSS v2

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 4.5

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:C

CVSS Score Source: CVE-2020-25597

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2020-25603

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 9/23/2020

Vulnerability Publication Date: 9/22/2020

Reference Information

CVE: CVE-2020-25595, CVE-2020-25596, CVE-2020-25597, CVE-2020-25598, CVE-2020-25599, CVE-2020-25600, CVE-2020-25601, CVE-2020-25602, CVE-2020-25603, CVE-2020-25604

IAVB: 2020-B-0056-S