Bugzilla – Bug 1177414
VUL-0: CVE-2020-27670: xen: unsafe AMD IOMMU page table updates (XSA-347 v2)
Last modified: 2024-04-15 13:40:20 UTC
now public through https://xenbits.xen.org/xsa/advisory-347.html

Xen Security Advisory XSA-347
version 2

unsafe AMD IOMMU page table updates

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

AMD IOMMU page table entries are updated in a step by step manner,
without regard to them being potentially in use by the IOMMU.
Therefore it was possible that the IOMMU would read and then use a
half-updated entry. Furthermore, updates to Device Table entries
lacked suitable ordering enforcement for certain steps involved in
these updates.

In both cases the specific outcome heavily depends on how exactly the
compiler translated the affected pieces of code.

IMPACT
======

A malicious guest might be able to cause data corruption and data
leaks. Host or guest Denial of Service (DoS), and privilege
escalation, cannot be ruled out.

VULNERABLE SYSTEMS
==================

All Xen versions are potentially vulnerable.

Only x86 systems with AMD, Hygon, or compatible IOMMU hardware are
vulnerable. Arm systems as well as x86 systems with VT-d hardware or
without any IOMMUs in use are not vulnerable.

Only x86 guests which have physical devices passed through to them can
leverage the vulnerability.

MITIGATION
==========

Not passing through physical devices to untrusted guests will avoid
the vulnerability.

CREDITS
=======

This issue was discovered by Paul Durrant of Amazon and Jan Beulich of
SUSE.

RESOLUTION
==========

Applying the appropriate set of attached patches resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball. Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa347/xsa347-?.patch           xen-unstable
xsa347/xsa347-4.14-?.patch      Xen 4.14
xsa347/xsa347-4.13-?.patch      Xen 4.13
xsa347/xsa347-4.12-?.patch      Xen 4.12
xsa347/xsa347-4.11-?.patch      Xen 4.10 - 4.11

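Added example, not part of the advisory or the Xen patches: a small C model of the failure described above, where an entry written in two steps can be fetched half-updated, next to the pattern of building the entry locally and publishing it with one 64-bit store. The bit layout, function names and addresses are assumptions made for the illustration.

```c
#include <stdatomic.h>
#include <stdint.h>

/* Simplified, assumed 64-bit entry layout (illustration, not Xen's). */
#define PTE_PRESENT   (1ULL << 0)
#define PTE_WRITE     (1ULL << 62)
#define PTE_ADDR_MASK 0x000FFFFFFFFFF000ULL

static uint64_t make_pte(uint64_t addr, int writable)
{
    return (addr & PTE_ADDR_MASK) | (writable ? PTE_WRITE : 0) | PTE_PRESENT;
}

/* Models a hardware fetch after a store: 1 if neither old nor new is seen. */
static int torn(_Atomic uint64_t *pte, uint64_t old, uint64_t next)
{
    uint64_t seen = atomic_load(pte);
    return seen != old && seen != next;
}

/* Step-by-step update: low 32 bits first, then the high 32 bits. */
static int update_stepwise(_Atomic uint64_t *pte, uint64_t next)
{
    uint64_t old = atomic_load(pte);
    int bad = 0;
    atomic_store(pte, (old & ~0xFFFFFFFFULL) | (next & 0xFFFFFFFFULL));
    bad += torn(pte, old, next);   /* fetch between the two stores */
    atomic_store(pte, next);
    bad += torn(pte, old, next);   /* fetch after the update completes */
    return bad;
}

/* Build the whole entry locally, publish it with a single 64-bit store. */
static int update_atomic(_Atomic uint64_t *pte, uint64_t next)
{
    uint64_t old = atomic_load(pte);
    atomic_store_explicit(pte, next, memory_order_release);
    return torn(pte, old, next);
}

/* Constructed sample: remap a read-only entry to a new, writable frame. */
static int run_demo(int use_atomic)
{
    _Atomic uint64_t pte = make_pte(0x0000000123456000ULL, 0);
    uint64_t next = make_pte(0x0000004ABCDEF000ULL, 1);
    return use_atomic ? update_atomic(&pte, next) : update_stepwise(&pte, next);
}
int main(void) { return run_demo(0) == 1 && run_demo(1) == 0 ? 0 : 1; }
```

In the constructed sample the intermediate value is 0x00000001BCDEF001: a present entry whose address belongs to neither the old nor the new mapping.
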
SUSE-SU-2020:3052-1: An update that fixes four vulnerabilities is now available.
Category: security (important)
Bug References: 1177409,1177412,1177413,1177414
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27673
JIRA References:
Sources used:
    SUSE Linux Enterprise Server for SAP 15 (src): xen-4.10.4_18-3.44.1
    SUSE Linux Enterprise High Performance Computing 15-LTSS (src): xen-4.10.4_18-3.44.1
    SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): xen-4.10.4_18-3.44.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2020:3049-1: An update that fixes four vulnerabilities is now available.
Category: security (important)
Bug References: 1177409,1177412,1177413,1177414
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27673
JIRA References:
Sources used:
    SUSE Linux Enterprise Module for Server Applications 15-SP2 (src): xen-4.13.1_10-3.13.1
    SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): xen-4.13.1_10-3.13.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2020:3050-1: An update that fixes four vulnerabilities is now available.
Category: security (important)
Bug References: 1177409,1177412,1177413,1177414
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27673
JIRA References:
Sources used:
    SUSE Linux Enterprise Software Development Kit 12-SP5 (src): xen-4.12.3_10-3.27.1
    SUSE Linux Enterprise Server 12-SP5 (src): xen-4.12.3_10-3.27.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2020:3051-1: An update that fixes four vulnerabilities is now available.
Category: security (important)
Bug References: 1177409,1177412,1177413,1177414
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27673
JIRA References:
Sources used:
    SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): xen-4.12.3_10-3.31.1
    SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): xen-4.12.3_10-3.31.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2020:3088-1: An update that fixes four vulnerabilities is now available.
Category: security (important)
Bug References: 1177409,1177412,1177413,1177414
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27673
JIRA References:
Sources used:
    SUSE OpenStack Cloud Crowbar 9 (src): xen-4.11.4_10-2.39.2
    SUSE OpenStack Cloud 9 (src): xen-4.11.4_10-2.39.2
    SUSE Linux Enterprise Server for SAP 12-SP4 (src): xen-4.11.4_10-2.39.2
    SUSE Linux Enterprise Server 12-SP4-LTSS (src): xen-4.11.4_10-2.39.2
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2020:1783-1: An update that fixes four vulnerabilities is now available.
Category: security (important)
Bug References: 1177409,1177412,1177413,1177414
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27673
JIRA References:
Sources used:
    openSUSE Leap 15.2 (src): xen-4.13.1_10-lp152.2.12.1

openSUSE-SU-2020:1844-1: An update that fixes four vulnerabilities is now available.
Category: security (important)
Bug References: 1177409,1177412,1177413,1177414
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27673
JIRA References:
Sources used:
    openSUSE Leap 15.1 (src): xen-4.12.3_10-lp151.2.27.1

SUSE-SU-2020:3611-1: An update that solves 5 vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1177409,1177412,1177413,1177414,1178591,1178963
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368
JIRA References:
Sources used:
    SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): xen-4.12.4_04-3.37.1
    SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): xen-4.12.4_04-3.37.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2020:3615-1: An update that solves 5 vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1177409,1177412,1177413,1177414,1178591,1178963
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368
JIRA References:
Sources used:
    SUSE Linux Enterprise Module for Server Applications 15-SP2 (src): xen-4.13.2_04-3.19.1
    SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): xen-4.13.2_04-3.19.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2020:3627-1: An update that solves 5 vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1177409,1177412,1177413,1177414,1178591,1178963
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368
JIRA References:
Sources used:
    SUSE Linux Enterprise Server for SAP 15 (src): xen-4.10.4_22-3.50.1
    SUSE Linux Enterprise High Performance Computing 15-LTSS (src): xen-4.10.4_22-3.50.1
    SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): xen-4.10.4_22-3.50.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2020:2162-1: An update that solves 5 vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1177409,1177412,1177413,1177414,1178591,1178963
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368
JIRA References:
Sources used:
    openSUSE Leap 15.2 (src): xen-4.13.2_04-lp152.2.18.1

SUSE-SU-2020:3631-1: An update that solves 5 vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1177409,1177412,1177413,1177414,1178591,1178963
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368
JIRA References:
Sources used:
    SUSE OpenStack Cloud Crowbar 8 (src): xen-4.9.4_14-3.77.1
    SUSE OpenStack Cloud 8 (src): xen-4.9.4_14-3.77.1
    SUSE Linux Enterprise Server for SAP 12-SP3 (src): xen-4.9.4_14-3.77.1
    SUSE Linux Enterprise Server 12-SP3-LTSS (src): xen-4.9.4_14-3.77.1
    SUSE Linux Enterprise Server 12-SP3-BCL (src): xen-4.9.4_14-3.77.1
    SUSE Enterprise Storage 5 (src): xen-4.9.4_14-3.77.1
    HPE Helion Openstack 8 (src): xen-4.9.4_14-3.77.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2020:2192-1: An update that solves 5 vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1177409,1177412,1177413,1177414,1178591,1178963
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368
JIRA References:
Sources used:
    openSUSE Leap 15.1 (src): xen-4.12.4_04-lp151.2.33.1

SUSE-SU-2020:3653-1: An update that solves 5 vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1177409,1177412,1177413,1177414,1178591,1178963
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368
JIRA References:
Sources used:
    SUSE OpenStack Cloud Crowbar 9 (src): xen-4.11.4_14-2.45.1
    SUSE OpenStack Cloud 9 (src): xen-4.11.4_14-2.45.1
    SUSE Linux Enterprise Server for SAP 12-SP4 (src): xen-4.11.4_14-2.45.1
    SUSE Linux Enterprise Server 12-SP4-LTSS (src): xen-4.11.4_14-2.45.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2020:14557-1: An update that solves 6 vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1177409,1177412,1177413,1177414,1178591,1178935,1178963
CVE References: CVE-2020-25723,CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368
JIRA References:
Sources used:
    SUSE Linux Enterprise Server 11-SP4-LTSS (src): xen-4.4.4_46-61.58.1
    SUSE Linux Enterprise Debuginfo 11-SP4 (src): xen-4.4.4_46-61.58.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2020:3742-1: An update that solves 5 vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1177409,1177412,1177413,1177414,1178591,1178963
CVE References: CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368
JIRA References:
Sources used:
    SUSE OpenStack Cloud 7 (src): xen-4.7.6_12-43.70.1
    SUSE Linux Enterprise Server for SAP 12-SP2 (src): xen-4.7.6_12-43.70.1
    SUSE Linux Enterprise Server 12-SP2-LTSS (src): xen-4.7.6_12-43.70.1
    SUSE Linux Enterprise Server 12-SP2-BCL (src): xen-4.7.6_12-43.70.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Backported and released to 11-SP1.
released