===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.4642
                      USN-5617-1: Xen vulnerabilities
                             20 September 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xen
Publisher:         Ubuntu
Operating System:  Ubuntu
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-25604 CVE-2020-25603 CVE-2020-25602
                   CVE-2020-25601 CVE-2020-25600 CVE-2020-25599
                   CVE-2020-25597 CVE-2020-25596 CVE-2020-25595
                   CVE-2020-15567 CVE-2020-15566 CVE-2020-15565
                   CVE-2020-15564 CVE-2020-15563 CVE-2020-11743
                   CVE-2020-11742 CVE-2020-11741 CVE-2020-11740
                   CVE-2020-11739 CVE-2020-0543 

Original Bulletin: 
   https://ubuntu.com/security/notices/USN-5617-1

Comment: CVSS (Max):  8.1 CVE-2020-11741 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: NVD, [Red Hat]
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

USN-5617-1: Xen vulnerabilities
19 September 2022

Several security issues were fixed in Xen.

Releases

  o Ubuntu 20.04 LTS

Packages

  o xen - Public headers and libs for Xen

Details

It was discovered that memory contents previously stored in
microarchitectural special registers after RDRAND, RDSEED, and SGX EGETKEY
read operations on Intel client and Xeon E3 processors may be briefly
exposed to processes on the same or different processor cores. A local
attacker could use this to expose sensitive information. ( CVE-2020-0543 )

Julien Grall discovered that Xen incorrectly handled memory barriers on
ARM-based systems. An attacker could possibly use this issue to cause a
denial of service, obtain sensitive information or escalate privileges.
( CVE-2020-11739 )

Ilja Van Sprundel discovered that Xen incorrectly handled profiling of
guests. An unprivileged attacker could use this issue to obtain sensitive
information from other guests, cause a denial of service or possibly gain
privileges. ( CVE-2020-11740 , CVE-2020-11741 )

It was discovered that Xen incorrectly handled grant tables. A malicious
guest could possibly use this issue to cause a denial of service.
( CVE-2020-11742 , CVE-2020-11743 )

Jan Beulich discovered that Xen incorrectly handled certain code paths. An
attacker could possibly use this issue to cause a denial of service.
( CVE-2020-15563 )

Julien Grall discovered that Xen incorrectly verified memory addresses
provided by the guest on ARM-based systems. A malicious guest administrator
could possibly use this issue to cause a denial of service. ( CVE-2020-15564 )

Roger Pau Monne discovered that Xen incorrectly handled caching on x86 Intel
systems. An attacker could possibly use this issue to cause a denial of
service. ( CVE-2020-15565 )

It was discovered that Xen incorrectly handled errors in event-channel port
allocation. A malicious guest could possibly use this issue to cause a
denial of service. ( CVE-2020-15566 )

Jan Beulich discovered that Xen incorrectly handled certain EPT (Extended
Page Tables). An attacker could possibly use this issue to cause a denial
of service, data corruption or privilege escalation. ( CVE-2020-15567 )

Andrew Cooper discovered that Xen incorrectly handled PCI passthrough.
An attacker could possibly use this issue to cause a denial of service.
( CVE-2020-25595 )

Andrew Cooper discovered that Xen incorrectly sanitized path injections.
An attacker could possibly use this issue to cause a denial of service.
( CVE-2020-25596 )

Jan Beulich discovered that Xen incorrectly handled validation of event
channels. An attacker could possibly use this issue to cause a denial
of service. ( CVE-2020-25597 )

Julien Grall and Jan Beulich discovered that Xen incorrectly handled
resetting event channels. An attacker could possibly use this issue to
cause a denial of service or obtain sensitive information. ( CVE-2020-25599 )

Julien Grall discovered that Xen incorrectly handled event channels
memory allocation on 32-bit domains. An attacker could possibly use this
issue to cause a denial of service. ( CVE-2020-25600 )

Jan Beulich discovered that Xen incorrectly handled resetting or cleaning
up event channels. An attacker could possibly use this issue to cause a
denial of service. ( CVE-2020-25601 )

Andrew Cooper discovered that Xen incorrectly handled certain Intel-specific
MSRs (Model Specific Registers). An attacker could possibly use
this issue to cause a denial of service. ( CVE-2020-25602 )

Julien Grall discovered that Xen incorrectly handled accessing/allocating
event channels. An attacker could possibly use this issue to cause a
denial of service, obtain sensitive information or escalate privileges.
( CVE-2020-25603 )

Igor Druzhinin discovered that Xen incorrectly handled locks. An attacker
could possibly use this issue to cause a denial of service. ( CVE-2020-25604 )

Update instructions

The problem can be corrected by updating your system to the following package
versions:

Ubuntu 20.04

  o libxengnttab1 - 4.11.3+24-g14b62ab3e5-1ubuntu2.3
  o xen-hypervisor-4.11-amd64 - 4.11.3+24-g14b62ab3e5-1ubuntu2.3
  o xen-hypervisor-4.11-armhf - 4.11.3+24-g14b62ab3e5-1ubuntu2.3
  o libxenmisc4.11 - 4.11.3+24-g14b62ab3e5-1ubuntu2.3
  o libxendevicemodel1 - 4.11.3+24-g14b62ab3e5-1ubuntu2.3
  o xenstore-utils - 4.11.3+24-g14b62ab3e5-1ubuntu2.3
  o xen-utils-4.11 - 4.11.3+24-g14b62ab3e5-1ubuntu2.3
  o xen-hypervisor-4.11-arm64 - 4.11.3+24-g14b62ab3e5-1ubuntu2.3
  o xen-utils-common - 4.11.3+24-g14b62ab3e5-1ubuntu2.3
  o libxenevtchn1 - 4.11.3+24-g14b62ab3e5-1ubuntu2.3

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

  o CVE-2020-25599
  o CVE-2020-11740
  o CVE-2020-11739
  o CVE-2020-15567
  o CVE-2020-15563
  o CVE-2020-25596
  o CVE-2020-25600
  o CVE-2020-25602
  o CVE-2020-11743
  o CVE-2020-11741
  o CVE-2020-15564
  o CVE-2020-0543
  o CVE-2020-15566
  o CVE-2020-15565
  o CVE-2020-25604
  o CVE-2020-25597
  o CVE-2020-25603
  o CVE-2020-25601
  o CVE-2020-25595
  o CVE-2020-11742

Related notices

  o USN-4387-1 : linux-image-5.3.0-1024-oracle, linux, linux-aws,
    linux-image-gke, linux-image-azure-edge, linux-oracle, linux-raspi2,
    linux-image-snapdragon-hwe-18.04, linux-image-aws-edge, linux-image-gcp,
    linux-image-azure, linux-image-5.3.0-1026-raspi2, linux-image-gcp-edge,
    linux-image-generic, linux-image-oracle, linux-image-gke-5.3,
    linux-image-generic-lpae-hwe-18.04, linux-image-raspi2, linux-hwe,
    linux-image-lowlatency-hwe-18.04, linux-aws-5.3,
    linux-image-5.3.0-1023-kvm, linux-image-virtual-hwe-18.04, linux-gcp,
    linux-image-5.3.0-59-snapdragon, linux-image-5.3.0-59-lowlatency,
    linux-gcp-5.3, linux-image-generic-hwe-18.04, linux-image-5.3.0-1028-azure,
    linux-image-gkeop-5.3, linux-azure-5.3, linux-azure, linux-image-aws,
    linux-image-generic-lpae, linux-image-virtual, linux-raspi2-5.3,
    linux-image-5.3.0-1026-gcp, linux-image-oracle-edge,
    linux-image-5.3.0-1023-aws, linux-image-raspi2-hwe-18.04,
    linux-image-5.3.0-1026-gke, linux-image-5.3.0-59-generic, linux-gke-5.3,
    linux-image-snapdragon, linux-image-lowlatency,
    linux-image-5.3.0-59-generic-lpae, linux-oracle-5.3, linux-kvm,
    linux-image-kvm
  o USN-4391-1 : linux-image-virtual-lts-xenial, linux-image-powerpc64-smp,
    linux-image-lowlatency-lts-utopic, linux-image-4.4.0-184-generic-lpae,
    linux-image-powerpc-e500mc, linux, linux-aws,
    linux-image-generic-lts-vivid, linux-image-powerpc-smp-lts-utopic,
    linux-image-virtual-lts-vivid, linux-raspi2,
    linux-image-generic-lts-utopic, linux-image-powerpc-e500mc-lts-wily,
    linux-image-powerpc64-emb-lts-vivid, linux-image-generic-lts-xenial,
    linux-image-virtual-lts-utopic, linux-image-generic,
    linux-image-powerpc64-emb-lts-wily, linux-image-generic-lpae-lts-wily,
    linux-image-raspi2, linux-image-powerpc-smp-lts-wily,
    linux-image-lowlatency-lts-wily, linux-image-4.4.0-184-powerpc64-emb,
    linux-image-4.4.0-184-generic, linux-image-4.4.0-1138-snapdragon,
    linux-image-generic-lpae-lts-xenial, linux-image-lowlatency-lts-xenial,
    linux-image-powerpc-smp, linux-image-powerpc64-emb-lts-utopic,
    linux-snapdragon, linux-image-lowlatency-lts-vivid,
    linux-image-powerpc64-emb-lts-xenial, linux-image-4.4.0-1109-aws,
    linux-image-powerpc64-smp-lts-utopic, linux-image-powerpc-smp-lts-vivid,
    linux-image-aws, linux-image-generic-lpae,
    linux-image-4.4.0-184-powerpc-smp, linux-image-powerpc64-emb,
    linux-image-virtual, linux-image-4.4.0-1134-raspi2,
    linux-image-4.4.0-184-powerpc-e500mc, linux-image-powerpc64-smp-lts-wily,
    linux-image-generic-lts-wily, linux-image-powerpc-e500mc-lts-utopic,
    linux-image-4.4.0-184-lowlatency, linux-image-4.4.0-1075-kvm,
    linux-image-kvm, linux-image-powerpc-e500mc-lts-xenial,
    linux-image-virtual-lts-wily, linux-image-powerpc-e500mc-lts-vivid,
    linux-image-generic-lpae-lts-utopic, linux-image-powerpc-smp-lts-xenial,
    linux-image-powerpc64-smp-lts-xenial, linux-image-snapdragon,
    linux-image-generic-lpae-lts-vivid, linux-image-lowlatency,
    linux-lts-xenial, linux-image-4.4.0-184-powerpc64-smp,
    linux-image-powerpc64-smp-lts-vivid, linux-kvm, linux-image-4.4.0-1073-aws
  o USN-4390-1 : linux-azure-4.15, linux-image-4.15.0-1067-kvm, linux,
    linux-aws, linux-image-gke, linux-image-azure-edge, linux-gke-4.15,
    linux-oracle, linux-raspi2, linux-image-4.15.0-1063-raspi2, linux-aws-hwe,
    linux-image-gcp, linux-image-aws-lts-18.04,
    linux-image-4.15.0-1080-snapdragon, linux-image-virtual-hwe-16.04,
    linux-image-azure, linux-image-virtual-hwe-16.04-edge, linux-image-generic,
    linux-image-oracle, linux-image-raspi2, linux-hwe,
    linux-image-generic-hwe-16.04, linux-image-4.15.0-1045-oracle,
    linux-snapdragon, linux-image-4.15.0-1089-azure, linux-oem, linux-gcp,
    linux-image-gke-4.15, linux-kvm, linux-image-4.15.0-1077-gcp,
    linux-image-generic-lpae-hwe-16.04, linux-azure, linux-image-virtual,
    linux-image-generic-lpae, linux-image-lowlatency-hwe-16.04-edge,
    linux-image-4.15.0-106-lowlatency, linux-image-generic-lpae-hwe-16.04-edge,
    linux-image-generic-hwe-16.04-edge, linux-image-4.15.0-106-generic,
    linux-image-oem, linux-image-azure-lts-18.04,
    linux-image-lowlatency-hwe-16.04, linux-image-4.15.0-1063-gke,
    linux-image-snapdragon, linux-image-oracle-lts-18.04,
    linux-image-lowlatency, linux-image-aws-hwe, linux-image-4.15.0-1073-aws,
    linux-image-4.15.0-106-generic-lpae, linux-image-4.15.0-1087-oem,
    linux-image-kvm
  o USN-4385-1 : intel-microcode
  o USN-4389-1 : linux-image-oem-osp1, linux-image-5.4.0-1015-oracle, linux,
    linux-aws, linux-image-gke, linux-image-5.4.0-37-generic,
    linux-image-raspi, linux-oracle, linux-riscv,
    linux-image-5.4.0-37-generic-lpae, linux-image-5.4.0-37-lowlatency,
    linux-image-5.4.0-1015-kvm, linux-image-gcp, linux-image-5.4.0-1016-azure,
    linux-image-azure, linux-image-generic, linux-image-oracle,
    linux-image-lowlatency-hwe-20.04, linux-image-generic-lpae-hwe-18.04,
    linux-image-raspi2, linux-image-generic-hwe-18.04-edge,
    linux-image-lowlatency-hwe-18.04, linux-image-virtual-hwe-18.04-edge,
    linux-raspi, linux-image-virtual-hwe-18.04, linux-gcp,
    linux-image-5.4.0-1012-raspi, linux-image-generic-hwe-18.04, linux-azure,
    linux-image-aws, linux-image-generic-lpae,
    linux-image-generic-lpae-hwe-18.04-edge, linux-image-virtual,
    linux-image-virtual-hwe-20.04, linux-image-lowlatency-hwe-18.04-edge,
    linux-image-oem, linux-image-generic-lpae-hwe-20.04,
    linux-image-generic-hwe-20.04, linux-image-5.4.0-1015-gcp,
    linux-image-5.4.0-27-generic, linux-image-lowlatency,
    linux-image-5.4.0-1015-aws, linux-kvm, linux-image-kvm
  o USN-4392-1 : linux-image-powerpc64-smp, linux-image-omap,
    linux-image-powerpc-e500mc, linux, linux-image-generic,
    linux-image-generic-lts-quantal, linux-image-server,
    linux-image-powerpc-smp, linux-image-3.13.0-180-powerpc64-smp,
    linux-image-generic-pae, linux-image-3.13.0-180-powerpc-e500,
    linux-image-3.13.0-180-powerpc64-emb,
    linux-image-3.13.0-180-powerpc-e500mc, linux-image-generic-lpae,
    linux-image-virtual, linux-image-powerpc64-emb,
    linux-image-generic-lpae-lts-trusty, linux-image-3.13.0-180-generic-lpae,
    linux-image-3.13.0-180-lowlatency, linux-image-3.13.0-180-powerpc-smp,
    linux-image-highbank, linux-image-powerpc-e500,
    linux-image-generic-lts-raring, linux-image-lowlatency-pae,
    linux-image-generic-lts-saucy, linux-image-generic-lts-trusty,
    linux-lts-trusty, linux-image-lowlatency, linux-image-3.13.0-180-generic,
    linux-image-generic-lpae-lts-saucy
  o USN-4388-1 : linux-image-gke-5.0, linux-image-oem-osp1, linux-gke-5.0,
    linux-oem-osp1, linux-image-5.0.0-1042-gke, linux-image-5.0.0-1059-oem-osp1
  o USN-4393-1 : linux-image-powerpc, linux-image-generic,
    linux-image-3.2.0-147-generic-pae, linux-image-highbank,
    linux-image-powerpc64-smp, linux-image-virtual,
    linux-image-3.2.0-147-powerpc64-smp, linux-image-3.2.0-147-highbank, linux,
    linux-image-3.2.0-147-virtual, linux-image-server, linux-image-powerpc-smp,
    linux-image-generic-pae, linux-image-3.2.0-147-generic,
    linux-image-3.2.0-147-powerpc-smp
  o LSN-0068-1 : generic-4.15, generic-4.4, lowlatency-4.15, lowlatency-4.4,
    aws, oem

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================